Group Discussion Written Project
SANS Technology Institute

Creating a No Phishing Zone

Team: Russell Eubanks & Tsega Thompson
Date: December 8, 2011

Executive Summary

It is difficult to stay ahead of malicious software delivered by phishing schemes. New attacks are discovered daily, and organizations are realizing that these attacks often enter their networks through well-meaning users who assume their actions are harmless. Employees believe that if an email comes from what appears to be a trusted party, then it must be safe. Social engineering blatantly exploits this trust and has regularly been used to steal sensitive information from a diverse range of organizations.

This paper introduces a training program focused on phishing attacks. It examines various forms of spear phishing, with the goal of educating employees to recognize these attacks and, ideally, prevent them from succeeding on the GIAC Enterprises networks and systems. This will be done through a combination of real-time simulated experiences, information sharing, and positive reinforcement. The expected result of this training and evaluation program is an employee population with a less than 2% chance of responding to a phishing attack.

According to the Anti-Phishing Working Group, “there were at least 112,472 unique phishing attacks worldwide, in 200 top-level domains” (Rasmussen & Aaron, 2011). GIAC Enterprises employees will be trained to identify suspected phishing schemes and report them to the Help Desk. In August 2011, it was discovered that “Operation Shady RAT has been stealing valuable intellectual property (including government secrets, e-mail archives, legal contracts, negotiation plans for business activities, and design schematics) from more than 70 public- and private-sector organizations in 14 countries” (Gross, 2011).
Is Shady RAT the most significant cyber intrusion in recent years, or does it highlight an ongoing problem: that the target is now the human user?

GIAC Enterprises is a small to medium-sized growing business and the largest supplier of fortune cookie sayings in the world. In recent months, a cyber attack dubbed Operation Shady RAT was discovered by McAfee. Despite its recent detection, the attack itself had been in circulation for approximately five years. At a recent meeting the CEO was advised that the number one reason the affected organizations were initially compromised was phishing, and has decided on a proactive approach. Strategically, it was decided that the best course of action would be to create a company-wide training program geared towards educating end users about phishing. The training program would include awareness as well as mandatory testing to ensure that users understood the gravity of the situation. Since then, an independent security consulting firm has been hired to conduct phishing tests within the company. Through this special study, the CIO wants to ensure that all employees are adequately prepared for the new wave of spear phishing attacks similar to those used in Operation Shady RAT. The GIAC Enterprises Tiger Team is now charged with ensuring that the new training program properly protects the company's employees from phishing attacks.

Research has shown that phishing campaigns affect diverse business sectors, making almost everyone a potential target. A report by the Anti-Phishing Working Group (APWG, 2011) shows a breakdown of the business sectors affected by phishing attacks in the last quarter of 2010 (see Image 1 below). Although regular phishing attacks have decreased in recent years, spear phishing attacks have increased. Cyber espionage has become more prevalent as attackers have ceased trying to obtain personal information from users and are now focused on getting unsuspecting users to download crimeware, so as to collect and retrieve sensitive information including, but not limited to, company trade secrets.

[Image 1: Business sectors affected by phishing attacks in the last quarter of 2010 (APWG, 2011)]

With the marked increase in cyber attacks, it is no longer adequate to focus on or test for only the common phishing attacks. “At the end of last year, 43% of all social networking users had been on the receiving end of phishing attacks” (Zonealarm, 2011). Operation Shady RAT demonstrated to many that neither the size of the organization nor its industry matters; anyone can be the target of a spear phishing attack. Frequently employees blindly trust the contents of an email message, believing everything in it to be true. “Commercial emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email.” (Krebs, 2011) Often the user is tempted to respond without considering the implications of simply opening an electronic message. Even more worrisome is that employees often respond to emails without logically considering the implications of what they are doing. For example, an email arrives from UPS informing you of a package delivery. Someone else's name is in the “To” field, and more often than not you were not expecting a package. Why then would you click on the link in the email?

Given that the focus of criminals is to steal more information from unsuspecting computer users, the more prepared users are for these attacks, the less likely they will be to hand over personal and often sensitive information. It is expected that this campaign will lead to a decreased number of users clicking on nefarious emails and attachments, and that this will also be reflected in increased calls to the Help Desk reporting these emails.
“To make compliance training more interesting and to invite participation, trainers create interactivity with games, role plays, case studies, real-life examples, and even humor. Some create interest by demonstrating relevance by using of real-life scenarios, case law, current news stories, and emphasizing the cost of noncompliance” (Woulfe, 2010). By engaging users in how to protect themselves at work as well as at home, they will be equipped to be more diligent in their computer usage.

General Information

A regular phishing attack, which accounts for the most commonly known phishing attacks, is a social engineering ploy designed to have users willingly relay sensitive information via electronic communication to a purportedly trusted entity. This information includes, but is not limited to, passwords, usernames, credit card information and any personal information that would be valuable to criminals. All phishing attacks require that the user have some level of trust relationship with the sender. However, these emails may in fact originate from the user's own company or another trusted organization.

With a spear phishing attack, the trust relationship is more defined. These spoofed emails are crafted to appear to come from trusted parties, and are more targeted attacks geared to steal information more effectively. When a user opens the attachment or link, an invisible program is installed whose purpose is simply to retrieve information.

The Proposal

The Phishing Awareness Program has two basic steps:

a. Pre Assessment User Awareness
b. Post Assessment Evaluation

The program lasts for four weeks, during which time we will boost user awareness as well as reinforce the principles discussed.

1. A mandatory awareness webinar. At logon, users will be prompted to log onto a portal. Once they are in the portal they will hit the play button, whereupon a presentation will start.
The presentation will be approximately twenty (20) minutes long and cover basic topics such as:

a. What is phishing?
b. The different types of phishing found today.
c. The impact of phishing on an organization.
d. How to detect phishing attacks.
e. Signs that you have succumbed to a phishing attack.
f. Steps to mitigate phishing attacks.
g. Hotline information whereby users can report suspected attacks.

This webinar will be available for a period of 72 hours, after which a link to the webinar will be placed on the company's intranet for reference.

On day four (4) of the program we will begin testing user knowledge of what was shared in the previous three (3) days. We have chosen five (5) phishing attacks which will be sent to users at random over a two (2) week period. Each attack will contain an embedded cookie that will track the recipient and determine whether they reacted to the attack. If the user succumbs to the attack by clicking the link or attachment, a page will open advising them that they succumbed to a phishing attack and pointing out the signs in the email that should have tipped them off.

On day twenty-four, intentional reinforcement of all that was learned in the previous three weeks will begin. Users will be prompted to complete a mandatory quiz. The quiz will contain the previously sent phishing attacks as well as some non-attacks, and users will be asked to identify whether each one is an attack or not.

The final day of the program, day twenty-six, is Report Card Day. On this day the team will present where your company stands regarding user knowledge of the subject matter. Statistics will be provided showing the most at-risk departments and personnel. Additionally, we will provide possible solutions to mitigate the risks of phishing throughout the company.
If desired, we will also discuss whether there is a need for follow-up training within the next three to six months.

[Image 2]

Selling Point

It has been noted that one of the most effective defensive mechanisms we have today against phishing attacks is user awareness. Unlike many other malicious attacks on the web today, phishing attacks do not target computers but humans. Therefore, in the same way we program computers to defend against these attacks, we need to program our human resources to do likewise. We do this by arming the humans in our workforce with the knowledge to recognize the attack so that it can be thwarted.

Human behavioral studies have taught that most behavior patterns are learned through reinforcement, be it positive or negative. In this case we will lean towards positive reinforcement by rewarding persons who have successfully completed the training program. The reward can be something as simple as coupons for Starbucks coffee or airtime. Additionally, people tend to learn better from hands-on exposure as well as repetition. By simulating actual phishing attacks, users become more aware of what to expect because they experience it firsthand.

Instead of simply sending each attack to every individual at the same time and waiting for a response, we will send each of the five attacks to random users, on random days, at random times. This is done on the assumption that if they all arrive at the same time, users will very quickly realize through some form of communication what is happening, and rather than recognize the attacks themselves, they will base their actions on those of their colleagues. If, for example, on day 5 between the hours of 9am and 1pm only 10 emails have been sent and only one person in a department receives one, that person is more likely to accept it as genuine.
The aim of this program is not for users to fail the testing but to ensure that users fully understand and recognize these attacks. This is why we are going to give users the same scenarios in two different ways. We expect that with the awareness program most persons will be on the lookout for phishing attacks and start applying what was taught. However, for some the information will simply filter through without taking root. Therefore, it is expected that quite a few users will still fall prey to the phishing attacks after the awareness portion of the program. Despite this, by the end of Reinforcement Day those numbers should have reduced significantly.

As a bonus feature we will send out daily security tips to users. These tips will focus not only on cyber attacks but on general security as well. This is to be implemented through Group Policy in Active Directory: each day when the employee logs on to the computer, a pop-up window will display the tip, and the user will be able to close the window once they have read it.

The Tests

The testing portion of the program is twofold. First we will test users by simulating phishing attacks, and then at a later date we will quiz those users. Below are the tests that we are planning to simulate, with organizational approval.

1. The updated Employee Directory - Employees will receive an email that appears to have been sent by the HR/PR department informing them that the Employee Directory is in the process of being updated. Users will be asked to click on the URL link to update their information. Once users click the link they will be routed to the company's intranet home page and asked to enter their username and password to access the page/form.

2. Company Reorganization Chart - Users will receive an email informing them that the company is currently undergoing reorganizational changes, and asking them to refer to the PDF attachment to view the changes.

3. Top Secret Fortune Cookie Recipe (Microsoft Word attachment) - Users will receive an email with the subject heading TOP SECRET - HIGHLY CONFIDENTIAL. When they open it they will see a Word attachment that has what appears to be the complete recipe for GIAC fortune cookies.

4. Submit a fortune - In an attempt to boost employee morale, users are asked to submit fortunes for the upcoming holiday season. All users have to do is reply to the email with their creative fortunes.

5. Payroll information - Users will receive an email that contains a compensation report spreadsheet.

If the user clicks on the link or the attachment, or responds to the email, a Word attachment will open advising them that they have been phished. It will also detail the aspects of the simulated attack that were suspect. See Appendix 3.

How will the Employees Detect the Phish?

As stated earlier, if users fall for any of the attacks, it will be recorded in a database for further analysis, and an automated email will be sent to these users clearly outlining the signs of the phishing attack. The worst kinds of phishing attacks are those that appear to be coming from your own organization. After all, no one distrusts their fellow workers. Luckily there are still some things users can be aware of:

1. Look at the “From” field. If the email address is in any way different from the known address of the person, that should raise a red flag. These differences can be subtle, such as a single character within the email address, or a new distribution list, i.e. ALL@giacenterprises.com where it has always been STAFF@giacenterprises.com.

2. BEWARE of any email that asks you to disclose personal information. Take a look at the email's header information, which tells you the routing information of the email. Some ways to access the headers in some well-known email clients are noted below for ease of reference (Fraudguides, 2011).
Outlook: select View/Options
Outlook Express: select Properties/Details
Eudora: click on the "Blah Blah Blah" button
Pine: type H
Hotmail: go to Options/Mail Display Settings/Message Headers and select "Full."
Yahoo! Mail: select "Full Headers."
Netscape: select View/Headers/All

3. Note differences between the sender and the sender's email address. For example, you get a notification from Apple that you have received a free iPad 2, but the email address is apple@msn.com.

4. Run attachments through antivirus software prior to opening them.

5. If you receive an email that seems out of place, contact the sender for confirmation prior to opening it.

6. If an email seems suspect, report it to the relevant IT department.

Expected Results

Research shows that average users disregard security advice and, by extension, awareness programs (Stephanou, 2010). This makes users likely to click a link or open a suspicious attachment. After the initial awareness and information-sharing portion of the program it is expected that at least 25% of users will still fall victim to a phishing attack. As the program progresses it will advise users as to what they missed with each attack, and it is expected that the number of potential victims will be reduced by 3-5% with each attack. At the end of the program it is anticipated that less than 2% will be susceptible to a spear phishing attack. This group should be largely comprised of persons who were out of the office on vacation or sick leave and thus missed the information.

Measuring Success

The success of this program will be tangibly measured. Through the use of the cookies we will know exactly who fell susceptible to each of the attacks. As we know the persons, we also know which departments pose the greatest risk to the organization. From this information we will be able to determine whether a plan needs to be customized for these persons.
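The From-field checks in items 1 and 3 of the detection list above (a subtly different address, an unfamiliar company-wide list, a display name that does not match the sending domain) can be automated as a first-pass triage aid for the Help Desk. The following Python is an added example written for this paper's checklist, not code from the authors or the program; the company domain, the known lists, the generic local-part list and the brand table are assumed values, and the messages are constructed.

```python
import difflib
import re
from email import message_from_string

# Assumed values for this example: the organization's own domain, the
# company-wide lists that legitimately send mail, and a small table of brands
# that lures commonly borrow, with the domain that really sends for each.
COMPANY_DOMAIN = "giacenterprises.com"
KNOWN_LISTS = {"staff@giacenterprises.com", "helpdesk@giacenterprises.com"}
GENERIC_LOCALS = {"all", "everyone", "staff", "hr", "payroll", "it", "helpdesk"}
BRAND_DOMAINS = {"apple": "apple.com", "ups": "ups.com", "giac": COMPANY_DOMAIN}

def split_from(value):
    """Split a From header into (display name, address). Done by hand so that
    a display name that is itself an address is reported, not silently used."""
    m = re.match(r'^\s*"?(?P<name>[^"<>]*?)"?\s*<(?P<addr>[^<>\s]+)>\s*$', value)
    if m:
        return m.group("name").strip(), m.group("addr")
    return "", value.strip()

def is_lookalike_domain(domain):
    """True for a domain close to, but not exactly, the company's own."""
    if domain == COMPANY_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8

def check_sender(raw_message):
    """Return the warning signs found in one message's From header: an address
    that differs subtly from the known one, an unfamiliar company-wide list
    (ALL@ instead of STAFF@), or a display name claiming a brand or address the
    real sender does not belong to. An empty list only means these particular
    signs are absent, not that the mail is genuine."""
    name, address = split_from(message_from_string(raw_message).get("From", ""))
    name, address = name.lower(), address.lower()
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return ["From header is missing or malformed"]
    findings = []
    if is_lookalike_domain(domain):
        findings.append(f"lookalike domain {domain} is not {COMPANY_DOMAIN}")
    if domain == COMPANY_DOMAIN and local in GENERIC_LOCALS and address not in KNOWN_LISTS:
        findings.append(f"unfamiliar company-wide sender {address}")
    for brand, brand_domain in BRAND_DOMAINS.items():
        if (re.search(rf"\b{brand}\b", name) and domain != brand_domain
                and not domain.endswith("." + brand_domain)):
            findings.append(f"display name mentions {brand} but mail is from {domain}")
    if "@" in name and name != address:
        findings.append(f"display name shows {name}, actual sender is {address}")
    return findings

# Constructed messages for illustration; only the From header matters here.
SAMPLES = {
    "known list": "From: STAFF@giacenterprises.com\nSubject: Holiday hours\n\nbody\n",
    "new list": "From: ALL@giacenterprises.com\nSubject: Directory update\n\nbody\n",
    "brand": "From: Apple Promotions <apple@msn.com>\nSubject: Free iPad 2\n\nbody\n",
    "lookalike": "From: GIAC Human Resources <hr@giac-enterprises.com>\nSubject: Org chart\n\nbody\n",
    "shown addr": "From: staff@giacenterprises.com <news@mail.example>\nSubject: Payroll\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {check_sender(raw) or ['no sign found']}")
```

These checks only cover the From line; header routing information (item 2) and attachment scanning (item 4) still need their own review.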
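As an added example (not the authors' own tooling), the following Python computes the Report Card Day figures described in the Measuring Success and Expected Results sections from the per-delivery results the tracking cookies and Help Desk would record: click rate per department and per attack, the change between successive attacks, the Help Desk report rate, whether the 2% target was met, and which users need customized follow-up. All names, departments and results are constructed.

```python
from collections import Counter

# Constructed sample data (not real GIAC Enterprises results): user -> (department,
# clicked per attack, reported to the Help Desk per attack). Each string position
# is one of the five simulated attacks in the order sent, Y/N as logged.
SAMPLE = {
    "alice": ("Sales", "YYYNN", "NNNYY"),
    "bob": ("Sales", "YNNNN", "NYYYY"),
    "carol": ("HR", "NNNNN", "YYYYY"),
    "dave": ("IT", "NNNNN", "NYYYY"),
    "erin": ("HR", "YYNNN", "NNYNY"),
    "frank": ("Finance", "YYYYY", "NNNNN"),
    "grace": ("Finance", "YNNNN", "NNYYY"),
    "heidi": ("IT", "NYNNN", "YNYYN"),
}
TARGET_RATE = 0.02  # the program's goal: under 2% still susceptible at the end

def records(sample=SAMPLE):
    """Flatten the sample into one row per delivered simulated email."""
    rows = []
    for user, (dept, clicks, reports) in sample.items():
        for attack, (c, r) in enumerate(zip(clicks, reports), start=1):
            rows.append({"user": user, "dept": dept, "attack": attack,
                         "clicked": c == "Y", "reported": r == "Y"})
    return rows

def click_rate_by(field, rows=None):
    """Fraction of deliveries clicked, grouped by "dept" or "attack"."""
    rows = records() if rows is None else rows
    delivered, clicked = Counter(), Counter()
    for row in rows:
        delivered[row[field]] += 1
        clicked[row[field]] += int(row["clicked"])
    return {key: clicked[key] / delivered[key] for key in delivered}

def improvement_per_attack(rows=None):
    """Change in click rate from each attack to the next; negative is progress."""
    by_attack = click_rate_by("attack", rows)
    rates = [by_attack[a] for a in sorted(by_attack)]
    return [round(later - earlier, 4) for earlier, later in zip(rates, rates[1:])]

def most_at_risk(rows=None, min_clicks=2):
    """Users who clicked at least min_clicks of the attacks, worst first."""
    rows = records() if rows is None else rows
    per_user = Counter(row["user"] for row in rows if row["clicked"])
    return [user for user, n in per_user.most_common() if n >= min_clicks]

def report_card(rows=None):
    """The figures the team would present on Report Card Day."""
    rows = records() if rows is None else rows
    by_attack = click_rate_by("attack", rows)
    final = by_attack[max(by_attack)]
    return {
        "by_department": click_rate_by("dept", rows),
        "by_attack": by_attack,
        "improvement": improvement_per_attack(rows),
        "help_desk_report_rate": sum(row["reported"] for row in rows) / len(rows),
        "final_click_rate": final,
        "meets_target": final < TARGET_RATE,
        "needs_follow_up": most_at_risk(rows),
    }

if __name__ == "__main__":
    for item, value in report_card().items():
        print(f"{item}: {value}")
```

With the constructed data the final click rate is 12.5%, so the sample campaign would not meet the 2% target and the persistent clickers would be the candidates for the customized plan the section describes.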
The statistics from the cookies will allow us to analyze whether users got better at recognizing attacks, as well as which attacks were harder to recognize. The mandatory quiz given towards the end of the program is to see how well users have put it all together. This part of the program is designed to test whether users have simply decided that all links and attachments are bad, or whether they can truly recognize the attacks. At the end of the four (4) weeks we will be in a better position to determine where the users are, and whether further training is required.

Additional Recommendations

There are ways to mitigate the risk of spear phishing within an organization. These include, but are not limited to:

a. Create and enforce a Computer and Email Policy.
b. Implement an Intrusion Detection System (IDS).
c. Patch systems regularly and in a timely manner to safeguard against zero-day attacks.
d. Implement Database Activity Monitoring (DAM).

Conclusion

According to Dmitri Alperovitch (Gross, M.J., 2011), organizations are broken into two categories: “those that know they've been compromised, and those that don't know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.” With the increasing complexity of cyber espionage it is hard to stay up to date with electronic protection mechanisms. Many of these exploits rely on social engineering, and therefore on human vulnerabilities, to launch their attacks successfully. In an effort to mitigate these risks, organizations have found it best to train employees to recognize these attacks and thus circumvent them. After all, knowledge is power. The best defense against a cyber attack is knowing how to stand strong against it.

References

APWG. (2011, July 31). Phishing activity trends report, 2nd half / 2010. Retrieved from http://www.antiphishing.org/reports/apwg_report_h2_2010.pdf

Fraudguides. (2011). Fake or "spoofed" email detection. Retrieved from http://www.fraudguides.com/internet_detect_spoofed_email.asp

Gross, M. (2011, August 2). Operation Shady RAT: Unprecedented cyber-espionage campaign and intellectual-property bonanza. Vanity Fair. Retrieved from http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109

Gross, M. J. (2011, September). Enter the cyber-dragon. Vanity Fair. Retrieved from http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109

Krebs, B. (2011, April 11). After Epsilon: Avoiding phishing scams & malware. Retrieved from http://krebsonsecurity.com/tag/phishing

Rasmussen, R., & Aaron, G. (2011, November 7). Global phishing survey: Trends and domain name use in 1H 2011. Retrieved from http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2011.pdf

Stephanou, T. (2010, June 26). Bursting the bubble. Retrieved from http://alinement.net/component/content/article/58

Woulfe, M. (2010, September). Corporate training pulse check. Training and Development, 64(9), 62-65.

Zonealarm. (2011, July 26). The dark side of social media: How phishing hooks users. Retrieved from http://blog.zonealarm.com/2011/07/how-phishing-hooks-users.html

Appendix 1

Employee listing and results of targeted emails

Appendix 2

Phishing Emails

1 - TOP Secret - Highly Confidential (Word document)
2 - Create a fortune (requested reply to a specific email and Excel attachment)
3 - Confidential Payroll information (Excel spreadsheet)
4 - Email inviting employee to update their contact information (click on specific URL)
5 - Email inviting employee to review new Organizational Chart (PDF document)

Appendix 3