Group Discussion Written Project
SANS Technology Institute
Creating a No Phishing Zone
Team: Russell Eubanks & Tsega Thompson
Date: December 8, 2011
Executive Summary
It is difficult to stay ahead of the malicious software delivered by phishing schemes. New
attacks are discovered daily, and organizations are realizing that these attacks often enter their
networks through well-meaning users who assume their actions are harmless. Employees believe
that if an email appears to come from a trusted party, it must be safe. Social engineering
blatantly exploits this trust and has regularly been used to steal sensitive information from
organizations of every kind. This paper introduces a training program focused on phishing
attacks. It examines several kinds of spear phishing attack and is geared towards educating
employees to recognize them and, ideally, prevent them from succeeding on the GIAC Enterprises
networks and systems. This will be done through a combination of real-time simulated attacks,
information sharing, and positive reinforcement. The expected result of this training and
evaluation program is an employee population with less than a 2% chance of responding to a
phishing attack.
According to the Anti-Phishing Working Group, “there were at least 112,472 unique phishing
attacks worldwide, in 200 top-level domains” (Rasmussen & Aaron, 2011). GIAC Enterprises
employees will be trained to identify suspected phishing schemes and report them to the
Help Desk. In August 2011 it was disclosed that “Operation Shady RAT has been stealing
valuable intellectual property (including government secrets, e-mail archives, legal contracts,
negotiation plans for business activities, and design schematics) from more than 70 public- and
private-sector organizations in 14 countries” (Gross, 2011). Is Shady RAT the most significant
cyber intrusion of recent years, or does it simply highlight an ongoing problem: that the target is
now the human user?
GIAC Enterprises is a small-to-medium-sized growing business and the largest supplier of
fortune cookie sayings in the world. In recent months a cyber attack dubbed Operation Shady
RAT was disclosed by McAfee. Despite its recent detection, the attack itself had been under way
for approximately five years. At a recent meeting the CEO was advised that the number one way
the affected organizations were initially compromised was spear phishing email, and the CEO
decided on a proactive approach. Strategically, it was decided that the best course of action
would be a companywide training program geared towards educating end users about
phishing. The training program would include awareness material as well as mandatory testing
to ensure that users understood the gravity of the situation.
Since then an independent security consulting firm has been hired to conduct phishing tests
within the company. Through this study, the CIO wants to ensure that all employees are adequately
prepared for the new wave of spear phishing attacks, similar to those used in Operation
Shady RAT. The GIAC Enterprises Tiger Team is now charged with ensuring that the new training
program properly protects the company's employees from phishing attacks.
Research has shown that phishing campaigns affect diverse business sectors, making almost
everyone a potential target. A report by the Anti-Phishing Working Group (APWG, 2011)
shows a breakdown of the business sectors affected by phishing attacks in the last quarter of
2010 (see Image 1 below). Although conventional phishing attacks have decreased in recent
years, spear phishing attacks have increased. Cyber espionage has become more prevalent as
attackers have moved away from harvesting personal information from users and now focus on
getting unsuspecting users to download crimeware that silently collects and exfiltrates sensitive
information, including, but not limited to, company trade secrets.
GDWP STI CPR
Creating a No Phishing Zone
R.Eubanks & T. Thompson
Image 1: APWG breakdown of the business sectors affected by phishing attacks in the last quarter of 2010 (APWG, 2011)
With the marked increase in cyber attacks, it is no longer adequate to focus on, or test for, only
the common phishing attacks. “At the end of last year, 43% of all social networking users had been
on the receiving end of phishing attacks” (Zonealarm, 2011). Operation Shady RAT demonstrated
to many that neither the size of an organization nor the industry it is in matters; anyone can be
the target of a spear phishing attack.
Employees frequently trust the contents of an email message blindly, believing everything in it
to be true. “Commercial emails that emphasize urgency should be always considered extremely
suspect, and under no circumstances should you do anything suggested in the email.” (Krebs,
2011) Often the user is tempted to respond without considering the implications of simply
opening an electronic message, let alone the implications of what they do next. For example, an
email arrives from UPS informing you of a package delivery. Someone else's name is in the
“To” field, and more often than not you were not expecting a package. Why then would
you click on the link in the email?
Given that criminals are focused on stealing ever more information from unsuspecting computer
users, the better prepared users are for these attacks, the less likely they are to hand over
personal and often sensitive information. This campaign is expected to reduce the number of
users who click on malicious emails and attachments, and to increase the number of calls to the
Help Desk reporting such emails.
“To make compliance training more interesting and to invite participation, trainers create
interactivity with games, role plays, case studies, real-life examples, and even humor. Some
create interest by demonstrating relevance by using of real-life scenarios, case law, current news
stories, and emphasizing the cost of noncompliance” (Woulfe, 2010). By engaging users in how to
protect themselves at work as well as at home, we equip them to be more diligent in their
everyday computer use.
General Information
A regular phishing attack, the most commonly known form, is a social engineering ploy designed
to have users willingly hand over sensitive information via electronic communication to what
purports to be a trusted entity. This information includes, but is not limited to, passwords,
usernames, credit card details, and any personal information that would be valuable to criminals.
All phishing attacks rely on the user having some level of trust in the apparent sender, and the
message may appear to originate from the user's own company or another trusted organization.
In a spear phishing attack the trust relationship is more specific: the message is spoofed to
appear to come from a particular trusted party and is sent to selected recipients, so as to steal
information more effectively. When the user opens the attachment or link, a program is silently
installed whose purpose is to collect and retrieve information.
The Proposal
The Phishing Awareness Program has two basic steps:
a. Pre-assessment user awareness
b. Post-assessment evaluation
The program lasts for four weeks, during which time we will boost user awareness and
reinforce the principles discussed.
1. A mandatory awareness webinar. At logon, users will be prompted to sign in to a portal.
Once in the portal they will press the play button, and a presentation will start.
The presentation will be approximately twenty (20) minutes long and cover basic
topics such as:
a. What is phishing?
b. The different types of phishing found today.
c. The impact of phishing on an organization.
d. How to detect phishing attacks.
e. Signs that you have succumbed to a phishing attack.
f. Steps to mitigate phishing attacks.
g. Hotline information through which users can report suspected attacks.
The webinar will be available for a period of 72 hours, after which a link to it will be
placed on the company's intranet for reference.
On day four (4) of the program we will begin testing users' knowledge of what was shared in the
previous three (3) days. We have chosen five (5) phishing attacks, which will be sent to users at
random over a two (2) week period. Each message will carry a unique per-recipient tracking
identifier, embedded in its link or attachment, that records who received it and whether they
acted on it. If a user succumbs to the attack by clicking the link or opening the attachment, a
page will open advising them that they succumbed to a phishing attack and pointing out the
signs in the email that should have tipped them off.
On day twenty-four (24), deliberate reinforcement of everything learned in the previous three
weeks will begin. Users will be prompted to complete a mandatory quiz. The quiz will present the
previously sent phishing attacks along with some legitimate messages, and users will be asked to
identify whether each is an attack or not.
The final day of the program, day twenty-six (26), is Report Card Day. On this day the team will
present where your company stands regarding user knowledge of the subject matter. Statistics
will be provided showing the most at-risk departments and personnel. Additionally, we will
provide possible solutions to mitigate the risk of phishing throughout the company. If desired,
we will also discuss whether follow-up training is needed within the next three to six months.
Image 2
Selling Point
It has been noted that one of the most effective defensive mechanisms we have today against
phishing attacks is user awareness. Unlike many other malicious attacks on the web today,
phishing attacks target not computers but humans. Therefore, in the same way that we program
computers to defend against attacks, we need to “program” our human resources to do likewise.
We do this by arming the humans in our workforce with the knowledge to recognize an attack in
the first place, so that it can be thwarted.
Human behavioral studies have shown that most behavior patterns are learned through
reinforcement, positive or negative. In this case we will lean towards positive reinforcement,
rewarding persons who successfully complete the training program through a simple reward
system, such as coupons for Starbucks coffee or mobile phone airtime.
Additionally, people tend to learn better from hands-on exposure and repetition. By
simulating actual phishing attacks, users experience firsthand what to expect and so become
more aware.
Instead of sending each attack to every individual at the same time and waiting for a
response, we will send each of the five attacks to random users, on random days, at random
times. This is done on the assumption that if the messages all arrive at the same time, users
will very quickly realize through some form of communication what is happening and, rather
than recognizing the attacks themselves, will base their actions on those of their colleagues. If,
for example, on day 5 between the hours of 9am and 1pm only 10 emails are sent and only one
person in a department receives one, that person is more likely to accept it as genuine.
The aim of this program is not for users to fail the tests but to ensure that users fully
understand and recognize these attacks. This is why we will present the same scenarios to users
in two different ways. We expect that after the awareness program most persons will be on the
lookout for phishing attacks and will start applying what was taught. However, for some the
information will simply pass through without taking root, so we expect that quite a few users
will still fall prey to the phishing attacks after the awareness portion of the program. Despite
this, by the end of Reinforcement Day those numbers should be significantly reduced.
As a bonus feature we will send daily security tips to users. These tips will cover not only
cyber attacks but general security as well. They will be delivered through Active Directory
Group Policy: each day when an employee logs on to a computer, a pop-up window will display
the tip, and the user can close the window once they have read it.
The Tests
The testing portion of the program is twofold. First we will test users by simulating phishing
attacks, and at a later date we will quiz those users. Below are the tests that we are planning
to simulate, subject to organizational approval.
1. The updated Employee Directory - Employees will receive an email that appears to have
been sent by the HR/PR department informing them that the Employee Directory is in the
process of being updated. Users will be asked to click a link to update their information.
Once users click the link they will be routed to a simulated login page resembling the
company's intranet home page and asked to enter their username and password to access
the form.
2. Company Reorganization Chart - Users will receive an email informing them that the
company is currently undergoing organizational changes and asking them to refer to the
attached PDF to view the new structure.
3. Top Secret Fortune Cookie Recipe (Microsoft Word attachment) - Users will receive an
email with the subject heading TOP SECRET - HIGHLY CONFIDENTIAL. When they
open it they will see a Word attachment containing what appears to be the complete recipe
for GIAC fortune cookies.
4. Submit a fortune - In an apparent effort to boost employee morale, users are asked to
submit fortunes for the upcoming holiday season. All users have to do is reply to the email
with their creative fortunes.
5. Payroll information - Users will receive an email containing a compensation report
spreadsheet.
If a user clicks the link, opens the attachment, or replies to the email, a Word document
will open advising them that they have been phished and detailing the aspects of the
simulated attack that were suspect. See Appendix 3.
How will the Employees Detect the Phish?
As stated earlier, if users fall for any of the attacks, it will be recorded in a database for further
analysis. In addition, an automated email will be sent to these users clearly outlining the signs of
the phishing attack.
The worst kinds of phishing attacks are those that appear to come from your own
organization; after all, no one distrusts their fellow workers. Luckily, there are still some things
users can watch for:
1. Look at the “From” field. If the email address differs in any way from the known
address of the person, that should raise a red flag. The differences can be subtle,
such as a single character within the email address, or a new distribution list, e.g.
ALL@giacenterprises.com where it has always been STAFF@giacenterprises.com.
2. BEWARE of any email that asks you to disclose personal information. Take a look at the
email's header information, which tells you the route the message took. Ways to view the
headers in some well-known email clients are noted below for ease of reference (Fraudguides,
2011).
Outlook: select View/Options
Outlook Express: select Properties/Details
Eudora: click on the "Blah Blah Blah" button
Pine: type H
Hotmail: go to Options/Mail Display Settings/Message Headers and select "Full."
Yahoo! Mail: select "Full Headers."
Netscape: select View/Headers/All
3. Note differences between the sender's name and the sender's email address. For example,
you get a notification from Apple that you have won a free iPad 2, but the email address is
apple@msn.com.
4. Run attachments through antivirus software prior to opening them.
5. If you receive an email that seems out of place, contact the sender for confirmation before
opening anything, by phone or in person rather than by replying to the message.
6. If an email seems suspect, report it to the IT department.
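The checks above (the “From” field, the routing headers, the sender's name versus address, and attachments) can be run automatically by the Help Desk on a reported message. The script below is an added example for this paper, not code from the paper or from any of the cited sources. It assumes giacenterprises.com as the company mail domain, mail.giacenterprises.com as the gateway that stamps the topmost Received: header, a small table of known senders (KNOWN_PARTIES), and two constructed sample messages modelled on tests 1 and 5; none of these come from the original text.

```python
"""Mail triage implementing the checks listed above: look-alike sender
domain, display name versus address, Reply-To, the gateway's Received: line,
attachments, and urgent or credential-seeking wording.

Added example, not code from the paper. Assumptions (not from the paper): the
mail domain is giacenterprises.com, the organization's own gateway
mail.giacenterprises.com stamps the topmost Received: header, and the
sender/domain pairs in KNOWN_PARTIES. All sample messages are constructed."""
import difflib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "giacenterprises.com"                      # assumption
GATEWAY = "mail.giacenterprises.com"                          # assumption
KNOWN_PARTIES = {"apple": "apple.com", "ups": "ups.com",      # assumption
                 "giac": INTERNAL_DOMAIN, "hr": INTERNAL_DOMAIN,
                 "payroll": INTERNAL_DOMAIN}
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".zip")
URGENT = re.compile(r"immediately|urgent|within 24 hours|will be (?:closed|suspended)", re.I)
CREDS = re.compile(r"\b(?:password|username|user name|log ?in)\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted):
    """Not `trusted`, but could pass for it at a glance: carries the trusted name
    as a label (giacenterprises.com.evil.example) or differs by a character or two."""
    if domain == trusted:
        return False
    if trusted.split(".")[0] in domain:
        return True
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def triage(raw):
    """Return the red flags found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    # Check 1: the sender address resembles, but is not, the real domain.
    if is_lookalike(from_dom, INTERNAL_DOMAIN):
        flags.append(f"look-alike sender domain {from_dom!r}")
    # Check 3: the display name invokes a party the address does not belong to.
    for word in name.lower().split():
        expected = KNOWN_PARTIES.get(word)
        if expected and from_dom != expected:
            flags.append(f"display name {name!r} but address domain {from_dom!r}")
            break
    # Replies are captured by pointing Reply-To somewhere other than From.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply)!r} differs from From")
    # Check 2: only the Received: line our own gateway stamped (the topmost one)
    # is trustworthy; the rest were written by the sender and can be forged.
    top = (msg.get_all("Received") or [""])[0]
    hop = re.search(r"from\s+(\S+)", top)
    via_gateway = re.search(r"by\s+" + re.escape(GATEWAY), top)
    if from_dom == INTERNAL_DOMAIN and not (
            via_gateway and hop and hop.group(1).endswith(INTERNAL_DOMAIN)):
        flags.append("claims an internal sender but did not enter through an internal host")
    # Check 4: every attachment goes to antivirus first; executable types are worse.
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        risk = "risky type, " if fname.lower().endswith(RISKY_EXT) else ""
        flags.append(f"attachment {fname!r}: {risk}scan with antivirus before opening")
    # Urgency (Krebs's rule of thumb) and requests for credentials (check 2).
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENT.search(text):
        flags.append("urgent wording")
    if CREDS.search(text):
        flags.append("asks for credentials")
    return flags


# Constructed sample: test 1 (directory update) sent from a look-alike domain.
DIRECTORY_SPOOF = (
    "Received: from mx1.cheap-host.example (203.0.113.7) by mail.giacenterprises.com"
    " with ESMTP; Mon, 5 Dec 2011 09:14:02 -0500\n"
    "From: GIAC HR Department <hr@giacenterprise.com>\n"
    "Reply-To: hr-updates@mailer.example\n"
    "Subject: Employee Directory update - respond immediately\n"
    "\n"
    "The Employee Directory is being updated. Please log in with your username\n"
    "and password at http://giacenterprise.com/directory to confirm your details.\n")


def payroll_sample():
    """Constructed sample: test 5 (compensation spreadsheet) with a forged
    internal From address that entered through an outside host."""
    m = EmailMessage()
    m["Received"] = (f"from smtp.bulk-sender.example (203.0.113.9) by {GATEWAY}"
                     " with ESMTP; Wed, 7 Dec 2011 11:02:41 -0500")
    m["From"] = "Payroll <payroll@giacenterprises.com>"
    m["Subject"] = "Q4 compensation report"
    m.set_content("The attached spreadsheet lists this quarter's compensation.")
    m.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                     subtype="octet-stream", filename="compensation.xlsm")
    return m.as_string()
```

Running triage(DIRECTORY_SPOOF) flags the look-alike domain, the display name, the foreign Reply-To, the urgent wording and the request for credentials; triage(payroll_sample()) flags the forged internal sender and the macro-enabled spreadsheet. Two caveats: only the Received: line added by your own gateway means anything, since everything below it in the chain was written by the sender and is as forgeable as the From field; and the script only names attachments, it never opens them, so they still go to antivirus as check 4 says.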
Expected Results
Research shows that average users disregard security advice and, by extension, awareness
programs (Stephanou, 2010). This makes users likely to click a link or open a suspicious
attachment. After the initial awareness and information-sharing portion of the program, it is
expected that at least 25% of users will still fall victim to a phishing attack. As the program
progresses it will show users what they missed with each attack, and the number of
potential victims is expected to fall by 3-5% with each attack. At the end of the program it is
anticipated that less than 2% of users will remain susceptible to a spear phishing attack. This
group should consist largely of persons who were out of the office on vacation or sick leave and
thus missed the information.
Measuring Success
The success of this program will be measured tangibly. Through the tracking identifiers we will
know exactly who fell for each of the attacks. Knowing the persons, we also know which
departments pose the greatest risk to the organization, and from this we can determine whether
a customized plan is needed for them. The tracking statistics will also let us analyze whether
users got better at recognizing attacks, and which attacks were harder to recognize. The mandatory
quiz given towards the end of the program shows how well users have put it all together; it is
designed to test whether users have simply decided that all links and attachments are bad, or
whether they can truly recognize an attack.
At the end of the four (4) weeks we will be in a better position to determine where the users
stand and whether further training is required.
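The per-recipient tracking described in the testing schedule (day four onwards) and the Report Card Day statistics described here, as an added example; this is not the paper's own tooling. It assumes that an HMAC-SHA256 token carried in each message's link or attachment plays the role of the paper's tracking identifier, and the roster, click log and secret key are constructed for the example. The point of the MAC is that a simulation where a user can edit the identifier in a link and register a click against a colleague, or guess someone else's identifier, produces report-card numbers that cannot be trusted.

```python
"""Per-recipient tracking for the simulated attacks and the Report Card Day
statistics: who acted on which attack, the rate per attack and per
department, and whether the final attack meets the 2% goal.

Added example, not the paper's own tooling. Assumption: an HMAC-SHA256 token
carried in each message's link or attachment stands in for the paper's
tracking identifier. The roster, click log and secret key are constructed."""
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-tracking-key"   # assumption: held only by the tracking server


def make_token(secret, attack_id, uid):
    """Token embedded in one recipient's copy of one attack. The MAC binds the
    attack number and recipient together, so a user who edits the link cannot
    register a click against a colleague, nor guess anyone else's token."""
    body = f"a{attack_id}.u{uid}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:20]
    return f"{body}.{mac}"


def verify_token(secret, tok):
    """Return (attack_id, uid) for a genuine token, None for anything else."""
    try:
        a, u, mac = tok.split(".")
        attack_id, uid = int(a[1:]), int(u[1:])
    except ValueError:
        return None
    expected = hmac.new(secret, f"{a}.{u}".encode(), hashlib.sha256).hexdigest()[:20]
    return (attack_id, uid) if hmac.compare_digest(expected, mac) else None


def tally_clicks(secret, tokens):
    """Split recorded tokens into genuine (attack_id, uid) hits and rejects."""
    accepted, rejected = [], []
    for tok in tokens:
        hit = verify_token(secret, tok)
        (accepted if hit else rejected).append(hit or tok)
    return accepted, rejected


def report_card(roster, sent, clicked):
    """roster: {uid: department}; sent and clicked: (attack_id, uid) pairs.
    Returns the fraction who acted, per attack and per department. A person
    counts once per attack no matter how many times they clicked."""
    sent_attack, sent_dept = Counter(), Counter()
    hit_attack, hit_dept = Counter(), Counter()
    for a, u in sent:
        sent_attack[a] += 1
        sent_dept[roster[u]] += 1
    for a, u in set(clicked):
        hit_attack[a] += 1
        hit_dept[roster[u]] += 1
    by_attack = {a: hit_attack[a] / n for a, n in sorted(sent_attack.items())}
    by_dept = {d: hit_dept[d] / n for d, n in sent_dept.items()}
    return by_attack, by_dept


def goal_met(by_attack, target=0.02):
    """The paper's target: under 2% susceptible on the final attack."""
    return by_attack[max(by_attack)] < target


# Constructed roster and event log for ten employees in three departments.
ROSTER = {1: "Sales", 2: "Sales", 3: "Sales", 4: "Sales",
          5: "Finance", 6: "Finance", 7: "Finance",
          8: "IT", 9: "IT", 10: "IT"}
SENT = [(a, u) for a in range(1, 6) for u in ROSTER]   # all five attacks to everyone
CLICK_TOKENS = [make_token(SECRET, a, u) for a, u in
                [(1, 1), (1, 2), (1, 5), (1, 8), (2, 1), (2, 5), (2, 6),
                 (3, 2), (3, 5), (4, 5), (4, 5)]]
CLICK_TOKENS.append("a5.u9." + "0" * 20)   # forged token: tries to frame user 9

if __name__ == "__main__":
    hits, rejects = tally_clicks(SECRET, CLICK_TOKENS)
    by_attack, by_dept = report_card(ROSTER, SENT, hits)
    print("rejected tokens:", rejects)
    print("per attack:", by_attack)
    print("per department:", by_dept)
    print("goal met:", goal_met(by_attack))
```

With the constructed log, the rate per attack falls from 40% to 0% across the five attacks, Finance comes out as the most at-risk department, and the forged token is rejected rather than counted against user 9. The secret never leaves the tracking server; the messages carry only the token.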
Additional Recommendations
There are further ways to mitigate the risk of spear phishing within an organization. These
include, but are not limited to:
a. Create and enforce a computer and email usage policy.
b. Implement an Intrusion Detection System (IDS).
c. Patch systems promptly and regularly to narrow the window in which known vulnerabilities
can be exploited (patching cannot protect against a true zero-day, for which no fix yet exists).
d. Implement Database Activity Monitoring (DAM).
Conclusion
According to Dmitri Alperovitch (Gross, M. J., 2011), organizations fall into two
categories: “those that know they've been compromised, and those that don't know. If you have
anything that may be valuable to a competitor, you will be targeted, and almost certainly
compromised.” With the increasing sophistication of cyber espionage it is hard to keep
technical protection mechanisms up to date. Many of these exploits rely on social engineering and
therefore on human vulnerabilities to succeed. To mitigate the risk, organizations have found
it best to train employees to recognize these attacks and thus circumvent them. After all,
knowledge is power. The best defense against cyber attacks is knowing how to stand strong
against them.
References
APWG. (2011, July 31). Phishing activity trends report, 2nd half 2010. Retrieved from
http://www.antiphishing.org/reports/apwg_report_h2_2010.pdf
Fraudguides. (n.d.). Fake or "spoofed" email detection. Retrieved from
http://www.fraudguides.com/internet_detect_spoofed_email.asp
Gross, M. J. (2011, August 2). Operation Shady RAT—unprecedented cyber-espionage campaign and
intellectual-property bonanza. Vanity Fair. Retrieved from
http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109
Gross, M. J. (2011, September). Enter the cyber-dragon. Vanity Fair. Retrieved from
http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109
Krebs, B. (2011, April 11). After Epsilon: Avoiding phishing scams & malware. Retrieved from
http://krebsonsecurity.com/tag/phishing
Rasmussen, R., & Aaron, G. (2011, November 7). Global phishing survey: Trends and domain
name use in 1H 2011. Retrieved from
http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2011.pdf
Stephanou, T. (2010, June 26). Bursting the bubble. Retrieved from
http://alinement.net/component/content/article/58
Woulfe, M. (2010, September). Corporate training pulse check. Training and Development, 64(9),
62-65.
Zonealarm. (2011, July 26). The dark side of social media: How phishing hooks users. Retrieved
from http://blog.zonealarm.com/2011/07/how-phishing-hooks-users.html
Appendix 1
Employee listing and results of targeted emails
Appendix 2
Phishing Emails
1 - TOP Secret - Highly Confidential (Word document)
2 - Create a fortune (Requested reply to specific email and Excel attachment)
3 - Confidential Payroll information (Excel spreadsheet)
4 - Email inviting the employee to update their contact information (click on a specific URL)
5 - Email inviting the employee to review the new organizational chart (PDF document)
Appendix 3