Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Got 99 Email Problems, and Spearphishing Ain'...

I Got 99 Email Problems, and Spearphishing Ain't One

When defenders think of email threats, they often think of spearphishing and how to defend against it. However, ask an attacker about email threats, and their opinion may be very different. Many attackers are taking advantage of email servers to gain footholds into the environment, steal accounts, or in some cases, even steal the entire Active Directory! Come join me for a fun night where we turn the tables back to blue.

In this talk, we are going to examine the other side of email threats. Via an examination of attack and detection techniques, attendees will walk away with greater knowledge of how these attacks are orchestrated. Furthermore, we are going to look at how to potentially detect and defend within your own environment.

bromiley

March 19, 2019
Tweet

More Decks by bromiley

Other Decks in Technology

Transcript

  1. HOW WE GOT HERE What have we been saying for

    years? You must put MFA in front of everything!
  2. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP O365/Cloud-Hosted On-Prem Needs
  3. WEAK AUTHENTICATION KEEPING YOU DOWN? • Many recent Exchange vulnerabilities

    have dealt with NTLM abuse • A recently-disclosed attack allows for privilege escalate via NTLM Relay + Exchange
  4. WEAK AUTHENTICATION KEEPING YOU DOWN? • Weak authentication is allowing

    more than advanced attacks… …it’s allowing attackers to use older tools and protocols.
  5. SPEAR PHISHING TECHNIQUES (I KNOW, WE SAID WE WOULDN’T TALK

    ABOUT THESE) • Transposed/Character Substitution Domains • Unicode Play • Email Body Encoding/Obfuscation • Anyone here know RFC 2047? • Encoded Email Header Data: Subject: =?utf- 8?B?0JDRgdGB0L51bnQgU3XRgNGA0L5ydCBO0L50aWZp0YHQsHRp 0L5uICNJRDox?==?utf-8?Q?72932?=
  6. IN WITH THE NEW Once credentials are obtained, attackers will

    take two roads: 1) Synchronize mailboxes 1) Do this by subverting MFA with application passwords. 2) Learn flow of money. 2) Steal address books 1) Do this by using a Mac. 2) Learn who you trust.
  7. NOT YOUR MAILBOX ANYMORE • Subvert trust with address book

    sending • Implement Inbox Rules to forward, delete and hide mail • SMTP Forwarding • Searching for keywords (“wire”, “payment”, “invoice”, “remittance”) • MFA 0-Fs given • Application Passwords • Users accept anyways
  8. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email
  9. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email
  10. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Multi-Factor Hover-Over Verbal Verify Strong Passwords Don’t Click Things Visual Verify Monitor Application Passwords External Address Flagging Invoice Template Signing Active Directory Integration DMARC Multi-Person Verification Post-Click URL Validation
  11. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery Multi-Factor Hover-Over Verbal Verify Notify FBI Strong Passwords Don’t Click Things Visual Verify Notify Bank Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation
  12. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation
  13. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortabl e. Post-Click URL Validation
  14. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortable Post-Click URL Validation Pay Attention
  15. October 2013 – May 2016 $3.1bn in losses $3.168 mil/day

    Source: https://threatpost.com/fbi-email-scams-take-3-1-billion-toll-on-businesses/118696/
  16. October 2013 – June 2018 $12.5bn in losses $7.366 mil/day

    Source: https://www.ic3.gov/media/2018/180712.aspx