Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Got 99 Email Problems, and Spearphishing Ain'...

bromiley
March 19, 2019
Technology
0
92

I Got 99 Email Problems, and Spearphishing Ain't One

When defenders think of email threats, they often think of spearphishing and how to defend against it. However, ask an attacker about email threats, and their opinion may be very different. Many attackers are taking advantage of email servers to gain footholds into the environment, steal accounts, or in some cases, even steal the entire Active Directory! Come join me for a fun night where we turn the tables back to blue.

In this talk, we are going to examine the other side of email threats. Via an examination of attack and detection techniques, attendees will walk away with greater knowledge of how these attacks are orchestrated. Furthermore, we are going to look at how to potentially detect and defend within your own environment.

bromiley

March 19, 2019
Tweet

More Decks by bromiley

See All by bromiley
Purple Packets - BSides Austin 2019
bromiley
0
280
SANS 2019 CTI Summit Keynote
bromiley
1
84
Event Logs? What Event Logs?
bromiley
0
41
Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
bromiley
0
180
Going Right to the Data, Part 2: An Advanced Look at MS SQL Forensic Analysis
bromiley
0
73
Database Forensics without the Database
bromiley
0
4.6k
Cache Me If You Can!
bromiley
1
440
Beef Up Your DFIR Toolbox with Elasticsearch
bromiley
0
230
NoSQL Forensics: What to do with (No)ARTIFACTS
bromiley
2
400

Other Decks in Technology

See All in Technology
福岡新卒エンジニアの会
teba_eleven
1
140
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
190
使えそうで使われないCloudHSM
maikamibayashi
1
250
Exadata Database Service on Cloud@Customer セキュリティ、ネットワーク、および管理について
oracle4engineer
PRO
0
1.1k
フルカイテン株式会社 採用資料
fullkaiten
0
39k
今、始める、第一歩。 / Your first step
yahonda
2
410
VPC間の接続方法を整理してみた #自治体クラウド勉強会
non97
1
1k
コンテナのトラブルシューティング目線から AWS SAW についてしゃべってみる
kazzpapa3
1
120
マルチモーダルRAGやってみた
tanimon
0
110
AWS⼊社という選択肢、⾒えていますか
iwamot
1
750
家具家電付アパートの冷蔵庫をIoT化してみた!
scbc1167
0
140
SREの前に
nwiizo
9
1.4k

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Practical Orchestrator
shlominoach
186
10k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
A Philosophy of Restraint
colly
203
16k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8k
Code Reviewing Like a Champion
maltzj
519
39k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
2k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Why Our Code Smells
bkeepers
PRO
334
57k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
168
50k

Transcript

  1. I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

  2. HOW WE GOT HERE

  3. HOW WE GOT HERE What have we been saying for

    years? You must put MFA in front of everything!

  4. HOW WE GOT HERE What have applications been doing for

    years? Finding ways around it.

  5. HOW WE GOT HERE What have users been doing? Developing

    bad habits.

  6. HOW WE GOT HERE New Old

  7. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

  8. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP

  9. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP O365/Cloud-Hosted On-Prem Needs

  10. WEAK AUTHENTICATION KEEPING YOU DOWN?

  11. WEAK AUTHENTICATION KEEPING YOU DOWN? • Many recent Exchange vulnerabilities

    have dealt with NTLM abuse • A recently-disclosed attack allows for privilege escalate via NTLM Relay + Exchange

  12. IN WITH THE NEW

  13. IN WITH THE NEW

  14. IN WITH THE NEW

  15. IN WITH THE NEW

  16. IN WITH THE NEW

  17. WEAK AUTHENTICATION KEEPING YOU DOWN? • Weak authentication is allowing

    more than advanced attacks… …it’s allowing attackers to use older tools and protocols.

  18. NIGERIA: DOING EMAIL RIGHT

  19. OUT WITH THE OLD

  20. not an actual forward acmeacb =/= acmeabc OUT WITH THE

    OLD

  21. IN WITH THE NEW

  22. OUT WITH THE OLD

  23. IN WITH THE NEW

  24. IN WITH THE NEW

  25. SPEAR PHISHING TECHNIQUES (I KNOW, WE SAID WE WOULDN’T TALK

    ABOUT THESE) • Transposed/Character Substitution Domains • Unicode Play • Email Body Encoding/Obfuscation • Anyone here know RFC 2047? • Encoded Email Header Data: Subject: =?utf- 8?B?0JDRgdGB0L51bnQgU3XRgNGA0L5ydCBO0L50aWZp0YHQsHRp 0L5uICNJRDox?==?utf-8?Q?72932?=

  26. TECHNIQUE CALL OUT: WEBSITE REPLICTION DATA ENCODING DATA OBFUSCTION SPEAR

    PHISHING LINK TARGETED CAMPAIGNS

  27. IN WITH THE NEW

  28. TECHNIQUE CALL OUT: AUTOMATED CREDENTIAL COLLECTION, NORMALIZATION, AND ENRICHMENT

  29. IN WITH THE NEW Once credentials are obtained, attackers will

    take two roads: 1) Synchronize mailboxes 1) Do this by subverting MFA with application passwords. 2) Learn flow of money. 2) Steal address books 1) Do this by using a Mac. 2) Learn who you trust.

  30. IN WITH THE NEW

  31. IN WITH THE NEW

  32. IN WITH THE NEW

  33. IN WITH THE NEW

  34. IN WITH THE NEW

  35. IN WITH THE NEW

  36. TECHNIQUE CLASSIFICATION: INTRA- and INTER-ORGANIZATIONAL LATERAL MOVEMENT VIA EMAIL

  37. IN WITH THE NEW

  38. IN WITH THE NEW

  39. IN WITH THE NEW

  40. TECHNIQUE CALL OUT: TRUSTED RELATIONSHIP ABUSE

  41. NOT YOUR MAILBOX ANYMORE • Subvert trust with address book

    sending • Implement Inbox Rules to forward, delete and hide mail • SMTP Forwarding • Searching for keywords (“wire”, “payment”, “invoice”, “remittance”) • MFA 0-Fs given • Application Passwords • Users accept anyways

  42. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email

  43. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email

  44. DEFENSE

  45. DEFEN(S|C)E

  46. None

  47. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Multi-Factor Hover-Over Verbal Verify Strong Passwords Don’t Click Things Visual Verify Monitor Application Passwords External Address Flagging Invoice Template Signing Active Directory Integration DMARC Multi-Person Verification Post-Click URL Validation

  48. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery Multi-Factor Hover-Over Verbal Verify Notify FBI Strong Passwords Don’t Click Things Visual Verify Notify Bank Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation

  49. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation

  50. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortabl e. Post-Click URL Validation

  51. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortable Post-Click URL Validation Pay Attention

  52. HOW DO WE DEFEND AGAINST SPEAR PHISHING? We don’t.. We

    teach users to be better.

  53. ” “ SOLVING PROBLEMS TOGETHER

  54. None
  55. None
  56. None
  57. None
  58. None
  59. None
  60. None

  61. October 2013 – May 2016 $3.1bn in losses $3.168 mil/day

    Source: https://threatpost.com/fbi-email-scams-take-3-1-billion-toll-on-businesses/118696/

  62. October 2013 – June 2018 $12.5bn in losses $7.366 mil/day

    Source: https://www.ic3.gov/media/2018/180712.aspx

  63. I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

    BUT – IT’S USUALLY THE START

  64. ” “ Work Together.

  65. ” “ Work Together. We keep dreams afloat.

  66. Thank You. @mbromileyDFIR