Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Got 99 Email Problems, and Spearphishing Ain'...

bromiley
March 19, 2019
Technology
0
92

I Got 99 Email Problems, and Spearphishing Ain't One

When defenders think of email threats, they often think of spearphishing and how to defend against it. However, ask an attacker about email threats, and their opinion may be very different. Many attackers are taking advantage of email servers to gain footholds into the environment, steal accounts, or in some cases, even steal the entire Active Directory! Come join me for a fun night where we turn the tables back to blue.

In this talk, we are going to examine the other side of email threats. Via an examination of attack and detection techniques, attendees will walk away with greater knowledge of how these attacks are orchestrated. Furthermore, we are going to look at how to potentially detect and defend within your own environment.

bromiley

March 19, 2019
Tweet

More Decks by bromiley

See All by bromiley
Purple Packets - BSides Austin 2019
bromiley
0
280
SANS 2019 CTI Summit Keynote
bromiley
1
84
Event Logs? What Event Logs?
bromiley
0
41
Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years
bromiley
0
180
Going Right to the Data, Part 2: An Advanced Look at MS SQL Forensic Analysis
bromiley
0
73
Database Forensics without the Database
bromiley
0
4.6k
Cache Me If You Can!
bromiley
1
440
Beef Up Your DFIR Toolbox with Elasticsearch
bromiley
0
230
NoSQL Forensics: What to do with (No)ARTIFACTS
bromiley
2
400

Other Decks in Technology

See All in Technology
Next.jsとNuxtが混在? iframeでなんとかする!
ypresto
1
130
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
780
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
130
Taming you application's environments
salaboy
0
200
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
2
500
SDNという名のデータプレーンプログラミングの歴史
ebiken
PRO
2
130
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
150
日経電子版のStoreKit2フルリニューアル
shimastripe
1
150
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
210
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
110

Featured

See All Featured
Happy Clients
brianwarren
98
6.7k
Ruby is Unlike a Banana
tanoku
97
11k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Code Review Best Practice
trishagee
64
17k
GitHub's CSS Performance
jonrohan
1030
460k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Optimizing for Happiness
mojombo
376
70k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Become a Pro
speakerdeck
PRO
25
5k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Practical Orchestrator
shlominoach
186
10k

Transcript

  1. I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

  2. HOW WE GOT HERE

  3. HOW WE GOT HERE What have we been saying for

    years? You must put MFA in front of everything!

  4. HOW WE GOT HERE What have applications been doing for

    years? Finding ways around it.

  5. HOW WE GOT HERE What have users been doing? Developing

    bad habits.

  6. HOW WE GOT HERE New Old

  7. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

  8. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP

  9. HOW WE GOT HERE New Old Modern Authentication Basic Authentication

    Multi-Factor EWS, IMAP, POP O365/Cloud-Hosted On-Prem Needs

  10. WEAK AUTHENTICATION KEEPING YOU DOWN?

  11. WEAK AUTHENTICATION KEEPING YOU DOWN? • Many recent Exchange vulnerabilities

    have dealt with NTLM abuse • A recently-disclosed attack allows for privilege escalate via NTLM Relay + Exchange

  12. IN WITH THE NEW

  13. IN WITH THE NEW

  14. IN WITH THE NEW

  15. IN WITH THE NEW

  16. IN WITH THE NEW

  17. WEAK AUTHENTICATION KEEPING YOU DOWN? • Weak authentication is allowing

    more than advanced attacks… …it’s allowing attackers to use older tools and protocols.

  18. NIGERIA: DOING EMAIL RIGHT

  19. OUT WITH THE OLD

  20. not an actual forward acmeacb =/= acmeabc OUT WITH THE

    OLD

  21. IN WITH THE NEW

  22. OUT WITH THE OLD

  23. IN WITH THE NEW

  24. IN WITH THE NEW

  25. SPEAR PHISHING TECHNIQUES (I KNOW, WE SAID WE WOULDN’T TALK

    ABOUT THESE) • Transposed/Character Substitution Domains • Unicode Play • Email Body Encoding/Obfuscation • Anyone here know RFC 2047? • Encoded Email Header Data: Subject: =?utf- 8?B?0JDRgdGB0L51bnQgU3XRgNGA0L5ydCBO0L50aWZp0YHQsHRp 0L5uICNJRDox?==?utf-8?Q?72932?=

  26. TECHNIQUE CALL OUT: WEBSITE REPLICTION DATA ENCODING DATA OBFUSCTION SPEAR

    PHISHING LINK TARGETED CAMPAIGNS

  27. IN WITH THE NEW

  28. TECHNIQUE CALL OUT: AUTOMATED CREDENTIAL COLLECTION, NORMALIZATION, AND ENRICHMENT

  29. IN WITH THE NEW Once credentials are obtained, attackers will

    take two roads: 1) Synchronize mailboxes 1) Do this by subverting MFA with application passwords. 2) Learn flow of money. 2) Steal address books 1) Do this by using a Mac. 2) Learn who you trust.

  30. IN WITH THE NEW

  31. IN WITH THE NEW

  32. IN WITH THE NEW

  33. IN WITH THE NEW

  34. IN WITH THE NEW

  35. IN WITH THE NEW

  36. TECHNIQUE CLASSIFICATION: INTRA- and INTER-ORGANIZATIONAL LATERAL MOVEMENT VIA EMAIL

  37. IN WITH THE NEW

  38. IN WITH THE NEW

  39. IN WITH THE NEW

  40. TECHNIQUE CALL OUT: TRUSTED RELATIONSHIP ABUSE

  41. NOT YOUR MAILBOX ANYMORE • Subvert trust with address book

    sending • Implement Inbox Rules to forward, delete and hide mail • SMTP Forwarding • Searching for keywords (“wire”, “payment”, “invoice”, “remittance”) • MFA 0-Fs given • Application Passwords • Users accept anyways

  42. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email

  43. TECHNIQUE ROUNDUP • Well-Funded • Trusted Relationship Abuse • Intra-

    and Inter-Organizational Lateral Movement • Data Obfuscation • Data Encoding • Automated Credential Theft • Targeted Campaigns • Website Replication • Multiple Types of Spear phishing • MFA Bypass • Exfiltration via Email

  44. DEFENSE

  45. DEFEN(S|C)E

  46. None

  47. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Multi-Factor Hover-Over Verbal Verify Strong Passwords Don’t Click Things Visual Verify Monitor Application Passwords External Address Flagging Invoice Template Signing Active Directory Integration DMARC Multi-Person Verification Post-Click URL Validation

  48. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery Multi-Factor Hover-Over Verbal Verify Notify FBI Strong Passwords Don’t Click Things Visual Verify Notify Bank Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation

  49. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. Active Directory Integration DMARC Multi-Person Verification Change Passwords Post-Click URL Validation

  50. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing. “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortabl e. Post-Click URL Validation

  51. DEFENSE MATRIX – BEC STYLE Authentication Sender/Link Verification ACH Payments

    Recovery All Else Fails Human Multi-Factor Hover-Over Verbal Verify Notify FBI Unplug Internet Funny Feeling Strong Passwords Don’t Click Things Visual Verify Notify Bank Go Home, Polish Resume Not Normal Monitor Application Passwords External Address Flagging Invoice Template Signing Call Counsel Do Nothing “Not Done Like This” Active Directory Integration DMARC Multi-Person Verification Change Passwords Uncomfortable Post-Click URL Validation Pay Attention

  52. HOW DO WE DEFEND AGAINST SPEAR PHISHING? We don’t.. We

    teach users to be better.

  53. ” “ SOLVING PROBLEMS TOGETHER

  54. None
  55. None
  56. None
  57. None
  58. None
  59. None
  60. None

  61. October 2013 – May 2016 $3.1bn in losses $3.168 mil/day

    Source: https://threatpost.com/fbi-email-scams-take-3-1-billion-toll-on-businesses/118696/

  62. October 2013 – June 2018 $12.5bn in losses $7.366 mil/day

    Source: https://www.ic3.gov/media/2018/180712.aspx

  63. I GOT 99 EMAIL PROBLEMS, AND SPEAR PHISHING AIN’T ONE

    BUT – IT’S USUALLY THE START

  64. ” “ Work Together.

  65. ” “ Work Together. We keep dreams afloat.

  66. Thank You. @mbromileyDFIR