To make training stick, immerse employees

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

Breaking the Myths of Social Engineering

Last week, a Washington Post article by Robert O’Harrow offered an interesting look at the most common attack vector used by cybercriminals to penetrate enterprises today: spear phishing. While we applaud (loudly) the thrust of the article – that enterprises need to educate users on the dangers of spear phishing – there are some very real challenges in user education that the article does not address.

LinkedIn password leak: What it means for phishing

Spoiler: LinkedIn password leak: What it means for phishing?  Answer:  Not Much!

When people talk to us about phishing, they often want to know “What’s next in phishing? What else are you seeing?”

This gets asked a lot, and is one of my least favorite questions because the truth is, email based spear phishing works as-is It has no reason to evolve right now.

2011 – The year of spear phishing And spear phishing

spearphish vs spearphish

spear phish vs. spear phish

An odd title for a blog post but something that has been on my mind for a while now. We get a fair amount media requests for comments or perspective on phishing stories.  This is a good thing. It’s nice to have recognition in your field. Of course 2011 was no shortage of phishing related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo. Couldn’t hurt?)

Spear Phishing with Password Protected Zip Files

The Slashdot headline this morning reads: Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

What is it about? Simple, the poison ivy trojan wrapped in a password protected ZIP file so it can get past filtering.  Symantec has an excellent analysis of these attacks in a paper titled: The Nitro Attacks: Stealing Secrets from the Chemical Industry by Eric Chien and Gavin O’Gorman.  You can read the entire paper here.

The most recent attacks focusing on the chemical industry are using password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive.”

Packing malicious code into ZIP file and including the password in the body of the email is fairly common spear phishing technique that has been going on for quite some time.  In fact, we have specific training about this tactic available at PhishMe. Here is a small snip from our training about password protected ZIP files:

By now you may be aware of spear-phishing emails that contain malicious attachments.  We have technology in place that scans email looking for malicious attachments, but it’s not foolproof.  In this cat-and-mouse game, the bad guys are always looking for new ways to get past our safeguards.
One technique they use is placing the malicious attachment inside of a password protected ZIP file. It works like this:  the attacker zips the malicious file, then puts the password for the ZIP file in the body of the email. They do this because they know our email security tools can’t see what is inside the protected ZIP file.
 
Existing PhishMe customers:  If you haven’t gotten the message out to your people about spear phishing using password protected ZIP files, login to you account and check it out.
 

Future customers:  You could be using our award winning solution right now to train people about this exact tactic.

stay safe,

Aaron Higbee

Machines v/s Humans: Who Do You Think Is More Intelligent?

As the barrage of security breaches continues, Citigroup is the latest victim. This eWeek article: http://www.eweek.com/c/a/Security/Citigroup-Credit-Card-Portal-Breach-Compromises-200000-Customers-461930/ discusses the potential impact of this attack.   One of the commentators brings up the topic of phishing.   Hannigan, the CEO of Q1 labs, rightly points out that  “Security trust means more than just making sure you’re in compliance with regulations,”. On the other hand, some of the quotes, like that from Anup Ghosh, co-founder of Invincea has a blatant technology solution vendor bias. He discounts human intelligence when referring to customers in this quote – “it’s not reasonable to expect them to differentiate spear phishing attacks”. So technology can differentiate these attacks but humans can’t? The claim is baseless.

Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats – .docx, .xlsx, .chm (and the list goes on)?  How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (hint: not very long)

What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology do more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea – defending against spear phishing needs a multi-pronged approach – education/training, technology at the mail server, technology at the end point…and even then the bad guys may succeed; but you’ve raised the bar!

Phishing and Spear-Phishing and APTs, oh my!

With all of the media coverage on the recent flurry of successful phishing attacks targeting RSA, Epsilon’s clients and their customers, and Oak Ridge, it’s come to our attention that the fire hose of terms might leave some people confused.  We thought it might be a good opportunity to explain what some of these terms are (and aren’t).

Phishing

Phishing essentially boils down to an adversary tricking a victim into doing something. Email is, by far, the most common medium used but others are certainly possible (snail mail, telephone calls, etc.).

A traditional consumer email phish is what most of us are familiar with. It will try to get the recipient to give-up their login credentials by displaying a fake login form that looks like a legitimate site. But sometimes the attacker only wants the user to click a link to exploit a security vulnerability in the recipient’s web browser or email client.  And in the case of the attack on Oak Ridge, recipients were asked to open a specially crafted attachment which exploited a security vulnerability in the program used to open it. If you’re not familiar with these, go check out PhishTank.

Spear-Phishing

Many people think that “spear-phishing” and “phishing” are interchangeable; not true!

A spear-phisher has done their homework to create a targeted attack. They’re sending baited emails to specific individuals (or, a very small group of individuals — like the accounting department, for example).

This could be as simple as including the targeted company’s logo in the email and fake login page.  Or it could be as sophisticated as sending an email that appears to come from an individual who actually works at the company about a topical subject (“Hi John – Please complete and return this form to enroll you and your family in the new health care program that President Smith talked about at last month’s all-hands.  Thanks!  –Sally Jones”).

The spear-phishing label had been mostly reserved for enterprises. But now with the Epsilon breach, consumers will likely start receiving more tailored and targeted phishing scams. So we won’t cringe as much when people confuse phishing and spear-phishing because the line is getting blurred.

Advanced Persistent Threat (APT)

This term is getting thrown around a lot lately. A lot.

There is quite a bit of disagreement in the information security community as to the “correct” definition of an APT. Some people feel it is a “who” (for example, China and/or Russia), some think it’s a “what” (a hacking incident that meets certain, sometimes subjective, criterion), while other people believe it’s a marketing gimmick or an excuse as to why an adversary was successful. When we think of APT at PhishMe, we focus on the “persistent” part:  the realization that an organization now has to do business despite the fact they have bad guys inside of their network, and there is a good chance they will NEVER be able to fully rid themselves of this threat.  Since the attackers are, by definition “advanced”, they are able to maintain a persistent foothold in an organization.

Unfortunately the misuse of the term APT presents a marketing challenge for us.   When people talk about APT, spear-phishing naturally enters into the conversation.  The reason is simple, attackers need to break in first before they can become a “ persistent threat”.  And it’s no surprise  that they are getting in via well-crafted spear-phishing emails. So while spear-phishing is the attack vector that leads to APT, APT is the ugly fact that you may never find a cure to get rid of your persistent threat.  People seem to agree with this part of the APT definition, but it seems most technology vendors have successfully been able to re-write the definition of APT to be a convenient scapegoat for anything that circumvented their “bullet proof” technology.

Post Sales Engineer: “Did you have it configured in super-duper-malware analyze mode? .. You did? and you still got owned? Well, it was an APT, what do you expect from us!@# – click”

If our message gets lost in the APT marketing noise, then accept our humble apology in advance for “can’t-beat-em-join-em” regarding the misuse of the term APT in future marketing initiatives.

Fortunately, it’s possible to thwart a spear phishing attack  …before it gets Advanced or Persistent.

Cheers!

Doug Hagen

Whitepaper: The State of Information Security 2008

I just got back from The Credit Union Information Security Professionals Association 3rd annual National event in Austin Texas where Rohyt and I were talking to the folks about www.PhishMe.com.
I have never attended a CUISPA event before and welcomed the opportunity. It was refreshing to see this industry work together. Credit unions don’t have the budgets larger institutions do and many of their technologists wear multiple hats. Security is a group effort. (as it should be)

Two major takeaways I had from the conference:

1.) Credit Union security professionals have a can-do attitude and value networking with their peers to solve their security woes
2.) Don’t show up to a Credit Union event dressed in New York-Financial attire (unless you enjoy looking like that creepy sales guy) 🙂

On the heels of the CUISPA event is a good white paper I saw on BankInfoSecurity.com titled The State of Information Security 2008 – Survey Executive Overview (Free signup)

Tom Field (Editorial Director) did a good job putting the overview together. The top security issues I heard the Credit Union folks discuss are the same ones captured in this survey. (It’s good to see that this paralleled what I saw in person at CUISPA … too often these days a whitepaper is just a synonym for marketing fluff.)

Of course the #3 issue “3) Training – Employees, Customers Need More.” grabs our attention as our http://phishme.com/ moves from beta and inches towards launch.
I’m beyond excited.
-higB

p.s. If you happen to attend my ShmooCon 2008 presentation please be kind with the Shmooballs.