Tuesday, February 24, 2015

The Art of Phish - A more in depth analysis of the issue

Very recently, and as I discussed in my last post, I received a very good phishing email that was well targeted, relevant to my status as a student, and very convincingly put together.  This led me to think about the best way to protect my customers from becoming the victim of a phishing campaign.

Spearphishing has changed the game a bit.  With tools like Data.com out there giving incredibly in-depth information for a very low price (around $1 per contact, less if you know how to use Google properly), someone who wants into an organization will have no problem finding the names and email addresses of high-ranking people to attack.  Spamming and phishing used to require a wide net, which meant it was likely some blacklist somewhere would pick up the spammer and help to protect your users.  Now, with such targeted attacks, we can no longer rely on blacklists for anything but the most mundane spam protection.

So what can protect us?

We are faced with an ever-expanding number of platforms that access corporate email and resources.  Because of this, we need to look at how to protect at the server level, regardless of the email client used to read the mail.  I am a big fan of content filtering emails, but can we somehow integrate a back check on links?  Is there even a decent threat intelligence database on phishing attacks?

I have been vocal in my thoughts on threat intelligence, and because someone can spin up an AWS instance and register a domain name in minutes these days, I really don't think that the threat intel model works at all for anti-phishing, especially the targeted spearphishing that I am really concerned with.  Whitelisting links would be an option, but there's no possible way for an IT department of any size to manage a whitelist of acceptable websites that are allowed to send a link.  It would be a huge burden, and would quickly die off as a good idea that couldn't be maintained.

Also, a huge portion of the malware I see delivered to my clients comes through malicious software uploaded to sites like Dropbox and others that may have legitimate business uses.  I can't virus scan them because the file is out in the cloud.  I can't block Dropbox for a lot of clients because they do use it for legitimate purposes.

So what can we do?

I have three things I am going to try to implement going forward.

1. Strip display names from emails.  Sure, they look nice and make email more readable, but they also hide the domain name of the email address.  If I don't deliver a display name, no client will display one, unless the sender is already in the user's address book.  I want people to see raw email addresses as opposed to the masqueraded display names attackers hide behind.  As I figure out how to do this in Exchange, I will put up another post with directions.

2. Disable HREFs and display them in plaintext.  Making a user copy and paste an address will discourage mobile use, and is a tried and true way to make a user look harder at a link.

3. Educate users about the risks continuously, instead of in one big class.  If we make education a continuous process, and make the content relevant and simple, we will get better results than we would in a classroom environment.

Monday, February 23, 2015

The Art of Phish - Spamming in the new age of Infosec

Those of you who know me from Twitter may have seen that I posted a pretty convincing Phishing email that I received on Sunday night on my school email account.  I took away a few things as a security practitioner from this event.

1. Display names should always be shown together with the email address.  Sure, display names look pretty, but seeing "Amazon Student" instead of the spammy email address that was hiding behind it probably leads to far more clicks than it would if people saw the whole picture up front.

2. Phishing emails are getting really REALLY good.  People will fall for them not because they're lazy or overly gullible; they will fall for them because there is an art to spamming.

3. Links should be displayed.  I turn off HTML formatting when I see a suspicious message.  Maybe we can pop up something that displays just the domain name of the link before a user is allowed to follow it?  I am open to suggestions here.

These get better every day, and no user training in the world is going to eliminate this activity.  Tight content filtering policies would have prevented this one: when I cross-checked the destination URL, it showed up as an uncategorized site.
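The first two measures in the February 24 post above (strip display names, turn HREFs into plain text) and the first and third observations in this post (show the address, show the link's domain before it is followed) are the same server-side rewrite. The script below is an added example using only the Python standard library; it is not code from these posts and not an Exchange transport rule. The sample message, the addresses and the .invalid hostnames are constructed. It also flags the common case where the visible link text is itself a URL on a different host than the real href.

```python
"""Server-side hardening of inbound mail: strip display names from address
headers and replace HTML anchors with plain text that shows the real target
host.  Added example; the message below is constructed, not a real phish."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses
from urllib.parse import urlparse

ADDRESS_HEADERS = ("From", "Reply-To", "Sender", "To", "Cc")

# Constructed sample: a friendly display name masks the sending domain, and
# the visible text of the first link is a URL on a different host than the
# href.  The .invalid TLD is reserved and never resolves.
SAMPLE_RAW = """\
From: "Amazon Student" <offers@student-rewards.invalid>
Reply-To: "Amazon Student" <reply@student-rewards.invalid>
To: "Some Student" <student@university.example>
Subject: Your Amazon Student membership
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Claim your reward at <a href="http://student-rewards.invalid/login">https://www.amazon.com/student</a></p>
<p>Questions? <a href='http://student-rewards.invalid/help'>Contact us</a></p>
</body></html>
"""


def strip_display_names(value: str) -> str:
    """Return an address header value with every display name removed."""
    return ", ".join(addr for _name, addr in getaddresses([value]) if addr)


def link_host(url: str) -> str:
    """Lower-cased host of a URL, or '?' when it cannot be parsed."""
    return (urlparse(url.strip()).hostname or "?").lower()


# Matches <a ... href=URL ...>TEXT</a> with double-, single- or un-quoted href.
_ANCHOR = re.compile(
    r"<a\b[^>]*?\bhref\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))[^>]*>(.*?)</a>",
    re.IGNORECASE | re.DOTALL,
)


def _strip_tags(fragment: str) -> str:
    return re.sub(r"<[^>]+>", "", fragment).strip()


def defang_links(html: str) -> str:
    """Replace each anchor with its visible text plus the real destination in
    plain text, so the user has to copy the address and sees the host first."""
    def repl(m):
        href = m.group(1) or m.group(2) or m.group(3) or ""
        text = _strip_tags(m.group(4))
        host = link_host(href)
        if re.match(r"https?://", text, re.IGNORECASE) and link_host(text) != host:
            # Visible text is a URL that does not match where the link really goes.
            return f"{text} [WARNING: text says {link_host(text)} but link goes to {host} - {href}]"
        return f"{text} [link: {host} - {href}]"
    return _ANCHOR.sub(repl, html)


def harden_message(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message and apply both rewrites to it."""
    msg = message_from_string(raw, policy=policy.default)
    for header in ADDRESS_HEADERS:
        if header in msg:
            stripped = strip_display_names(str(msg[header]))
            del msg[header]          # removes every instance of the header
            msg[header] = stripped
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            part.set_content(defang_links(part.get_content()), subtype="html")
    return msg


if __name__ == "__main__":
    hardened = harden_message(SAMPLE_RAW)
    print(hardened.as_string())
```

In production this logic would sit in the mail transport (a milter, a transport agent, or an Exchange transport rule, which the post above says is still being worked out), before any client sees the message; the point of the example is the transformation itself, which is client-independent.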


Friday, February 13, 2015

Where does threat intelligence best fit in? Securing from the Inside Out

To answer this question, I started with a different question:

"What threats are causing me problems, and what threats do I foresee causing me issues?"

I went back through trouble tickets and assigned the threat sources to categories as I ran across them.  I did not define my buckets before I started, as I did not want any bias to be present to confirm any of my current suspicions.  I really came up with three categories of threat vector:

1. Googling downloads: A huge amount of the malware we deal with daily comes from malicious repacks of iTunes and Flash, among a few other things. 

How can I block access to malware laden repacks?

2. Phishing: This one really goes without explanation.

How can I block the most common phishing attacks?

3. Personal Email: People need to be able to check personal email at work, I understand this.  I know many of you will disagree, but the political impact of blocking personal email accounts at the office is significant and isn't a battle worth fighting for a lot of execs.  I know of one CISO who lost his job because he implemented this, and would not relent.  

How can I prevent users from bypassing email scanning and downloading compromised attachments?

With those three questions asked, the answer for me was even fuzzier than before.  How does threat intelligence help with these problems, and is threat intelligence the answer to my questions?

For me the answer was no to two of these problems, and a maybe to the first.  Would threat intel help me with the problem of people Googling downloads?  Probably.  Can I do it effectively without buying another blinky box?  Probably.

If I were managing a perimeter that had a large attack surface, I could see spending the money on something to dynamically update lists of bad IPs and IPS definitions.  But as we have seen in the past few years, most major breaches have come through much harder-to-predict threat vectors that I am not sure current versions of threat intel really help with.

What I am driving at is that, for me, the focus will be on securing from the inside to the outside, as opposed to focusing on the perimeter and trying to prevent script kiddies from port scanning my web servers.  My analysis of the most prevalent threats leads me to look at workstation integrity first and foremost.