low tech threats: protecting the people side of security · 2019. 4. 22. · betabot: powersystems...
TRANSCRIPT
Low Tech Threats: Protecting the People Side of Security
Ryan Kalember, March 16 2019
© 2019 Proofpoint. All rights reserved
Attacks increasingly target people, not infrastructure
• $12.5B+ direct losses worldwide (Oct 2013 – May 2018); 78,617 incidents worldwide. Source: FBI.
• 99%+ rely on the user to run malicious code
• 300%+ increase in corporate credential phishing (Q2 to Q3 2018). Source: Proofpoint Threat Data.
EMAIL FRAUD IS A BOARD-LEVEL ISSUE FOR ALL INDUSTRIES
INFRASTRUCTURE SHIFTS CREATE NEW THREAT VECTORS, DATA EXPOSURE
THREATS USE SOCIAL ENGINEERING, NOT VULNERABILITIES
• 63% of orgs exposed to targeted attacks; 37% of orgs detected a successful breach. Source: Proofpoint Threat Data.
Account takeover is a growing problem
It’s all about the credential!
And it doesn’t work if the target doesn’t click (or you block it)
What About the Lowest Tech Threat of All?
What Attacker Innovation Looks Like
It starts with an email. Which contains a PDF. The PDF has a link. Which points to SharePoint. The SharePoint hosts a PDF. And that PDF has a link. And if you click that link... you get phished.
STAY AHEAD OF THE THREAT ACTORS
Defenders don’t focus on people, attackers do
IT Security Spending (Source: Gartner, 2017 forecast): Network 62%, Endpoint 18%, Email 8%, Web 12%
Attack Vectors (Source: 2018 Verizon DBIR): 93% of all breaches are attacks targeting people, 96% via email
Defensive strategy needs to rival attacker tactics
LEGACY APPROACH: Protect channels, devices, data
CURRENT ATTACKER TACTICS: Target people, across all channels
Assessing the Human Attack Surface: Who are your VAPs?
VAPs = Vulnerability + Attack + Privilege
• Vulnerability (work in high risk ways): clicks on malicious content, fails awareness training, or uses risky devices or cloud services
• Attack (targeted by threats): receives highly targeted, very sophisticated, or high volumes of attacks
• Privilege (access to valuable data): can access or manage critical systems or sensitive data
Not All Threats Are Created Equal: Scoring via Indexes
ATTACK INDEX: Sophistication, Volume, Type of attack, Targeting
• Variable weighted composite score
• Trended over time
• Comparable across users, groups and organizations
#1 Target: public-facing shared mailbox for aerospace heat exchanger BU. Actor: TA470/Subaat/Gorgon Group. Targeting: broad (hundreds in campaign). Payload: drops RAT or stealer. Score: 960/1000
Focusing on the 10X User Risk
PEOPLE-CENTRIC ATTACK VECTORS: INITIAL COMPROMISE
Channels: External Email, Cloud Accounts, Internal Email, Personal Webmail
Threats by channel: External Email: Delayed action URLs, Malware, Phish, Spoofing/BEC; Cloud Accounts: Targeted password attacks; Internal Email: Malware, Phish; Personal Webmail: Malware, Phish
Attack Index examples:
• BetaBot: Powersystems campaign. 61 targeted organizations, known actor. Fake order lure. Drops stealer
• Lure: “Interested in your product”. 45 targeted organizations. Drops keylogger
• Lure: “Metal quote”. 10 targeted organizations. Drops stealer
PEOPLE-CENTRIC CONTROLS: POST-COMPROMISE / PEOPLE-CENTRIC CONTROLS: ECOSYSTEM
Channels: External Email, Internal Email, Cloud Accounts, Web Browsing; Identity Deception
Post-compromise threats by channel: External Email: Exfiltrate data; Internal Email: Exfiltrate data, Move laterally; Cloud Accounts: Exfiltrate data, Establish persistence; Web Browsing: Upload malware, BEC, Data loss
Ecosystem threats (Identity Deception): Malware, Phish, Social, Email fraud, Lookalike domains
Key VAP: Pre-sales engineer in vibration sensor BU
Example campaign: 7 targeted organizations. Unknown actor. Fake RFP/RFQ lure. Host in Dropbox. Drops RAT
PEOPLE-CENTRIC ATTACK VECTORS: INITIAL COMPROMISE / PEOPLE-CENTRIC CONTROLS: POST-COMPROMISE / PEOPLE-CENTRIC CONTROLS: ECOSYSTEM (combined view)
Initial compromise: External Email: Delayed action URLs, Malware, Phish, Spoofing/BEC; Cloud Accounts: Brute force attacks; Internal Email: Malware, Phish; Personal Webmail: Malware, Phish
Post-compromise: External Email: Exfiltrate data; Internal Email: Exfiltrate data, Move laterally; Cloud Accounts: Exfiltrate data, Establish persistence; Web Browsing: Upload malware, BEC, Data loss
Ecosystem (Identity Deception): Malware, Phish, Social, Email fraud, Lookalike domains
Scaling People-Centric with AD/Privilege
The Attacker’s POV
• Jack Barker, Executive at Car Co, 500+ connections: The VIP VAP
• Monica Hall, Customer Service Mgr, 127 connections: The Clickers
• Laurie Bream (2nd), Financial Analyst, 500+ connections: The One with Access
• Richard Hendricks (3rd), Senior System Admin: The IT Insider
Persona Example: Executives (the VIP VAP)
Jack Barker, Deputy Secretary at Agency, 500+ connections
VAP Scores:
• VULNERABILITY: MEDIUM. Phish sim result: no action. Risky device / network use: yes. MFA: inconsistent
• ATTACK: HIGH. Max threat: 850 (top 5%). Attack Index: 9,143 (top 10%)
• PRIVILEGE: HIGH. VIP: yes. Sensitive data: yes, email and CASB DLP data
Adaptive Controls: + Training Control, + Access Control, + Threat Control
• Cloud: steps up authentication
• Email: Circle of Trust classifier
• Training: data protection
Persona Example: Support Clickers
Monica Hall, Support Manager, 127 connections
VAP Scores:
• VULNERABILITY: HIGH. Phish sim result: clicks everything. Risky device / network use: yes. MFA: partial
• ATTACK: LOW. Max threat: 350 (bottom 50%). Attack Index: 5,120 (bottom 50%), high with aliases
• PRIVILEGE: MEDIUM. VIP: no. Sensitive data: yes, PII
Adaptive Controls: + Information Control, + Access Control, + Threat Control
• Cloud: examine logins/user agent for risk factors
• Email/network: Isolation for shared mailboxes
• Cloud: restrict high volume downloads
Persona Example
Laurie Bream (2nd), Policy Analyst, 500+ connections
VAP Scores:
• VULNERABILITY: MEDIUM. ThreatSim result: no action. Risky device / network use: yes. MFA: PAM
• ATTACK: MEDIUM. Max threat: 930 (top 1%). Attack Index: 1,830 (top 20%)
• PRIVILEGE: HIGH. VIP: no. Sensitive data: yes, email and CASB DLP violations
Adaptive Controls: + Information Control, + Access Control, + Threat Control
• Auth: integrate with SAML gateway to step up
• Email/network: Isolate inbound URLs/webmail
• Training: anti-phishing training based on APT lure
Persona Example: The IT Insider
Richard Hendricks (3rd), Senior System Administrator
VAP Scores:
• VULNERABILITY: MEDIUM. ThreatSim result: no action. Risky device / network use: no. MFA: PAM
• ATTACK: MEDIUM. Max threat: 150 (top 40%). 30 day total: 465 (top 50%)
• PRIVILEGE: HIGH. VIP in TAP: no. Sensitive data: yes, email and CASB DLP violations
Adaptive Controls: + Information Control, + Access Control, + Threat Control
• PIM: integrate with PIM in case of clicks
• Protection: IMD for internal email
• CASB: restrict high volume d/l
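The Attack Index and VAP scoring the slides describe (a variable weighted composite of sophistication, volume, type of attack and targeting, compared across users as a "top X%" figure, then combined with Vulnerability and Privilege levels to choose adaptive controls) worked through as an added Python example. This is not Proofpoint's code or scoring method: the factor weights, the 0..1000 score formula, the level thresholds, the control-selection rules, the four user names and every threat record are constructed assumptions for illustration. The percentile step generalizes the "top X%" numbers on the persona slides to a population of any size, and the attack level deliberately counts a single very sophisticated threat even when a user's total volume is low.

```python
from dataclasses import dataclass

# Constructed factor weights (0..1); higher means more dangerous. Not Proofpoint's values.
TYPE_WEIGHT = {"phish": 0.5, "stealer": 0.8, "keylogger": 0.8, "rat": 1.0, "bec": 0.9}
TARGETING_WEIGHT = {"broad": 0.4, "narrow": 0.7, "individual": 1.0}
LEVEL_POINTS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

@dataclass
class Threat:
    user: str
    kind: str              # type of attack, key of TYPE_WEIGHT
    sophistication: float  # 0..1, from analyst or sandbox verdict
    targeting: str         # key of TARGETING_WEIGHT
    volume: int            # messages carrying this threat seen for the user

@dataclass
class UserProfile:
    user: str
    clicked_phish_sim: bool
    risky_device_use: bool
    mfa: str               # "none", "partial", "inconsistent", "full" or "pam"
    vip: bool
    sensitive_data: bool

def threat_score(t):
    """Score one threat on the 0..1000 scale the slides use (constructed formula)."""
    base = (0.5 * t.sophistication + 0.25 * TYPE_WEIGHT[t.kind]
            + 0.25 * TARGETING_WEIGHT[t.targeting])
    volume_factor = 0.7 + 0.03 * min(t.volume, 10)  # saturates at 10 messages
    return round(base * 1000 * volume_factor)

def attack_index(threats, user):
    """Return (sum of the user's threat scores, highest single threat score)."""
    scores = [threat_score(t) for t in threats if t.user == user]
    return sum(scores), max(scores, default=0)

def top_percent(value, population):
    """Share of the population scoring at least `value`: the "top X%" figure that
    makes the index comparable across users, groups and organizations."""
    return round(100 * sum(1 for v in population if v >= value) / len(population))

def vulnerability_level(p):
    points = ((2 if p.clicked_phish_sim else 0) + (1 if p.risky_device_use else 0)
              + (0 if p.mfa in ("full", "pam") else 1))
    return "HIGH" if points >= 3 else "MEDIUM" if points >= 1 else "LOW"

def attack_level(pct, max_threat):
    # One very sophisticated threat counts even when total volume is low.
    if pct <= 25 or max_threat >= 700:
        return "HIGH"
    return "MEDIUM" if pct <= 50 else "LOW"

def privilege_level(p):
    if p.vip or (p.sensitive_data and p.mfa == "pam"):
        return "HIGH"
    return "MEDIUM" if p.sensitive_data else "LOW"

def adaptive_controls(vuln, attack, priv):
    """Map the three levels to the control families named on the persona slides."""
    controls = []
    if attack != "LOW":
        controls.append("Threat Control")       # e.g. isolate inbound URLs, sandboxing
    if priv != "LOW":
        controls.append("Access Control")       # e.g. step-up authentication on risky logins
    if vuln == "HIGH":
        controls.append("Training Control")     # e.g. targeted anti-phishing training
    if priv == "HIGH" or vuln == "HIGH":
        controls.append("Information Control")  # e.g. DLP, restrict high-volume downloads
    return controls

def vap_report(threats, profiles):
    """Per-user VAP profile; a user is a VAP when the three levels total 4+ points."""
    indexes = {p.user: attack_index(threats, p.user) for p in profiles}
    population = [idx for idx, _ in indexes.values()]
    report = {}
    for p in profiles:
        idx, max_threat = indexes[p.user]
        vuln = vulnerability_level(p)
        attack = attack_level(top_percent(idx, population), max_threat)
        priv = privilege_level(p)
        total = LEVEL_POINTS[vuln] + LEVEL_POINTS[attack] + LEVEL_POINTS[priv]
        report[p.user] = {"attack_index": idx, "max_threat": max_threat,
                          "vulnerability": vuln, "attack": attack, "privilege": priv,
                          "vap": total >= 4, "controls": adaptive_controls(vuln, attack, priv)}
    return report

# Constructed sample data: four hypothetical users loosely modelled on the persona slides.
SAMPLE_THREATS = [
    Threat("j.barker", "bec", 0.9, "individual", 2),
    Threat("j.barker", "phish", 0.6, "narrow", 5),
    Threat("m.hall", "stealer", 0.3, "broad", 10),
    Threat("m.hall", "phish", 0.2, "broad", 10),
    Threat("l.bream", "rat", 0.95, "individual", 1),
    Threat("r.hendricks", "phish", 0.3, "broad", 1),
]
SAMPLE_PROFILES = [
    UserProfile("j.barker", False, True, "inconsistent", True, True),
    UserProfile("m.hall", True, True, "partial", False, True),
    UserProfile("l.bream", False, True, "pam", False, True),
    UserProfile("r.hendricks", False, False, "pam", False, True),
]
```

Running `vap_report(SAMPLE_THREATS, SAMPLE_PROFILES)` flags three of the four constructed users as VAPs for different reasons: the executive through attack plus privilege, the support user through vulnerability despite a low-sophistication attack profile, and the analyst through one highly sophisticated threat plus privileged data access. The administrator, who has high privilege but low vulnerability and a low attack index, is not flagged, which mirrors the slides' point that privilege alone does not make a VAP; it is the combination of the three indexes, trended and compared across the population, that drives which controls are applied.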
PEOPLE-CENTRIC ATTACK VECTORS: INITIAL COMPROMISE / POST-COMPROMISE / ECOSYSTEM: controls
Initial compromise channels: External Email, Cloud Accounts, Internal Email, Personal Webmail
Initial compromise controls: Gateway, Email sandboxing, Phish response automation, Internal Mail Scanning, Cloud Account Defense, Isolation
Post-compromise channels: External Email, Internal Email, Cloud Accounts, Web Browsing
Post-compromise controls: DLP, Encryption, Internal Mail Scanning, CASB, Web Isolation
Ecosystem (Identity Deception) controls: Digital Risk, DMARC, Email Fraud Detection
Goals:
• Protection across the key people-centric threat vectors
• Minimize the damage from compromises that do occur
• Stop people-centric attacks across the broader ecosystem
• Make users more resilient against threats
Proofpoint overview
The leader in protecting people from advanced threats and compliance risk
• The most trusted partner to protect the #1 threat vector
• 19 consecutive years of MQ leadership across: Email protection, Information protection, Awareness training, CASB
• Top 5 cybersecurity company; #1 fastest growing public cybersecurity company for 3 years
• Fortune 1000, Fortune 100; 50,000+ global organizations
• Seamless integration with other next gen leaders
• The only one focused on protecting people