When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).
What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).
On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.
“It’s legit,” an APT1 hacker wrote in response to a recipient who questioned the validity of a spear phishing email sent by the now notorious Chinese hacking group. This recipient had the awareness to initially question the authenticity of the phishing email, but when APT1 responded, it added an element of trustworthiness to its communication, one that could trip up even a savvy employee.
This is one of the tactics Mandiant® described in its report about APT1, and is something we at PhishMe® have observed as well from both our customers and our contacts in the industry. To address this issue, we rolled out the Double Barrel, a new scenario type that will simulate the conversational phishing techniques used by advanced adversaries like APT1. This has been in development for months, and it was a happy coincidence that we rolled this out the same week that Mandiant provided the world with a concrete example.
Most of you are probably aware of the breach that occurred at the New York Times. Employee passwords and sensitive information related to an investigative news story covering the finances of Wen Jiabao, China’s Prime Minister, were compromised. The New York Times’research helps give them a competitive advantage in their industry, it is their proprietary information. It is the equivalent to the theft of financial reports, blueprints and customer data.
The headlines roll in… The NYTimes breached by spear-phishing! Symantec AV fails to detect attackers! In an official press release, Symantec says, “Anti-virus software alone is not enough.” Later, the CEO of the incident response firm hired to respond to the NYtimes news goes to Bloomberg TV to say that these attacks are rampant and that the group responsible for the breach has been active in nearly 100 other organizations. In that same interview he says that the attack (spear-phishing) is not unique.
This sounds like the type of story PhishMe would pounce on and twist into an obvious sales pitch right? Security Technology Fail; Spear Phishing is “rampant” ergo you need the PhishMe training method to change employee behavior regarding email safety.
I read Aitel’s article right before leaving for BlackHat: “Why you shouldn’t train employees for security awareness”
Popcorn in hand, this should be a fun read. After all, we agree that traditional awareness methods don’t seem to be sticking.
Spoiler: LinkedIn password leak: What it means for phishing? Answer: Not Much!
When people talk to us about phishing, they often want to know “What’s next in phishing? What else are you seeing?”
This gets asked a lot, and is one of my least favorite questions because the truth is, email based spear phishing works as-is It has no reason to evolve right now.
Last week I attended the Educause Security Professionals Conference 2012 in Indianapolis Indiana and was lucky enough to co-present with Emory University to discuss the phishing problems higher education face. This event had an entire track devoted to Awareness & Training and of course a major topic for discussion was phishing.
An odd title for a blog post but something that has been on my mind for a while now. We get a fair amount media requests for comments or perspective on phishing stories. This is a good thing. It’s nice to have recognition in your field. Of course 2011 was no shortage of phishing related news. (What’s up RSA, I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo. Couldn’t hurt?)
Q: When did it start?
A: We started building early prototypes of PhishMe in 2007, had beta customers in the first part of 2008 and paying customers later that year.
Q: What is it?
A: PhishMe is a subscription to use the PhishMe infrastructure to facilitate the most effective and memorable spear phishing awareness training around.
Organizations pay for a one year license based on the number of people to be trained, to send as many spear phishing training campaigns as they see fit. It replicates Click-Only, Data Entry, and Attachment based spear phishing attacks. We provide stories and themes to get people started, but subscribers are welcome to craft their own. Subscribers manage recipient groups, pick their phishing themes, and customize the education message that is presented to anybody that falls for the phish. It also helps them keep track of who reported the spear phishing email and reward staff for reporting suspicious emails. Detailed reports show how effective the training is. Subscribers can then select multiple campaigns to build trend reports. Using PhishMe allows organizations to see real measurable results in awareness improving, using the trend reporting that is provided.
Spear phishing awareness training isn’t a one-and-done event. There are different types of spear phishing attacks and humans need reminders that it doesn’t matter what position they hold in the organization, everyone is a valuable target for a spear phisher.
Q: Who buys PhishMe subscriptions?
A: Organizations that have been Phished multiple times.
It’s extremely frustrating for organizations that own every type of end-point-security product and appliance and have rigorous proactive patching and anti-virus to still get compromised via a spear phishing email. Their vendors tell them if you buy magic heuristic -cloud-malware appliance X, it will solve their phishing problem. How does one write a signature for an email that sends a user to a website that simply asks the victim for their username and password? The truth that the security product vendors don’t want to admit: they can’t. When an organization has an 8 person IR team onsite billing $300hr, looking over at that rack of failed security products is demoralizing. Faced with these circumstances, sending spear phishing emails to the workforce as a means to deliver awareness education about spear phishing stops sounding like a crazy idea.
Q: Who else buys PhishMe?
A: Organizations replacing their own homegrown solution.
Organizations who know they need to do this and have made attempts to build their own solution, but have learned through experience conducting these exercises in a safe controlled manner isn’t as simple as it sounds. What if the recipient is on IE6? Will your page render? What if they open it from a BlackBerry or iPhone? Will their scripts still be able to record the results? What if the end user forwards the training exercise on to digg, slasldot, redditt? You don’t want to be headline news like the Air Force was with their uncontrolled attempt: http://www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html Many PhishMe customers transition from their own solution to PhishMe because it’s easier, safer, and has better reporting.
Q: Anybody else?
A: Consulting organizations buy professional services licenses to conduct training exercises on behalf of their clients.
Q: Any changes over time?
A: In 2009 and 2010 we saw a shift in our inbound sales.
The word “Phishing” often conjures thoughts about consumer related phishing scams aimed at getting financial information or information that could facilitate identity theft. In the past two years, the differentiation between spear phishing targeting specific actors in an organization vs. consumer phishing is more well-known. We began getting inbounds by customers who were aware they needed to proactively address spear phishing, if not from their own experience, from reading about it in trade publications or talking with industry colleagues who were combating the problem. Still, to this day, the majority of inbound sales leads come from companies who have been compromised via spear phishing. Stories like the RSA breach just help make it more acceptable to disclose “yes, we were compromised by hilarious pictures of cats”.
Organizations don’t need to sit around and wonder if they have a spear phishing problem. They can find out how bad the problem is and do something about it.
I just got back from The Credit Union Information Security Professionals Association 3rd annual National event in Austin Texas where Rohyt and I were talking to the folks about www.PhishMe.com.
I have never attended a CUISPA event before and welcomed the opportunity. It was refreshing to see this industry work together. Credit unions don’t have the budgets larger institutions do and many of their technologists wear multiple hats. Security is a group effort. (as it should be)
Two major takeaways I had from the conference:
1.) Credit Union security professionals have a can-do attitude and value networking with their peers to solve their security woes
2.) Don’t show up to a Credit Union event dressed in New York-Financial attire (unless you enjoy looking like that creepy sales guy) 🙂
On the heels of the CUISPA event is a good white paper I saw on BankInfoSecurity.com titled The State of Information Security 2008 – Survey Executive Overview (Free signup)
Tom Field (Editorial Director) did a good job putting the overview together. The top security issues I heard the Credit Union folks discuss are the same ones captured in this survey. (It’s good to see that this paralleled what I saw in person at CUISPA … too often these days a whitepaper is just a synonym for marketing fluff.)
p.s. If you happen to attend my ShmooCon 2008 presentation please be kind with the Shmooballs.