During the previous blog post series “Knowing your Enemy” we
highlighted the types of threat actors that are present and the types of
security testing methodologies that are geared toward managing the risk
associated with exposure from these threats.
Many threat actors today have moved away from typical
network level targets, such as scanning for missing patches, default or weak system
passwords and zero-day buffer overflows. Modern internal risk and vulnerability
management strategies have developed to quickly identify these risks,
allowing for fast and effective remediation. That is not to say that these
types of vulnerabilities are no longer out there, but they are
becoming rarer as organisations become more security aware.
But as discussed previously, this is not reducing the number
of organisations that are being targeted by the various threat actors or the
number of successful attacks. In fact, cybercrime revenue for malicious crime
syndicates has now overtaken the revenue from the illegal drug trade. If you
think about how many billions the cartels turn over every year selling illegal
drugs, you realise that cybercrime threats are a huge problem.
So how are the bad guys still managing to get hold of your
data or gain access to your systems?
As discussed previously, a red team assessment methodology
of security testing would utilise many basic initial steps in gathering information
from open source intelligence sources in order to gain a foothold into your
organisation.
“A STAR assessment
would take this further by performing a threat analysis phase in order to
gather more information on these weakest links, based on any human or system
information available”.
Red Team methodology (some may say true penetration testing)
is geared toward the initial exploitation of the most easily accessible and
weakest link in the security chain, then discovering how much further into the
network an attacker could get and what assets could be compromised.
Traditional security
testing methods are geared toward detailing as many of the potentially
exploitable vulnerabilities as possible, with exploitation of a few if time allows.
This type of testing can sometimes be overly informative and doesn’t
really focus on the most likely attack vectors.
This weakest, most easily accessible link is usually the
human, who can be exploited through various methods of social engineering.
One of the more effective forms of social engineering, which
is also relatively easy and safe for an attacker to perform from a distance, is
Phishing.
So what does a malicious Phishing campaign look like, and
what does an attacker hope to achieve?
There are essentially two types of Phishing campaign: a
generic mass mailing version, usually named simply Phishing, or a more targeted
campaign, named Spear Phishing.
We are going to focus on the targeted, Spear Phishing
attacks here; a generic campaign would be similar in nature, although less
focused on a specific organisation’s end users, and would attempt to spoof a
well-known public facing domain and web site, such as Facebook or Twitter.
The first stage of a targeted attack would usually encompass
information gathering or reconnaissance. The attacker would spend time
assessing an organisation’s public internet footprint, looking at registered domain
names for corporate and any third party systems that are used by end users and
are publicly accessible.
An attacker would then register a domain similar to one that
is used by the company for sending emails, or regularly accessed by end
users, such as the registered domain name for a corporate remote access or web
mail portal. This spoofed domain name could then be used to masquerade as a
legitimate corporate domain. This technique is sometimes referred to as domain
squatting.
Once a similar domain name is registered, an attacker could then
attempt to create a website that has the same look and feel as the organisation’s.
This could involve simply cloning the original website or application front
end, or manually creating one from HTML code. This process would be adopted
if an attacker wishes to lure unsuspecting end users to the spoofed site, via a
crafted link in an email, in order to trick the user into entering
credentials or downloading a malicious file.
However, modern security technologies attempt to prevent an
attacker from spoofing a corporate domain by applying
reputational controls over accessible domain names, usually via web content
filtering engines, such as the Blue Coat WebPulse website categorisation
engine. For an attacker to bypass these controls, he may have to run a domain
name as a legitimate site for a period of time in order for the domain to
become reputable in these systems.
An SSL certificate may also be obtained for the registered
domain name in order to provide a legitimate HTTPS connection to the attacker
controlled site. This adds to the apparent authenticity of the site and
provides a perception of trust to connecting users.
The next stage would then be to perform passive
reconnaissance, which would be an analysis of publicly available information
sources, such as social media sites and domain name registration information,
in order to obtain a list of valid email addresses for internal users.
Once full reconnaissance has been carried out, the attacker
would have an email distribution list of end users and a spoofed, corporate sounding
domain name to send emails from, plus potentially a corporate looking web site
with a legitimate SSL certificate.
The next phase would be for an attacker to send a malicious
email to the target distribution list for the purpose of either gathering
information, or performing some form of malicious activity through spreading
malware.
A typical and highly lucrative campaign could emanate from a
MaaS (Malware as a Service) offering, whereby the entire process is handled
as a service on the black market. This would use the end user distribution
list as the target, and possibly host malware on a spoofed corporate
site, but most likely a file would be included within the email.
These days, however, the more likely payload for a Phishing
campaign would be the installation of some form of ransomware, whereby the end
user’s system or data is compromised unless a fee is paid to the attacker.
How can a specialist security consultancy, skilled in
performing Phishing assessments, help?
Phishing assessments can be performed by specialist security
testing companies in order to gauge how effective an organisation’s systems are at
preventing malicious emails from entering the environment, and how effectively any
in-house security awareness training has been deployed, by analysing end
users’ responses to various forms of communication, usually either emails or
telephone calls. For this post, we are going to focus on the email
campaign.
“A further, more in depth
form of testing can be adopted to gauge how effective internal security
controls are at dealing with any malware that has been downloaded or sent via
an email and installed or allowed to run by an end user. This type of malware
simulation testing will be covered in a future blog post”.
A good security consultancy should replicate a typical
Phishing campaign through a tailored, targeted assessment, aimed at
assessing whether internal users are suitably aware of the types of attacks that
commonly occur and how to avoid becoming a victim of such an attack.
The three main types of assessment that should be available are
as follows:
- Click Tracking - Captures when a user clicks a link/URL in the email
This is the most basic form of
awareness testing. It does not usually include a landing page or spoofed
version of a corporate site, but is used to determine how likely end users are
to trust links sent through emails, either via a generic (non-targeted) campaign
or via a spoofed, corporate sounding sender email address.
- Data Capture - Capturing personal information, credentials etc. from a fake / spoofed web page
This attack is typically replicated during a red team
assignment, where the aim is to gauge if users are likely to be fooled into
entering corporate credentials into a spoofed corporate web site. On a red team
assignment, these credentials would then be used to further penetrate or
compromise an organisation’s environment.
It is also typical of the more generic Phishing attack,
where a spoofed version of Amazon or Facebook may be deployed by a real
attacker, although it is unlikely that an end user’s personal account
credentials would fall into scope for a corporate assessment, which is why
generic Phishing assessments are usually only performed through click tracking or
malware.
- Malware - Captures when a user downloads or executes a benign payload or attachment
This payload, when used as part of an assessment, will gauge
how likely an end user is to either download a binary application from a
spoofed website, or open and run a binary included in an email. However, it is
vitally important to note that for a user awareness assessment (Phishing), the
test binary should be both benign and undetectable, in order to fully ascertain
that it is the end users who are aware of the threat and not running the code,
and not any form of anti-virus or anti-spam software blocking the user from
accessing the code.
“The type of
assessment that would focus on evaluating the measures and processes in place
to protect the environment from malicious files or malware being propagated
from any form of attack, including via a Phishing campaign, would be a separate
activity, specifically aimed toward evaluating malware. We will be posting
another blog on malware simulation testing in the near future”.
A typical Phishing assessment, completed by an
effective security consultancy, should also be able to highlight common
vulnerabilities, which could include (but are not limited to):
- Domain Squatting (Similar Domain Names registered and held)
- Vulnerable browser and Operating System versions in use.
- Lack of Anti-Spam filtering (Ideally, a simple, generic campaign should be blocked)
- Awareness of any publicly available email addresses (Open Source Intelligence)
- Lack of Alerting (Are security teams aware of an ongoing attack?)
- Lack of Security Incident Response (How well do security teams deal with an ongoing attack?)
- Lack of user awareness (The need for Staff awareness training)
- Weak Passwords (Harvested via the Data Capture)
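One defensive check for the domain squatting technique described earlier and for the "Lack of Alerting" finding above: an added example, not from the original post, that parses the From: header of inbound mail and flags sender domains that are homoglyph, typo or brand-embedded lookalikes of the corporate domain. The domain examplecorp.com, the homoglyph table and the sample messages are constructed assumptions.

```python
# Added example (not from the original post): flag senders whose domain is a lookalike of the corporate domain.
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "examplecorp.com"  # assumption: the organisation's real domain
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w"}  # fake -> real, partial table

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Undo common homoglyph swaps so examplec0rp.com reads as examplecorp.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def sender_domain(raw_message: str) -> str:
    """Domain part of the From: header, or "" if it cannot be parsed."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def classify(domain: str, corp: str = CORPORATE_DOMAIN) -> str:
    """'internal', 'lookalike' (should raise an alert) or 'external'."""
    if domain == corp:
        return "internal"
    # homoglyph swap, brand name embedded in another domain, or a near typo
    if normalise(domain) == corp or corp.split(".")[0] in domain or levenshtein(domain, corp) <= 2:
        return "lookalike"
    return "external"

# Constructed sample headers: one genuine, three squats, one unrelated sender
SAMPLE_MESSAGES = [
    "From: IT Support <helpdesk@examplecorp.com>\nSubject: Password expiry\n\nbody",
    "From: IT Support <helpdesk@examplec0rp.com>\nSubject: Password expiry\n\nbody",
    "From: HR <hr@exarnplecorp.com>\nSubject: Payslip\n\nbody",
    "From: Portal <noreply@examplecorp-portal.net>\nSubject: Login\n\nbody",
    "From: Shop <orders@amazon.com>\nSubject: Order\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(f"{classify(sender_domain(raw)):9s} {sender_domain(raw)}")
```

A mail gateway or SIEM rule built on the "lookalike" verdict gives the security team the alert the list says is often missing.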
The final outcome from the assessment should include a clear
and concise analysis of the threat landscape and make valuable and pragmatic
recommendations in order to remediate or mitigate the threats.
Conclusion
So, as you can see, there are many benefits and advantages in
allowing a specialised security consultancy to perform either a targeted or
generic Phishing campaign against an organisation, although allowing a mixture
of both (a generic campaign to test the basic anti-spam and entry level user awareness,
and a targeted one for a more in depth analysis of behaviour) would be recommended.
It is imperative that any vulnerabilities, either
with the systems or with the end users’ lack of awareness, are remediated
effectively. For end users, providing real-time user awareness training
following on from an action, such as redirecting them to a user awareness
training portal after they have clicked on the spoofed link, would be ideal.