Beyond the Nigerian Prince: A How-To Guide to Modernizing Phishing Defenses
December 11, 2018
Logistics
> You will be on mute
> Submit questions in the Q&A box (probably on the right side of your screen) in the GoToWebinar control pane
> Webinar is being recorded and will be available for replay
> Slides will be made available after the webinar
Copyright © 2018 GreatHorn & dmarcian 2
Kevin O’Brien, CEO, GreatHorn
Tim Draegen, CEO, dmarcian
Agenda
> Recap: The evolution of phishing
> Anatomy of modern email threats
> Assess your defenses
> Most common areas
> Prioritizing next steps
Last Time…
Shared Responsibility Model (diagram: Industry / Organization / Individual, across Prevention and Protection)
> Prevention: prevent your brand from being used in phishing attacks
> Protection: protect your organization from falling victim to phishing attacks
“Phishing” is Many Things, Not Just One
> Requires different tools / strategies to combat
> Constantly evolving attack patterns easily bypass threat intel-based defenses
> Most dangerous:
− Impersonations
− Business Services spoofing
− Credential Theft
Common Characteristics of a Phishing Email
Trusted Sender
Urgency
Response Required
Anatomy of a Phishing Email: Name Spoof
What:
> Display Name is adjusted to a person of trust
Challenge:
> Personal email addresses & mobile devices
Anatomy of a Phishing Email: Direct Spoof
What:
> Sender email appears to be colleague’s business email
Challenge:
> Email, photo, Outlook history are correct
> Average user doesn’t know how to check header data
Anatomy of a Phishing Email: Business Services Spoofing
What:
> Sender appears as an automated alert from a trusted business service
Challenge:
> Often properly branded and carefully crafted
> Some links are legitimate; others are not
Anatomy of a Phishing Email: Malware
What:
> Malicious attachment
Challenge:
> Display name matches content
> Average user doesn’t know how to check header data
Phishing Tactics & Countermeasures
Technical Tactics
> Display name spoof
> Email address spoof
> Branding
> Domain look-alikes
> URL obfuscation
Countermeasures
> Check authentication
> Verify sending email addresses against known email addresses
> Review header data
− Reply-To
− Return-Path
− IP Address
− Sending Domain
> Confirm destination URLs
Challenge: Users can’t / won’t review email metadata
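The countermeasures on this slide, applied by a script rather than by a user, as an added example that is not part of the webinar or of either vendor's product. It parses a constructed message, compares the From display name against a known-contact directory, checks whether the Reply-To and Return-Path domains match the From domain, and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header. The message, the `KNOWN_CONTACTS` directory and the function names are all constructed for this illustration.

```python
"""Added example (not from the webinar slides): a small header-review script
that applies the slide's countermeasures to a constructed message."""
import email
from email.utils import parseaddr

# Constructed sample message (not a real capture): display-name spoof of a
# known colleague, sent from a look-alike domain with a mismatched Reply-To.
SAMPLE_RAW = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-service.example
Return-Path: <bounce@mail-service.example>
To: bob@example-corp.com
Subject: Urgent: wire transfer needed today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mail-service.example; dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: text/plain

Bob, please process this immediately and confirm by reply.
"""

# Constructed directory of known contacts: lower-cased display name -> address.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example-corp.com"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header_value: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for part in header_value.split(";")[1:]:  # the first part is the authserv-id
        part = part.strip()
        for method in ("spf", "dkim", "dmarc"):
            if part.startswith(method + "="):
                verdicts[method] = part.split()[0].split("=", 1)[1]
    return verdicts


def review_headers(raw_message: str, known_contacts: dict) -> list:
    """Return a list of findings from the header checks the slide recommends."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Verify the sending address against the known address for that name.
    expected = known_contacts.get(display_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display-name mismatch: '{display_name}' expected {expected}, got {from_addr}")

    # 2. Reply-To pointing at a domain other than the From domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to domain differs: {domain_of(reply_to)} != {from_domain}")

    # 3. Return-Path (envelope sender) domain differs from the From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"return-path domain differs: {domain_of(return_path)} != {from_domain}")

    # 4. Authentication results: anything other than a DMARC pass is a finding.
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    if verdicts.get("dmarc") != "pass":
        findings.append(f"dmarc verdict: {verdicts.get('dmarc', 'absent')}")
    return findings


if __name__ == "__main__":
    for finding in review_headers(SAMPLE_RAW, KNOWN_CONTACTS):
        print("!", finding)
```

Two points matter when running something like this on real mail: the contact directory should come from your identity source rather than a hand-written dict, and only Authentication-Results headers written by your own gateway (identified by its authserv-id, `mx.example-corp.com` in the constructed sample) should be trusted, because a sender can include a forged copy of that header in the message it submits.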
What Now?
How to prevent phishing and protect your employees
Copyright © 2018 GreatHorn - GreatHorn Confidential 12
Assess Your Defenses: Phishing Protection “Danger Zones”
> Shared responsibility breaks down at intersections
> How well do organizations support:
− Industry standards for confirming corporate identity?
− Providing individuals context on email risk?
Diagram: Industry / Organization / Individual, with danger zones labelled Manage Online Identity and Manage Internal Risk
Translate into Actionable Areas of Protection
Diagram: Industry / Organization / Individual mapped onto Prevention and Protection
Prevention: Managing Online Identity
Protect employees, customers, and partners from direct spoofs and domain spoofs
Prevention – Role of Online Identity
Organization A
Organization B?
Organization A needs to know: “Are you really Organization B?”
Prevention - Email Focus
Biggest problem gets the focus.
>90% of attacks begin with an email.
The email you send becomes email that others receive.
How can you make yourself into a Trusted Sender?
Prevention - Trusted Sender Benefits
> Allow others to easily determine if your email is real.
> Tell others to ignore email that pretends to be you.
> Receivers can build on your trust to reliably deliver your email.
Prevention - Become a Trusted Sender
> Technology exists to make your email easy to identify.
> DMARC introduces stable domain-level identifiers to email. Brings:
− Policy controls for how to dispose of non-DMARC/fake email.
− Feedback mechanisms to make deployment possible.
− Consistency to email practice to ease maintenance.
Prevention - Assess Your Trust
Your organization has domains on the Internet.
Collect all of your domain assets into a big list.
Are you using DMARC?
− dmarcian inspector: https://dmarcian.com/dmarc-inspector/
− Internet.NL has a great email-testing suite
− Global Cyber Alliance: https://dmarc.globalcyberalliance.org/
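An added example, not the slides' or dmarcian's own code, of the assessment step above: take the list of domain assets, look at the DMARC record each one publishes, and classify it by the two DMARC capabilities the previous slide names, policy controls (`p=`, `sp=`, `pct=`) and feedback (`rua=`). The inventory and its records are constructed strings rather than live DNS answers; fetching the TXT record at `_dmarc.<domain>` is left to whichever DNS library you use, and `assess_dmarc` and `assess_inventory` are names chosen here.

```python
"""Added example (not from the slides or dmarcian's tooling): assess the DMARC
records for a list of domains. The records below are constructed strings; in
practice you would fetch the TXT record at _dmarc.<domain> for each asset."""
from typing import Optional

# Constructed domain inventory -> DMARC TXT record (None = nothing published).
SAMPLE_INVENTORY = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "shop.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "legacy.example.org": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "unused.example.net": None,
    "typo.example.net": "v=spf1 include:_spf.example.net -all",  # SPF record published at _dmarc
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; return {} unless v=DMARC1."""
    tags = {}
    for chunk in record.split(";"):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record: Optional[str]) -> dict:
    """Classify a record as none/invalid/monitor/partial/enforced and list issues."""
    if record is None:
        return {"stage": "none", "issues": ["no DMARC record published: receivers cannot reject fakes"]}
    tags = parse_dmarc(record)
    if not tags:
        return {"stage": "invalid", "issues": ["record is not a v=DMARC1 record"]}

    issues = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"stage": "invalid", "issues": ["missing or invalid p= tag"]}
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")

    # The subdomain policy defaults to p=; an explicit sp=none undoes enforcement there.
    subpolicy = tags.get("sp", policy).lower()
    if policy != "none" and subpolicy == "none":
        issues.append("sp=none: subdomains remain unprotected")

    # pct= applies the policy to only a sample of failing mail (default 100).
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else None
    if pct is None:
        issues.append(f"pct={pct_raw}: not a value between 0 and 100")
        pct = 100
    elif pct < 100 and policy != "none":
        issues.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")

    # Without rua= there is no aggregate feedback to discover legitimate senders.
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("no rua= mailto: address: no aggregate feedback reports")

    if policy == "none":
        stage = "monitor"
    else:
        stage = "partial" if pct < 100 else "enforced"
    return {"stage": stage, "issues": issues}


def assess_inventory(inventory: dict) -> dict:
    """Run assess_dmarc over every domain in the inventory."""
    return {domain: assess_dmarc(record) for domain, record in inventory.items()}


if __name__ == "__main__":
    for domain, result in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{domain:22} {result['stage']:9} {'; '.join(result['issues']) or 'ok'}")
```

The stages map onto the rollout the next slides describe: `none` and `invalid` domains need a record, `monitor` domains are collecting feedback but not yet disallowing fake email, `partial` domains have a policy that applies to only some mail or only the organizational domain, and `enforced` domains are in maintenance mode.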
Prevention - What To Expect
Convert feedback data into actions
Actions:
Identify vendors, infrastructure, senders
Build internal process to maintain DMARC
Fix up senders et al to send DMARC-compliant email
Roll out DMARC controls to disallow fake email
Maintenance mode: just another asset to keep locked down
Prevention - Ounce of Prevention…
Building an online identity using DMARC allows good actors to “Trust but verify”.
In terms of protection, DMARC:
Protects against direct spoofs and brand impersonations
Protection: Managing Internal Risk
Effective Phishing Protection Requires a Lifecycle of Email Security
Diagram: Incoming Email → Inbox, with the lifecycle stages Threat Detection, Automated Threat Defense, and Incident Response
Putting Lifecycle into Practice
People
Business Process
Technology
Evaluate Business Processes with Phishing in Mind
Work with high risk teams to minimize risk
Develop internal communication processes for sharing incident information
Finance – How are wire transfers authorized?
HR / Execs – How do different classes of confidential information get communicated?
How do executive teams communicate urgent requests?
Who has access to what data? Who has access to which systems?
Protects against phishing attacks that target financial risk & information theft
Change Mindset from “User=Risk” to “User Improves Security”
Ensure that security controls balance risk and business agility
Provide accessible tools for users to easily judge email authenticity
Invest in context-based tools to reinforce business processes and security hygiene habits
Develop program for users to participate in security improvements – phish reporting, etc.
Automate integration of user feedback email security
Protects against social engineering techniques
Technology as Both Enablement and Enforcement
Assess existing threat detection tools against phishing threats
Is multi-factor authentication enabled across all apps?
Provide users real-time security context within email
Implement a feedback mechanism to determine effectiveness / accuracy of email security
Evaluate existing incident response processes / tools against ideal time-to-remediation goals
Align technology capabilities against business process / user feedback needs
Determine whether customizations are required to meet your organization’s risk profile / tolerance
Protects against phishing and enforces other areas
Next Steps
> Evaluate your risk against biggest threats
− Which tactics / goals make you most vulnerable?
> Prioritize core areas (brand reputation, business process, people, technology) based on analysis
> Create an integrated plan for each risk area
− E.g. Protecting against wire transfer fraud involves:
  − Business process changes
  − User training
  − Making DMARC / authentication / header data accessible / understandable to end users
  − Contextualized warnings
Control your email with DMARC. Control your DMARC process with dmarcian.
dmarcian specializes in processing complex DMARC reports and identifying what steps need to be taken, so you can become DMARC compliant.
At dmarcian, we see email security and authentication as cornerstones of the Internet. We’re dedicated to upgrading the entire world’s email by making DMARC accessible to all. dmarcian brings together thousands of senders, vendors, and operators in a common effort to build DMARC into the email ecosystem.
We believe email is worth fixing.
GreatHorn simplifies email security by automating detection, remediation, and incident response.
Security teams using GreatHorn not only gain enterprise-class protection against both sophisticated phishing attacks and traditional threats, they also reduce complexity, manual remediation time, and negative impact on business operations.
www.dmarcian.com
www.greathorn.com
Questions?
> Recording and slides will be made available following the webinar
> Keep an eye out for our upcoming webinar (dates TBD):
− Comprehensive Phishing Defense with dmarcian and GreatHorn (Part 3 in our “Beyond the Nigerian Prince” series)