Low Tech Threats: Protecting the People Side of Security
Ryan Kalember
March 16, 2019
© 2019 Proofpoint. All rights reserved
Attacks increasingly target people, not infrastructure
$12.5B+ direct losses worldwide (Oct 2013 – May 2018)
78,617 incidents worldwide
Source: FBI.
99%+ of attacks rely on the user to run malicious code
300%+ increase in corporate credential phishing (Q2 to Q3 2018)
Source: Proofpoint Threat Data.
EMAIL FRAUD IS A BOARD-LEVEL ISSUE FOR ALL INDUSTRIES
INFRASTRUCTURE SHIFTS CREATE NEW THREAT VECTORS, DATA EXPOSURE
THREATS USE SOCIAL ENGINEERING, NOT VULNERABILITIES
Source: Proofpoint Threat Data.
63% of orgs exposed to targeted attacks
37% of orgs detected a successful breach
Account takeover is a growing problem
It’s all about the credential!
And it doesn’t work if the target doesn’t click (or you block it)
What About the Lowest Tech Threat of All?
What Attacker Innovation Looks Like
IT STARTS WITH AN EMAIL.
WHICH CONTAINS A PDF.
THE PDF HAS A LINK.
WHICH POINTS TO SHAREPOINT.
THE SHAREPOINT SITE HOSTS A PDF.
AND THAT PDF HAS A LINK.
AND IF YOU CLICK THAT LINK...
YOU GET PHISHED.
STAY AHEAD OF THE THREAT ACTORS
Defenders don’t focus on people, attackers do
Attack Vectors (Source: 2018 Verizon DBIR) vs. IT Security Spending (Source: Gartner, 2017 forecast)
IT security spending by category: Network 62%, Endpoint 18%, Web 12%, Email 8%
Attack vectors: 93% of all breaches are attacks targeting people, 96% via email
Defensive strategy needs to rival attacker tactics
LEGACY APPROACH: Protect channels, devices, data
CURRENT ATTACKER TACTICS: Target people, across all channels
Assessing the Human Attack Surface: Who are your VAPs (Very Attacked People)?
VAPs sit at the intersection of three dimensions:
Attack (Targeted by Threats): receive highly targeted, very sophisticated, or high volumes of attacks
Vulnerability (Work in High Risk Ways): click on malicious content, fail awareness training, or use risky devices or cloud services
Privilege (Access to Valuable Data): can access or manage critical systems or sensitive data
Not All Threats Are Created Equal: Scoring via Indexes
ATTACK INDEX: composite of Sophistication, Volume, Type of attack, and Targeting
• Variable weighted composite score
• Trended over time
• Comparable across users, groups and organizations
Example, the #1-scoring target:
Target: public-facing shared mailbox for aerospace heat exchanger BU
Actor: TA470/Subaat/Gorgon Group
Targeting: broad (hundreds in campaign)
Payload: drops RAT or stealer
Score: 960/1000
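To make the index concrete, here is an added example (my code, not Proofpoint's product logic) of a toy attack index: each threat reaching a user gets a weighted composite score out of 1000 from sophistication, targeting, type of attack and volume, and a user's attack index is the sum over a rolling window, so it can be trended and ranked across users. The weights, the targeting and volume bands, the payload severities, the pinned date and the sample events are all assumptions for illustration.

```python
"""
Added example, not Proofpoint's code: a toy attack index in the spirit of the
slide. Each threat that reaches a user gets a score out of 1000 from four
factors (sophistication, targeting, type of attack, volume). A user's attack
index is the sum of those scores over a rolling window, so it can be trended
and ranked across users. Weights, factor scales and the sample events are
assumptions for illustration, not Proofpoint's actual formula.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2019, 3, 16)  # pinned so the example is deterministic

# Assumed weights; they sum to 1.0 so the composite lands on a 0..1000 scale.
WEIGHTS = {"sophistication": 0.40, "targeting": 0.30, "type": 0.20, "volume": 0.10}

# Assumed severity per payload type, 0..1: a RAT outranks a credential phish.
TYPE_SEVERITY = {"spam": 0.1, "credential_phish": 0.6, "stealer": 0.8, "rat": 1.0}


@dataclass(frozen=True)
class ThreatEvent:
    user: str
    day: date
    sophistication: float  # 0..1, e.g. from a sandbox or analyst verdict
    targeted_orgs: int     # how many organisations saw the same campaign
    payload: str           # key into TYPE_SEVERITY
    messages: int          # copies delivered to this user


def targeting_factor(targeted_orgs: int) -> float:
    """Assumed bands: a campaign aimed at a few orgs outweighs a broad blast."""
    if targeted_orgs < 10:
        return 1.0
    if targeted_orgs < 100:
        return 0.6
    return 0.3


def volume_factor(messages: int) -> float:
    """Linear up to 50 messages, then saturates at 1.0."""
    return min(messages, 50) / 50.0


def threat_score(ev: ThreatEvent) -> int:
    """Weighted composite, 0..1000, for one threat against one user."""
    factors = {
        "sophistication": ev.sophistication,
        "targeting": targeting_factor(ev.targeted_orgs),
        "type": TYPE_SEVERITY[ev.payload],
        "volume": volume_factor(ev.messages),
    }
    return round(1000 * sum(WEIGHTS[k] * v for k, v in factors.items()))


def _in_window(ev: ThreatEvent, window_days: int, today: date) -> bool:
    return today - timedelta(days=window_days) <= ev.day <= today


def attack_index(events, user: str, window_days: int = 30, today: date = TODAY) -> int:
    """Sum of threat scores against one user inside the window (trendable over time)."""
    return sum(threat_score(e) for e in events
               if e.user == user and _in_window(e, window_days, today))


def max_threat(events, user: str, window_days: int = 30, today: date = TODAY) -> int:
    """Worst single threat the user saw in the window."""
    return max((threat_score(e) for e in events
                if e.user == user and _in_window(e, window_days, today)), default=0)


def rank(events, window_days: int = 30, today: date = TODAY) -> list[tuple[str, int, int]]:
    """(user, attack_index, max_threat), highest index first: the most attacked people."""
    users = sorted({e.user for e in events})
    rows = [(u, attack_index(events, u, window_days, today),
             max_threat(events, u, window_days, today)) for u in users]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample events, loosely modelled on the campaigns on the slides.
EVENTS = [
    # broad RAT campaign hitting a public shared mailbox
    ThreatEvent("sales-shared-mailbox", TODAY - timedelta(days=1), 0.7, 300, "rat", 40),
    # narrowly targeted credential phish against an executive
    ThreatEvent("jack.barker", TODAY - timedelta(days=2), 0.9, 7, "credential_phish", 3),
    # older stealer campaign against the same executive, outside a 30-day window
    ThreatEvent("jack.barker", TODAY - timedelta(days=40), 0.5, 50, "stealer", 10),
    # two waves of bulk spam against a support manager
    ThreatEvent("monica.hall", TODAY - timedelta(days=5), 0.2, 500, "spam", 50),
    ThreatEvent("monica.hall", TODAY - timedelta(days=12), 0.2, 500, "spam", 50),
]

if __name__ == "__main__":
    for user, idx, worst in rank(EVENTS):
        print(f"{user:24s} attack index {idx:5d}  max threat {worst:4d}")
```

Note how the two views disagree: the executive's single narrowly targeted phish scores higher than the shared mailbox's broad RAT campaign, while the support manager's index is driven purely by volume of low-severity mail. Keeping max threat and the windowed index side by side is what lets you separate "one very dangerous attack" from "lots of noise", and widening the window (60 days here) pulls the older stealer campaign back into the executive's index.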
Focusing on the 10X User Risk
PEOPLE-CENTRIC ATTACK VECTORS: INITIAL COMPROMISE
External Email: delayed-action URLs, malware, phish, spoofing/BEC
Cloud Accounts: targeted password / brute force attacks
Internal Email: malware, phish
Personal Webmail: malware, phish
Attack Index examples:
BetaBot, "Power systems" campaign: 61 targeted organizations, known actor, fake order lure, drops stealer
Lure "Interested in your product": 45 targeted organizations, drops keylogger
Lure "Metal quote": 10 targeted organizations, drops stealer
PEOPLE-CENTRIC ATTACK VECTORS: POST-COMPROMISE
External Email: exfiltrate data
Internal Email: exfiltrate data, move laterally
Cloud Accounts: exfiltrate data, establish persistence, upload malware, BEC, data loss
Web Browsing: malware, phish
PEOPLE-CENTRIC ATTACK VECTORS: ECOSYSTEM
Identity Deception: social, email fraud, lookalike domains
Key VAP: pre-sales engineer in vibration sensor BU
Example campaign: 7 targeted organizations, unknown actor, fake RFP/RFQ lure, hosted in Dropbox, drops RAT
Scaling People-Centric with AD/Privilege
The Attacker’s POV (public profiles as an attacker sees them)
Monica Hall, Customer Service Mgr, 127 connections: the Clicker
Jack Barker, Executive at Car Co, 500+ connections: the VIP VAP
Richard Hendricks (3rd), Senior System Admin: the IT Insider
Laurie Bream (2nd), Financial Analyst, 500+ connections: the One with Access
Persona Example: Executives (the VIP VAP)
Jack Barker, Deputy Secretary at Agency, 500+ connections
VAP Scores:
VULNERABILITY: MEDIUM (phish sim result: no action; risky device / network use: yes; MFA: inconsistent)
ATTACK: HIGH (max threat: 850, top 5%; Attack Index: 9,143, top 10%)
PRIVILEGE: HIGH (VIP: yes; sensitive data: yes, email and CASB DLP data)
Adaptive Controls: + Training Control, + Access Control, + Threat Control
Cloud: steps up authentication
Email: Circle of Trust classifier
Training: data protection
Persona Example: Support Clickers
Monica Hall, Support Manager, 127 connections
VAP Scores:
VULNERABILITY: HIGH (phish sim result: clicks everything; risky device / network use: yes; MFA: partial)
ATTACK: LOW (max threat: 350, bottom 50%; Attack Index: 5,120, bottom 50%, high with aliases)
PRIVILEGE: MEDIUM (VIP: no; sensitive data: yes, PII)
Adaptive Controls: + Information Control, + Access Control, + Threat Control
Cloud: examine logins/user agent for risk factors
Email/network: isolation for shared mailboxes
Cloud: restrict high volume downloads
Persona Example: The One with Access
Laurie Bream (2nd), Policy Analyst, 500+ connections
VAP Scores:
VULNERABILITY: MEDIUM (ThreatSim result: no action; risky device / network use: yes; MFA: PAM)
ATTACK: MEDIUM (max threat: 930, top 1%; Attack Index: 1,830, top 20%)
PRIVILEGE: HIGH (VIP: no; sensitive data: yes, email and CASB DLP violations)
Adaptive Controls: + Information Control, + Access Control, + Threat Control
Auth: integrate with SAML gateway to step up
Email/network: isolate inbound URLs/webmail
Training: anti-phishing training based on the APT lure
Persona Example: The IT Insider
Richard Hendricks (3rd), Senior System Administrator
VAP Scores:
VULNERABILITY: MEDIUM (ThreatSim result: no action; risky device / network use: no; MFA: PAM)
ATTACK: MEDIUM (max threat: 150, top 40%; 30-day total: 465, top 50%)
PRIVILEGE: HIGH (VIP in TAP: no; sensitive data: yes, email and CASB DLP violations)
Adaptive Controls: + Information Control, + Access Control, + Threat Control
PIM: integrate with PIM in case of clicks
Protection: IMD for internal email
CASB: restrict high volume downloads
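The four personas above show the same pattern: score each person on vulnerability, attack and privilege, then pick controls that fit that combination rather than one blanket policy. The following added example (my code, not Proofpoint's product logic) is a small policy engine that does exactly that. The attack-tier bands, the multiplicative priority formula, the control rules and the percentile I assigned to the support manager are assumptions in the spirit of the slides; the four people are the slide personas re-entered by hand as constructed input.

```python
"""
Added example, not Proofpoint's code: a small policy engine that turns the three
VAP dimensions from the persona slides (vulnerability, attack, privilege) into a
risk priority and a set of adaptive controls. The attack-tier bands, priority
formula and control rules are assumptions in the spirit of the slides, not
Proofpoint's logic; the four people are the slide personas re-entered by hand.
"""
from __future__ import annotations

from dataclasses import dataclass

TIER_VALUE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Person:
    name: str
    role: str
    vulnerability: str         # LOW / MEDIUM / HIGH, as scored on the slide
    privilege: str             # LOW / MEDIUM / HIGH
    attack_index_top_pct: int  # 10 means the user is in the top 10% by attack index
    phish_sim_clicks: bool
    risky_device: bool
    mfa: str                   # "none", "partial", "inconsistent", "PAM" or "full"
    vip: bool
    sensitive_data: bool
    shared_mailbox: bool = False


def attack_tier(p: Person) -> str:
    """Assumed bands: top 10% is HIGH, top 50% MEDIUM, everyone else LOW."""
    if p.attack_index_top_pct <= 10:
        return "HIGH"
    if p.attack_index_top_pct <= 50:
        return "MEDIUM"
    return "LOW"


def is_vap(p: Person) -> bool:
    """The Venn diagram on the slide: a VAP sits in all three circles at once."""
    return all(TIER_VALUE[t] >= 2 for t in (p.vulnerability, attack_tier(p), p.privilege))


def priority(p: Person) -> int:
    """Assumed multiplicative score (1..27): one HIGH cannot offset two LOWs."""
    return (TIER_VALUE[p.vulnerability] * TIER_VALUE[attack_tier(p)]
            * TIER_VALUE[p.privilege])


def adaptive_controls(p: Person) -> list[str]:
    """Assumed rule set mapping scores and attributes onto the four control families."""
    att = attack_tier(p)
    controls: list[str] = []
    # Threat controls: take the click out of the kill chain for users who click.
    if p.vulnerability == "HIGH" or p.shared_mailbox:
        controls.append("threat: isolate inbound URLs and webmail in a remote browser")
    if att == "HIGH":
        controls.append("threat: stricter sender-reputation classifier and attachment sandboxing")
    # Access controls: make a phished credential less useful.
    if p.privilege == "HIGH" and p.mfa != "full":
        controls.append("access: step up authentication on cloud/SAML logins")
    if p.vulnerability == "HIGH" or p.risky_device:
        controls.append("access: score cloud logins on user agent, location and device")
    if p.privilege == "HIGH" and p.mfa == "PAM":
        controls.append("access: suspend privileged sessions via PIM when the user clicks a threat")
    # Information controls: limit what a compromised account can carry out.
    if p.sensitive_data and (p.vulnerability == "HIGH" or att != "LOW"):
        controls.append("information: CASB rule against high-volume downloads, DLP on outbound mail")
    # Training controls: change the behaviour the other controls compensate for.
    if p.phish_sim_clicks:
        controls.append("training: anti-phishing modules built from the lures this user received")
    if p.vip:
        controls.append("training: data protection for executives")
    return controls


def triage(people: list[Person]) -> list[tuple[str, int, bool]]:
    """(name, priority, is_vap), highest priority first."""
    rows = [(p.name, priority(p), is_vap(p)) for p in people]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed input: the four personas from the slides (the 75th percentile for
# the support manager is my reading of "bottom 50%").
PERSONAS = [
    Person("Jack Barker", "Deputy Secretary", "MEDIUM", "HIGH", 10,
           phish_sim_clicks=False, risky_device=True, mfa="inconsistent",
           vip=True, sensitive_data=True),
    Person("Monica Hall", "Support Manager", "HIGH", "MEDIUM", 75,
           phish_sim_clicks=True, risky_device=True, mfa="partial",
           vip=False, sensitive_data=True, shared_mailbox=True),
    Person("Laurie Bream", "Policy Analyst", "MEDIUM", "HIGH", 20,
           phish_sim_clicks=False, risky_device=True, mfa="PAM",
           vip=False, sensitive_data=True),
    Person("Richard Hendricks", "Senior System Administrator", "MEDIUM", "HIGH", 50,
           phish_sim_clicks=False, risky_device=False, mfa="PAM",
           vip=False, sensitive_data=True),
]

if __name__ == "__main__":
    for name, score, vap in triage(PERSONAS):
        print(f"{name:20s} priority {score:2d}  VAP={vap}")
        for c in adaptive_controls(next(p for p in PERSONAS if p.name == name)):
            print("   ", c)
```

The point of the rule structure is that the support manager, who clicks everything, is not a VAP by the Venn definition (her attack tier is LOW), yet she still gets the heaviest set of threat and access controls because her vulnerability drives them; the executive and the admin get step-up authentication and PIM hooks because privilege, not click behaviour, is their risk. Swap in your own tiers and thresholds, but keep the rules data-driven so the controls move when the scores do.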
PEOPLE-CENTRIC CONTROLS: INITIAL COMPROMISE (External Email, Cloud Accounts, Internal Email, Personal Webmail)
Gateway, email sandboxing, phish response automation, internal mail scanning, Cloud Account Defense, isolation
Goal: protection across the key people-centric threat vectors
PEOPLE-CENTRIC CONTROLS: POST-COMPROMISE (External Email, Internal Email, Cloud Accounts, Web Browsing)
DLP, encryption, internal mail scanning, CASB, web isolation
Goal: minimize the damage from compromises that do occur
PEOPLE-CENTRIC CONTROLS: ECOSYSTEM (Identity Deception)
Digital risk, DMARC, email fraud detection
Goal: stop people-centric attacks across the broader ecosystem
Across all three stages: make users more resilient against threats
Proofpoint overview
The leader in protecting people from advanced threats and compliance risk
The most trusted partner to protect the #1 threat vector
19 consecutive years of MQ leadership across: email protection, information protection, awareness training, CASB
Seamless integration with other next-gen cybersecurity leaders
50,000+ global organizations, including Fortune 1000 and Fortune 100 customers
#1 fastest growing public cybersecurity company for 3 years; Top 5 cybersecurity company
The only one focused on protecting people