RSAC 2017: The Human Exploitation Kill Chain
One talk I attended at RSAC 2017 was The Human Exploitation Kill Chain, presented by Ira Winkler, CISSP, President of Secure Mentem and Co-Host of the Irari Report, describing the kill chain of a phishing attack. When it comes to social engineering attacks like phishing, everyone blames awareness. However, awareness is not the main problem when it comes to phishing - it’s a systematic failure of a network. If someone clicks on something and brings the whole system down, then it’s your environment that sucks, and it’s the failure of a security team. No one person should have that much power.
The problem with most awareness programs is that they are often training programs that only train people to recognize simulations. A good training program should consistently reinforce good behavior. In a kill chain, each phase represents a point of protection, failure and detection. In the different phases of an attack, an attacker has to find, fix, track, target, engage and assess.
In the target phase, an attacker will do reconnaissance to get more information about their target by scanning company data, finding information on social media sites like LinkedIn, and searching for public records. In one example, he said you could find information about the security of a building online, since the building permit files are public. Another approach an attacker may take is the mass attack approach, where they randomly target everyone in the company.
Ira referenced the RSA breach of 2011 in which the attacker targeted their human resources department, sending them a spreadsheet that appeared to be from Monster.com, the job search website. According to an analysis on RSA’s blog, their attacker sent two different phishing emails to two groups of employees that were not typically considered high-profile targets. The email subject line was “2011 Recruitment Plan.”
One of the employees went into their junk mail folder and opened the attached Excel file, which contained a zero-day exploit that installed a backdoor via an Adobe Flash vulnerability. The attackers then moved laterally within the network to compromise other machines and eventually steal company/customer data.
Each type of attack has its own unique kill chain. The phishing kill chain includes a number of steps in which either technology or a user has an essential role in either stopping or enabling the attack. The primary way to stop the success of phishing attacks is to make sure your employees are following your company’s governance/process in certain situations.
For example, there should be an explicit process outlined for how to pay an invoice, and employees should never sidestep the process in order to expedite a request, even it appears to come from their CEO.
One layer of technology that can plays a part in the phishing kill chain is the pre-mail filter. Another is your mail server - it should be able to detect phishing messages. The client mail application should also provide another layer of filters and ways to quarantine suspected spam and phishing messages. The mail filter should warn a user that is attempting to open an email in their spam folder. Finally, the average user shouldn’t be allowed to download or execute Internet programs onto their machine.
Users are key - they’re “human intrusion detection systems,” the eyes and ears of your security program that can tell you where attacks come from. Ira also recommended using multi-factor authentication (MFA) and single sign-on (SSO) to prevent phishing attacks. Launching an internal phishing simulation campaign can also help you measure your risk, and get insight into your users and devices logging into your applications.
Check out the rest of our RSAC 2017 coverage.