An innovative and comprehensive framework for Social Driven Vulnerability Assessment 20 November 2014
Who are we?
Enrico Frumento (twitter: enricoff), ICT Security Specialist @ CEFRIEL. Main activities: unconventional security, phreak, tweak, psychohistorian, …
Roberto Puricelli (twitter: robywankenoby), ICT Security Consultant @ CEFRIEL. Main activities: Social-driven Vulnerability Assessment, security research, passionate about technology …
Who is CEFRIEL? Bridging the gap between industries and academia to boost innovation. [Figure: industrial companies and academic universities on either side of CEFRIEL's unique value proposition; axis from research (low) through innovation to market (high)]
What will you get? Real numbers. How vulnerable are companies? How do companies react? What is SE today? … a lot of phun, but no beers.
What’s cybercrime today? From geek-driven to business-driven.
What’s cybercrime today? Selling is selling! What do you need to sell cybercriminals' products? Who’s the customer?
What’s cybercrime today? Both try to enter, tweaking the person at the door… Door-2-door seller == modern cybercriminal.
What’s cybersecurity today? Yes, a totally different approach, using the same techniques of marketing: viral, guerrilla, unconventional… and of course Social Engineering 2.0. So what? Anything new?
What’s cybercrime today? “Advertising” … developers, sociologists, HCI experts, psychologists, sellers, marketing experts, SN influencers.
What is the security team? Our team includes several competences:
• malware expert
• web designer
• web developer
• psychologist
• HCI interaction expert
• marketing expert
• SN influencer
• legal advisor
SOCIAL ENGINEERING 2.0
The Role of the Human Factor in Hacker Attacks
Characteristics of SE 2.0:
• Malware Ecosystem 2.0
• Automatic Social Engineering Attacks (ASE)
• (ab)use of linked-data
• Chat-bot systems
• (ab)use of psychology, personality profiling and cognitive science models
• Mail attack vector
• Economic drivers
Malware Ecosystem 2.0: SE became an important part of malware 2.0 and its main infection strategy.
Automatic Social Engineering Attacks (ASE): automation of SE attacks through information collection and mining, and through sentiment analysis of Social Networks.
(ab)use of linked-data: public bodies and everyone else are moving toward the free circulation of data, toward the web 3.0. This is the Linked-Open-Data or web-of-data. (ab)using LOD facilitates the collection of data needed to fully contextualize attacks against targets.
Chat-bot: widespread use of chat-bots, as in ASE attacks, to start and maintain conversations with other social network users and to make up for the lack of a real social engineer (mass social engineering attacks).
(Ab)use of Psychology and Cognitive Science: professional use of memetics and personality models of the attacked users, especially models coming from theories of cognitive psychology.
Mail Attack Vector: massive use of mails, compared to other attack vectors, since it doesn’t need talented hackers and can reach lots of victims at a time (i.e. new forms of spam).
Economic Drivers: SE 2.0 has been an investment since the beginning (nobody does it for phun); all attacks have one common aim: making money.
Characteristics of SE 2.0 [comparison figure]
Characteristics of SE 2.0: (ab)use of psychology and models of cognitive science, i.e. professional use of memetics and personality models of the attacked users, especially models coming from theories of cognitive psychology; (ab)use of Social Networks, which are fantastic sources of information about victims: tastes, personalities, profiles, etc. The phase of information collection about the target is a crucial step of each attack.
The first example… RSA, THE case study… You probably know this email.
.. the latest one: Darkhotel attacks
• More than 7 years
• Targets business executives
• Drive-by download attack
• Steals data and collects passwords
What’s in common? Social Engineering at the beginning.
Problem: it’s not so advanced anymore. “Advanced” only means that the attackers have a (devilish) business plan.
Advanced Persistent Threat Model: an APT often begins with a Social Engineering attack. Email is the most used attack vector. [SE attack] How to build an effective attack?
Advanced Persistent Threat Model: spear phishing is the new evil. A contextualized email is more effective. [Target selection → SE attack] How to gather information?
Advanced Persistent Threat Model: Internet and Social Networks allow attackers to retrieve lots of information. Public information is already available; there are also “active” attacks. [OSINT → Target selection → SE attack] What’s the result?
Advanced Persistent Threat Model: the technological attack can create a backdoor inside the company, using known vulnerabilities or zero-day attacks. [OSINT → Target selection → SE attack → Ad-hoc tech attack] What’s next?
Advanced Persistent Threat Model: inside the network, lateral movement. Slow and punctual attacks are difficult to detect. [OSINT → Target selection → SE attack → Ad-hoc tech attack → Attack expansion]
Advanced Persistent Threat Model: [OSINT → Target selection → SE attack → Ad-hoc tech attack → Attack expansion → Data exfiltration] How can we measure that risk?
OUR FRAMEWORK
Our Framework: [OSINT → Target selection → SE attack → Ad-hoc tech attack → Attack expansion → Data exfiltration]
Our Framework: passive social information mining covers OSINT and target selection; spear phishing attack simulation covers the SE attack; technological attack simulation covers the ad-hoc tech attack (attack expansion and data exfiltration are outside the simulation).
Our Framework: Setup → Passive social information mining → Spear phishing attack simulation → Technological attack simulation → Awareness
Setup: before starting the assessment, a startup phase is necessary. Since the activity is innovative, stakeholders need to:
• share objectives
• define the boundaries
Stakeholders of the company: Security, IT, HR, Innovation, Legal.
People are the target of the assessment. A potential attacker has no constraints:
• direct contact with the target (active)
• doesn’t care about consequences
During an assessment we need to take care of the users: ethical vs legal perspective. Ethics and legal constraints: only passive scanning, public sources, anonymous results.
Passive information mining: the purpose is to find evidence regarding the feasibility of the social engineering attack. Focus on the company, not on the user. Even if the sources are public, lots of information is retrieved… and it’s just the tip of the iceberg.
[Figure: emails retrieved per public source: Source1 633 mail, Source2 123 mail, Source3 11 mail, Source4 103 mail, Source5 91 mail. Categories of findings: emails of employees; initiatives related to the company or its employees; possibly attacked templates related to specific risks; evidence for building an effective attack.]
Spear Phishing Attack Simulation: the purpose is to test user behavior when stimulated with a social engineering attack. It begins with emails sent to employees; the target is a sample of employees. We evaluate two different types of risk:
1. The user clicks on the email → exposure to drive-by infection
2. The user also provides the requested credentials → loss of a critical company asset
Type of phishing: a SDVA example. An example of email for a SDVA test.
Type of phishing – example of a website. An example of the related phishing website, which refers to the phishing campaign. Text of the example page: “ACME corporation established a partnership to propose discounts to all the employees. Limited offers only for ACME corporation employees. Click on the link below and sign in with your company credentials to obtain the discounts. 70% DISCOUNT. Lots of discounts. Limited time. Only for employees. SIGN IN. Sign in with your company credentials.” Company asset requested: credentials. Both the email and the website contain clues that allow the user to identify the risk.
Collected information: the assessment tracks user behaviors (visit website, insert credentials). Anonymity vs result analysis: sample data → report.
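The two risk levels of the spear phishing simulation (clicking the link, then also submitting credentials) and the "anonymity vs result analysis" trade-off can be turned into a small reporting step. The following is an added example, not code from the original deck or from CEFRIEL's framework: it takes constructed tracking events from a simulated campaign, replaces employee identifiers with a keyed hash so the report never carries real names, keeps only the highest risk level reached by each user (so a repeated visit is not counted twice), and suppresses per-department figures for groups too small to stay anonymous. The event format, the salt and the minimum group size are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample of tracking events from a simulated spear-phishing
# campaign (not real data). Each event is (employee_id, department, kind),
# where kind is "sent" (mail delivered), "visit" (link clicked, fake site
# opened) or "credentials" (company credentials submitted on the fake site).
SAMPLE_EVENTS = [
    ("u001", "Sales", "sent"), ("u001", "Sales", "visit"), ("u001", "Sales", "credentials"),
    ("u002", "Sales", "sent"), ("u002", "Sales", "visit"),
    ("u003", "Sales", "sent"),
    ("u004", "HR", "sent"), ("u004", "HR", "visit"), ("u004", "HR", "credentials"),
    ("u005", "HR", "sent"),
    ("u006", "HR", "sent"), ("u006", "HR", "visit"),
    ("u007", "Legal", "sent"),
    ("u008", "IT", "sent"), ("u008", "IT", "visit"),
    ("u008", "IT", "visit"),  # repeated visit: must not be counted twice
]

# Risk level per event kind, matching the two risks of the assessment:
# 1 = exposed to drive-by infection, 2 = critical asset (credentials) lost.
RISK_LEVELS = {"visit": 1, "credentials": 2}


def pseudonym(employee_id, salt):
    """Keyed hash of the employee id; the salt is an assumed per-campaign secret
    kept outside the report, so the report cannot be mapped back to people."""
    digest = hashlib.sha256(salt.encode() + employee_id.encode()).hexdigest()
    return digest[:12]


def per_user_risk(events, salt):
    """Return {pseudonym: (department, highest_risk_level)}.
    Level 0 means the user only received the mail."""
    risk = {}
    for employee_id, department, kind in events:
        pid = pseudonym(employee_id, salt)
        level = RISK_LEVELS.get(kind, 0)
        previous = risk.get(pid, (department, 0))[1]
        risk[pid] = (department, max(previous, level))
    return risk


def summarize(events, salt, min_group=3):
    """Build the anonymous report: overall click and credential rates plus
    per-department rates, suppressed where fewer than min_group employees
    were targeted (a small group would make individuals identifiable)."""
    users = per_user_risk(events, salt)
    total = len(users)
    visited = sum(1 for _, level in users.values() if level >= 1)
    submitted = sum(1 for _, level in users.values() if level >= 2)

    by_dept = defaultdict(lambda: [0, 0, 0])  # [targets, visited, submitted]
    for department, level in users.values():
        by_dept[department][0] += 1
        if level >= 1:
            by_dept[department][1] += 1
        if level >= 2:
            by_dept[department][2] += 1

    departments = {}
    for department, (n, v, s) in sorted(by_dept.items()):
        if n < min_group:
            departments[department] = "suppressed (fewer than %d targets)" % min_group
        else:
            departments[department] = {
                "targets": n,
                "click_rate": round(v / n, 3),
                "credential_rate": round(s / n, 3),
            }

    return {
        "targets": total,
        "visited": visited,
        "submitted": submitted,
        "click_rate": round(visited / total, 3),
        "credential_rate": round(submitted / total, 3),
        "departments": departments,
    }


if __name__ == "__main__":
    import json
    # "campaign-salt-2014" is a constructed placeholder, not a real secret.
    print(json.dumps(summarize(SAMPLE_EVENTS, "campaign-salt-2014"), indent=2))
```

The report keeps only what the awareness phase needs (how many targets clicked, how many handed over credentials, and which departments stand out) while the mapping from pseudonym to employee exists only where the salt is held, which is the split between result analysis and anonymity the assessment relies on.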