Dec 19, 2012

Social Engineering Security and Phishing with Metasploit

Today's Whiteboard Wednesday features Joe Dubin, Rapid7's Product Marketing Manager for Metasploit, who will be talking about social engineering security with Metasploit, specifically phishing.

It is important to test your employees' social engineering security and phishing awareness so that they understand how easily a security breach can be carried out through phishing emails. Joe gives examples of how you can safely run phishing email campaigns with Metasploit against your own employees, monitor their actions, and create social engineering security awareness programs for employees who need to learn how to detect these malicious emails.

Video Transcript

Hi. I'm Joe Dubin, Product Manager for Metasploit. This week's Whiteboard Wednesday is on phishing. I wanted to go over a little bit about phishing because it's on the rise; we're seeing this more and more as an attack vector. The main reason is it's easy; it's oftentimes the easiest way to get into a company's systems is through exploiting its weakest link, which tends to be the human link. Again, easy way to pwn.

In terms of what a classic phish looks like, there are many different flavors of phish, you might say, but in terms of the mechanics of it, most often, this is an email that is spoofed to look like it is coming from a legitimate sender. Very often, it says, "There's been a security problem, you need to go in and change your password," or some other appeal. Often coming from people in authority; it might be coming from your CIO, it might be coming from your support people and it will say, "Quick. Login to this website and make this fix." Then it will lure you to a webpage, and there are systems out there that clone the web pages that make it look pixel-perfect, so you think that you're on a legitimate web page. You type in your username, password, press Submit and, 'Bam,' we have your credentials, and people will use those credentials to gain access to systems, elevate their privileges, steal files, and run rampant.

There are a number of variations on this. There are still some emails that go out with evil attachments on them, executables or office documents that take advantage of exploits for Word or PDF files. Not so much anymore because there's a lot of effective filtering out there. Most of them do tend to have web links in them that are drawing you into a website. Another variation on this, in addition to the website capturing your credentials, it could also serve up some malware once you go to the web page. It could either be drive-by, and you don't even know it's happening. You probably heard about the exploit that came out for Internet Explorer 8 and 9 a few weeks ago, when we broke that story. Sometimes also, it will get people to click on something. You'll go to a web page and it'll say, "Look at this cool app for sharing," and people can click on that and say, "Yes, I'll allow this Java-signed applet," and that's a sure way for people to get owned.

You might think, "How big of a problem is this?" What we've found in our professional services group, is that even in companies that do user awareness training, there're usually about 1 in 5 people who will fall for a phish. People will go through this classroom training, but it doesn't necessarily stick. The best way to find out, first of all, is your training effective and how are we making sure that the results are getting better, that people are getting trained better over time, is to actually go in and conduct live phishing exercises on your own people. We recommend before you do this, you actually tell people about it. Be very transparent and open, tell people that you'll be doing phishing exercises, explain why, that it's to improve the risk factor, to reduce the possibility of this happening, because there have been some very high profile phishes recently, very recently, you may have heard about the State of South Carolina and millions of taxpayer data and Social Security Numbers were stolen. That was through a phish that an employee opened up. A couple of years ago, there was RSA, and RSA lost the feeds that control their 2-factor authentication keys. They had to replace over a third of all the keys out there; that was also because of somebody who picked a junk mail out of the junk mailbox and opened it up, and opened up a spreadsheet in there. That was an attachment-based attack.

We recommend you do these phishes on your own population, as I mentioned earlier, to really get people to open them up, you make them urgent, tailor it to your audience. You'll put something in there that's relevant to the business. If you're in a security business, you can say, "We've had a breach," for example, and that will certainly get people's attention; any number of things you can do to customize your phishes.

We recommend that, first of all, you don't single people out. You're not doing this to name and shame people. In fact, one idea is you give rewards to the team or the group of people that find the most phishes and bring them to the attention of the IT department. You want to get the word out to people, "If you find a phish, what do you do? Here. Alert your IT department, or send it to this message," however you want to take care of it, and then phish them over time. You can pattern them after the incoming phishes that you're seeing.

We recommend also, start out fairly simple. Make them obvious phishes with weird looking domain names, obvious typos, the usual type of thing, and then make them more sophisticated over time. One really good way for the training aspect to stick is once people have been phished, give them some teachable-moment training. As soon as they click on that link, instead of taking them to an evil web page, you can take them to a training web page, and have that training web page point out, "This is a phish. You've just been phished. Here's what happens." Or possibly a slightly more shocking version of it is, take them to the web page that captures their credentials, and once they type it in and press Submit, then put up the training page. Then they'll have that, 'Oops,' moment.

There are other types of phishes, just variations of phishing campaigns. There's the opportunistic phishing campaign: People will just spray out a phish to all sorts of different companies and they're not targeting your organization in particular. Then there's spear phishing, where people are looking to go after your organization, and again, they will craft it and make it very specific to your organization. There's whaling, where they're going after a very high-profile target, like the CEO. Maybe they'd craft an email that says, "Your company's the subject of a hostile takeover. Open this right now." Have it crafted as coming from, for example, the media relations people or the investor relations people, all this type of information they could be pulling off of open source areas, such as LinkedIn, they could be doing the research on you.

Once you conduct these phishing campaigns, it's best to have the tool available, this is something, by the way, that we have available in the Metasploit version 4.5. There's a social engineering piece to it that can conduct phishing campaigns, that can do USB key drops as well if you want to see if anybody's going to pick up those keys in the parking lot. Once you do that, there will be a few key statistics that you should be looking at: There's how many people are opening the emails, which will tell you, roughly, who looks at it. That's important, because if nobody's opening them, then maybe your subject line isn't that interesting, maybe it's being caught up in the spam filter; that can happen. It's a good thing when it does happen. Once people are opening it, there's very little risk involved in actually opening a phishing email. It's extremely rare that there would be a compromise just from looking at an email. The risk comes as soon as people click on that web link. Again, you look at the click-through rate to see how many people are clicking through, because again, that's an area where people can be compromised. Just by looking at the web page, it could drive-by pwn their machines. If you are also capturing credentials, you can also look at the Submit rate on that. The first time you do this, just look to get a baseline for the numbers, probably for the first couple of phishes that you do, and then look to see the trends going down over time.

In terms of remediation, how do you make sure those numbers go down over time? Again, there's the training, both classroom and doing it at the point of phish. Be open about it with your people. We recommend doing it at least on a monthly basis. Emphasize the benefits: Again, you're not doing it to punish people; you're doing this to improve the security posture of the organization. If you do find some repeat offenders, those may be the people to go and talk to on a one-by-one basis. In terms of technical controls, a number of things to put in place there, of course there are junk mail filters, there are spam filters, there is web filtering software, so that if people do click on a link and it's a known evil link in the outside world, you can block it. Those would be the main things, in terms of technical controls.

We hope you enjoyed this. Thanks for watching.
