TLP - The Digital Forensics Podcast

Episode 10 - Detecting and Preventing Phishing Attacks

Clint Marsden Season 1 Episode 10


Quotes:

"Phishing targets the human element, the 'wetware,' often the weakest link in any security chain." - Clint Marsden
"Phishing isn't just about poorly spelled emails anymore; it's about sophisticated campaigns that even cyber-aware individuals can fall victim to." - Clint Marsden
"Effective defense against phishing involves not just technology but ongoing education and a culture of security awareness." - Clint Marsden

Key Takeaways:

  •  Phishing attacks continue to evolve and remain a significant cybersecurity threat despite advances in technology.
  •  Attackers leverage sophisticated techniques including AI and social engineering to exploit human psychology.
  •  Effective defense strategies involve a multi-layered approach including user education, advanced email gateway technologies, and stringent access controls.


Action Points:

  1.  Implement ongoing and evolving user education programs to enhance awareness of phishing tactics.
  2.  Ensure email gateways are configured with DKIM, SPF, and DMARC protocols, and ensure the SEG is tuned appropriately to filter out malicious emails.
  3.  Follow the Essential 8 guidelines, focusing on restricting Microsoft Office macros and restricting admin privileges. If you've got the capacity, go straight into application control.
  4.  Implement multi-factor authentication (MFA) across all public-facing and internal systems to add an additional layer of security against phishing attempts.
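As an added example (not from the podcast or its author), this is the alignment check behind action point 2: SPF and DKIM results from an Authentication-Results header are only useful when the passing domain aligns with the visible From: domain, which is what lets a gateway quarantine a spoof that otherwise "passes". The two header sets and all domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real traffic); domains are placeholders.
PASSING_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com
From: Payroll <payroll@example.com>
"""

# SPF and DKIM both "pass", but for a third-party bulk-mailer domain while
# the visible From: claims the protected domain. Only the alignment check
# catches this; the raw pass/fail results look clean.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-mailer.example.org;
 dkim=pass header.d=bulk-mailer.example.org
From: IT Support <helpdesk@example.com>
"""

SPF_RE = re.compile(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)")
DKIM_RE = re.compile(r"dkim=(\w+)\s+header\.d=([^\s;]+)")

def org_domain(value):
    """Relaxed alignment compares registrable domains; simplified here to
    the last two labels (assumption: no multi-label public suffixes)."""
    domain = value.split("@")[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])

def dmarc_disposition(raw_msg, policy="quarantine"):
    """Alignment verdict plus the action a gateway would take under the
    domain owner's DMARC policy (none, quarantine or reject)."""
    msg = message_from_string(raw_msg)
    auth = msg.get("Authentication-Results", "")
    from_domain = org_domain(parseaddr(msg.get("From", ""))[1])
    spf, dkim = SPF_RE.search(auth), DKIM_RE.search(auth)
    # A mechanism counts only if it passed AND its domain aligns with From:.
    spf_aligned = bool(spf and spf.group(1) == "pass"
                       and org_domain(spf.group(2)) == from_domain)
    dkim_aligned = bool(dkim and dkim.group(1) == "pass"
                        and org_domain(dkim.group(2)) == from_domain)
    dmarc_pass = spf_aligned or dkim_aligned
    fail_action = {"none": "deliver-and-report", "quarantine": "quarantine",
                   "reject": "reject"}[policy]
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if dmarc_pass else "fail",
            "action": "deliver" if dmarc_pass else fail_action}
```

A legitimate marketing platform sending on your behalf fails this check in exactly the same way as the spoof, which is why such senders need their own SPF include or DKIM key for your domain rather than a blanket exemption.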


Links and references:

MITRE ATT&CK - Phishing:

https://attack.mitre.org/techniques/T1566/

ASD Essential 8:

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight

IDN Homograph attacks:

https://shahjerry33.medium.com/idn-homograph-attack-reborn-of-the-rare-case-99fa1e342352


Phishing Landscape 2023 by Interisle Consulting and APWG:

https://www.interisle.net/PhishingLandscape2023.pdf

Anti Phishing Working Group:

https://apwg.org/trendsreports/



(0:00 - 0:18)
Welcome to TLP, the Digital Forensics Podcast. I'm Clint Marsden, and today we're diving into the world of phishing attacks. This topic might seem familiar, but we can't overstate its importance in cybersecurity, so let's unpack this unassuming threat vector.

(0:20 - 0:49)
Phishing is a form of social engineering that's delivered electronically, and it's a deceptive practice that's designed to gain unauthorized access to systems by encouraging the recipient of an email to click on a link. You might wonder why we're still talking about phishing in 2024. After all, it's been around for decades, and despite significant advancements in cybersecurity technology and awareness, phishing remains one of the most prevalent threat vectors today.

(0:50 - 2:55)
Organizations worldwide spend millions on user awareness training, advanced firewalls, and vulnerability management platforms, yet somehow phishing attacks continue to succeed at an alarming rate. So why is this the case? I've got three ideas why. First, phishing attacks have developed. 

They're no longer just poorly spelled emails asking for your bank details. Today's phishing attempts are sophisticated and often indistinguishable from legitimate communications, and this has been enabled by AI tools. Additionally, phishing takes advantage of human psychology, and it preys on emotions like fear, urgency, and curiosity, and a well-crafted phishing campaign can make even the most cyber-aware people fall victim. 

And phishing has been around for so long that the creators of these phishing campaigns could essentially be considered subject experts on it by now, and it doesn't really sound nice, thinking of someone being an expert at an activity that's designed to rip someone else off, excluding our friends in the red teaming community, of course, who take a certain pride in being as deceptive and ingenious as possible to achieve their mission objectives. And thirdly, the sheer volume of phishing attempts is overwhelming. Have you heard of the Anti-Phishing Working Group? Well, they've got some great research that helps drive how we can detect and defend against phishing, and in Q1 of 2024, they've got some interesting data.

They've seen that phone-based phishing, which directly engages victims, is still popular. Phishing using phone calls, so-called voice phishing or vishing, is also increasing every single quarter. Now, in Q1 of 2024, APWG observed 963,994 phishing attacks.

(2:55 - 4:47)
This is in contrast to 2023, which was reported as the worst year for phishing on record, and the APWG observed almost 5 million phishing attacks in 2023. And this eclipsed the 4.7 million attacks seen in 2022. What's also interesting is that social media platforms were the most frequently attacked sector, targeted by 37.4% of all phishing attacks in Q1 2024. 

We're going to move on from the stats in a second, but I've just got one final one. The average wire transfer amount, net bank transfer in Australia, requested in a business email compromise or BEC attack in Q1 2024 was $84,059, up to nearly 50% from the prior quarter's average. What we do know is that phishing isn't uniform across all sectors. 

It ranges from broad, non-targeted approaches by less than sophisticated script kiddies, to more focused attacks by experienced threat actors, and then the final boss, nation state threat actors. The broad approach includes spam campaigns that flood inboxes indiscriminately. And on the other end, we've got spear phishing. 

Then at the boss level, a phishing attack could be created by doing some OSINT or open source intelligence on the target, and building it in a highly targeted way. So why are these attacks making it past traditional email security gateways? Well, some attackers use advanced evasion techniques to get emails past the gateway and into user mailboxes. They might alter email metadata or headers from compromised accounts.

(4:48 - 5:07)
Some even forge or spoof the sender's identity. And automated security tools are fooled by these techniques, but they can also easily be detected using things like DKIM and SPF. As we know, email gateways rank emails with a score, and this is all hidden in the email header.

(5:08 - 5:23)
And depending on the score threshold, the gateway will decide to pass it through to the recipient, quarantine it, or outright block it. Let's look at some real examples. There's a group called Axiom, and they've used spear phishing to compromise victims initially.

(5:24 - 5:44)
Another group, Gold Southfield, has run malicious spam campaigns to access victims' machines. The Malware High kit has also spread through spear phishing. There's an interesting method that's called callback phishing, and the Royal Ransomware Group has used this approach, where their victims are prompted to call a number that's provided in an email.

(5:45 - 6:15)
It adds a bit of a personal element to their plan that's essentially designed to bypass mail filters. There's no link to click on, and there's no malicious attachment. So I like where this is going. 

The reason I like where it's going is this is evidence that our tools are making things more difficult for attackers. I'm referencing the Pyramid of Pain. It's becoming more costly and time-consuming for attackers to modify their TTPs, and an email like this has a very low score.

(6:16 - 6:42)
This is an email with just a phone number to call because there are no attachments or links. Now, you might be thinking, with all these sophisticated attacks, how can we possibly defend ourselves? I've thought this in the past as well. And it's not easy, but there are some strategies that we can continue to employ to make it more difficult for attackers and to turn up the pain just a little bit and force them to modify their tactics.

(6:43 - 7:22)
On an endpoint level, we'll start with user education. And this is possibly the most important non-technical control that you could implement, and that's by teaching your staff to spot social engineering and phishing attacks. But this is not a one-time thing. 

The training has got to be ongoing, and it needs to evolve as the threats evolve. Once or twice a year would be suitable. Antivirus and anti-malware software. 

I don't want to spend too much time here. I really feel that calling out AV on endpoints and mail gateways, these days it's almost like asking if you've had food and drink in the past three days. It's a given.

(7:23 - 8:27)
It's something that I haven't mentioned much of on the podcast, but we need to talk about the E8 or the Essential 8. The Essential 8 has been designed to protect organizations' internet-connected information technology networks, and the Essential 8 maturity model provided by the ASD is based on ASD's experience in producing cyber threat intelligence, responding to cybersecurity incidents, conducting pen testing, and assisting organizations to implement the Essential 8. The Essential 8 includes patching applications, patching operating systems, MFA, restricting admin privileges, application control, which is whitelisting, restricting Microsoft Office macros, user application hardening, and regular backups. So what will stop phishing attacks is based on restricting Microsoft Office macros and restricting admin privileges. And if you've got the capacity to do it, go straight into application control.

(8:28 - 9:53)
This is probably easier said than done, but getting a start on restricting macros and restricting admin privileges will greatly reduce the ability of any incident to take hold. Next up, are you getting regular pen tests or red team engagements? Are you following the recommendations at the end of the report? Once you're through the juicy findings, it's time to follow the recommendations. These help mitigate the ability of an attacker to expand their level of access throughout your network. 

And if you're running a red team engagement, consider getting the red team to target bypassing the email gateway. You want to know where the weak points are for this. Network intrusion detection and prevention systems. 

Similar to AV and EDR, they're your first line of defense against many types of attacks. In some cases, you can classify them as virtual patching. It's all part of defense in depth. 

Anti-spoofing and email authentication help filter out many malicious messages and implementing protocols like DMARC, DKIM, and SPF can significantly reduce email-based threats if, and this is a big if, your mail gateways and the recipient's mail gateways are configured correctly. It's great that you've got SPF, DMARC, and DKIM configured on your DNS and MX records. If someone spoofs your domain in an email, guess what? It's going to be in their headers.

(9:54 - 17:07)
Who's looking at the headers though? Hopefully, it's not just an incident responder. And by ensuring that your mail gateways are dropping or even quarantining messages from spoofed domains, these emails won't end up in users' mailboxes, which translates into phishing attacks that can be neutralized. One of the challenges that you might have here is that automated mailers or email platforms that are used for marketing can commonly be used to spoof your email address or spoof your domain. 

This is something that will need to be filtered out and essentially you'll need to go through the logs and identify which systems are using these and they may need to be granted an exemption. Multi-factor authentication. While it's not foolproof, as attackers have started moving on to token theft over the last few years using info-stealer malware like VIDAR, it does add an extra layer of security that can thwart many phishing attempts. 

Now, let's discuss detection. This is where digital forensics comes into play and we can focus on three main areas. First, application logs. 

We need to watch the mail gateway logs and third-party application logging and look for any other signs that might indicate phishing attempts. This includes filtering based on DKIM and SPF which can help detect fake email senders. Second, looking for file creation. 

We need to monitor for new files that might come from phishing messages. This can be tricky as attackers often use legitimate file types to hide their malware. In an incident response scenario, reviewing the MFT and the USN journal can help identify more IOCs. 

To give some context to the flow here, say you receive a ticket from a user who, to their credit, says, "Hey, I've clicked a phishing link and I've entered my credentials. I've reset my password just in case, but once I logged into the website it was just a blank page." This could be an indication that malware was dropped, and it's now a good time to pull out the incident response playbook.

Using the date and time from when the email was read by the user, following the timeline of when the user clicked on the link, you can look at the MFT and USN journal. You can then follow up by looking at event logs and see what else has occurred on the system. Thirdly, network traffic. 

This involves checking SSL and TLS traffic patterns and looking at packet inspection, if you're fortunate enough to have a packet inspection device on your gateway or internally at different network segments. Here, from a threat hunting perspective, we're looking for anything that doesn't match the expected protocol standards and traffic flows, and it might surprise you how many applications don't follow the RFCs. This can be a little bit of noise, but when you can get a bit of a baseline, you understand what normal looks like. When things that are happening on the network are not normal, you'll be in a better position to detect them.

So systems that employ things like UEBA or user experience behavior analytics can be really useful here, and this ties into the scenario that I just mentioned. So a lot of phishing is credential harvesting, but an up-and-coming trend is vishing, and based on the data, and I suspect being enabled by AI voice cloning tools, this is going to be the next thing that needs to go into user awareness training. With security awareness programs teaching users to be more vigilant by hovering over the link before clicking, looking at the full email address of the sender, and other good cyber hygiene, attackers are becoming more sophisticated.

They're using techniques like IDN homograph attacks to create URLs that appear legitimate, but they're not. IDN stands for internationalized domain name, and in an IDN homograph attack, attackers register domain names that contain characters from different scripts that look similar to Latin characters, and Latin characters are what we would classify as standard English characters. This can be particularly deceptive because the domain name appears legitimate when displayed in the user's native language. So even though IDN homograph attacks have been around since 2005, they've had a bit of a lull, but they're coming back, and not every mail server out there is vulnerable to an IDN homograph attack, where someone might be using an IDN domain to pretend to be your organization, but there are always exceptions to the rule.

Some other new and novel techniques are the use of consent phishing. So this is tricking users into giving permissions to malicious applications. This is achieved by using OAuth 2.0 request URLs for persistent access into mailboxes and an attack vector that exists for this is where staff are getting AI tools attached to their mailboxes and then using AI assistants for transcription services. 

So changing OAuth application permissions in Office 365 is needed to get users to start asking for permission prior to deploying OAuth apps in their mailbox as some of them can be very tricky to remove. When I say asking for permission I mean that it's not available to install by default and they must seek the approval of an administrator and the administrator can actually install the application for them. As we finish today's episode it's obvious that while simple phishing remains a significant threat and despite our efforts in user awareness and email gateway technology it continues to be an effective attack vector. 

Why? Because it targets the human element, the wetware, often the weakest link in any security chain. However, this doesn't mean we're out of options. By combining more defense in depth with ongoing education and a culture of security awareness, we can significantly reduce the risk.

Let's recap how we can achieve a defense in depth strategy for phishing. Talk to your staff about the evolution of phishing attacks. It's no longer just about not clicking on a link; they need to be aware of vishing, voice phishing phone calls attempting to socially engineer sensitive information that can be used for identity theft or to reset their corporate passwords.

Disabling OAuth apps in O365. Change this to require administrative approval. Restricting Office macros.

Follow the Essential 8. Do it, and have macros available for a select few staff who absolutely need it. Follow your pen test and red team recommendations.

If your environment is compromised, slowing the attackers down and having more time to detect and prevent them from moving laterally is the goal. Ensure all system accounts have MFA, not just email. Everything that supports MFA should have it switched on.

Having your IDS and IPS monitored and tuned. Ensure that you're getting the latest updates and have someone administering the platform to activate new protections as they're released. Tune your email gateway. 

Review what messages are getting through. Have the vendor do a health check and see if you can tighten the screws to reduce high-risk mail from coming through. User awareness training.

(17:08 - 17:42)
Don't rely on the same training with screenshots from five years ago. AI is fixing the bad grammar and poorly crafted phishing emails. Update the training deck and make it highly relevant and engaging. 

That's all for our podcast on phishing attack detection and prevention. I hope you found this information useful and that it's given you a deeper understanding of why phishing remains such a persistent threat. If you've got any questions or ideas for topics for future episodes, please contact me through LinkedIn.

This is Clint Marsden signing off. Until next time. Bye for now.
