Podcast: Phishing and Its Dangers to Your Security with CyberClan’s own Bryan McNeil and Joseph Serrano


EPISODE SUMMARY

Phishing may seem like a familiar old topic in cybersecurity but it still remains a large threat to your business. In this episode we go back to the ABCs of phishing and dive deep into how companies need to think of the “human firewall” by providing training to their employees to bolster their security posture.

EPISODE NOTES

Today we discuss:

  • What is phishing?
  • How common is it and does it only occur through email?
  • What is the “human firewall”?
  • How should companies think about training their employees to look for phishing attacks?
  • Is your company’s security posture enough to protect against these types of attacks?

Transcript

Erin Keating:
Welcome to the brand new podcast by Cyber Clan. Incidentally, we know a lot of experts in the cybersecurity space, and we know that there needs to be a lot more education across the industry. We endeavor each episode to bring you different aspects of the cybersecurity industry, whether it’s insurance, breach coaching, incident response, and much, much more. Let’s dive in.

Well, hello, everybody. Welcome to Incidentally brought to you by Cyber Clan. We are exploring an interesting topic today, phishing. I think it’s something that everybody in their world has heard of as well as spamming, but it’s also something that’s been around so long that maybe people are forgetting that all of the software that you can have in place and security protocols you can have in place don’t necessarily stop people from falling for things like phishing. So we felt it was worth it to talk to some of our guys who have a lot of experience in this area about phishing. Let’s just bring it back up to the top of the list for people to think about. What do they need to think about as far as training and protocols to put in place in order to avoid this type of attack? So today we have with us Brian McNeil and Joseph Serrano with Cyber Clan. Gentlemen, welcome. And thank you for being here. Would each of you just take a moment to introduce yourselves?

Brian McNeil:
Yeah, sure. So as said, my name is Brian. I’m one of the security analysts at Cyber Clan, and both of us really do a lot of the phishing campaigns that we do for clients. So we do simulated phishing, and we actually try to get people training by doing real phishing simulations. And that’s really where a lot of this is going to come from today.

Joseph Serrano:
And I’m Joseph Serrano. I’m one of the lead pen testers with Cyber Clan. Been here for a number of years, and we’ve done multiple phishing engagements as part of penetration tests, red team events, et cetera.

Erin Keating:
Perfect. Well, thank you guys, both for being here today. So I think for all the Luddites, which I am included in that category, out there today listening, would you just start with the basics? What is phishing?

Joseph Serrano:
So at its core, phishing is going to be an email that attempts to fool you, regardless of whether that contains malware or the ability to steal your credentials through a malicious link. It’s going to be all about trying to fool you into doing something. That could be as simple as, hey, send a wire transfer to this person, the boss ordered it, or it could be as complex as, here’s a link to a spoofed version of Gmail, a version of Gmail that looks like Gmail and acts like it but isn’t, in order to get you to sign in with your credentials, or even an email that just opening it can compromise the device. That recently happened with iOS devices.

Brian McNeil:
I’m going to expand on that because it can be more than just an email. You can get text messages. I’ve seen a lot of text messages going around with the pandemic going on right now about just here’s a text message on pandemic news in your community kind of thing. And that’d be a text. And I’ve also seen phone calls, people trying to get personal information out of you on a phone call, pretending to be the IRS or the CIA.

Joseph Serrano:
And that can get even more complex as sort of deep fake technology gets better. We’re learning to fake voices and fake webcam images. So yeah, across all spectrums.

Erin Keating:
So scary. Okay.

Brian McNeil:
Oh yeah. You can go to the point of, I think you could take a picture of someone and you can have a webcam picture and the face will move and everything.

Erin Keating:
Oh my gosh. That’s quite frightening. So I have a very silly elementary question. Why, because I’m assuming it’s phishing after F-I-S-H. Why is it ph? Does anyone have that answer?

Brian McNeil:
Because hackers are cool, man. Hackers speak cool.

Joseph Serrano:
I could be incorrect on this, but I believe it comes from the same place as the old term of phreaking that used to be done on a phone line before email.

Erin Keating:
Ah, okay. Oh, that makes a little sense.

Brian McNeil:
Ruined that for me.

Erin Keating:
You really just wanted to believe it was the hackers were so cool. So with it. So I’m curious. There’s a lot of companies out there that might be going, “Well, we’ve got great security protocols in place. We’ve got VPNs, we’ve got all sorts of security put around our emails and everything. We don’t need to really worry about this.” But why is it that people still need to be thinking about phishing even under the tightest security protocols?

Joseph Serrano:
Well, even under the tighter security protocols, the tightest protocols can’t stop legitimate user behavior. So in a successful phish, what we’re doing is looking for legitimate user credentials or a legitimate user machine with a legitimate user account to then act and behave as that user within your environment. The better the phish and the better the threat actor, the closer we can mirror someone’s actual behavior. It couples well with a pen testing philosophy known as living off the land, which is where we will use the tools that are already present in your environment to vandalize or ransom your environment back to you. So it just kind of couples all with that.

Erin Keating:
I’m thinking of this as far as all the emails I get in my inbox. I know that I’ve started in the habit of if I see something saying, oh, this is from Gmail and you have a notification, I just get away from the email, I go over to the internet and I go into my Gmail to see if there’s actually something there. Is that one of the more basic ways that people can just ignore emails that are coming in? Or even opening that email could put you at risk?

Joseph Serrano:
Even opening can put you at risk. iOS devices are recently vulnerable and exploited, where merely opening the email would allow attackers to take data from the phone.

Erin Keating:
That is quite frightening.

Brian McNeil:
Apparently Apple is being very, “Oh yeah, no, it’s not a big deal. Don’t worry about it.”

Erin Keating:
Are there certain devices that are more safe than others? I mean, is iOS more susceptible to things like that?

Brian McNeil:
Well, everything is susceptible. I think, Joseph back me up on this if you think, but I feel like more malware is written for Windows than it is Apple operating systems.

Joseph Serrano:
Mobile phones are becoming more common, so people are attempting to write more and more advanced malware for mobile devices, but it scales very well with how common a given operating system is. Probably the only exception to that is Linux, because so many websites, so much critical infrastructure and so many supercomputers all run on Linux that there’s more malware out there for Linux than its market share in the desktop user environment would make you think there would be.

Erin Keating:
That’s a good point because I would think most average individuals don’t even think about Linux as being a thing out there. We’re either on our Mac or we’re on our PC. And that’s all we really kind of think about. Or we’re on our Android device or we’re on our iPhone. And so we often aren’t thinking about the things that you all are thinking about, nor even knowing how far reaching it is.

Joseph Serrano:
Well, pretty much every website you visit is going to be running on a Linux server. There are exceptions to that, but it’s above 95%, I believe. Although, 90% of statistics are false. That’s basically what Alexa says, give or take a few percentage points.

Brian McNeil:
Regardless, straying away from the superior Linux operating system talk here, we do find that most office environments do run on Windows. If you have a regular employee, he or she’s got a Windows laptop. Person next to them, Windows computer. And that’s really where you’re trying to get the data from. You’re trying to get the document on their computer, which is all going to be office documents on the Windows. So we find a lot of this stuff is done for Windows simply just because of how common it is in the office environment.

Erin Keating:
So I’m sure in a COVID space, every cybersecurity podcast out there and content maker as well as us have been talking about how companies are even at a more increased risk right now because people are using their own devices for things. What kinds of things can companies think about as far as putting safeguards in place?

Brian McNeil:
Really, and it would be hard to do this now that everyone is generally working from home, working remote, but the best thing you can do against phishing is the training. And you really have to do some one-on-one training or a really in-depth training with people. So you start out with a simulated campaign, you make one, you send it to all the people at the office and you see who clicks on it. And then those people who click on it, you have to say, hey, okay, we’re going to have to put you through a training program now because you’re susceptible to this.

Erin Keating:
So what kinds of things, can you give us a few examples of ways in which people might see a phishing attack come in? Do you have any good war stories of a way that someone recently got attacked this way?

Brian McNeil:
Well, it’s generally through email. I get phishing texts and phishing calls all the time. I mean, sometimes I don’t know if really Super Eight Motel is calling me or not, but I really doubt it. We find that you’re usually going to find them through emails. A lot of COVID ones going on right now and in the states right now, there’s a lot of political ones going on right now as well, people asking for funds that don’t really go to where they say they’re going to go. One of the most common things to do is to look at the email address. Now of course, email addresses can be spoofed and that’s quite a bit advanced, but generally speaking, your run of the mill phish is going to come from a weird email address. If you get a Google alert and the domain of that email address is just a bunch of random letters, there’s a good chance it’s not actually from Google.
I find the best way to do it, especially in an office environment, is to ask: do I expect this email? If someone sent me a document, do I know what this document is supposed to be about? Am I really expecting it? Am I supposed to do work on this document? If I don’t know, talk to the person it says it came from if you can, or talk to someone with a face to face conversation. Because what I was saying with the spoofing emails, I can spoof employee one’s email address, send a phishing email to employee number two, and then all employee number two has to do is get up from their desk, walk over to employee number one, say, “Hey, what’s up with this email you sent me? I don’t know what this is.” And then they’ll say, “I didn’t send you an email. That’s sketchy.”

Erin Keating:
Right. And of course now everyone’s worried that you don’t have that face to face conversation. So is it as easy as also then, or is it as safe as just having a chat window open and chatting someone? I mean, everyone talks about this face to face, but I’m assuming you can get that information from a coworker other ways virtually.

Brian McNeil:
Oh yeah. Give them a call. Ring them up on the phone. Hey, what’s up with this document you sent me?

Erin Keating:
What do you think we are? 80? Come on.

Joseph Serrano:
And then if you have a secure communications platform, if you’re using Teams or Slack, it’s more likely than not that they haven’t compromised that. So you’ll be able to ask through those secure alternate channels.

Brian McNeil:
It can definitely be hard because I found out there are… A very good way of doing it because phishing emails are getting very, very targeted, what some people will do is they’ll send a word document over to the HR people posing as a job application. And when you open the documents, the docm files, it’s got macros on it and you hit enable macros, and that’s when the script starts to run and harvest all your data. So HR people have to watch out for that really.

Joseph Serrano:
And all those combined come back to a general topic of the main way to protect yourself is mainly in computer literacy, knowing what a macro is and that you probably shouldn’t enable them unless you’re expecting them. Knowing that Gmail is not going to email you from some random domain, it’s always going to come from the same email every time. Knowing who’s contacting you about what, and kind of that expectation. And it’s a challenge for both the technical and nontechnical. Because on the technical side, we have to learn better communication strategies and better sort of predictive analytics about people. That’s sort of like getting in touch with what we expect people to do and how they normally behave, which for some of the more misanthropic technical people out there is actually a challenge in learning how to expect and interact with people and what they’re going to get through their inbox and communication lines.
It’s not incredibly common. We don’t [inaudible 00:12:24] the stereotype that tech people don’t know people at all, but it is a thing. And on the other side, for nontechnical people, knowing what a macro is and whether or not they should enable it, that’s a question that they might not have the answer to. Again, not all, because stereotypes are almost never true, but it is just a matter of both sides learning a little bit about the other side in order to protect themselves against what is a very human attack. It’s the reason the field is called social engineering.

Erin Keating:
Yeah. That’s a good point. And I’ve always wondered, is it safe, if you get an email that you’re questioning, is it safe to forward it to someone to say, hey, can you look at this? Or even in the act of forwarding it engaging the actual email?

Joseph Serrano:
It would likely be safe to send it to your system administrator. They’ll know to check the email headers first. They’ll know to look in the backend of Gmail to see what’s going on with this email, where did it come from? Those extra precautions are in place before they open it if it is a suspected phishing email. A good way of doing this also is if your administrator has a dedicated sort of setup for opening phishing, such as an email address that is connected to a mail client on a machine that is sort of protected, which could be air gapped. It could just be virtualized, just protected in some way. They can open it on that and be relatively sure that even if it is malicious, they can just burn the device, basically. They could just wipe out that whole setup and rebuild it.

Erin Keating:
So you mentioned that you do a lot of pen testing and Brian, I loved your theory of let’s just embarrass employees to see. That’s not what you said. I’m putting words in your mouth. But if we run these campaigns and basically test the theory of which of our people are going to actually, I don’t want to call them dumb enough to open them, but are just not cautious enough and open certain ones, so now you’ve identified who might be needing the training, is that part of the risk assessment that you all work within at Cyber Clan? So if a client does come to you and say, “Hey, we need to understand what our risk profile looks like,” is it something as basic as checking phishing habits or response, I guess if you will, as part of that risk assessment?

Brian McNeil:
Well, I will say we do not want to embarrass people.

Erin Keating:
I put those words in your mouth.

Brian McNeil:
As funny as that would be. [crosstalk 00:14:50].

Erin Keating:
A meme of IT professionals thinking they’re pulling practical jokes on each other by phishing emails and things, catching them.

Brian McNeil:
Yeah. That would just be awful. Because then you can get really targeted and it’s not even fair at that point.

Erin Keating:
It’s lovely to learn a little bit more about the industry and the people that work in it and what you find is fun. But back to our serious question, the risk assessments.

Brian McNeil:
Yes. We do. One of the major things in our risk assessment is to look at how people do against phishing. And we will actually simulate several phishing attacks. So we’ll make it and we’ll send them off and we’ll see, we can track who’s clicking on it. And we do file a report on who clicks on it so that they can get the appropriate training. Because really it does all come down to the training. People need to know, the nontechnical people, they need to be technical enough to know about the dangers of some emails, what Joseph said about the macros.

Erin Keating:
Well, I was going to ask, as far as the training goes, again for a layman or as I like to call myself a Luddite, someone that really just feels like when you start talking macros and any other kind of language, my eyes glaze over and I’m not quite sure I’ll even understand. And so I’ll just turn into a nervous Nellie and send my poor system administrator every email I get. So how do you figure out or how do you make those types of terms? Is it exercises that people have to go through? Is it quizzes? Are there language and things that you’re showing them? How do you actually train someone to grasp technical concepts like this if they’re just not inclined?

Joseph Serrano:
I always recommend a multistage solution of sort of the approach of quizzes and learning videos and having someone sort of show you what to look for in a video format and then being quizzed on it. That sort of stuff is very helpful in just sort of getting that initial education. And then it’s the matter of testing it, actually going through and having your system administrator or a third party actually test that capability and see, okay, who needs a little bit more work, and just continuing the cycle of repeated trainings. If you find that video and training systems aren’t working, try to work with the specific employee or work with your employees in general and figure out where the gaps are, where they’re not picking something up, and just adjust as needed towards that. It kind of comes back to a general mindset of awareness: you don’t have to forward every email, but even when an email is okay, you should always be checking who sent it.
Who is it going to? Where did it come from? And what’s in it? And don’t trust it just because it has official looking logos or official looking language or a mean legal disclaimer or in some cases, even blackmail or intimidation. Always just be very careful and aware of it. And this is a concept which I refer to and I think a lot of others as the human firewall aspect of it, of training yourself to be the sort of first line of defense. Because you are not alone in stopping this phishing email.
Even if it does get through, there are spam protection mechanisms. There are phishing protection mechanisms in place to help you along that way. So if an email even makes it to your inbox, it’s gotten through those. So that’s where you’re going to come in and say, all right, as a human, does this look right? Does this feel right? And if it’s not, send it to someone who might know better. Have that conversation. That’s your next level of defense, that sort of social defense as part of the human firewall. Because the number one way to counteract a social engineering attack is with a social defense in place.

Erin Keating:
Yeah. And I think you make a good point because again, because phishing in my mind has been around for a long time, I think people always equate it with the email that comes to you from some Nigerian prince that needs money or something. So you’re always thinking it’s going to be some outrageous claim or something that you’re just going to go, well, that’s fishy right off the bat. But as you’re stating it, and as I’ve seen certainly even in my own email, a lot of the time these are coming from what looks like very legit Equifax. We just wanted to make sure that you’ve seen this recent bump in your credit report. And then all of a sudden, before you click there, you look in the email subject line, you’ll go, oh, wait, that’s not even from Equifax, but man, did that look like a very convincing Equifax email. So I think it’s really important that people understand just how complicated and how sophisticated a lot of the folks have gotten out there. Right?

Joseph Serrano:
Yeah. And what would it cost you to go to Equifax’s website, find their contact and say, “Hey, I got an email from you guys. Is that real?” It’ll take five minutes out of your day. You can put off looking at that email for a couple of days. And then when they get back to you about whether it’s real or not, you can move forward. And I don’t think there’s a sys admin in the world who would complain about protecting their users even further. It can get overwhelming for many IT departments, but it’s a good thing to do for your user base and your employees and help them move forward.

Brian McNeil:
As you said, let’s say you get something from Equifax, you get an email from Equifax, don’t click on the link that they say to go to the website. Go to the website. Or they give you a phone number to call in the email, go to Google, look up the customer support number and call that number and confirm. Go through a different channel than what’s in the email. Because yeah, hackers, they don’t care about copyright infringement. They’ll use whatever logos they want. Because you can get these things off of Google so easily. It’s a copy paste.

Joseph Serrano:
They usually take them out of the actual email that the real company sent.

Brian McNeil:
Oh yeah, definitely. We get an email from Google, just copy paste the code, there you go. Easy.

Joseph Serrano:
And sort of on that topic, my favorite sort of phish is one that looks very mundane, sort of similar to the Equifax you mentioned. I prefer boring HR policy, sort of like, “Hey, I want you to review some changes in the HR policy as they’re relevant to you and your team.” Just so boring.

Brian McNeil:
I don’t think anyone reads those. I think you’re the only one, man. Every time it’s like, here’s our quarterly report-

Erin Keating:
Yeah, we’re talking to the rule followers, the people who are like, well, I must have to read this because corporate sent it. But yeah, I’m sure there’s still plenty of people who would. And to that point, it’s not just the people, it takes all kinds to respond to phishing. So to that point, a person who really believes that they’re following all the rules could be the person that’s the most responsive to ones that come across as if it’s something coming from higher ups saying, “You’ve got to review this policy and show us that you read it. So click here to prove that you’ve read this policy,” or something like that, that it’s people who are believing that they’re actually just following the rules and that they aren’t. Do you guys have, just out of curiosity, do you have either a big case that you’ve worked on or just a national case that everyone has known about but may not have understood that it started in phishing, as an example?

Joseph Serrano:
We don’t deal much on the incident response side. So that would mostly be on Felix’s team. We do mostly on the initial intrusion side. We’ve worked with some very large firms in terms of that, but I think I’m not allowed to talk about any of them, especially if they’re larger.

Erin Keating:
What about a big national one? The Target, I don’t even know what the big Target hack was. Was that a phishing scam? Has there been anything in the national news that was actually related to a phishing attack? I don’t know. The answer may be that most of those are actually data hacks.

Brian McNeil:
Back in 2016, wasn’t there that one that happened in Ukraine that shut down the power? Wasn’t that a phishing? I believe that was a spear phishing attack that actually ended up in the shutdown of power all over Ukraine. I think back in 2016, I think it was.

Joseph Serrano:
I don’t know any large ones that have happened recently, but I know that just today COVID-19 themed phishing campaigns have spiked up, in terms of that. But also there’s a large campaign going around right now, which is that they’re using phishing campaigns with Fortnite, the popular video game, to bait minors into giving away credit card information because the parents will give them the credit card information.

Erin Keating:
Yes. I need to know all about this. My 12 year old plays Fortnite all the time, and I constantly feel like he’s asking me things. I’m like, do not respond to anything. Do not answer any chats. Do not do anything on that machine.

Brian McNeil:
I think V-Bucks are going to be more valuable than Bitcoin one day.

Erin Keating:
Yes. That is a true story. Yes. 100%. Now really quickly, you mentioned spear phishing. Is there a difference between spear phishing and regular phishing?

Joseph Serrano:
Yes. Spear phishing, we’re going to target specific individuals within a company. In a phishing, we’re going to target a larger sector. Not necessarily the whole company, maybe a single department, or maybe just what we can find online, but with a spear phishing, we’re going to target your CEO, your head of HR, maybe someone specifically who works in HR who we know isn’t high up in HR, someone in accounting. We’re going to target the email to be very specifically towards their interests and what they are going to fall for.
And this is a tactic which tends to be considered on the more advanced side, because the training required to get around this is much more in depth, because you have to know what someone’s going to do to fool you specifically. A good example of this is if I want to target someone in accounting, I’m going to send them a quote with maybe some products that their company sells on it. Maybe I’ve even received a quote from that company. And I’m going to say like, hey, I already paid this. Why is it being marked as unpaid? And they’re going to click on that to be like, what invoice is it? Do you have the invoice number off the top? And that’s when I’ve gotten you, because you downloaded my PDF.

Erin Keating:
Okay. That makes a lot of sense. Now that leads on to another question I have for you. If someone is subjected to a phishing attack, does it only affect their particular computer or their phone, or how does it reach out into the broader network of computers? And why do people and companies need to be more concerned about how it affects the entire system as opposed to just one device?

Joseph Serrano:
We consider phishing to be an entry point. If you’re interested at all in cybersecurity, you’ve definitely heard of the concept of a vulnerability and an exploit. Phishing is in the category for us in our everyday work as almost the exploit. It’s the way in to grab an initial foothold. Once we’re in, it’s then back to more traditional techniques of moving and migrating through the environment. So if we get your credentials, say they’re just your email credentials, our next step is to log into your email and send emails from your legitimate email that will be recognized by your system as legitimate emails to your coworkers. If we end up getting some sort of internal access through this, say your email password is the same as your VPN portal’s password, we’re going to start going on traditional network attacks, because we have a foothold in the network, or at least an ability to connect.
We’re now going to look for machines that we can jump into and then do what’s called pivoting where we then attack other machines from that machine, trying to gain a larger foothold in the environment. All the while, we’re building up a set of legitimate credentials as we go. The first machine we compromise, we create a new account. We look at how your network is, your users are laid out, and we try to add it within your framework to make it look like just another ordinary user on just another ordinary machine doing just ordinary user things. Now, those ordinary user things aren’t going to be ordinary for every user. And that’s how you can catch us. Because when a new account starts using PowerShell and using browsers in weird ways or something like that, you can kind of suss it out. But that’s more of the realm of what a SOC is trained to look for, not a person.

Erin Keating:
Well, I really appreciate the time with both of you. I would just leave this last moment here for any parting thoughts for folks listening about phishing and what concerns they should be on the lookout for, or how they should be approaching training.

Brian McNeil:
Take it seriously. You’re going to get phished every day. Yeah. Act like you’re going to get phished every day. I mean, I’ve been seeing a ton of emails and texts having to do with COVID on my personal stuff. So I am getting phished every day. And just treat every email as a phishing email. That’s really the best way to do it. Just be paranoid.

Joseph Serrano:
And for me, if you get an email that is threatening or attempts to blackmail you, just let it be. Because even if it’s real, what’s the worst thing that could happen? Kidding. [crosstalk 00:27:19]. Yeah. If you get an email that’s threatening or blackmail, it’s likely phishing and you can ignore it safely.

Erin Keating:
Well, I think that’s great advice and very interesting conversation. So Brian, Joseph, thank you so much for joining us today. And on this topic of phishing. We look forward to bringing you guys back in the future for other topics, especially around vulnerability testing and pen testing and so on and so forth. So thank you so much for taking a little bit of time out on a Friday afternoon to talk to us.

Brian McNeil:
Yeah. Thank you.

Erin Keating:
Absolutely. That’s it for today’s episode of Incidentally brought to you by Cyber Clan. Check us out at www.cyberclan.com.
