Levers of Human Deception
The Science and Methodology Behind Social Engineering

About Erich Kron
Erich Kron, Security Awareness Advocate, KnowBe4, Inc.
• CISSP, CISSP-ISSAP, MCITP, ITIL v3, etc.
• Former Security Manager for the US Army 2nd Regional Cyber Center – Western Hemisphere
• Former Director of Member Relations and Services for (ISC)2
• A veteran of IT and security since the mid-1990s in manufacturing, healthcare and DoD environments
About Us
• The world’s most popular integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• Former Gartner Research Analyst Perry Carpenter is our Chief Evangelist and Strategy Officer
• 200% growth year over year
• Over 23,000 customers: we help thousands of organizations manage the problem of social engineering
“All warfare is based on deception.” - Sun Tzu, The Art of War
98% of Attacks Rely on Social Engineering
Attackers go for the low-hanging fruit: humans
Agenda
• The Perception vs. Reality dilemma
• Understanding the OODA (Observe, Orient, Decide, Act) Loop
• How social engineers and scam artists achieve their goals by subverting its different components
• How we can defend ourselves and our organizations
The Perception vs. Reality Dilemma
Pick a card!
Is it gone now?
How did we identify and remove your card?
Here’s what we started with:
And here’s what we ended with:
Yeah: these are two completely different sets of cards. But, by rushing you through the process, you probably didn’t notice!
Understanding the root of deception
Our brains’ job: to filter, interpret, and present ‘reality’
Understanding the OODA (Observe, Orient, Decide, Act) Loop
An Interesting History: Using our brain’s strengths against us
http://ciamagic.com/
Spies, magicians, pickpockets, con-artists and cybercriminals all use the principles we are about to discuss.
OODA: A Model for Decision Making
What is an OODA Loop and how do I mess with it?
Observe → Orient → Decide → Act
“In order to win, we should operate at a faster tempo or rhythm than our adversaries—or, better yet, get inside [the] adversary's Observation-Orientation-Decision-Action time cycle or loop ... Such activity will make us appear ambiguous (unpredictable) thereby generate confusion and disorder among our adversaries—since our adversaries will be unable to generate mental images or pictures that agree with the menacing, as well as faster transient rhythm or patterns, they are competing against.”
-- John Boyd (creator of the OODA Loop)
How social engineers and scam artists achieve their goals by subverting the loop’s components
Social Engineering
The ideal situation for a social engineer is to hijack the OODA loop by creating a knee-jerk action that effectively bypasses the first three steps and results in the attacker’s intended Action.
Attackers will do anything to bypass critical thinking
Example: spoofed campus security alert
• Spoofs a campus-wide security alert for a community college in Florida (confidential information blocked out)
• Exploits current concerns over active shooters on education campuses
• Crafted to generate a reflexive click
• Directs to a credential capture site
• Other variants seen:
  • “IT DESK: Security Alert Reported on Campus”
  • “IT DESK: Campus Emergency Scare”
  • “IT DESK: Security Concern on Campus Earlier”
Example: Business Email Compromise (The Phish Evolved)
• a.k.a. CEO Fraud
• No payload
• Low-volume email targeting high-value individuals
• Personalized
• Few to no ‘traditional’ spam/phishing tells (such as poor grammar, egregious misspellings, etc.)
Example: W-2 Fraud
The Invoice/P.O. Phish
• The most common phishing genre in the emails reported to us via the Phish Alert Button (PAB)
• This type of phish easily blends into the deluge of emails that employees in many positions deal with on a daily basis.
The Package or Parcel Delivery Phish
• Companies and organizations in the business of delivering packages and parcels now email customers and users on a daily basis.
• Once again, the bad guys regularly seek to capitalize on and exploit this kind of routine customer communication by crafting phishing emails that mimic those sent by recognized organizations like USPS, UPS, FedEx, and DHL.
Example: Gift Card Scams
Source: BEC-international Slack Channel
Example: Payroll Redirection
Source: BEC-international Slack Channel
Example: Wire Transfer Fraud
Step 1: Starts simple
Step 2: Moves to the attack
Source: BEC-international Slack Channel
Clickbait: It’s More Science Than You Think
• Leverages “pattern interruption” to create curiosity, often based on the “information gap” theory
• “Such information gaps produce the feeling of deprivation labeled curiosity. The curious individual is motivated to obtain the missing information to reduce or eliminate the feeling of deprivation.” - George Loewenstein, Carnegie Mellon
• Also leverages outrage and anger, which drive us to take action
How we can defend ourselves and our organizations
Are You Being Manipulated? Understand the lures
• Greed
• Urgency
• Curiosity
• Fear
• Self Interest
• Helpfulness
Where are you distracted?
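The lures listed above, and the “IT DESK” campus-alert and CEO-fraud examples earlier in the deck, can be turned into a first-pass triage rule for mail that users report. The following is an added example written for this page, not KnowBe4 code and not part of the original presentation. It scores an email on which lures its wording pulls on (one point per lure), on borrowed authority in the display name or subject, on a sender posing as internal from an outside domain, and on links whose visible text names a different host than the href. The keyword lists, the organization domain example.edu, the threshold of 5 and the three sample emails are all assumptions constructed for the example; the first sample reuses the subject-line pattern shown on the campus-alert slide.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

# Keyword lists are illustrative assumptions, one list per lure named on the slide.
LURE_TERMS = {
    "urgency": ("immediately", "within 24 hours", "urgent", "right away", "asap"),
    "fear": ("security alert", "emergency", "scare", "suspended", "locked out"),
    "greed": ("gift card", "bonus", "reward", "prize"),
    "curiosity": ("you won't believe", "see who", "confidential report"),
    "self_interest": ("payroll", "direct deposit", "w-2", "refund"),
    "helpfulness": ("can you help", "quick favor", "i need you to"),
}
AUTHORITY_TERMS = ("it desk", "help desk", "campus security", "ceo", "president")
CREDENTIAL_TERMS = ("log in", "login", "sign in", "verify your account", "password")
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
FLAG_THRESHOLD = 5          # assumed cut-off; tune against your own reported mail


@dataclass
class Email:
    from_header: str                    # raw From: header, e.g. '"IT DESK" <x@y.com>'
    subject: str
    body: str
    links: list = field(default_factory=list)   # (anchor text, href) pairs


@dataclass
class Verdict:
    score: int
    reasons: list


def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def host_of(url):
    """Hostname of a URL; bare hosts such as 'portal.example.edu/x' are accepted."""
    if "://" not in url:
        url = "http://" + url.strip()
    return (urlparse(url).hostname or "").lower()


def in_org(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def score_email(mail, org_domain):
    score, reasons = 0, []
    text = (mail.subject + "\n" + mail.body).lower()
    display_name = parseaddr(mail.from_header)[0].lower()

    # 1. Which of the slide's lures does the wording pull on? One point per lure.
    for lure, terms in LURE_TERMS.items():
        hit = next((t for t in terms if t in text), None)
        if hit:
            score += 1
            reasons.append(f"{lure} lure: {hit!r}")

    # 2. Borrowed authority (IT DESK, CEO) in the display name or subject.
    claims_authority = any(t in display_name or t in mail.subject.lower()
                           for t in AUTHORITY_TERMS)
    if claims_authority:
        score += 2
        reasons.append("claims an authority role")

    # 3. Poses as internal, but the actual address is not on the org domain.
    sender = sender_domain(mail.from_header)
    if sender and not in_org(sender, org_domain) and (claims_authority or org_domain in display_name):
        score += 3
        reasons.append(f"external sender {sender!r} posing as internal")

    # 4. Links: anchor text naming one host while the href goes elsewhere,
    #    and credential requests that lead off the org domain.
    for anchor, href in mail.links:
        href_host = host_of(href)
        anchor_host = host_of(anchor) if HOSTLIKE.match(anchor.strip()) else ""
        if anchor_host and anchor_host != href_host:
            score += 3
            reasons.append(f"link text says {anchor_host!r}, href goes to {href_host!r}")
        if not in_org(href_host, org_domain) and any(t in text for t in CREDENTIAL_TERMS):
            score += 2
            reasons.append(f"credential request pointing off-domain: {href_host!r}")
    return Verdict(score, reasons)


def is_suspicious(mail, org_domain):
    return score_email(mail, org_domain).score >= FLAG_THRESHOLD


ORG_DOMAIN = "example.edu"   # assumed organization domain

# Constructed samples; the first reuses the subject-line pattern shown on the slide.
CAMPUS_ALERT = Email(
    from_header='"IT DESK" <itdesk-alerts@campus-alerts-notice.com>',
    subject="IT DESK: Security Alert Reported on Campus",
    body="A security alert was reported on campus earlier today. All staff and "
         "students must log in immediately to confirm their contact details.",
    links=[("portal.example.edu/alerts", "http://example-edu-portal.com/login")],
)
CEO_GIFT_CARD = Email(
    from_header='"Jane Doe, CEO" <jane.doe.ceo@gmail.com>',
    subject="Quick favor",
    body="Are you at your desk? I need you to pick up some gift cards for a client "
         "today, I'll reimburse you. Keep this between us for now.",
)
BENIGN_NOTICE = Email(
    from_header='"IT Service Desk" <servicedesk@example.edu>',
    subject="Scheduled maintenance on the learning portal this Saturday",
    body="The learning portal will be unavailable from 02:00 to 04:00 on Saturday "
         "for maintenance. No action is needed.",
    links=[("Maintenance calendar", "https://status.example.edu/maintenance")],
)

if __name__ == "__main__":
    for name, mail in [("campus alert", CAMPUS_ALERT), ("CEO gift card", CEO_GIFT_CARD),
                       ("benign notice", BENIGN_NOTICE)]:
        v = score_email(mail, ORG_DOMAIN)
        print(f"{name}: score={v.score} flagged={v.score >= FLAG_THRESHOLD}")
        for r in v.reasons:
            print("   -", r)
```

The reasons list matters more than the number: it tells the analyst which lever (urgency, fear, authority) the message pulls, which is exactly what the user should learn to notice. The gift-card sample scores with no link at all, which is the point of the slide’s BEC examples: the lure is the payload.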
Arm Your Organization
Through combined security awareness and behavior training. Security awareness, coupled with frequent simulated phishing training, will help employees make smarter security decisions, every day.
Benchmark Phish Prone Percentage by Industry
Baseline Phish Prone Percentage (B-PPP), by organization size (employees)

Industry                          1–249   250–999   1000+
Energy & Utilities                31.56   29.34     22.77
Financial Services                27.41   28.47     23.00
Business Services                 29.80   31.01     19.40
Technology                        30.68   30.67     28.92
Manufacturing                     33.21   31.06     28.71
Government                        29.32   25.12     20.84
Healthcare & Pharmaceuticals      29.80   27.85     25.60
Insurance                         35.46   33.32     29.19
Not For Profit                    32.63   25.94     30.97
Education                         29.20   26.23     26.05
Retail & Wholesale                31.58   30.91     21.93
Other                             30.41   28.90     22.85

Average initial baseline PPP across all industries and sizes: 27%

Average baseline PPP by size of organization:
1–249 employees: 30.1%
250–999 employees: 28.5%
1000+ employees: 25.06%
Results after 1 Quarter of CBT and Phishing Testing
90-day Phish Prone Percentage, by organization size (employees)

Industry                          1–249   250–999   1000+
Energy & Utilities                12.53   13.31     13.40
Financial Services                10.01    9.09     14.53
Business Services                 12.89   13.99     13.86
Technology                        14.12   16.93     19.83
Manufacturing                     13.87   14.24      9.88
Government                        13.13   12.76      7.90
Healthcare & Pharmaceuticals      16.81   11.02     15.79
Insurance                         13.39   16.49     13.23
Not For Profit                    16.01   17.28     17.07
Education                         16.95   17.16     22.56
Retail & Wholesale                13.39   10.47     10.49
Other                             14.86   16.37     19.97

Average 90-day PPP across all industries and sizes: 13.3%

Average 90-day PPP by size of organization:
1–249 employees: 13.11%
250–999 employees: 13.20%
1000+ employees: 14.10%
Results after 12 Months of CBT and Phishing Testing
One-year Phish Prone Percentage, by organization size (employees)

Industry                          1–249   250–999   1000+
Energy & Utilities                 2.83    1.87      5.56
Financial Services                 1.54    2.22      5.81
Business Services                  1.89    3.09      1.27
Technology                         2.02    2.42      2.69
Manufacturing                      2.16    3.13      2.47
Government                         1.87    1.46      1.52
Healthcare & Pharmaceuticals       2.00    1.65      2.17
Insurance                          2.23    2.68      5.26
Not For Profit                     2.47    2.24      3.01
Education                          2.80    1.91      5.31
Retail & Wholesale                 2.14    1.87      2.68
Other                              1.82    3.18      4.21

Average one-year PPP across all industries and sizes: 2.17%

Average one-year PPP by size of organization:
1–249 employees: 1.94%
250–999 employees: 2.21%
1000+ employees: 3.04%

Percentages are calculated for users who experienced a combination of CBT *and* at least 10 phishing tests.
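The footnote’s cohort rule (CBT plus at least 10 phishing tests) is what makes the baseline, 90-day and one-year figures comparable; without it, users who left early or never trained distort the numbers. The following added example, written for this page and not KnowBe4’s own reporting code, shows one way to compute a programme trend under that rule. The data is constructed: twelve trained users phished every 30 days for a year, a contractor who left after three tests, and an intern who never completed CBT. The window boundaries (day 0, days 80–99, days 355–379) are assumptions chosen to match the three reporting points on the slides.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishTest:
    user: str
    day: int        # days since the programme started
    clicked: bool   # user fell for the simulated phish


MIN_TESTS = 10      # cohort rule from the footnote: CBT plus at least 10 tests


def eligible_users(tests, trained_users, min_tests=MIN_TESTS):
    """Users who completed CBT and received at least `min_tests` simulated phishes."""
    counts = Counter(t.user for t in tests)
    return {u for u, n in counts.items() if u in trained_users and n >= min_tests}


def ppp(tests, cohort, day_from, day_to):
    """Phish Prone Percentage for tests sent on days [day_from, day_to), cohort only."""
    window = [t for t in tests if t.user in cohort and day_from <= t.day < day_to]
    if not window:
        return None
    return round(100.0 * sum(t.clicked for t in window) / len(window), 2)


def programme_trend(tests, trained_users):
    """Baseline, 90-day and 12-month PPP for the eligible cohort, plus the
    unfiltered baseline to show what the cohort rule changes."""
    cohort = eligible_users(tests, trained_users)
    everyone = {t.user for t in tests}
    return {
        "cohort_size": len(cohort),
        "baseline_unfiltered": ppp(tests, everyone, 0, 1),
        "baseline": ppp(tests, cohort, 0, 1),
        "90_day": ppp(tests, cohort, 80, 100),
        "12_month": ppp(tests, cohort, 355, 380),
    }


def build_sample():
    """Constructed data: 12 trained users phished every 30 days for a year,
    a contractor who left after three tests, and an intern who never took CBT."""
    tests = []
    days = range(0, 361, 30)
    for i in range(12):
        for d in days:
            clicked = (d == 0 and i % 4 == 0) or (d == 90 and i % 6 == 0) or (d == 360 and i == 0)
            tests.append(PhishTest(f"user{i:02d}", d, clicked))
    tests += [PhishTest("contractor", d, True) for d in (0, 30, 60)]
    tests += [PhishTest("intern", d, True) for d in days]
    return tests


TRAINED_USERS = {f"user{i:02d}" for i in range(12)} | {"contractor"}
SAMPLE_TESTS = build_sample()

if __name__ == "__main__":
    for k, v in programme_trend(SAMPLE_TESTS, TRAINED_USERS).items():
        print(f"{k:>20}: {v}")
```

On the constructed data the unfiltered baseline is 35.71% while the cohort baseline is 25.0%; the two departures and the untrained intern alone account for the gap, which is why a programme report should state the cohort rule next to every percentage it publishes.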
Build engagement and decrease behavior-related risk
Baseline Testing: We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack.
Train Your Users: On-demand, interactive, engaging training with common traps, live hacking demos and new scenario-based Danger Zone exercises; educate with ongoing security hints and tips emails.
Phish Your Users: Fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.
See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!
Thank You!
Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | [email protected]