(gentle music) (clapping)

- Thank you all for being here this morning. We're gonna have a lot of fun talking about BEC. Now, I'm gonna do my best not to say the word Nigeria-- uh, sorry, a little late. Never mind. We're gonna talk a little about Nigeria as well because it's an important thing to understand what our threat actors are. I like to have fun with presentations so if some of you recognize these quotes up here then fantastic. If not, don't worry. I give correct attribution where I need to.

We're gonna start out really quickly by focusing on why we are losing this battle. Anyone who thinks we are winning this battle, I have some horrible, horrible news for you. We're then gonna talk about Tradecraft Shark, doot, doot, doot, doot, doot. We're also gonna talk then about how we work together. And last but not least, I have a little bit of a tool release for you as well. So, we're gonna have some fun.

All right, any fans of The Office in here? The U.S.-based Office? There was a fantastic quote that Michael Scott said, well, I'm saying Michael Scott said it. "If you want to lose, pick a fight with revenue." I don't know how many folks that are intel practitioners or analysts, or digital forensic and incident response, or whatever acronym or logo you'd like to throw on whatever role it is you do. I don't know how many folks consider that this is actually what you're battling up against in a lot of cases. I'm aware malware is super sexy. Don't get me wrong, I've seen some amazing exploits in my time. I've seen some nations do some things that have completely blown me away. But I have to remember that at some point in time I am battling with dollar signs.

When I was here two years ago on this exact stage, in this exact room, giving a very, very similar talk, we had some statistics from the FBI. Between October 2013 and May 2016 this particular type of attack or groups of attacks had stolen somewhere in the vicinity of 3.1 billion dollars in losses. Has anyone done the math really quick? I did, saved you the hassle. It's an average of somewhere in the vicinity of 3.168 million dollars a day. I don't know. Anyone here making that much money in revenue right now? 'Cause this attack group is. Guess what? They updated our stats for us. June 2018 the FBI came back and said global aggregate 12.5 billion dollars in losses. We now have a threat group that has now escalated to a whopping 7.366 million dollars a day average take-home pay. Not a bad way to run your threat campaign.

So, if anyone out there is ever asking the question of like, "It's just spear phishing, right, why should I care?" You're clearly then telling me that you can afford this loss. In which case I'd like to be your best friend if we possibly could. This is why we have to care about this. Because IP theft is cool. Not cool that it's stolen, but it's a cool thing to follow. Year-long investigations are amazing to follow. Very, very intricate, detailed, quiet, silent, stealthy threat actors are amazing to follow. These guys right here, this is days, maybe weeks at most inside of an environment. Sometimes you'll find a couple months-long cases. We'll talk about those. But this is a threat actor that needs a couple of days in order to literally bring companies to their knees. Which we'll talk about in a moment as well.

All right, let's talk about some tradecraft because that's one of the key things that has changed, that has developed about this particular threat actor. And, of course, anywhere I can insert the theme song into your head I will. Good luck getting it out now. By the way, Tradecraft has the correct number of syllables to fill right into Baby Shark as well.

Two years ago this is the example that I used. Believe it or not this example still trips up a lot of people. We get things like late in the day, transposed domain names, fake forwarded emails, basically text manipulation. Really, really simple and straightforward. This is an easy phish. Lot of folks in this room, who would ever click that? Who would ever open that? Ah, but see, you're not the intended audience of this particular email. We're gonna talk a lot about the human side of these attacks and how it gets forgotten in a lot of this as well.

This was a really simple flow model for our attack groups. I phish a target. That target receives an invoice. They send money to that particular bank account. I have someone go raid that bank account and boom, I'm done. Wash, rinse and repeat. This earned three billion dollars over the course of a couple years. It worked, it was great, but then guess what happened? Snarky, smart-ass security researchers get on stage at the 2017 CTI Summit and say look at what all these people are doing, look at all these techniques. Look at how we can thwart all of this. So, our attackers had to get a lot smarter.

They also used to give us a lot of really nice pivot points as well. I used to get PDFs and metadata. They would buy a computer and register it to their actual name. They would leave their address behind. They would post pictures of themselves on Facebook buying G-Wagons with the flag and the license plate and the mailbox right behind it. It was like a threat intel dream. It was almost like every single day was the APT1 report. We're like okay, cool, there we go. There's the guy getting the money out of the bank, there's him stuck in traffic in downtown Lagos, and there he is buying a car with said stolen money. I can trace this back together. But unfortunately, this was not going to last forever. By the way, don't get comfortable with levels of data, levels of attribution, or any sort of intelligence that we are releasing or that an attacker may become aware of because they'll take it away and they'll get smarter.

Here's the new news. The new way that these attacks take place. Anyone seen this page before? I hope not because I'm hosting it in DigitalOcean right now on a droplet that's costing me five bucks a month and any credential that gets entered gets emailed directly to me. So, I hope you have not seen this page before, but I'm sure you've seen a page like this page. And the distinction that I've just made there is the difference between a successful phish and an unsuccessful phish. That's what these attackers are taking advantage of. It is just enough. How many people in this room immediately let their guard down a little bit? You weren't aware that you let your guard down, but you did. I'm familiar with that. Nice little stock hipster art in the background, probably somewhere in a Starbucks on a MacBook. There's a little top of a nice flower latte to the side. Someone's in a nice pullover sweater, probably working on their novel or something like that. That's your login page. Because that's what you think about when you login. By the way, if anyone ever sends you a document and says I'm storing this in OneDrive for you, the other mail login is not the way you access that thing.

Our attackers got smarter. They figured out how to duplicate websites. They also figured out that there were other steps beyond this. What some attackers do is they're really good at step one. They build an amazing facade and then you walk into the warehouse and it's just this absolute nightmare. These guys take it a step further. They've actually done some work and they've built out these login pages. How familiar does that look? Guard goes down further. How about that one? Can anyone say that is not the legitimate code that provides the login box for Microsoft? It definitely is. And as we all know there's a second page for that as well. And you better believe the second step has the nice little multi-dot scrolling bar at the top which is Microsoft's nice little spinning wheel. And then sometimes you just gotta get creds. So, they just throw some sort of random page in there because I don't know, if you're not used to seeing this or this, maybe you're used to seeing that. But either way, credentials go back to the same place.

Our attackers that were once creating very, very basic, very, very simple PDFs, all learned how to code. Sorry, let me rephrase that. They learned how to steal code from other people as well. Before we get to their code though, some of their various email techniques, and I apologize, this font, I would like it to be a little bit larger but that's okay. We had a last-minute A/B switch. They'll use transposed character substitution domains. They'll still do that. That's still a big one. They will do Unicode play. Anyone been caught in a Unicode trap? Believe it or not, for some reason, someone decided a long time ago that we might want to put emojis inside of email subjects. Those of you who get spam mail know exactly what I'm talking about. I can put nice, big, beautiful, bright emojis, I can also hide things inside of there as well.

Email body encoding obfuscation. Anyone here familiar with RFC 2047 off the top of their head? I know someone's googling it right now. If you're not, guess what? That's the RFC for SMTP that allows you to put encoded email data in your headers. That is a subject line that says account invoice number 19043 or something like that. Do you think the user ever sees that text? By the way, has anyone here ever written a successful regex for Base64? Good luck. We're doing a lot of intra, we're doing a lot of processing to convert that to get it working. I can speak from personal three-day-old experience, text filters inside of O365 and Gmail have a very, very tough time with those particular strands. Very tough. But they get rendered in the browser (snapping) no problem. Our attackers know little intricate details like this as well. Be honest, did anyone here just learn in the past four minutes that I could put Base64 data inside of an SMTP header? 'Cause guess what? I learned this recently too. Our attackers though, they study this. They watch these different things. How can I make plays here? Does this feel like spam email tactics? Does this feel like click-here-for-enlargement links? And, you know, other sort of spam emails you get? This seems like techniques that I wouldn't expect a group this successful to be using. But sure enough they are. There is a whole 'nother topic of attackers blending in commodity techniques into their workflows, but we're not gonna get into that right now. We're gonna stick on this one. But just understand that they are studying RFCs, they are studying how data gets represented, they are propping up environments, they are replicating attacks. They are doing all of this to see what does it look like on the other side.

I'm gonna splice a couple of slides in as we walk through the new news of BECs. I'm gonna start to call out some techniques. So, we've already seen website replication. I'm aware that's not how you spell replication. The A key on my keyboard broke. Data encoding. Data obfuscation. Multiple types of spear phishing. And these are very, very targeted campaigns.

Let's talk about how some of their other techniques have advanced as well. They've learned how to code. This is the PHP code that was from that previous page. For anyone that's looking too closely, the third line is an attacker email address. It's likely been shut down by now, but if anyone wants to go check and have some fun, it's there. If anyone has a Gmail backdoor they want to activate really quick, you can go and find out the population of clients here. But look at this code. This code is commented. Number one. Well, it's got three, four, five comments, which, don't lie, is more than some of us include in our scripts. It is nicely formatted. There are conditional statements. Did they give me OneDrive? Did they give me Outlook? There is also, to the right side here, geolocation lookup. Did the individual that I phished in San Francisco log in from San Francisco? There's an .htaccess file that is too large to include with this particular slide right here. Who here works for a security company? There's an .htaccess file with your egress IP inside of that .htaccess. You coming from your home office cannot access most of these sites because they stop you at the IP level. Guess what? That's the most basic type of firewall you'll ever run into. But guess what? It also works. It works really well. And they prevent these types of things from happening.

Everyone, this is a group that for the largest part of I can remember in the past couple of years has just been a nuisance to everyone. We're seeing replicated but well-structured code. We're seeing security research firms prevented from access. We're seeing targeted campaigns. We're seeing use of data obfuscation, use of data encoding. Starting to feel a lot like an advanced group. Starting to sound like it at least. So let's call out a couple things here. Automated credential collection, normalization, and enrichment. If you think there are not scripts on the other side of this email address right here, that is collecting and collating email addresses, and providing them in an automated manner, and also doing correlation for you, I've got some awful, awful wake-up news for you because I guarantee you they are. They are very aware of who they break in to. We're going to talk about how and why as well.

Let's talk about the new type of attack. How these things are launched now. Same deal. We have a target. Anyone have an email account? How many people have you emailed using your email account? There's this scary, scary notion out there of someone gets access to your email account and a lot of people think, oh my gosh, I've sent W-2 forms in there. I've got social securities inside of there. I've got all this data in there. I know none of us have ever emailed unencrypted, sensitive work data, so I won't say that out loud. However, there's a lot of things in our email accounts that we wouldn't want someone to get access to. These guys want your address book. That's it. They want your address book.

Here's how our attacks work these days. First off, if you'll notice, there is a fork in the road. We're gonna turn right first. We take that first fork in the road, someone breaches a target, they get into that particular account and they start scraping that address book. They start saying, ah, so-and-so works in such-and-such department. I'm gonna get the department. I'm gonna find the CEO. I'm gonna find, wait, boom and gold. There's the person responsible for money transfers. Let me break this down into another situation for you. The early version of these attacks needed to phish someone in accounting. Preferably somebody who was in charge of sending money. Because that person needed to process a document. I don't need that anymore. The whole company is now up for grabs because all I need is the global address list. And Active Directory takes care of the rest for me. So, all I have to do is hit someone somewhere with an email account. And then I can start to enumerate.

Also, what happens if I send an email internal to internal? Do I gain all the wonderful benefits of all these external email things that have been put in place? Do I get that nice little EXT flag added on to my subject line? Do I get some sort of a warning that shows up and says FYI, you might not want to open this thing because nothing works out here? I hope no one here is in this boat. But I've been in a lot of situations where companies turn off internal-to-internal monitoring. There's way too much going back and forth, we don't want to get that taken care of. Think about the compliance risks if you were monitoring and scanning your own internal email. They know this. They know how we treat internal email and they use that to their advantage as well.

So, the next thing they do, they also take a deeper look at your address book. Your internal address list, fantastic. Who else are you talking to outside? Who else are you emailing? Let me phrase this in an intelligence way. Who else do you have a trusted relationship with that I can take advantage of right now? What other credentials have I stolen? What other accounts do I have access to? Can I map out your entire supply chain from attack to attack, from victim to victim, just by doing address list correlation? I'm telling you right now the answer is obviously yes.

Now, I'll pause here. 'Cause I know some of you out here are like, yeah, but this is not as fancy as like stealing Kerberos tickets and hopping across forests. And all that really, really cool stuff. Can I give these guys bonus points because they don't need to? They already have what it is they need. Who here has got O365 tied into Active Directory? Don't raise your hands. There are some folks in the room who really want to know that. I don't want to make you volunteer that information for us. But let's start to draw a lot of links and correlations between these two here and all of a sudden, I've got a pesky, nuisance group that primarily utilizes spear phishing that all of a sudden just encountered my entire Active Directory as well as a target list of all the people who won't think twice about an email address from me. Pretty sure that gives us another technique that we'll look at in a moment.

That whole diagram that I walked through just a moment ago gets washed, rinsed, and repeated and daisy-chained for as long as they can possibly go. Because guess what? I already have the trust and I can go from address book to address book, to address book to technique, to technique, to technique, until finally boom, I've got a hold of 20 different companies all daisy-chained together, and I didn't have to send but one spear phishing email. That is the beauty and again, I'm being very careful on compliments here, but that is the beauty of one spear phish. One turns into 20 targets. Talk about a threat intel diagram. Anyone ever drawn link analysis like these together before where you're looking at how many things go through? I've easily seen super, super, super advanced groups with the same type of correlation, same type of lateral movement taking place.

Let's talk about who this particular target may be. It may be you directly. It may be one of your shippers, maybe a supplier. Some other external vendor. HVAC, some other vendor who supplies a service to your company. There's also attacks taking place right now on real estate. There are spoofed C-suite ACH changes. Spoofed website fixes. All different types. If you can think of a way that I can insert myself into the flow of money inside of an organization, you are a target or that particular transaction is a target.

I'm gonna classify a new technique. I couldn't find this in the ATT&CK matrix. Intra- and inter-organizational lateral movement via email. As far as I'm concerned and experience tells me that it works. I've seen it happen. Now, again, my goal is not to break into the file share or rip credit cards or social security numbers out of a database. But if my goal is to steal money and my goal is to insert myself into the payment flow of 20, 30, somewhere in the vicinity of 800 thousand monetary organizations, no problem. I've got that sorted out.

Here's one example. I actually worked this case about two weeks ago. This is a very, very straightforward example. A company has a vendor. That vendor does things for the company. The vendor bills the company, the company pays the vendor. Hopefully no one has an issue with this particular cycle. This is how the world works. The attacker compromised the vendor. Not the company, the vendor. Sat in the vendor and monitored and watched for all this email activity. Who are they talking to? Who are they billing? Who are they sending invoices to? And you better believe that the attacker then referenced the exact same invoice from the month of November and said, "Hey company, we have not been paid yet for November, would you please pay us?" What followed was a 12 back-and-forth email conversation about we have not been paid. I swear I sent it. I'm so sorry. We didn't receive it, blah, blah, blah. Oh, by the way, we now bank in Hong Kong. And at this point in time, the person at legitimate company feels so awful about not having paid this vendor that they're like I will do whatever you want, no problem. If anyone in here thinks that that feeling of awfulness and regret and remorse was accidental, you are 100% wrong. That is the goal. Make someone feel so bad about not paying you that they will happily redirect money anywhere in the world for you. And again, it works to the tune of probably now upwards of 14 to 15 billion dollars.

So, I'm gonna call out another technique. Trusted relationship abuse. We saw this a little bit earlier as well.

What do they do once they get access to these inboxes? Well, as I said earlier they take advantage of your address book, that's the big one. They get trust. They are in an account that you won't think twice about. They will also drop in inbox rules where they will forward your inbox or emails that match certain things, pick a phrase if you want, and they'll forward that out to some sort of external account. They'll also drop in SMTP forwarding and say screw it, every email that comes through the door send it over my way. They'll search for keywords. Wire, payment, invoice, remittance, ACH, so on and so forth. They look for terms that help them figure out the flow of money.

And I really hate to say this, but I've also seen, in the case that I just walked through a moment ago, multi-factor auth being thwarted as well. Now, before anyone goes super crazy, this was not a multi-factor auth bypass. They do two things to get around this. Number one, they get legitimate access to an account. They set up an application password which gives them single-factor auth to get in. That's one method. I should say there's really three. Method two. Try to log in, you get prompted for multi-factor. As long as you select keep me signed in, you've got enough time. When you get a multi-factor phone call, what do you do? You answer it, press one, whatever it is you're supposed to do, right. Do we ever take a step back and say, wait a second, I didn't just try to log in to anything? So, we're in this weird phase now where we've made a security recommendation for years and now the users are kind of in changing password world. Where they're just like this thing is just a nuisance. Yeah, whatever, accept, accept, accept. I would hope that if anyone in this room and anyone at the companies you all work for received a Duo push in the middle of the night, you would ignore it. Unfortunately, the average bear does not. So, the users accept anyways.

Let's round up these techniques. Well-funded, trusted relationship abuse, lateral movement internal and external, data obfuscation, encoding, automated credential theft, targeted campaigns, website replication, the A worked there. Multiple types of spear phishing, MFA bypass, exfiltration via email. At what point do we start to call this an advanced threat actor? At what point do we start to treat them with the same level of respect, and of course that's an I-wanna-burn-you-to-the-ground respect, that we do with other nation states? At what point, how many boxes do I need to check as a threat group for someone to finally say we have a serious problem here? We'll talk about that one in just a little bit.

In case you're confused by this particular list right here, I went ahead and threw it into what you may be more familiar with. Granted it's hard to read and this is, yes, just a screenshot of ATT&CK Navigator, but I went ahead and selected some boxes. But what I started to think about was actually something else. How do we start to defend against this better? How do we get to a place where our users are not suffering so much? And I wish, I wish there were some sort of structure I could use in order to provide guidance to people. Some sort of boxy framework setup thing. I came across a matrix and I had this brilliant idea for designing the matrix. The Defense Matrix. But I was afraid that no one would read it. So I made it leet. Then I was afraid Katie wouldn't be able to read it. So then it's the Defense Matrix. (clapping and laughing) Wait, hold on. Then, I was afraid that Chris wouldn't be able to read it, so you can use an S or a C, if you want. The Defense Matrix, and again I'm having fun here, but in a very, very, very real sense. If you're taking a photo of this, there's three more columns to add. Defense Matrix very, very, really gave me a way to talk to my clients and say you know what, here's the things that you need to be considering. I'm not gonna send you bullet lists in an email. I'm gonna start giving you a structure of things to think about. Then I said, what happens if we actually got breached? I'll give you a recovery column. Call the FBI, call the bank, call your external counsel, call internal counsel, change your passwords. Implement MFA, wait, you should have already done authentication. And then I said, what if all else fails? Unplug the internet, go home, polish resume or just do nothing and turn a blind eye.

But you know what everyone? We're missing one key piece to all this. All of this assumes there's ones and zeroes that I can control and that I can program and that I can deal with on the backend. You're missing the true, true defense mechanism here which is the human, the most important one. The way to thwart attacks like this is trust your humans. This doesn't feel right. That is not usually how Matt asks for money. I swear to god I paid him that invoice. Oh wait, I did, there's the ACH transfer. Did you ever think that in the course of 13 emails being exchanged back and forth, no one ever went to the bank and said can you just verify that that check actually got sent? No one made that additional step. So, let humans do what we're good at doing. Which is feeling uncomfortable about things. And feeling uncomfortable about security and use that, use that to help determine what your environment is gonna look like if you allow these things to take place.

All right, that's enough about the attacker. Let's take five minutes and talk about how we make this better because as I said I stood on this stage two years ago and I gave some advice about how I think this could be better, and in the past two years, we have seen an incredible global response. Those of you who work in CTI, I hopefully am going to change the way you think about collaboration afterwards because it matters. This is the meme, not really meme, the picture. The picture I gave in the last presentation. Since then we've seen multiple takedowns of these particular campaigns. Operation WireWire back in June brought down over close to 80 people in, as you can see, six different countries around the globe that were perpetrating these particular attacks. We now have an international open Slack focused on targeting and bringing down BEC. Yes, there's a couple names in there, but I've gone ahead and redacted what it is they said. Anyone here can join. I would like to see a 12-and-a-half billion dollar threat actor with an open, world-joined Slack to bring them down. And I hope to god they're in the channels. I really do. Because the faster I see you run, the faster I start catching up and then eventually I get ahead of you. That's where we're gonna end up. How many arrests do you want to see? You want to continue walking through history? I can just pick numbers, I can pick jail sentences and I can line these guys up one by one by one. It works, it happens.

Last but not least. I gave a slight webcast talking about O365 investigations back in July, and I released a tool that was very, very loosely maintained. Again, thinking back to code commenting and that kind of stuff. Microsoft has done us a very, very, very wonderful service of changing the way these log formats are stored every, I don't know, six minutes it feels like. That being said, I've gone ahead and updated this framework. OLAF, or the O365 Log Analysis Framework as I call it. Now, well I should say when I go and press commit after this talk, or push, sorry Scott, push after this talk. When that commit takes place, you're gonna see updated dashboards for new Exchange and user operations. In February, Microsoft is gonna start recording mail read operations. There are gonna be dashboards and tools built out for that as well. There is also additional parsing support of user and Active Directory logs. I have also built and I will be releasing an anonymized IP address database that you can download and update at will and use for API calls to see when someone is leaving out of a VPN mode that you weren't aware of before. And I also had the wonderful pleasure of writing last night a free geodistance calculator. So, what I encourage you all to do is if you find yourself having to investigate these particular scenarios, here's a tool that's literally a couple of buttons, couple lines of script, run it, find evil. It used to be really simple. In July you'd wait for the Nigeria dashboard to populate, then you'd be done. But they started using exit VPNs and so forth.

My last and final comment for everyone in the room. Work together. Work together to help solve these particular problems. We're all in this room so we already have some sort of semblance of working together, but I want to share a little story really quick. And this will be my last thing and I'll be done. I worked a BEC case back in May last year where the company had lost somewhere in the neighborhood of two-and-a-half million dollars in a 72-hour period. Phish one was 800 thousand dollars. Phish two was 1.7 million. Phish one was again on a Monday. Phish two was on a Wednesday. I got a call on Thursday, and as you can imagine that company was in dire straits. This attack that they had suffered brought down 30% of their workforce. 30% of the people they had employed had to be let go as a result of this attack. I'm not gonna get into a further discussion on this, but this company had already reduced 40% of their workforce due to ongoing tariffs. 70% of their workforce, almost half of it directly attributable to Nigerian scams. Luckily, this is not a horn-toot moment. This is a reflection. Luckily, we got involved, we got in touch with law enforcement quick enough, we got in touch with the banks quick enough. We got in touch with whoever we needed to quick enough and we got about 70% of the money back. That 30% reduction of workforce didn't have to be reduced anymore. They luckily were able to keep their jobs.

So, I'm gonna end with this. The work that we do, we keep people employed. We keep kids in college. We keep generations going on. I'm not trying to give you all any value of what you do. You hopefully already have that. But if at any point in time, the work that you're doing, the analysis that you're performing, the things that you're uncovering, you come across it at some point and you say what value is someone getting out of this? A whole family of people working at a company together were still able to make money to send their kids to college, were still able to do what they wanted to do. This is not a dream moment. The work that we do here, whether you see it or not, keeps dreams alive. So, continue fighting the good fight, work together, share indicators, share techniques, do what we can to make this work. Thanks everyone. Appreciate it.

(clapping) (dramatic music)
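Added example on the RFC 2047 point the speaker raises (encoded subject lines that filters miss but mail clients render); it is not code from the talk, from OLAF or from any vendor. The money-flow term list is the one the speaker says attackers search for, and the sample subject lines are constructed for the demo.

```python
"""Decode RFC 2047 encoded-words in mail headers before keyword filtering.

Added example; not code from the talk, from OLAF or from any vendor.
The money-flow term list echoes the keywords the talk says attackers search
for, and the sample subjects below are constructed for the demo.
"""
import re
from email.header import decode_header

# Terms the talk says attackers search for to map the flow of money.
MONEY_FLOW_TERMS = ("wire", "payment", "invoice", "remittance", "ach")

# One RFC 2047 encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?[^?]*\?=")


def decode_rfc2047(value: str) -> str:
    """Return the text a mail client renders for a raw header value."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            # Unencoded runs come back as bytes with charset None.
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)  # header contained no encoded-words at all
    return "".join(parts)


def needlessly_encoded(value: str) -> bool:
    """Heuristic (assumption): an encoded-word whose payload is plain
    printable ASCII had no reason to be encoded, which is the trick the
    talk describes for slipping text past a filter that never decodes."""
    for word in ENCODED_WORD.findall(value):
        text = decode_rfc2047(word)
        if text.isascii() and text.isprintable():
            return True
    return False


def find_terms(text: str) -> list:
    """Money-flow terms present in text as whole words, case-insensitive."""
    lowered = text.lower()
    return [t for t in MONEY_FLOW_TERMS if re.search(rf"\b{t}\b", lowered)]


def scan_subject(raw_subject: str) -> dict:
    """Compare a naive filter on the raw header with one on the decoded text."""
    decoded = decode_rfc2047(raw_subject)
    decoded_hits = find_terms(decoded)
    raw_hits = find_terms(raw_subject)
    return {
        "decoded": decoded,
        "money_terms": decoded_hits,
        # Terms a filter that never decodes the header would have missed.
        "missed_by_raw_filter": [t for t in decoded_hits if t not in raw_hits],
        "needless_encoding": needlessly_encoded(raw_subject),
    }


# Constructed samples: a Base64 encoded-word wrapping plain ASCII, a
# Q-encoded one that leads with an emoji (U+1F4B0) before the real text,
# and an ordinary subject for contrast.
SAMPLE_SUBJECTS = [
    "=?utf-8?b?QWNjb3VudCBpbnZvaWNlIG51bWJlciAxOTA0Mw==?=",
    "=?utf-8?q?=F0=9F=92=B0_Wire_instructions?=",
    "Re: lunch on Friday",
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(scan_subject(subject))
```

The same decode step belongs in front of any subject or header keyword rule, whether it runs in a mail gateway or over exported message traces.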
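Added example covering two of the post-compromise behaviours the speaker describes (inbox rules or SMTP forwarding to an outside address, and a login from somewhere the account's previous login could not have reached, the geodistance idea behind the tool release); it is not OLAF or Microsoft code. The audit records are constructed, with field names simplified from the Office 365 Unified Audit Log, and the GEO table is a made-up stand-in for an IP geolocation database.

```python
"""Flag external mail forwarding and impossible travel in O365 audit records.

Added example; not OLAF, not Microsoft code. Records below are constructed,
with field names simplified from the Unified Audit Log, and the GEO table is
a made-up stand-in for an IP geolocation database.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

OUR_DOMAIN = "example.com"  # assumption: the organisation being defended

# Exchange cmdlets and parameters that push mail somewhere else.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed audit records: one compromised account sets up a keyword
# rule and mailbox-level SMTP forwarding, then "travels" across the world.
RECORDS = [
    {"CreationTime": "2018-11-05T02:14:00", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2018-11-05T02:31:00", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;ACH"},
                    {"Name": "ForwardTo", "Value": "acct.backup@mail-drop.example.net"}]},
    {"CreationTime": "2018-11-05T02:45:00", "Operation": "Set-Mailbox",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:acct.backup@mail-drop.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2018-11-05T09:02:00", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2018-11-05T09:30:00", "Operation": "New-InboxRule",
     "UserId": "ap@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Vendors"},
                    {"Name": "MoveToFolder", "Value": "Vendors"}]},
]

# Constructed IP -> (lat, lon); in practice this comes from a GeoIP lookup.
GEO = {"203.0.113.10": (6.45, 3.39),      # roughly Lagos
       "198.51.100.7": (37.77, -122.42)}  # roughly San Francisco


def external_forwarding(records, our_domain=OUR_DOMAIN):
    """Rule or mailbox changes that send mail to an address outside our domain."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param["Name"] not in FORWARDING_PARAMS:
                continue
            target = param["Value"].lower()
            if target.startswith("smtp:"):
                target = target[5:]
            if not target.endswith("@" + our_domain):
                hits.append((rec["UserId"], rec["Operation"], target))
    return hits


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(records, geo=GEO, max_kmh=1000.0):
    """Consecutive logins per user whose implied speed exceeds max_kmh.

    Returns (user, previous_ip, new_ip, km, km_per_hour) tuples."""
    last = {}
    alerts = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        if rec.get("Operation") != "UserLoggedIn" or rec["ClientIP"] not in geo:
            continue
        when = datetime.fromisoformat(rec["CreationTime"])
        here = geo[rec["ClientIP"]]
        prev = last.get(rec["UserId"])
        if prev is not None:
            prev_when, prev_here, prev_ip = prev
            hours = max((when - prev_when).total_seconds() / 3600.0, 1e-6)
            km = haversine_km(prev_here, here)
            if km / hours > max_kmh:
                alerts.append((rec["UserId"], prev_ip, rec["ClientIP"],
                               round(km), round(km / hours)))
        last[rec["UserId"]] = (when, here, rec["ClientIP"])
    return alerts


if __name__ == "__main__":
    for hit in external_forwarding(RECORDS):
        print("external forwarding:", hit)
    for alert in impossible_travel(RECORDS):
        print("impossible travel:", alert)
```

VPN exit nodes will trip the travel check on their own, which is why the speaker pairs it with a list of known VPN addresses; feed that list in by skipping or tagging those IPs before the speed comparison.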