Everybody’s Phishing - An Interview with Joe Gray of Advanced Persistent Security
Interview with Joe Gray of Advanced Persistent Security
Cyber Security Dispatch: Season 2, Episode 06
Today on the show we welcome Joe Gray. Joe joined the U.S. Navy directly out of high school and served for seven years as a Submarine Navigation Electronics Technician. Today, Joe is a Senior Security Architect and lead blogger and podcaster at Advanced Persistent Security. He is also the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading, among others. In this episode, we learn all about phishing for awareness. Joe shares how you can mitigate the damage that can be caused by phishing and how white box pen testing relates to phishing overall. We also discuss the current cyber security landscape from a national and international perspective and the importance of companies setting up phishing engagements against their employees. Joe also shares some useful tips on how to limit the damage from weak security in IOT devices, as well as how to use disinformation to protect your personal accounts. In an industry that focuses a lot on protecting business, Joe believes that we need to take a step back and look at how we protect people. By the end of this episode, you’ll have a more human perspective on phishing and cyber security and want to share this mindset with your colleagues, family and friends.
Key Points From This Episode:
- Learn more about phishing for awareness and what this entails.
- How Joe helps companies set up phishing engagements against their employees.
- Incident response and why phishing attempts are never going to be 100% effective.
- Assuring those who have been phished that their credentials aren’t necessarily useable.
- The difference between pen testing and red teaming in light of Haroon Meer’s work.
- Why less black box pen testing and more white box red teaming could be the way.
- How organizations measure both their potential vulnerabilities and the risks they are taking.
- Compliance versus privacy versus security: Why GDPR is winter and winter is coming.
- Learn more about national and international regulations for cyber security response.
- Find out more about the threats out there today (like IOT) that are terrifying Joe.
- Seriously, why would you need a Bluetooth controlled water heater in your home?
- Hear more about the $29 Amazon home router that Joe easily attacked.
- Why we need to go back to protecting people before protecting business.
- Joe gives a few simple steps toward better cyber security in the home.
- Learn more about using deceptive technologies and disinformation to secure yourself.
- Disinformation, trolls and bots and their influence on the US election.
- A current update on various state approaches to cyber security laws and bills.
- The positive movements that Joe is seeing in the field of cyber security today.
- And much more!
Links Mentioned in Today’s Episode:
Joe Gray – https://advancedpersistentsecurity.net/about-us/joe/
Joe Gray LinkedIn – https://www.linkedin.com/in/joegrayinfosec/
Advanced Persistent Security – https://advancedpersistentsecurity.net/
HackNYC – https://q22018.hacknyc.com/en/
Key Findings From ISTR Security Report 2017 – https://www.websecurity.symantec.com/security-topics/istr-2017-infographic
DMARC – https://dmarc.org/
Mimecast – https://www.mimecast.com/
Adrian Sanabria’s “Killing The Pen Test” – https://www.infosecurity-magazine.com/news/rsac-time-to-kill-pen-test/
Haroon Meer - https://www.biznews.com/global-citizen/2017/09/13/haroon-meer-buzz-global-tech/
Have I Been Pwned – https://haveibeenpwned.com/
DerbyCon Capture the Flag – https://www.social-engineer.org/wp-content/uploads/2017/11/SECTF-2017.pdf
Decepticon by Joe Gray – https://www.youtube.com/watch?v=ZFvKmJbL924
Georgia’s 2018 Threat to Cyber Security Bill – https://www.the-parallax.com/2018/02/08/georgia-315-cybersecurity-rights/
Welcome to another edition of Cyber Security Dispatch, this is your host Andy Anderson and in this episode, Everybody’s Phishing, we talk with Joe Gray, blogger and podcaster with Advanced Persistent Security. In this episode, Joe shares how you can mitigate the damage that can be caused by phishing and how white box pen testing relates to phishing overall.
Lastly, we hit upon how to limit the damage from weak security in IOT devices. It was a great chat, I think you’ll enjoy it.
[0:00:36.3] Andy Anderson: Welcome, thanks for coming on. Just introduce yourself, your name, your company.
[0:00:39.7] Joe Gray: I am Joe Gray, I’m the principal blogger and podcaster with Advanced Persistent Security. I’m here at HackNYC and I’m going to be talking about phishing for awareness today.
[0:00:50.1] AA: Okay, walk us through kind of what phishing for awareness might mean for people who aren’t familiar with the topic.
[0:00:55.3] JG: If you have an email account, you’ve likely seen a phishing email, it’s something that’s trying to get a piece of data out of you or get you to do something like open the file, click the link, give your credit card data, something to that effect. What I’m talking about today is, I’m advocating for companies to run those types of engagements against their employees in a controlled manner to condition the employees to be cognizant of what they’re opening.
And build the relationships so that employees could report things that they see that may be a little bit abnormal and ultimately, bring the awareness of “This is a big problem, this is what we need to do about it. Is this a legitimate email?” to the forefront.
[0:01:36.4] AA: Yeah, I’ve heard some really creative ways that people are thinking about running phishing campaigns. I mean, certainly the campaign itself is interesting like how you come up with cool emails but literally making it sort of like an inter-office, inter-department sort of competition where people are like looking to perform really well against those metrics and as fun as March Madness is, right?
[0:01:59.0] JG: No one wants to be the manager whose entire team fell for the phish.
[0:02:02.5] AA: Yeah.
[0:02:02.6] JG: But at the same time, if you have a manager who, no one on their team fell for the phish, there may be something wrong as well because globally, Symantec, through their ISTR, the security report they put out every year, the 2017 ISTR speculates that 13% of all phishing emails are successful.
As with anything, we’re not going to reach an absolute – we’re not going to be 100% effective with training, phishing attempts are not going to be 100% effective, you’re not going to get phishing attempts to be 0% effective, it’s just not feasible. So you’re just trying to get it at such a level to where it’s mitigated and people can report it to the incident response team or the security team as appropriate based on what your organization wants, so that you can trigger incident response when necessary.
[0:02:46.7] AA: Yeah, we all sort of hear about phishing sort of in general, “Okay, they ask for my credentials whatever I gave it to them.” Sort of the strategies, understanding that obviously, we want to drop down the number of people who respond to that but also, multi-factor is one sort of strategy.
What else is out there in terms of like assuring that even those individuals who do get phished, those credentials aren’t necessarily useable?
[0:03:09.9] JG: There are technical solutions out there but having been a social engineering pen tester in a past life, I found ways to get around a lot of those just based on where I get my email provider. For example, if I pay for a cloud email service – I’ll stay vendor neutral there, I don’t want to give too much secret sauce – that may be trusted by any technical controls like Proofpoint, or something called SPF – Sender Policy Framework, or DKIM – DomainKeys Identified Mail, or DMARC – Domain Message Authentication and Response Compliance, you can get past all of that so – that’s the big point I’m making, even with a tool like Mimecast, you can get past these things if you're a persistent phisherman that takes the time to understand the organization that you’re attacking.
That’s why I heavily advocate awareness. I accept the fact that someone’s going to click it. It’s just as security professionals, we have to say: “We have these things in place to protect you. You need to do your part and report it to us so that we can take the actions.” Because I don’t want to punish a user that comes to me and says, “I’m sorry, I clicked an email, something executed on my screen and it did something funny.” They’re telling me that so that I have context to go and perform incident response as opposed to waiting until everything gets ransomed and I have to pay four or five Bitcoin to be able to get access to my systems again.
[0:04:30.6] AA: Yeah, I mean, I think you know, those of us who sort of like watch ads and Joe Q. Public, it’s like suddenly, the hacker, you know, once you click that email within – you know, sometimes within milliseconds stuff starts to kick off but sometimes it takes a lot longer for them, you know, they gain access and then they wait and see what happened and there’s a bell curve in terms of performance in that sense as well.
[0:04:50.8] JG: Absolutely. A good friend of mine from the Knoxville area, Adrian Sanabria, at RSA, he provided a talk called “Killing The Pen Test.” He’s advocating for less black box pen testing and more white box red teaming. At initial thought, you know, everybody’s like “No, this is a terrible idea…” But when you break it down and we talk about dwell time which I’m not one to really spout buzz words - but dwell time is a real thing and when an attacker is able to get in via phishing or whatever.
A lot of times they sit and wait three, six, nine, 12 months before anything bad happens. During that time they’re collecting information, they’re understanding what is considered normal for this target which effectively makes a white box test.
Then to look at pen testing versus red teaming. Basically, the difference between the two is pen testing, you’re coming in and – Haroon Meer, and this is coming secondhand from Adrian, Haroon Meer said that pen testers have stopped emulating attackers. They just emulate other pen testers now.
Red teamers on the other hand, you have a specific objective, you want to be detected, you want to accomplish this, you want to test this specific control of this. With that, that’s a little bit more focused because you know, for some attacks, the attacker’s not trying to get domain admin.
Sometimes they’re just trying to get the keys to the kingdom and sneak right back out the door without having that kind of thing. Most pen tests are trying to get domain admin. I’ve been part of a pen test where the objective was to get domain admin and the test stopped once we had it. We didn’t have to do a port scan because we did a clever phishing scheme against a C level of the organization and we were able to get it that way.
[0:06:31.7] AA: Right, we just won, right? We don’t have to do much more.
[0:06:35.0] JG: Instead of you know, spending 24 hours on this contract, we spent two and like another half hour for reporting.
[0:06:40.9] AA: I’m curious sort of like, what are the sort of like, what are the sort of metrics that you think are kind of interesting when you see organizations that are doing their kind of protection as well as their sort of analysis well – how are they sort of measuring both the potential vulnerabilities or sort of risk that they’re undertaking as well as like the mitigation kind of elements?
[0:07:04.3] JG: It kind of varies because you could have an organization that’s very heavy into monitoring, they have a load of protective measures in place, but they may be missing one specific thing. They may be investing very heavily in vulnerability management, they may be investing in firewalls but their application security is garbage and they put some web application up that allows someone to walk right in the door.
It could vary, I would say that organizations that do security well are doing exceptionally well. Those who are not doing at all are doing it exceptionally poorly and then everybody else is pretty much a hodgepodge in between on varying levels of success.
[0:07:39.2] AA: When you see those folks that are doing it well, are they sort of measuring themselves against like one of the frameworks or the standards? I mean, certainly, a lot of those standards kind of get sort of bandied about as like, you know, checklist compliance but at least – anything can be, right? You could go through the motions but –
[0:07:59.5] JG: Those companies, they acknowledge that compliance and security have their individual places. It comes down to the argument of compliance versus privacy versus security. A good organization understands compliance has its place; that’s for influencing the boardroom really, because that’s the language they speak. Then they also have a direct line of communication with the boardroom to understand that that’s just the beginning, that the word negligent can be tied to the company if they don’t do the other following things.
That’s where everything else comes into play. They’ll have very verbose programs though, they’ll use documented standards like COBIT (Control Objectives for Information and related Technology), NIST, some will even use FISMA (Federal Information Security Management Act), of course we’ve got PCI (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), FFIEC (Federal Financial Institutions Examination Council), GDPR (General Data Protection Regulation) is coming. I just jokingly say that GDPR is winter and “Winter is coming” to get the Game of Thrones nerd reference out there. But I’m interested honestly to see what GDPR is going to do to security as a whole worldwide because the way the regulation is written is, it has global authority to penalize a company up to 4% of their global annual revenue per occurrence. For large Fortune 10 companies, they’re scrambling, they’re terrified, they’re shaking in their boots because it’s not just them, it’s their vendors, it’s their customers, it’s their partners, it’s everybody that they have any controlling relationship with.
[0:09:22.0] AA: Yeah, I mean, I think there’s good and there’s bad, right? I think certainly, the European authority could just simply use it as a weapon, as like, as a great kind of traffic cop to just start writing tickets and run up a lot of revenue.
My hope is that that’s not their – that’s not the goal of why they put that regulation in, is that a lot of organizations really weren’t taking privacy seriously – they weren’t taking security seriously and so they said, you know, “Get religion on this or” – and put up that very large potential fine. We’ve all sat in sort of rooms where, I don’t really know what the risk would be, I don’t know what the potential loss will be.
We can sort of kind of pass the buck along in terms of –
[0:10:07.2] JG: Absolutely.
[0:10:08.2] AA: - not doing things.
[0:10:10.7] JG: With that, I would like to believe that this is a Draconian measure that will be further refined as time goes on. My hope is that it’s going to get enough of the attention and then subsequent revisions will come out to, not necessarily make it any simpler or lessen the impact but put a little bit more logic in it because honestly, this has been a long time coming.
A lot of people in the US say that we need something like that here. There’s another directive from the EU. Understand, it’s a directive – not a law, as in a regulation – that directs that all member states come up with their own regulation, dealing with mandatory data breach notification and participation in the European Union incident response efforts, the CSIRT. That’s another one that’s on the horizon as well and if GDPR weren’t the monster it is in play like it is right now, we would be hearing a lot about the other directive.
[0:11:03.2] AA: Yeah, that’s sort of like, we’re going to get through this tidal wave and then we’ll see the other one on the horizon. What about - just to sort of switch gears a little bit - what are sort of the kind of threats that you are most concerned about, whether that’s individual threats or areas where you're sort of worried about on the horizon or hitting now?
[0:11:23.2] JG: There’s a lot of stuff out there. IOT just terrifies me because we all know that the S in IOT stands for Security. The thing is, you have these things, you have Echoes, guts, Alexa, Google Home, all these things at people’s houses that connect them. You have smart ovens, smart refrigerators, blenders, water heaters. I saw a Bluetooth controlled water heater, I was like, “Why? Why?” I could understand like a barbecue or a smoker being Bluetooth enabled or WiFi enabled – because I mean, it’s the fall, it’s Saturday, if you’re in the south, you know, college football or if you're anywhere else, it’s Sunday. You’ve got your brisket, your ribs, your whatever on – you’re consuming some adult beverages, you don’t feel like getting off the couch until it’s time to eat. Okay, well you can control it via your phone, that’s cool.
But what happens when someone’s walking by with a device that could be as small as a deck of cards in their pocket and they take over your entire home network and it just so happens that your wife’s in the home office working on some accounting stuff for you and just happens to be logged in to your bank’s website? What happens then? I think a lot of companies aren’t looking at that.
Recently, I just got my first CVE, Common Vulnerability Exposure, on a home wireless router and the security on it was just so weak. For example, it had no HTTPS support, it truncated all passwords to 15 characters – I verified that I can log in with the 17-character password I entered and the 15-character password it truncated it to. You don’t have to know the password to change the password. Then when you change the password, it passes it to the application on the back end in clear text. When you log in, it does it via Base64 encoding which is not much better, in fact, I wouldn’t say it’s any better, but it might stop someone that’s really not that persistent. But while we’re still making mistakes like that, it’s hard to even fathom what nation states or advanced malware, or advanced actors could even do. I think we need to go back to the basics really. It’s almost to the point to where I would say, let’s just take a dry erase board and wipe it all off and say, “We’ve got a clean slate, let’s do a do over.”
[0:13:29.7] AA: Yeah, I mean, although, people are lining up at Best Buy or ordering off Amazon and whatever sort of the cheapest, easiest thing that they can buy.
[0:13:38.9] JG: Absolutely, the router that I attacked was $29 on Amazon. The whole reason I got it was because I’m thinking about doing the Offensive Security Wireless Professional, it’s a wireless pen tester and it’s the one that they recommended that you get.
They didn’t recommend it because of the application, they recommended it because of its implementation of wireless, it’s easy to penetrate. The irony there is just amazing. As an industry we focus a lot on the business. We focus on how to protect business. We need to take a step back and look at how we protect people. To tie this back into my presentation today; I am an advocate for protecting people because if you teach people how to protect themselves and their families, they are going to take that home, they are going to apply it, they are going to think about it, and they are going to bring it back to work and do it better at work.
[0:14:22.5] AA: Okay so you’ve got the audience, what would be the kind of what would be the top three or five things that they should think about? Let’s say they are, I mean is it just really avoid making their – we’ll start with the house, is it avoid just buying IOT devices or how do you know what’s good and what’s not?
[0:14:38.5] JG: Segment your IOT devices. So for example you set up a second wireless network, put all of them on the same wireless network, put a few networking rules in place to where it can’t communicate with other things. It is just like in a business environment, we segregate the cardholder data environment from everything else in a PCI environment, so why don’t I do something similar at home?
[0:14:56.8] AA: So like in my router, I have the router from a large cable – or I won’t say which one.
[0:15:03.4] JG: I already know.
[0:15:04.3] AA: You know they provide like the 5G and the normal wireless network, you would just throw one on one and the others in the other?
[0:15:10.1] JG: I would put the router downstream of it. So have all of your regular stuff on one network. I would say on the main one, the one going to ISP and then have another router connected to that, put it in a different channel, it would still be the same frequency. Put it on a different channel so that they don’t try to interfere too much and put all your IOT stuff on that one and then you can set up a routing rule saying that you can only access this network from this system, just like using a jump box. Something to that effect and then don’t allow them to communicate back to the other things.
[0:15:43.4] AA: Okay so literally just slice and dice.
[0:15:46.5] JG: Yeah, the other things I would recommend: use a password manager. Don’t reuse passwords, subscribe to Have I Been Pwned so you know when your passwords are null and void. When you don’t use the same password on every website you only have to change it for one site when it gets breached, not every site. Take your email seriously. If Google is telling you this may be a scheme or a scam or a phish, they’ve got a lot of intelligence to prove it because look at how many Gmail users we have. So I mean just be cautious about what you are doing. I really hate to sound cliché but stop, think and do it. You know, be secure.
[0:16:19.3] AA: Yeah, I am curious – as I look forward, right? I mean part of the issue for individuals is that some of the data that businesses use is relatively available, right?
[0:16:33.1] JG: Oh easily.
[0:16:35.4] AA: Social Security numbers, address, like all of those sorts of things – I am wondering if we are quickly moving to a place where the banks are not going to take those basic data points.
[0:16:47.6] JG: Well I mean for me as a social engineer, for context, I won the DerbyCon Social Engineering Capture The Flag this last year. So I’ve got a little experience with this, all that is considered open source intelligence when you are going out and finding out what your mother’s maiden name was, it’s open source intelligence. I can find that out via your Facebook or genealogy websites. I can find out where you went to school via LinkedIn or other things.
It’s all out there and I think financial institutions and other sensitive entities to put it that way, they should be looking at other questions. Honestly, all my password reset questions, they all come – they are just randomly generated strings out of my password manager. So my mother, she has a maiden name but I don’t use it.
[0:17:33.0] AA: That isn’t what you put in.
[0:17:34.1] JG: No, her maiden name is like a 16-character randomly generated string. I mean she’s even got an ampersand in her maiden name. How many people could say that about their mother?
[0:17:45.6] AA: Yeah, I mean you can just sort of start to be creative in terms of your own responses to that.
[0:17:50.6] JG: Oh absolutely and then you could minimize what you put out there as well. You could put deceptive technologies out there. You could do disinformation, those are all great ideas. I have another talk I’m giving I believe Thursday at Source Boston on the topic. It is called Decepticon. It’s already been given a couple of times. It is out there on YouTube and Irongeek’s website if anyone wants to take a look at it, but it is about using deceptive technologies and disinformation to secure yourself.
[0:18:15.9] AA: Yeah, what are sort of the highlights from that?
[0:18:18.1] JG: Be very cautious about what you post on social media. Don’t altogether avoid social media, control what’s there and make sure that you are routinely checking to see what’s out there about you. If you feel so inclined, opt out of all the things you can opt out of. If you really want to be secure, create a few bogus accounts in your name with pictures that aren’t you.
[0:18:39.6] AA: Yeah, I think those are great ideas and we’ll definitely link to that presentation in the notes for this. You know I think one of the areas this year that has kind of gotten sort of cyber-attacks and sort of some of the issues about privacy kind of to another level have been some of the things that happened around the election, right? I know that’s an area that you have been involved with as well and are interested in, and so walk us through what you are seeing on that side?
[0:19:06.5] JG: So, I have not personally touched any specific evidence to state in one way or another whether there was any collusion, or anything involved with the election. Based on what I’ve read, I think a reasonable person could presume that there was some level of disinformation from trolls and bots to lean in that direction, but I am not sure how much influence that truly had on the American populace. Because for us to say that one party won or lost the election through the use of disinformation and trolls, that’s really devaluing the level of knowledge and common sense of the American people.
So I mean is it possible? Yes. Could other countries have tampered with our election? Yes. I watched a lot of the Voting Machine Village unfold at HackWest back in March and they were able to access things but to my knowledge they weren’t able to change any votes. So, if anything it is voter databases which again makes for some interesting targeting but maybe not necessarily to sway how you vote, but more like sway how your credit score is.
[0:20:08.3] AA: Yeah, although I think you’ll miss my talk today, but we touched upon a little bit kind of the problems if you do start messing with the registration system.
[0:20:17.6] JG: Of course, absolutely because ultimately what – so even if they tampered with things, the biggest thing it is going to do is create doubt and that right there is the most – for the people of the country to doubt their government is the biggest weapon another adversary could use against them.
[0:20:33.8] AA: Yeah sort of create, sort of lack of cohesion.
[0:20:37.6] JG: When people start using terms like double speak, think speak, and comrade as a byproduct that’s when we have to get a little bit concerned on.
[0:20:46.5] AA: How about some of the unique things that are happening in different states? I know different states are approaching some of these issues and perhaps troubling with?
[0:20:55.8] JG: Some states are doing it very well, some other states – some Peach States in the south aren’t doing so peachy. They’ve got some legislation currently sitting on the governor’s desk in the form of Senate Bill 315, that effectively makes security research illegal and it came across because someone was able to find the Georgia election database on the internet publicly and when they disclosed it, then he was seen as a criminal.
It’s like, “I disclosed it. I am not misusing this. I am not the person who found it but I know of the person” and then ultimately, other things aside that I’ll just leave as is, they of course, in a way that is consistent with government, have to have a knee-jerk over-compensating reaction and this bill is that. I know a lot of people in the metro area, guys like Xavier Ashe, Frank Rietta, Scott Jones, Kate Bennett have all done amazing things with trying to talk to the people and the legislators. They’ve had some time with the governor’s office to help with this but the problem is whether the governor signs it or doesn’t, if he doesn’t explicitly veto it, it goes into effect. And I think today is the do or die day.
[0:22:06.1] AA: Wow so we’ll be watching the news. I mean, you’d think that we would understand that sort of like keeping things behind closed doors and trying to lock up our secrets, systems, whatever they are – would be understood to be not exactly the best way to secure it, right?
[0:22:25.0] JG: We are in the social media generation, nothing can be hidden. Even if you could put it behind top-flight encryption, all it takes is someone to come in, take a selfie with it and it’s on the internet forever.
It's definitely an interesting time that we live in, sometimes I fear that we’re in the 11th month of 1983. Sometimes I fear that the temperature is approximately 449 degrees Fahrenheit, sometimes the world is a little bit brave and new but all dystopia aside, we’ve also got to look at the positives as well. Because positives exist, it’s just unfortunately positive media stories just don’t typically make the news because people don’t watch things to feel good. That’s what sitcoms are for.
[0:23:08.1] AA: Yeah, I mean, I think the part of the reason we launched this podcast was to kind of at least try and go a couple of levels deep enough that we could really talk about issues with the sort of full perspective that they deserve.
What do you see sort of on the positive side of the scale? What are you seeing that you’re sort of encouraged by, or think is really potentially moving the needle from a security or a privacy perspective?
[0:23:32.8] JG: Password managers are becoming more of the norm. We have bug bounty programs, I can go have a conversation with non-security people and they understand what I’m talking about because it came so far to the mainstream. People are more apt to ask questions now, we’re not seen quite as the smelly nerds that we used to be. The whole perspective is changing and in many ways, for the better.
[0:23:53.3] AA: Yeah, I think that cultural shift is you know, it’s touchy, it’s feely, it’s not, perhaps, what a lot of engineers are most comfortable talking about – we always want to sort of seek a technical solution – “How do we fix this with code or with hardware” or whatever, but if you can change the perspective, change the sort of perception of things, that is incredibly effective.
[0:24:14.6] JG: Absolutely.
[0:24:16.3] AA: Joe, thanks so much, really appreciate it, this is great.
[0:24:19.6] JG: Thanks for having me.