The Audit - Presented by IT Audit Labs
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics.
IT Audit Labs provides your organization with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of your organization.
The Audit - Presented by IT Audit Labs
Phishing: The Number 1 Social Engineering Tactic with James Arndt
In this episode of The Audit, we dive into the world of phishing to uncover the sophisticated tactics that make these scams the leading threat in cybersecurity. Join us as Jamie Arndt, a cybersecurity expert with extensive experience in reverse engineering and analyzing malicious emails, shares his insights and stories from the front lines.
We’ll cover:
• The rise of generative AI in crafting phishing emails that bypass traditional detection methods.
• Real-world stories of phishing attacks, from impersonating school communications to exploiting professional relationships.
• The psychological tactics used by attackers to exploit human nature and gain access to sensitive information.
• Innovative defense strategies and tools that organizations can employ to protect themselves against phishing attempts.
• Practical advice for individuals on recognizing phishing attempts and safeguarding personal information.
This episode arms you with the knowledge of what to look for in phishing emails, emphasizing the importance of vigilance and education in the digital age.
Sure, I got it. Yeah, let me introduce them. Yeah, ready, here we go. Hey, jamie, awesome to have you on today. Have really been looking forward to talking with you. And, for those of you who might not know, jamie, jamie is the guy that can pick apart malicious emails and determine what the payload is in them, where it goes. Is it malicious, is it a phishing email? Is it a phishing email? He'll be able to sort through. He's got an environment that he can run these emails in and see exactly what that malicious actor is doing. So, essentially, jamie, you are a reverse engineer. You've worked for a couple of different companies. You've worked with SANS. You've taught people how to do this. You are a go to guy when it comes to figuring out what's all the bad stuff. That's how to do it. So I'm really excited to talk to you today.
Speaker 2:Thanks, eric, pleasure to be here.
Speaker 1:Nick, did I miss anything on on what Jamie does or what you've seen him do?
Speaker 3:You nailed it. This is very exciting for me because this is one of my favorite areas in the social engineering phishing world, so I haven't had the opportunity to hear all of Jamie's stories, so this is going to be a favor for me.
Speaker 1:Jamie, I'm going to tee it up by saying that over the last. Well, I think we all know that phishing is the number one attack vector and recently it's only gotten worse because of things like generative AI, where malicious actors can craft well sounding emails and no longer have the bad grammar punctuation is the word I was looking for and in really tailor those emails to specific individuals or or really try to make it sound like it's coming from someone in the organization, even taking content and language and patterns of speech that individuals may use, and using generative AI to sound like that individual to get further embedded in that. So really cool stuff from a technology perspective, but really getting hard to block and things like Microsoft's email threat protection just aren't cutting it anymore.
Speaker 2:Yeah, I mean, attackers are always going to do whatever works, so it doesn't necessarily have to be the most complicated thing. You know, it's just oh, this looks like I'm expecting a package from FedEx, here's an email from FedEx or here's a text from FedEx. You know, if they just happened across that, you know what you're expecting versus what they're, versus what they're sending out, that that could get people right there too. However, I am convinced that if a nation state really wants to get into your organization, they will research everything that is needed in order to trick you into thinking that you are dealing with your CEO or somebody else, and you will do what they say.
Speaker 2:Or I remember hearing a story about how I think it was the Chinese wanted to get somebody's access in the Pentagon, and so they researched this guy and everything, everything about him, his wife, his children, where they went to school, and everything. And so they sat and they waited, and then they heard about there was an accident at this guy's school or something. So they quick, created, crafted an email from the school with an attachment with the school's letterhead and everything, saying hey, everything that's going on in the school. Just read this document right here and then you can see it and boom, that's how they got in, you know, I mean, it's so it's. It could be the wide range of complete utter trash, or it can be just we're going to get you, whether you want it or not, it took them almost no time to do that yeah.
Speaker 2:Yeah, yeah, yeah yeah, it's fishing, it's. It's always changing every day to you know, I just read an article today attackers were attacking Pharmacists, trying to get their access, so that they could get access to their applications to make prescriptions for opioids, send them out to themselves and then they would sell them on the street. And I'm thinking that's genius. I mean it's horrible, but it's like okay, I've never worked in the health sector Yet that is a significant threat vector right there that somebody's going to try to get. So I was floored by that. That just, but again, that just like.
Speaker 3:I had heard about that.
Speaker 2:Yeah, yeah, yeah. If they, if, if they want access to your whatever any organization you know. You have to understand what is it that we're trying to protect. What's our crown jewels? If you're a pharmacist, it's being able to. There's certain significant controlled substances that other people want. How are they going to try to get that? You know so.
Speaker 3:I actually that's perfect. Jamie, you kind of led right into one of my first questions and thoughts, the crown jewels, and that's one thing when we're doing assessments for organizations that they don't know if they're trying to protect you. Just, you just touched on that. So, kind of going back to ground level here, before we get too deep, you know what are, what are some you know common indicators of for fishing attacks that you're looking for. What you know, what are you diving into what? What would you tell clients?
Speaker 2:Oh sure, Is it money? Is it access into your company, or is it basically they're just trying to scrape it off? They're just trying to scrape as many usernames and passwords as they can get, you know. So hopefully your company has a security team that recognizes. Oh yes, our crown jewels are, in my instance, the electrical utilities. You know generating electricity, which everybody needs. You know that's what we need to protect. So really, how you're going to go about protecting that, you better have layers to your defenses. You know, much like a castle with the moat and the drawbridge and the portcullis and the boiling oil and all that stuff. But the one thing that people can always get right from the outside directly into your organization is going to be an email, because it's meant to do exactly that. So now, were you asking about what to look for in an email, or just, were you still at the 10,000 foot view?
Speaker 3:What you gave was great. I think we're all we wanted to on that as well. But, yeah, indicators that you might, you know, teach you know somebody within your organization to look for.
Speaker 1:And maybe let me, while we're still at the 10,000 foot view. We've got different attack vectors, like we've got smishing, which is the SMS phishing, so text messages, right, same type of thing where you're getting that access to that individual through SMS. We've got quishing, which is the QR codes, malicious payloads. We've got phishing, which is voice, so a voicemail, potentially with some malicious instructions, and then I'm going to make one up right now, call it dishing, which is, which is the document phishing, so embedded links in documents. Right, jamie, you talked about the, the attack vector where they impersonated the school document, the PDF, and I know you've seen this before where there might be almost invisible images in documents, links out to malicious sites in documents. And I hope we can, we can unpack some of that today, because I know we've used documents in order to simulate some of these things, where there's benevolent software that you can embed a one pixel image and you can trace where that document goes. So I'm hoping you've got some stories around what you've seen in the real world from malicious actors.
Speaker 3:I'm dishing, I'm here.
Speaker 2:No, I refuse to use other ishing words. That's why we can't have nice things. No, you're right, there's plenty of ways to try to get them to do something for you. I mean, really what they want you to do is here's an email, please interact with it somehow. Sometimes it's just a conversation back and forth hey, I just happened to have a bunch of money. I want to send it to you for some strange reason, but first you got to give me a little bit of money first, or you have to give me some data about you, and then we can keep going, and that's just a very common way.
Speaker 2:Or the CEO impersonation I think that's your traditional business email compromise umbrella. You know, like hey, oh, hey, I need, I'm stuck in Europe, I need you to wire me a bunch of money, like okay, whatever, or the worst ones, and you'd hope that a business would only this would only happen to them once when a company that looks like it's from them, and they send some person email saying that, hey, we've got a new payment contact portal. You need to send payments over here now rather than over there. And so then they start wiring money over there. Well, a couple hundred thousand dollars later they realize, oh, those were bad guys. Any business that is wiring money elsewhere ought to have some sort of a well-defined process when, if it's a certain amount or it only comes from certain people, if you're going to change any of these things, you need to have a very, very well-defined process for that.
Speaker 3:James, that's a perfect segue, if I just want to jump in. Years ago I dealt with a scenario just like what you're talking about, without a defined process. The organization called us because they had been fraudulent or they had been sending money to the tune of about $350,000 to a different bank account and the controller, her explanation, was well, the owner the company was sending me emails to send these money because he was making investments overseas investments and she fell for it and sent three different transactions and they totaled up to over 350,000. And I just wanted to bring that up because of what you said Just no defined policy and procedures for the employee.
Speaker 2:Yeah, yeah, and you kind of want to at some times blame that one person for doing that thing, but your hands are tied without the process. Exactly, exactly. I mean it's not necessary. People can get fooled. I'm sorry I stole your under there, but yeah, you're right, people can get fooled. And so do you have getting a little bit ahead of here? Do you have processes in place that can stop that? Do you have other security defenses that can stop the person from when they interact with a bad guy? So yeah, things like that. And even if they almost fell for it or it got caught, I mean that's still good because you're supposed to have those defenses in place. Somebody calls the help desk number. They help desk person says oh yeah, download this thing from the super sketchy website. And the person does, and then they execute it and they do, but that sets off alerts somewhere, like, okay, there was a lot of things that failed to get us to this point, but it was still blocked.
Speaker 1:That's good, we have a little bit of remediation work to do DEF CON with the social engineering contest they it builds up to this event at DEF CON, where you're on stage in a booth, and DEF CON held in the late summer in Nevada. It's kind of the hacker homecoming, if you will. But the culmination of the social engineering event is how can you social engineer your target company and how many flags can you get? So a flag might be what operating system are they using? What help desk software are they using? What are the hours of their support desk? So you have this person in this booth and thousands of people watching them and they're going through this social engineering attack.
Speaker 1:And one of the attacks, jamie, like you said, is to get those people to potentially click on a link where you could establish that malicious or, in the case of the security tester, a benevolent link. That is done to get credentials, to teach an organization what are the bad things that can happen. But impersonating a help desk employee is something that a lot of social engineers will do We'll do during pen test exercises where you call up XYZ company hey, I'm so-and-so from help desk, which. You've got that information from your online research about that company that you're doing as your pretext, and then you're impersonating that engineer and shriking the person into thinking that you are a help desk person and getting information about their environment. So it's one thing leads to another, but it's all around the idea of exploiting the human.
Speaker 2:Right, and people generally want to help others. Oh, you've got a problem, I need to help with this. Oh, okay, yes, I'll be happy to help. That's just a big part of the psychological aspect of it, for sure.
Speaker 1:And you can really sorry, and we've heard and read. You know Chris Hagnetti is a person who's written a couple of social engineering books, but there's lots of tricks that you could do, like if you were going to call Nick and try to social engineer him. You know that he's a cat enthusiast with his cat, mr Miyagi, and you know whatever it is right, so you could be sympathetic. That's not true.
Speaker 3:I've got to go to the vet. You know my cat's sick, or?
Speaker 1:whatever that Nick might be sympathetic to that. Or you have a baby crying in the background, or you're pretending that you're an intern and you just have to get this report done for your boss. But lots of ways to play on that human in order to get what you're trying to get, because we all do want to help each other in general. As you said, the crying baby in the background is critical.
Speaker 3:That is such a good one. There was that video I think it was on YouTube of the woman that was an expert in social engineering. She called the bank and she, you know, played the story. I forgot my account my husband's overseas in the military. I don't know the password to our account. She's got a crying baby in the background and she got in After some persuasion right, it wasn't that quick, but you know she's served up what sounds like this sob story right Again, praying on. We want to help this lady her husband's overseas serving the country. She's at home, got a crying baby right, let's make her whole again and help her out. And you know, now she's got the bank account.
Speaker 2:The most fish that I see are the typical ones where there's a URL in them which more often than not leads you to some sort of credential harvesting website and just your basic Office 365 looking portal. You know like, oh, I need access to this document. Okay, I'll put in my business username and then my business password. Very, very common. And those websites, you know they come up very quickly and then they go down very quickly. I think it's just because, you know, word gets out, they start getting on blacklists and everything like.
Speaker 2:All right, well, that one's burned, let's try another one. You know, most common one that I see by far, by far, and to me the least interesting ones too, you know, is like all right, credential, I must block it, let's move on. Then come the ones with some sort of an attachment. Now the attachment could be like an actual, legitimate, just fine, benign PDF. Only the thing is is that embedded in it is a URL. You know it's trying to look like a some sort of login portal. Well, you click on that, it opens the browser window. You're getting a credential harvester right there.
Speaker 1:So, Jamie, if that comes in the document, then would you say that that's dishing.
Speaker 2:No, I refuse, I refuse. No, you heard it here first.
Speaker 3:Folks on ITM. Yeah. So, Jamie, with all the phishing emails that are coming into every organization, you know, if you could give us an example of some of the key indicators that you're looking for?
Speaker 2:Yeah, sure, biggest thing will be who's the sender. Is this somebody that you recognize or not? You know, maybe it sort of looks like it, but upon inspection some of the letters are kind of mangled or twisted around. You know, maybe it is your CEO's name, but the domain from it isn't internal to your company. It's from some you know strange place, or at Gmail. Or something like why would my CEO be sending me something from Gmail?
Speaker 2:That doesn't make any sense. You know, looking at the body of the email, that's another big aspect of phishing. Anyway, to try to convince you that this is legit, if they want you to interact with it somehow, like there's a URL in it and it could look like maybe some sort of a FedEx or a UPS email, or you need to find an invoice or you need to log into this thing, what you're going to see in the email body looks legit. But if you just hover over it with your mouse and then look down at the bottom of your browser, you'll see where it's actually taking you. If it's trying to be from the post office, and then you hover over it and underneath it it says you know something? Something dot r? U, it's in Russia. Like well, I'm not getting any Russian mail. I don't think you know that's going to be sketchy right there.
Speaker 2:I mean, that's a huge clue that this doesn't make any sense whatsoever. Your bank is sending you something oh, overdrafts, whatever it is, you know, and you hover over that URL. You look underneath that doesn't look like my bank. It has some words from my bank in it, though. What do you do then? Well then you actually go to your bank not through that link open up a new browser. Open up, you know, and go open up a new tab. Go there directly and see what's going on. You know, so a good company will typically never ask you to, you know, for your password or anything like that.
Speaker 3:You see emails now or on apps, like on my USA website or an app, it'll say we'll never send you or ask for a pin or something right, and that's your point there.
Speaker 2:Yep, yep, yep. So if you know, if you just have that doubt in your head, I don't know about this, open up a new tab, go there directly and see what's going on. It's always that option, right there.
Speaker 3:And now, like one of the key indicators that might have been a couple years ago was grammar, and now, with tool chat, gpt.
Speaker 2:You can't necessarily right right right, Although, although one time the head of our HR department reported a phishing email from our CEO and she's like yeah, I knew it wasn't him. Like how did you know? Because he started the email saying hi, he never does that. That was. That was unusual. And what this CEO was asking for was the W2s of every single employee in a PDF document, as if that's not strange. But the key indicator was he started it off differently. You know, so it's. It should just be one of those things where, like this, this something isn't right here. Well then, you send it into your friendly neighborhood IT guy and he'll tell you if it's good or bad.
Speaker 1:Jamie, was it? Was it you who was telling me the story about your organization, where, if the employee clicks on three phishing emails in a year, they're fired? No five, five Okay.
Speaker 3:I've got that as well.
Speaker 2:Yeah, there's consequences to that, you know. I mean, generally you're putting the organization at risk. I mean that's, that's a huge, serious risk right there that that needs to be dealt with too. Then, as the IT security side of things, you're going to get a lot of emails that are reported, yes, you know. So there's a tradeoff to that sort of cost, you know, and every organization needs to figure out what balance is it that you're looking for? You can't be nice because we live in the real world. You know bad guys want your stuff, right, okay, you can't be nice to everybody. So, yeah, you have to figure out what's your risk tolerance level.
Speaker 1:But let's talk about defenses a little bit. So in the in the customers that we interact with, typically they'll have some form of email security. We'll work with them to enhance that, and there are some pretty good ones out there now. Certainly you want to do your phishing testing, jamie, and I think that's what you're alluding to on if you click on five of those simulated fishes. That has some serious employment consequences. But some of the other things that organizations will do is employ software that will sandbox that URL. So when you go to click on that link in the URL, it will sandbox that entire conversation that you're having. So you're going through a portal, so to speak, and a lot of it's invisible to the user. But that's protecting the user and any data that they may enter. It would prevent entering credentials in that sandboxed window. Are you seeing any other unique defenses that companies are employing?
Speaker 2:Yeah, sure, some companies will. Any sort of attachment will be sent off to be checked and then, if you want to get it, they'll replace that. They'll put a link in the email saying hey, this has an attachment, it was scanned, it's fine. If you want to download it, get it here. That's certainly one way to do it. I've seen other secure email gateways. They'll replace every single URL, they'll wrap it around with their own. You'll click on it, it'll go to them, they'll check it out, give it some sort of judgment and send you on to the rest of it too. Plus, there's just these big players Proofpoint, microsoft, mimecast, those guys. They've got big, gigantic feeds coming in every day of known bad things, known bad senders, known bad hashes, all that stuff. They'll keep updating that, sending it out to all of their customers to try to just cut all of these things off right from the get, go from even entering your organization and stuff still gets in. It's inevitable. It's the eternal cat and mouse game with email.
Speaker 1:There's another company called Abnormal and they're doing something a little bit different. Potentially, I think there's a few players in this space but they're actually looking at the content of the email. They use terms like machine learning and AI, whatever, but they're actually looking at the content of the email and determining, even if there's no link to click on, is that content malicious? Is it trying to get the person to do something? It's great to see innovation in the space where they're not just looking at signatures or sandboxing, but actually trying to go further and look at the behavior side of the email.
Speaker 2:There's always the certain keywords that you could try to look for that could either raise your suspicions about an email. I remember I wrote a rule one time that would look for a certain string of just characters in a row, a Bitcoin address or a Bitcoin wallet number, because there was just a big, huge influx of phishing emails coming and saying hey, I've hacked your computer, I know what websites you're looking at, I've even hacked your webcam. I know what you're doing. You need to send me a bunch of money to this Bitcoin wallet. It's like well, okay, Nice, try. Certainly a lot of keyword indicators. Invoice, that's a huge one. Login password.
Speaker 1:I think you mentioned it too new domains these things are pretty ephemeral. They spin them up and then they shut down. Is there any reason why you would be getting business email from a domain that was registered 30 days ago? Probably not.
Speaker 2:Right Now, as a normal user, I wouldn't look into that, but maybe there's some sort of a SOAR platform that you could have that emails that come in and you could go out and check how old is this. If there's a certain threshold where it's older than 30 days, less than 30 days, maybe only seven days, you could automatically categorize those things that way.
Speaker 3:Yeah, James. One thing that we're seeing, too, is just the advancement in AI Right as part of this what you're talking about. Do you have any idea on how that's advancing the industry or attackers ability?
Speaker 2:I do not, I can't answer that one, I don't know. I mean, it seems like it's been a while for me that bad grammar has been one of the key indicators. It's certainly not always the case, although when it is, it really does stick out like a SOAR thumb. I can't think of any good examples of that where I thought, oh, this is AI generated. Or some paragraph there, right, look, if it's going to work, attackers are going to do it, you know. So you've got to be prepared for that.
Speaker 1:What's one of the cooler attacks that you've seen.
Speaker 2:Well, attack or phishing email, because I got a good phishing email that I've never seen.
Speaker 2:Yeah, all right, my absolute favorite one of all time, and I wish I had kept it for proof that I could prove that this happened. Somebody reported if email is phishing. I looked at it and the email said look, I'm a hired assassin and I've been hired to kill you, but I've been following you for the past three weeks and I can tell you're a good person, but I've got bad guys on my tail. So, in order to you know, you need to send me a bunch of money so that I can disappear and everything. I'm like, oh crap, this is amazing. It was a work of art and, yeah, I've never seen anything like that again. That one was above you. No, someone in my company. They got that one. And yeah, although my sister got a text that my lawyer in Africa said that I had died in a car accident, you know, gosh, yeah.
Speaker 2:Yeah.
Speaker 3:So yeah, I mean, we're seeing so much happening with crypto right now, especially with the markets are going a little crazy right now. If anybody takes that, and I don't know if you're familiar with the pig bushing. It's a technique attackers use and what they're doing is they're trying to get you to invest in crypto or something or continue to send money, and you know they'll set up a fake crypto site and you know you keep putting money in because you see it keep going up and down.
Speaker 3:But the phishing email markets start like, hey, you know, getting engaging this person, getting into a relationship or what have you? So really so heavily social engineering. And once you kind of trust this person, you start investing. You see, making money hand over fist. You keep putting money in, not knowing the accounts fake and you know when the account gets big enough they that's why they call it pig butchering they Wow, they take all the money and they're off to the races. And there's a lot of stories about this right Like.
Speaker 3:One that I can key in on is that I recently heard about or read about was a gentleman. He was close to retirement age, I think you know, between 65 and 70. And he hit some part of his portfolio was was for properties, homes that he owned, and his account his fake crypto account was getting was growing. Right, he sees it. He sees it growing so big. He takes out mortgages on all four of the houses again that were paid off, puts that money into the account. Now he's in two I think they said a little bit over $3 million into this big account. They butcher. The big money is gone. Yeah, he's at retirement age and now he's got four new mortgages that are brand new.
Speaker 3:So you know, we see the crypto stuff just just shows how, where you have to be. Yeah, boy, that's one extreme of things, good Lord so extreme there, but I thought the story was interesting that I wanted to key in on it.
Speaker 2:Yeah, and, on that note, thanks for coming to this podcast.
Speaker 1:Yeah, it's to do a little work in the state and local government sector and there was an attack on a local municipality, made the paper and everything about a year and a half ago. What had happened was they were going through a contract negotiation for I believe it was some sort of large sewer project. So, with state and local government, all of the contracts and the project work is public so the public could see who was awarded that contract. The malicious actors spun up a look alike domain very similar to the Organization that was announced to have one, the project, and shortly after I think it was within 30 days or so they issued a Payments. I'm change is is jayme had mentioned earlier where I'm were actually switching banks and you know, whatever, whatever. This is our new a, c, h information.
Speaker 1:So then the, the municipality, ended up sending a significant amount of money, hundreds of thousands, and I think they did this three times, where they sent it to three different Accounts because they the malicious actor and said actually, where we've changed again or whatever they did. But they constructed it so that the entity that was paying the money, what continued to send in these payments and it, the way it got caught, was the, the actual company that won the contract 90 days later says that, hey, we were actually not getting paid. And then they looked into it, discovered that it was. It was all fraudulent, and I think the silver lining is they were able to trace it and get some of the money back. I forget the exact numbers, but over a million in total was lost and they may have recovered several hundreds of thousands.
Speaker 1:But those, those really good actors, are able to stay one step ahead. They're waiting for these contract announcements to come out, and if they do that across 100 municipalities, good chance. They'll get one to bite. And even better, if they can get embedded in the email system, catch those emails that are coming in from the real Company that won the bid and delete them. Were victims of our own processes, right, you know that we have to announce who were doing business with, and it just breeds that malicious actor that is able to take advantage of the information that's already out there.
Speaker 2:That's a good one. Wow, we had my least favorite type of fishing attacker from the third party vendors. You know another business that somebody in your company is doing business with, yes, and the attacker either compromises that other company and then start sending you emails where it looks like it is actually coming from you. Look at the headers of the email and everything like yeah, it came from them. It has this malicious thing and they'll, just, you know, slip right into a conversation that, if you're to scroll down, you would see the exact same conversation that, yes, you had with this person.
Speaker 2:One time we had a guy who received an email like that and downloaded the attachment. It was a malicious document. He opened it up, the macro ran in the background, the power shell executed and everything and it called out it was blocked, but we saw it on the call out, like what in the world happened here? Well, you're rewind back and we found the email and it's like, holy crap, third party compromise and the email was tailored to what this conversation with this guy knew about each other. There's like some duck pictures that he wanted to share here here in this attachment. And the guy in my company is like, how did they know I like ducks, because the bad guy was in there.
Speaker 2:And the cats then yeah, yeah, mr Meowgi so it was yeah, yeah, I hate those ones. Those are the worst because you already have this trusted relationship with the person on the other end. Yeah, how do you?
Speaker 3:fight that game. How do you fight that? You know we're really we're going off onto the worst case scenarios here. Before we get to these points where somebody's extracted 100,000, whatever it is, at what point do you think, like the attack is becoming a problem? Like when do we have a serious issue? Yeah, what point does it be before it gets to the money? Where where's the problem start?
Speaker 2:Yeah, well, this kind of comes back to what are the warning signs about the email that you should look at before you interact with it? Because some people I've heard them say like oh, I never even open those emails was like, well, okay, it's not necessarily the case, it's simply opening it is going to cause some malicious sort of activity on your endpoint. It's really not. It's when you start interacting with it, talking with the person back and forth, clicking on the thing, downloading the thing, when you start doing that, that's when you really start playing with fire. Now I can do that because I'm a professional Right.
Speaker 2:Yeah right and and I understand why people do this because it's fun, right? It's a lot of fun to click on something and not know what's going to happen.
Speaker 3:it's going to be great but again Bon in the wind, james.
Speaker 1:Jamie, talk through. What is that you know? You say you're a professional. What does that mean and what tools do you use to inspect this stuff?
Speaker 2:Yeah, so if I'm going to be interacting with something that is suspect or possibly malicious, very likely malicious always take the email and I'll bring it off onto a separate, off company network, off company device, some sort of virtual machine that set up similar to what a company, a corporate device would be. It's got all the same security software and everything on it that they have on the company and I'll just, you know, start looking at it. If it's the URL, that's pretty no brainer. You just click on it and see where it takes you.
Speaker 2:If it's some sort of file, there's a lot of tools out there that you can use to try to indicate is this Bad, generally bad, but then what's actually going to do? You know what happens when somebody starts to interact with it and you know malware can hide, but it must run and if it's running, that means it's visible and you can hopefully start writing detections and then import those detections into your security software so that you can detect if such things are happening. I like that. Yeah, that line came from a sans instructor. He said malware can hide.
Speaker 3:No, no, no, that's not mine.
Speaker 2:I like that a lot yeah, when I took the reverse engineering malware course which changed my career, by the way, that was one of the things he said, like that's, that's good I didn't realize how profound it was until you know, over a decade later now.
Speaker 3:James, I guess if you could dive into some of your favorite or main tools that you're using on a daily basis to yeah, sure, sure.
Speaker 2:If it's some sort of office document you're typically going to need, you know the microsoft office suite, your typical malicious office document is going to have some sort of macro in the background and within the document itself. You can actually access the macro and see it and start to know, debugging it and going through it line by line to see what it is that it's trying to do. If it's some sort of executable really kind of depends on the type of executable. If you're trying to do static analysis where you think doing the really deep, nerdy things, we're looking at it and assembly and you just completely disassembling the whole thing, it takes a lot of work and you really gotta want to know what's going on.
Speaker 2:I'm not the best at that, I'll tell you right now, but there's plenty of online sandboxes where, if you don't mind the sample being available for the rest of the public, including the bad guys, you know, there's plenty of online sandboxes where, where you can do, where you can do that too, and they do a generally pretty good job of breaking down what this executable is doing what's it calling out to, what's it downloading, what sort of child processes making? Finally, what sort of network traffic is outbound for your command and control. Things like that. There's plenty of online ones that are good for that.
Speaker 1:do you recommend one Like Joe's sandbox?
Speaker 2:no, I haven't used Joe sandbox watch a lot. I like any dot run. That's a favorite one, although, yeah, any dot run, they've got a free thing where you can interact with it. And then a hatching triage by recorded future that's probably my favorite one, that, but I really like. I think they do a really good job. Hash and triage no hatching, hatching, recorded future, hatching triage that one out there, there's that. But there's plenty of things to do when it comes to there's doing behavioral analysis. On your end point, you know there's process hacker, which is basically like your process manager on steroids, though we can really just see all of the different processes that breaking out who's making network connections and what. You can even pause the process as it's running and download it and look through its strings and all that other stuff. Proc mon, which is process monitor, that really digs down deep into all the different things on the end point that are happening as you run the malware red shot, which is taking one shot of your Computers registry, the complete thing. Then you run the malware and then you take a second shot of your registry and then it does a diff. It compares the two and it's like okay, what has changed is any new registry keys been added? Now again, these are all these things that these online sandboxes can do, but it really depends, like I said, do you want the sample to be made public to everybody, including the bad guys, because they're going to know they've been burned, you know? After a time it's like, alright, everybody knows the hash of this thing. Well then, we have to change our game and we'll start sending out new malware instead. So, yeah, behavioral analysis, static analysis, it's all fun.
Speaker 2:I was just messing with one today where there was an email. It had a zip attachment. I extracted it and it was aimg file, an image file. You mounted it up and it contained only one VBS script. Well, I was looking at that and it was just all written in VBS and it had these big, gigantic strings of encoded letters that the VBS file would then decode and then extract. Well, when it decoded, those were all PowerShell. Well, that PowerShell contained more encoded strings and so, really, just notepad, notepad plus, plus. I mean, that's a great tool for just decoding these and looking through them just to see what it is that they're trying to do. Keeping it simple.
Speaker 1:So, jamie, as an end user who may not have the interest or the sophistication to go through this level of detail in their personal lives, to unpack these, what are some of the indicators that people can look for? I know we touched on some things funny domains, things like that but is there something that people should do in their personal lives to protect themselves?
Speaker 2:I would say that all of the same rules for trying to identify a suspect email, this training that you're getting at your business, it all completely applies to emails coming at home too. The thing is that you just don't necessarily have all of the same layers of protections. You don't have your firewalls and web proxies that can try to block outbound malicious traffic.
Speaker 3:James, I thought it was kind of interesting earlier and we're kind of touching on it again about how it's okay to click on the email, but you don't want to have an action, right?
Speaker 2:to the email. Open the email, not click on the email. Yeah, it's pretty quick to click on it, but yeah, to open it.
Speaker 3:I was thinking about this as we've been having conversation and I wonder if a part of that thinking is due to the culture that we're creating, because we're training and teaching our staffs or organizations to not be a clicker. That's a metric and, for example, no before is you're a clicker, you've clicked into the email. So thoughts on that.
Speaker 2:Yeah, it's interesting where some people it's like I don't even want to look at it, it's not going to hurt you. But then again, maybe for a lot of people computers in general, let alone IT, cybersecurity and things it's just kind of like a big black box and I don't know what it is. I just know that I should be scared and people told me that I should be scared and I read to the news about how scary it is, so I'm just going to not touch it and I could understand why people would be that way.
Speaker 3:Yeah, I think that's one thing that I've seen in the past too, and I think it's probably actually a good thing. One organization they were giving out like I think they were like $5 coffee gift cards If you spotted a phishing email or something and you sent it in like not every time, but like if you did a good, oh yeah, you spotted this phishing email you sent to the help desk. Here's a $5 gift card for doing a great job. And that's part of that culture for education policy procedure, creating that environment where people are educated on these things and you reward them for that.
Speaker 2:Yeah, yeah, I've done plenty of demos or analyses within my organization too, where it's like, hey, let's open up this box here, let's see what's actually happening, so that they get an appreciation of like, okay, here's what's going on. Here's what I did one for the entire IT department one time. So you've got technical people right. So we tore apart a malicious document and we were looking at the strange, crazy code in it and we're like, oh yeah, that's what they do. That's interesting, they've never seen this before. So like, all right, I get it now. Whereas other people it's just like, hey, look at this fake email from the CEO, what, no way, that's amazing. So you get a wide range. But it's just that reach out, that it's not just dangerous because we say so, here's really what's going on and that can really just kind of start to expand people's minds.
Speaker 3:James, one thing that we well, one of my quick tips is always if you get an email from somebody that you think is your boss or CEO or something, maybe go ask them or give them a call and say this doesn't sound like you. You know, did you send this email, but you know turning it back to you. What are some of your top five things that you're looking for or would do if you fall victim to a fake Sure?
Speaker 2:Fall victim to a fish. It kind of really depends on what is it that you did? Did you give up using a password? Well then, the obvious thing is to change your password, and everywhere else you're using that same password, which you totally shouldn't do but which everybody does. Anyway, yeah, you should totally change your password, because that's what you gave the bad guy.
Speaker 2:All right, did you give the bad guy financial information, credit card number, something like that? Call your credit card number, call your credit card company immediately. The number is on the back of your credit card. Tell them hey, this needs to be canceled right away. Look at any sort of charges that were made to it, get those canceled and get a new credit card. Did you give up bank information? Well then, you need to talk to your bank on how to figure that out.
Speaker 2:Do were you just surfing and you saw some strange pop-up thing that took over your whole screen, saying you've got all the viruses in the world.
Speaker 2:And now it's like well, okay, don't, maybe you did interact with it, and now your computer is full of, just like you know, bloatware and just other just sort of dumb, malicious things. So maybe you need to reinstall your operating system then maybe, or call your favorite nephew who likes computers to go, go, go, figure it out. You know I mean because, typically the times that I've been that nephew and I've had to go clean up things for people, it's what they're doing, it has some sort of name, and there's plenty of guides online that you can go and try to clean it up as best you can without having to do a full reinstall. My general advice for anybody, though, is especially you know my older folks that I know it's never click on anything that you didn't go searching for. You know I've had to clean up plenty of things because, oh, they said, I had all the viruses like, and I clicked on the thing. Well, you gave her permission to a bunch of stuff on your endpoint there.
Speaker 3:Yeah, a lot of really good points. I think one more that I would also add is if you're not actively using your credit and we've talked about this before lock, freeze and lock your credit. You know, go on to their major websites for the organizations and freeze your credit unless you're actively actively using it. But yeah, really really good points, james, thank you.
Speaker 1:Yeah, tell us. We want to know if you clicked on something or you thought you clicked on something or you saw somebody click on something. Tell us, we want to know. You're not going to get in trouble for telling your security organization about something that's happening. It's much better to catch the problem early than later. And if you're involved in a phishing campaign at work, so they'll do simulated phishing, don't tell your neighbor that, hey, they're sending out state fare tickets. That's a phishing email, right? The emails are crafted so that we can test the organization's security and we want to know how well the organization is doing so by telling everybody that, yeah, they're doing phishing emails. Now, this is what it looks like. That's not helping the organization. Just hit that. Report a suspicious email, get the thumbs up and go on about your day.
Speaker 2:I really like that point of if you click on something and you think it was malicious within your company, you know, just to report it to the security team and say, hey, I think I messed up. So you really have to foster that culture ahead of time. You have to tell people look, this can happen, let us know, because we need to clean it up. That's not going to happen without that sort of a trusting culture between the security team and the rest of the organization.
Speaker 3:That is a great point. I think this has been such a great time chatting with you, james, and I think this is such a great topic to continue to have, because, in some way or another, everybody can relate to this. You don't have to be a cybersecurity professional to think you know what was going to happen to me or understand, like you know, the reverse engineering that you're talking about.
Speaker 3:Well, we've all got the phone calls from mom, grandma, dad, whoever, uncle, aunt that have had this situation, or yourself, so I think everybody can resonate with what we're talking about today. So thank you so much for coming on.
Speaker 2:You bet my pleasure to be here. Bye.