The next session is a lightning talk by Mbison, and the title is up there on the screen: it's Targeted User Analytics and Human Honeypots. It's a research project, and because we're tight on time with this one I will hand over immediately and let you introduce yourself.

Yeah, I've got to take this shot. I'm not much of one, but here it goes. So my talk is Targeted User Analytics. I think you will find it interesting. I've been busy trying to explore the targeting processes that adversaries use, both APT and the less sophisticated adversaries, and how social media is leveraged. That was really the key driver of this.

A little bit about me. I'm a beekeeper; as you will see, I have a few strange hobbies, and this is one of them. Mbison is Rich Wickersham. You can follow me on Twitter; that's who I am. I didn't want to take a bunch of the attention prior to the talk, so that's why I waited until this time. I've been in the field for almost 20 years. I've been conducting OSINT since before we really had a name for it, I guess. I've got a strong background up and down the stack in security, busy in cloud chasing the misconfigurations that have kept us all gainfully employed. Currently I really get a lot of enjoyment out of deconstructing adversary attack methods. So, you know, those are the things that I like to do.

So, jumping into my talk, my hypothesis is that our adversaries are using LinkedIn. We know this. To target our users, data-driven targeting models can be built, and I built one. Targets can be externally enriched using breach data and other open-source methods, and there is internal enrichment data that is only available to us to defend, and this is what we need to do.

So I had to put a shirtless Vladimir Putin in here. This was for my amusement, and hopefully you find it funny. But users are still the weakest link, but it's only certain users. It's not everyone. It's those that have a large public footprint, those of us, all of us in the room, that have a large breach data set.
This is highly problematic, and also the behaviors that are demonstrated by those users. I call them habitual clickers, but you need to know who they are in your organization. If they map to your models, the systems you're trying to protect, you need to work against that. And the most important thing is the adversaries have every method and every type of data available to them, and as defenders we can't use it all. This is a problem.

So, targeted user analytics, the manual workflow. This is the thing that my whole deck tracks to. This is where I started this project, and this is what you can refer to after the fact to build your own project along the lines of what I did.

So I kicked this up. This was in my backup slides, but I wanted to kick it up to the front after chatting with a few people, just to show the due diligence that was done in terms of the preconditions and legal pieces and what you can do, and the fact that I was unauthenticated when I did any work against LinkedIn. I thought that was a key thing, and we had a legal precedent for that. And also the way I leveraged breach data was a pull from Have I Been Pwned. Hopefully everybody's doing the same thing, and assigning ones or zeros to data sets that are available based on how I rated it.

So the use case for generating my data was SWIFT. I think that's the largest money-moving system in the world. I've been fortunate enough to build out a SWIFT customer environment, and it was right at the time that the Bangladesh and Vietnam incidents became public, so I got to look deep at those. I had a great headwind; I was able to really build a secure environment. One of the things I ask when I build that environment, or when I do anything, is who has access to the system, and more importantly, who do the adversaries know has access to my SWIFT system?
So if they know who to target, we've got a problem. So I went ahead and I footprinted my company, and the results were shitty, basically. So the next question I asked was, well, how do we look compared to the rest of the industry? So I did seven more, and the results were bad across the board. And at the same time as this, I was working on a graduate paper at UVA and I needed a topic, so I was like, well, why don't I build a conditional probability model for this? And that's what I did.

So a couple of things about SWIFT. SWIFT is a secure platform; it's pretty well built. There's been a lot of work done against it. But the customer implementations of SWIFT are not always good. We know this, and when you have a weak customer environment, it opens you to two attack vectors: one being platform users that access Alliance Access through a web interface, for example, and the other being infrastructure administrators. If you've got root to the platform, then you can do some serious damage, and both user types have been targeted by adversaries, and we've seen this. And of course, I think there will be more successes, but in companies with a lower security budget, the $50 firewalls are not going to cut it. SWIFT realized this as well, so they built the Customer Security Program, and that was a good move, I think.

So, seeds. The seed files that I built are the keyword files. So I used the same methodology that a good recruiter would use. I have a couple of friends that are recruiters, I have people trying to recruit me, and I sort of get a feel for what they're doing and how they're doing it. And in the case of this seed file, you wanted to identify a target with access to SWIFT. A higher number of matches indicates a target that moves large amounts of money. So that's the target acquisition that we're looking for, and these are the seeds.

So utilizing the seeds actually creates more seeds, which is interesting. This is a simple query.
You can run it in Google. So I've been told it's Google dorking, which I thought was Google-fu. That was funny. And this is due to my lack of automation and doing something simple here. So you can select a Fortune 500 or a Fortune 100 company and run this search right now and see what you find. In a basic base model, five matches out of 32 would be a successful basic match. I've created weights on all my variables; I'd suggest you do the same, depending on how you're building this approach out. And again, you can play with advanced search, too. You sort of learn some things when you're doing this: fewer variables is more friendly in terms of returning results. If you put too much into a search engine, it will give you crummy results, so try two or three from your seed.

So, what you can expect to harvest from LinkedIn: relevant skill and probability match percentage achieves an initial targeting accuracy score. Geolocation of where the SWIFT infrastructure is located. This is important because you will know where the treasury team is, and also you can use this same data to de-anonymize targets. So the people that had good OPSEC and said they weren't working in the financial services industry, you can line up their skills and you can figure out what company they work for. So geo is also important. Another variable is where you move money to, so that's indicated by skill type, which is our cross-border payments, forex, foreign exchange, things like that that are in the seed. You want to know, or an adversary would want to know, how do I get the money out? How do I get it out to the point where I can take it or cash it out in a casino somewhere? Right, a casino. So that's a good analogy, and that happened.

So, org chart: mapping of relationships to the targets. I've assigned values.
I've got five values based on title, and that allows you to build a phishing use case or a lateral movement use case or a targeting use case.

So, external enrichment. Once you've identified or acquired your targets, you know, more OSINT. A Google search is really effective with a unique name, and your geographic location is super effective in targeting, and that's again highly problematic. You want to look for the primary key in finding breach information about somebody, and that is their private email address. Of course your company email address is not useful, but the Yahoo address you had, the Hotmail address you had, there's a lot of phone data sitting behind that. So you find that, and then you run that against Have I Been Pwned for a one or zero value, and you create your data set based on that. So that'll help to tell you what the bad guys have about your users. And I'm listing some of those sample data fields that are really easy to find, again with Google search, Google searches of the open internet.

So, internal enrichment. This is the important, the most important thing for me and for us, I believe. These are the defender actions; this is what we need to do. A great metric to have is to understand your total user base, and then what percentage of that user base were you able to discover? That's a metric you can start with. Identifying the habitual clickers: you need to know who they are. You need to start feeding that information into your phishing tests. You need to correlate this data with your targeted user analysis, and lots of phishing simulations need to be done. Correlating targeted users with past breaches: you should do this; you may find something, you may connect the dots that OPSEC equals more breaches. Email and spam phishing metrics: the bad guys aren't going to burn a zero-day; they're going to take the simple approach. You can look for trends.
You can look for the commodity approaches that will be taken against you. Also, targeted users are the canaries in the coal mine. They're where we want to spend our effort, because they're who the adversaries know about; they're who's going to be targeted first. Add data sets to use against these folks. Let's eliminate the password from the equation, of course, MFA. I'll keep saying this repeatedly in my deck. Examine the password reset criteria and social engineering risks.

So, human honeypots and operationalizing defenses. We have the same harvest data as our adversaries. We have the same enrichment data. We know who the targets are, and we've separated the weakest links in our companies. So let's make it easy for the bad guys to discover these folks, and I asked myself, what would Arnold do? Let's terminate their attack strategy. Let's make it easy for the bad guys to discover the targeted users. Let's create honey creds, honey groups, honeypots, infrastructure that's easily enumerated. Let's make our jobs easier. Let's add pwned passwords to password history. You might have to dump the hashes and match them, because we can't take that. Let's enforce multi-factor auth; we've got to do that. Let's disrupt them. Let's feed this data into our targeted phishing platforms. Let's provide more OPSEC training; I'll get into that. I've got a training-through-shaming slide in here, too. Let's monitor the targets. User behavioral analysis is a new area that I think can be folded into this, and let's create fake LinkedIn personas and target skills. Do this at your own peril, but it will work.

So, simple correlation and data to model. I've covered most of these, and I want to blast through the deck so you get the whole thing and get into the data harvest.
So, in my harvest, and I had to redo a lot of this because this project started really 18 or 19 months ago: 223 total users were harvested with a high probability of access to SWIFT; 7 Fortune 100 companies; 32 users is the average enumerated size of the treasury cash management team per company; and users at four companies leak partners. You know, it's as bad as some users saying, I have this set of skills and I move money to these places. I couldn't believe it when I looked at it, but I found it multiple times, so it became believable. Domestic and international leakage, that's problematic, you know, when you map that against the attack path of, like, the Lazarus team or Lazarus Group. Members of anti-fraud teams were easily enumerated at three target companies. That's bad, because the bad guys like to watch the watchers to make sure they haven't been caught, and we can't have that. The physical location of the cash management teams, I've gone through that. And again, I was able to de-anonymize those with financial services listed in profiles. One potential security officer role was leaked in a profile. That's a very high level of access, so I'm hoping that was a fake profile.

Other interesting points that I like to point out, and this is relevant to all targeting models: if somebody does something very specific, they're going to be doing it in the next job and the job after that. This data is valuable for years. Almost two years ago, some of the people I found, they switched jobs. They've cleaned up some of their OPSEC, but it's easy to connect the dots, and you've got to think about the adversary space knowing these people and having already connected the dots.

So this is my shame slide. All right, I'm not going to run a live demo; that looks like a career-limiting move. So, you know, I think it might be the sort of thing that you want to do, and maybe expose your users to, and then explain this type of attack model to them. It might be a teachable moment.
It won't, you won't correct the past, which is already going to haunt them and us, but you might be able to correct going forward.

So, seed-based harvest: people with, I believe, a high probability of access to the target system, per company. These are the ones, anonymized again; you want to anonymize this type of data. And then my average seed match per user; some were better than others, and this is pretty fun when you look at it this way. Geo data via LinkedIn locations: 11 locations in total of treasury teams, so I was able to find that in every single company. That was relatively easy; thank you, Google. Partner location and forex skill, so somebody that's leaking partners and gives you a skill that they might move money outside of the country; we got plenty of that. Added enrichment: I did just a few of these just to prove that it worked with Have I Been Pwned, and I ran out of time because of a family vacation, and I was getting yelled at for spending too much time on the laptop on the sunny days by the beach. That's what you do if you're a researcher. So I basically proved the model out with a few.

So, operationalizing the data. As I told you, I've assigned a value based on role and company, and I wanted to show how the spear phishing works, and I wanted to be sure to use the Hamburglar because I find him amusing. So anyway, this is showing enumeration, targeted spear phishing. Basically, you can generate this whole model based on the data that I got. The other thing was operationalizing the geo data, and I wanted to put something simple together showing the relationships between the companies. An action I've taken from yesterday that I need to do is obviously start learning Maltego and saving myself hours and hours of needless work, but it was still fun because I had the Hamburglar.

So, observations based on data and industry predictions: users have poor OPSEC.
We can't do anything about that; we can correct to a point, but that's all we can do. I really wish LinkedIn had had the damage that Facebook had, because, you know, they're not forcing security reviews on people to turn on those new things that have been turned on within the last two years. So, you know, I noticed in my data set that the profiles were leaking way more geo data 18 months ago than they are now. So there have been some things that were tweaked at the LinkedIn level, but not at the user level. People are still leaky in terms of writing things themselves in there.

So I think as cryptocurrencies lose value, financial institutions will be more aggressively targeted; a sure thing is always better than a volatile thing. And APT adversaries with an interest in disrupting the global financial system probably have collections using an approach that's way more sophisticated than what I put together with a simple search engine. And low-capability actors are also using this process for W-2 phishing. I picked SWIFT over W-2 phishing because when I started looking at W-2 use cases against this, I was like, I can't even put this up here. I thought it would have been a dangerous thing to do, and bad, but it certainly does work. And I think this is a primary vector of attack in targeted phishing for W-2s. And you can guarantee that those are low; there's a lot of low-dollar environments with weak security protections there. So that's something we've got to work toward.

So this is again the basics: we need to predict who will be targeted, whether or not they're being targeted, and likely success rates if the user is part of the attack chain. Breach data is going to continue to grow. There's nothing we can do about it.
We've got to model against it in order to be effective. We don't have the same weapons going into the fight as the adversaries, which is a huge problem, and I don't know what we can do about that, aside from break the rules, but we would not want to do that, right? Yeah.

So again, where do you focus? You focus on an achievable objective: leadership, system administrators, financial systems, and programmers. What's important to protect your company? Don't try and do your whole company; you'll kill yourselves, unless we automate some of this. So that's just that. Oh my, I've got one minute. So I did it about right.

So, credit given: my family, I ate up a ton of their time this summer; Troy Hunt, because we could do one-and-zero pointers as opposed to trying to take breach data and look at it, he's done a huge job of making us able to perform our jobs; and the folks that reviewed my presentation. I've got backup slides that are going to be very effective for you to go back to. I'll blast through them real fast. Why is the job seeker the most likely person to click the phishing email? I thought this was an important precondition. I've written a graduate paper for this. I'll eventually publish it.
It'll be important to you. The arguments against, I mean, I don't really think that any of them are valid unless you don't have data that's worth protecting. So, additional seed files, and things I sort of played around with. W-2s I think is actually the worst thing and the bigger problem, W-2 spear phishing. And then I was able to time-lock that. I was actually looking at this almost two years ago; a friend of mine's company got hit, and with a query I was able to pick two people that I thought for sure were the ones that got hit. That was interesting, and I started looking deeper into LinkedIn, too, and looking for maybe personas in there. That's another talk. And then I broke down the attack chain, and why we could prevent that attack chain from completing by using a process like this. So that's it, and yes, I have some questions and stuff. I think we're at the end.
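The defender-side workflow the talk describes (seed-keyword matching with a five-of-32 basic-match threshold, five role values by title, one-or-zero breach flags, habitual-clicker history, the discovery-coverage metric, and the mitigations: MFA, pwned-password screening, targeted phishing simulations, monitoring, honey creds, OPSEC training) can be put into a small internal-enrichment scorer. The code below is an added example and is not the speaker's model or code. The seed terms, role tiers, weights, and user records are constructed; the breach and clicker flags stand in for a Have I Been Pwned lookup and a phishing-simulation result rather than calling any service.

```python
"""Defender-side targeted user analytics: score internal users by public
footprint, breach exposure and click history, then pick mitigations.
Added example; seed terms, role tiers, weights and users are constructed."""
from dataclasses import dataclass

# Constructed seed file (the talk's real file has 32 terms; these are stand-ins).
SWIFT_SEEDS = {
    "swift", "alliance access", "treasury", "cash management", "wire transfer",
    "cross-border payments", "forex", "foreign exchange", "correspondent banking",
    "payments operations", "mt103", "iso 20022",
}
SEED_FILE_SIZE = 32          # size of the full seed file the talk describes
BASIC_MATCH_THRESHOLD = 5    # "five matches out of 32" counts as a basic match

# Five values based on title, as in the talk; the tiers themselves are constructed.
ROLE_VALUE = {"analyst": 1, "specialist": 2, "manager": 3, "director": 4, "administrator": 5}

# Weights for the exposure score (constructed; tune to your own environment).
WEIGHTS = {"seed_ratio": 0.35, "role": 0.20, "breach": 0.20, "clicker": 0.15, "geo_leak": 0.10}


@dataclass
class UserRecord:
    user_id: str
    role: str                 # key into ROLE_VALUE
    public_skills: set        # skills visible on the user's public profile
    breached: int             # 0/1: personal address found in breach data (HIBP-style lookup)
    habitual_clicker: int     # 0/1: clicked in past internal phishing simulations
    geo_leaked: int           # 0/1: public location matches a SWIFT site
    discovered: bool = True   # whether OSINT surfaced this user at all


def seed_matches(public_skills, seeds=SWIFT_SEEDS):
    """Count seed keywords present in a profile (case-insensitive)."""
    return len({s.lower() for s in public_skills} & seeds)


def is_basic_match(n_matches, threshold=BASIC_MATCH_THRESHOLD):
    return n_matches >= threshold


def exposure_score(u):
    """Weighted 0..1 score: the higher, the earlier an adversary finds this user."""
    seed_ratio = min(seed_matches(u.public_skills) / SEED_FILE_SIZE, 1.0)
    role = ROLE_VALUE.get(u.role, 1) / max(ROLE_VALUE.values())
    return (WEIGHTS["seed_ratio"] * seed_ratio + WEIGHTS["role"] * role
            + WEIGHTS["breach"] * u.breached + WEIGHTS["clicker"] * u.habitual_clicker
            + WEIGHTS["geo_leak"] * u.geo_leaked)


def defender_actions(u):
    """Map a record to the mitigations the talk lists (MFA, pwned-password
    screening, phishing sims, monitoring, honey creds, OPSEC training)."""
    n = seed_matches(u.public_skills)
    basic = is_basic_match(n)
    actions = []
    if basic or u.breached:
        actions.append("enforce_mfa")
    if u.breached:
        actions.append("screen_password_history_against_pwned_passwords")
    if basic or u.habitual_clicker:
        actions.append("include_in_targeted_phishing_sim")
    if basic:
        actions += ["monitor_user_behavior", "deploy_honey_creds_and_honey_groups"]
    if n > 0 or u.geo_leaked:
        actions.append("opsec_training")
    return actions


def coverage_percent(users):
    """Metric from the talk: share of the user base that OSINT could discover."""
    return round(100.0 * sum(u.discovered for u in users) / len(users), 1)


def prioritize(users):
    """Targets sorted so the 'canaries' (most exposed users) come first."""
    return sorted(((u.user_id, round(exposure_score(u), 3)) for u in users),
                  key=lambda t: t[1], reverse=True)


# Constructed sample directory; no real people or companies.
SAMPLE_USERS = [
    UserRecord("alice", "manager", {"SWIFT", "Treasury", "Cash Management",
               "Forex", "Cross-Border Payments", "Excel"},
               breached=1, habitual_clicker=1, geo_leaked=1),
    UserRecord("bob", "analyst", {"Python", "Linux"},
               breached=0, habitual_clicker=0, geo_leaked=0, discovered=False),
    UserRecord("carol", "administrator", {"Alliance Access", "Linux", "SWIFT"},
               breached=1, habitual_clicker=0, geo_leaked=0),
]

if __name__ == "__main__":
    print(f"coverage: {coverage_percent(SAMPLE_USERS)}% of directory discovered via OSINT")
    for uid, score in prioritize(SAMPLE_USERS):
        u = next(x for x in SAMPLE_USERS if x.user_id == uid)
        print(f"{uid:6} score={score:.3f} actions={defender_actions(u)}")
```

The score is deliberately simple and monotonic: more seed matches, a more privileged title, a breached personal address, a clicking history and a leaked location each push a user up the list, so the output is a ranked set of users to put under MFA, monitoring and honey-credential coverage first, plus the coverage percentage the talk suggests as a starting metric.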