Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today, in the initial access phase of the framework, we're looking at spear phishing links. So what are the objectives of today's discussion? Well, we're going to define what a spear phishing link is.
00:20
We're going to look at Turla, which is a threat group.
00:23
We're going to review mitigation techniques, and we're going to review some detection techniques. So with that,
00:30
let's go ahead and jump right into our definition.
00:33
It's a spear phishing link. It is an attempt by an attacker to have a victim use a link to download malware instead of using attachments, or to send them to a malicious site to attempt to steal credential access. And so the goal here is to circumvent filters and
00:54
not send a payload directly to the user via an attachment.
00:58
And so again, techniques here are similar to social engineering, if not exactly the same. It requires the user to interact with the content and execute the payload. So an example would be you have a link
01:11
that's provided for your bank, but it's actually taking advantage of a redirect vulnerability
01:19
in that particular bank or that may have been discovered. And so you initially log in, and then it redirects you to an evil account, which then allows the attacker to get credentials or have access to those systems. And so
01:34
if you ever receive a link or something of that nature that you don't trust, it's always best to go straight to the site to review information and not use links, even if you think it's a trusted source.
01:46
Now let's talk about a particular threat actor. So in this case, Turla, or Waterbug, is a Russian-based group that has impacted organizations in over 45 countries, known for watering hole and spear phishing campaigns. And so some of their targets include government,
02:04
embassies, military, education
02:07
and research and pharmaceutical companies. Now,
02:10
before we move on, I'm just gonna pull up a web browser real quick, and we're going to go over to the ATT&CK framework site,
02:19
and we want to look at this group
02:23
known as Turla. So let's go back here,
02:29
all right, so
02:30
the great thing again about the framework is that we're able to easily come and see this group
02:37
Now, what we didn't have in the slides was that they had heightened activity that was seen in mid-2015. This watering hole and spear phishing campaign has used in-house tools, mainly attacking Windows machines, but they've been known to target other OSes now.
02:55
Some of the techniques used here by the group go beyond just initial phishing. They seem to use encrypted data. They modify registry information. They use PowerShell.
03:05
So they've got a number of different
03:07
ways once they gain access to a system that they'll move these systems and establish persistence and things of that nature.
03:16
Now, some of the software that's used: Mimikatz, Empire. So it's just a full list here of different areas. But the great thing again about
03:25
this particular framework and what we can do with it is that if we go to one of the references, in this case provided by Kaspersky, it looked like,
03:36
we can get some further examples about the operation and some technical appendices and IOCs as far as things that they do when they compromise systems. And so in this case,
03:51
they show some CVEs for Adobe PDF exploits using spear phishing.
03:55
There's some of the social engineering information as far as some of the extensions and installers,
04:01
watering holes as far as using this particular Java exploit. And so if you're in the particular vertical that would make you vulnerable to or a target for Turla, then these are some areas that you can focus on taking advantage of. The other thing that is nice to see here is some examples
04:21
of where they've injected websites with that particular Java vulnerability.
04:28
And so these are just some examples of sites that have been hit
04:31
and some of the column R O. C H U sites where they had injected their
04:41
particular malware. Now you can see it's not huge as far as this particular statistic or this bit of information, but that still can be impactful.
04:49
It also goes into where you can see this particular remote JavaScript in the victim browser. And so they give an example here toward the bottom in this particular panel.
05:02
So great to come through again and just look at some of the methodologies of these individuals and some of the ways that they attack systems.
05:13
So let's go ahead and get back to our slides. So what are some mitigation techniques that we can take advantage of when dealing with spear phishing links and threat actors, where we saw a lot of different things, like the JavaScript injection there, the Adobe issues?
05:28
Really, what we want to try to do overall in our mitigation efforts is to restrict the sites that users can visit to those that are necessary to conduct business operations. Now,
05:43
depending on who you ask,
05:45
depending on the type of organization that you run,
05:49
this may, you know, be seen as restrictive or as, you know, nonproductive or as non-beneficial to the workforce. It may make people feel like you're oppressive,
06:00
but really, when you implement these types of controls, it's best to pair that with end-user awareness training and education. You want to explain to folks why it is that you're blocking, you know, sites that aren't necessary for business operations or limiting those sites to maybe US-based or regional-based
06:19
organizations.
06:21
And if you pair that with end-user training and you educate them on the type of threats that are out there and what it is that they are, you know, looking for and how they should be protecting the organization,
06:32
it can make these types of controls less impactful to morale and things of that nature.
06:38
Now, some detection techniques that we can use: email URL inspection. And so, if you've got a particular
06:46
platform that will inspect the URL to maybe execute it in a sandbox-type environment and see if it goes to something malicious or attempts to download a malicious payload, that could be beneficial. Block and alert on known malicious site access attempts. Of course, this is not helpful for new sites, meaning
07:05
that in most cases where social engineering campaigns or spear phishing campaigns or phishing campaigns in general come into play, threat actors are
07:15
pretty good at spinning up new sites to avoid blocking and blacklisting and things of that nature. They'll run that site for a day or two, and then they'll pull up another site and do something of that nature, so this may be beneficial to a degree, but maybe not for more current attacks where threat actors are actively
07:32
changing sites and things of that nature
07:35
and then, you know, have a system in place for users to report suspicious emails, and I can hear the administrators out there, the network administrators, rolling their eyes real hard and gasping at the thought of end users being able to report anything
07:51
as potential phishing emails or spam or whatever the case may be, which is what we see a lot of times, is that end users report more spam than they do legitimate, you know, emails that could be threatening. But
08:03
because they get in the habit of reporting so many different things, we do oftentimes see a pattern where three or four users will report the same email that is, in fact, malicious in nature.
08:16
Or they'll report suspicious emails that don't seem to be the normal communication patterns of executives and things of that nature. So it could be cumbersome initially. But again, with proper training, it's really beneficial and can help to limit the ability of these spear phishing links from being successful.
08:35
Now let's do a quick check on learning.
08:37
Spear phishing links use a link to download malware instead of using attachments, or to send a victim to a malicious site to attempt to steal credentials or access. True or false?
08:50
So please, if you need additional time to evaluate this statement or look into anything, please pause the video. So this is, in fact, a true statement. Spear phishing links are used, or are links... use a link to download malware instead of using attachments, to send a victim and, uh,
09:09
or to send the victim to a malicious site to attempt to steal credentials or access.
09:13
So this is a true statement. Congratulations if you got that correct. If not, that's OK. Reread some of the information and try again.
09:22
Now, in summary, we defined what a spear phishing link is and looked at some examples. We went to the MITRE site and looked at some information on Turla and reviewed some examples of their Java injection attacks. Again, if they send you a link, it can redirect you to one of those sites that could then,
09:41
you know, maliciously download something or download something that is malicious.
09:46
And, you know, that's kind of how they could gain initial access or get information from a system. We reviewed the mitigation techniques, talking about blocking sites that are not necessary for business functions and pairing that with education and ensuring that we talked to end users.
10:05
And then we did a review of some detection techniques. So all of this is beneficial with respect to initial access and understanding this particular attack vector and how you can apply controls and take needs to mitigating risks using the MITRE ATT&CK framework. So with that in mind,
10:24
I want to thank you for your time today
10:26
and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor