Object Oriented Cybersecurity Detection Architecture (OOCDA) Suite

Phishing and Spear-Phishing Analysis
Definitions
Definition #1:
Phishing is a tactic for luring individuals into handing over sensitive data: personal identifiers, passwords, banking and credit card details, or anything else an attacker can use to gain access to a system. The lure can arrive over any communication medium: email, text messages, phone calls, someone posing as a legitimate institution, or links and websites built to look legitimate. Phishing attacks are not personalized to their victims and are usually sent to many people at once.

Definition #2:
Phishing and spear-phishing share the same goal and approach, obtaining critical data, but a spear-phishing attack targets a specific victim and tailors its messages to that victim. For example, the victim may receive a legitimate-looking email containing a link to a site that also looks legitimate, and then fill in that site's form fields with critical data. Spear-phishing therefore requires more sophisticated tactics, and the research behind it (names, roles, current business) makes the message much harder for the victim to recognize.

Attack Type:
The attack is aimed at any person who holds identifiable information, with the goal of obtaining the critical data needed to access the target system.

How is the attack carried out?
Attackers target people through the following channels:

       1. Emails
       2. Text messages
       3. Phone calls
       4. Someone posing as a legitimate institution to lure individuals
       5. Links
       6. Websites that look legitimate

Victims, Losses, Damages:
Anyone who does not verify the origin of an email, phone call, text message, website or cloud service can be a victim. Once an attacker has system or network access, the extent of the damage depends only on how sophisticated the attacker is.

Damages - Victims:
Personal:
Staff, consultants, customers, or anyone holding critical data that can be used to gain access or cause damage.

Machine - Servers and Storage:
Stolen data can be used to access servers, storage, etc.

Networks:
Stolen data can be used to access networks and the storage reachable from them.

Data:
Critical data is at risk of disclosure or tampering.

Software:
Not necessarily damage to the software itself, but the attacker may upload viruses, code, etc.

Others:
What else can the stolen data be used for? That remains an open question. Links in a phishing message may also allow attackers to upload viruses, code, etc.

Detection:
Our approach to detection combines:

       • Analysis Using Experts
       • Automation and Intelligence
       • Using Tools
       • Cross Reference Experts' Analysis and Automation
       • Programming
       • Testing
       • Management
       • Prevention

Using Numbers, Formulas and Algorithms:
Data keeps getting bigger, and processing it keeps getting more complicated and time-consuming. We believe that turning data into weight-value fields makes it easier to check, compare, cross-reference, analyze and store. Adding intelligence to the analysis is then doable: the numbers are used to make an educated guess (intelligence) based on the values in the weight-value fields, and they also support prediction and future decisions based on the collected values. For example, if one email used by the attackers succeeded in luring 9 of the 10 employees who received it, the chance that the attackers will reuse this email and/or its contents is taken to be 90% (9 successes out of 10 attempts). That estimate rests on only ten observations and should be revised as more are collected, but it already lets the detection team build a detection matrix for this email and its contents for further detection, prediction, analysis, scanning and training.

Therefore, our analysts need to think in terms of numbers, formulas and algorithms. Building matrices from the data speeds up processing and supports intelligent decisions.

Teams and Staff Involved:
Everyone involved, clients, users, developers, security experts, management, vendors, etc., needs to take a cooperative approach and take phishing seriously.

Analysis Using Experts:
How do we analyze individuals who pass or give critical data to attackers or fraudulent sites?

Our answer is to analyze:

       • The victims' individual actions and thinking
       • The data being stolen or hacked
       • How the stolen data could be used
       • The resulting risk, and how it should be addressed
       • The weight-value-field matrices built from the above

We need to create analysis matrices of:

       • Individual actions or conduct
       • Data hacked

These matrices need to be checked periodically.
Each row must be analyzed, with a weight and a risk factor associated with it.

Individual Actions or Conduct:
The following are possible check items, each a row in the detection-analysis matrices:

       1. No such thing as a trust relationship: everything must be checked for fraud
       2. Compromised credentials
       3. Strength of usernames and passwords
       4. The risk posed by a compromised credential
       5. Identification of suspicious activity
       6. Cached credentials
       7. Periodic password changes
       8. Frequent software updates
       9. Employee and client training, checked for compliance with the detection processes
       10. Data protection program
       11. Testing of employees, users, etc.

Data Hacked:
For data that has been hacked, or that could be compromised, the following table is an example matrix, one row per user or data item:

       #     User Type   Risk Factor   Last Update   Breach Factor   Cached Credentials   Date Tested   Comments
       1     ...         ...           ...           ...             ...                  ...           ...
       ...   ...         ...           ...           ...             ...                  ...           ...
       N     ...         ...           ...           ...             ...                  ...           ...

Strategies:
Our strategies are:

       • Build analysis matrices to find vulnerabilities
       • Write detection processes for every type of user
       • Train users, clients, employees, etc.
       • Build analysis matrices to look for patterns, events and frequencies
       • Build a number of automated detections
       • Build testing processes
       • Perform testing on a scheduled basis
       • Use machine learning to perform automated detection and testing

Approaches:
Everyone using the system must be part of the solution, and we need to listen to their views, suggestions, feedback, comments, etc. In a nutshell, users are the ones the system is built for. They are the ones using it, and they are best placed to help us carry out our tasks and responsibilities.

Plans:
Based on the running business, we build plans from our strategies and approaches, and we develop every process in those plans.

Finding Vulnerabilities:
Using the analysis matrices, weights, risk factors and other parameters, we can find vulnerabilities. We then use strategies, approaches, plans and tools to close those vulnerabilities and secure the system.

Automating Detection Processes - Intelligence and Building Matrices:
Detection is not simple when human factors are involved. Therefore, we recommend the following processes. Each process has a weight-value field that can be checked, compared, cross-referenced and analyzed, and from which an educated guess (intelligence) can be made. Each process has its own matrix:

       1. Ask each individual user the same question more than once, each time with different wording.
       2. Change these questions periodically so users do not notice repetitions.
       3. The answers to the same question must have the same value; otherwise, it is a red flag.
       4. Keep an audit trail of each user and of every access to or usage of the system.
       5. Log and analyze the frequency and time of access.
       6. Audit and track how many login names and passwords are in use, and when each is used.
       7. Have every user work through the checklist of Individual Actions or Conduct.
       8. Evaluate weight-values for suspicious activity, user type and data compromised.
       9. Cross-reference all matrices and look for mismatched or missing values.
       10. Perform data weight-factor and user-type analysis.
       11. Identify vulnerabilities.
       12. Perform remediation processes.

In short, we turn actions into numbers for processing. System architects, analysts, cybersecurity experts, management and staff brainstorm together to build these matrices and the value-weight of each item in them.
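The following is an added example, not OOCDA project code, of one such process: an audit trail (items 4-6) and a pair of reworded questionnaire answers (items 1-3) are turned into a per-user matrix of weight-value fields, scored (item 8), cross-referenced for mismatched or missing values (item 9) and filtered into a red-flag list for remediation. The log lines, the answers, the column names, the weights, the business hours and the threshold are all constructed for illustration.

```python
# Added example (not OOCDA project code): one audit-trail process turned into a
# per-user weight-value matrix, as recommended in items 1-9 above. The log lines,
# questionnaire answers, weights and thresholds are all constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed audit trail: timestamp, event, user, source address (item 4).
AUDIT_LOG = """\
2024-03-04T08:55:12 LOGIN alice 10.0.0.12
2024-03-04T09:10:41 LOGIN bob 10.0.0.40
2024-03-04T23:48:03 LOGIN alice 198.51.100.7
2024-03-05T02:15:30 LOGIN alice 198.51.100.7
2024-03-05T02:16:02 LOGIN bob 198.51.100.7
2024-03-05T02:17:45 LOGIN carol 198.51.100.7
2024-03-05T09:01:10 LOGIN carol 10.0.0.55
"""

# Items 1-3: the same question asked twice with different wording; the answers must agree.
ANSWERS = {
    "alice": {"q_mfa_enabled_v1": "yes", "q_mfa_enabled_v2": "no"},
    "bob":   {"q_mfa_enabled_v1": "yes", "q_mfa_enabled_v2": "yes"},
    "carol": {"q_mfa_enabled_v1": "yes"},          # second wording never answered
}

# Assumed weight-value fields (0-10) and business rules.
WEIGHTS = {"off_hours_login": 4, "shared_source": 5,
           "answer_mismatch": 6, "answer_missing": 2}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal (item 5)
MAX_USERS_PER_SOURCE = 2        # more accounts than this from one address is suspicious (item 6)
RED_FLAG_THRESHOLD = 10         # weighted score at which a row becomes a red flag

def parse_audit_log(text):
    """Turn raw log lines into (timestamp, event, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, user, source = line.split()
            events.append((datetime.fromisoformat(ts), event, user, source))
    return events

def build_matrix(events, answers):
    """One row per user; each column is a count that a weight is applied to."""
    matrix = defaultdict(lambda: {"logins": 0, "off_hours_login": 0, "shared_source": 0,
                                  "answer_mismatch": 0, "answer_missing": 0})
    users_by_source = defaultdict(set)
    for ts, event, user, source in events:
        if event != "LOGIN":
            continue
        matrix[user]["logins"] += 1
        if ts.hour not in BUSINESS_HOURS:
            matrix[user]["off_hours_login"] += 1
        users_by_source[source].add(user)
    # Item 6: a source that drives more accounts than expected taints every account it used.
    for users in users_by_source.values():
        if len(users) > MAX_USERS_PER_SOURCE:
            for user in users:
                matrix[user]["shared_source"] += 1
    # Items 3 and 9: cross-reference the reworded answers; disagreement or a gap is a finding.
    for user, row in matrix.items():
        given = answers.get(user, {})
        first, second = given.get("q_mfa_enabled_v1"), given.get("q_mfa_enabled_v2")
        if first is None or second is None:
            row["answer_missing"] += 1
        elif first != second:
            row["answer_mismatch"] += 1
    return dict(matrix)

def score(row):
    """Weighted sum of the row's findings (item 8)."""
    return sum(WEIGHTS[col] * count for col, count in row.items() if col in WEIGHTS)

def red_flags(matrix, threshold=RED_FLAG_THRESHOLD):
    """Users whose weighted score reaches the threshold, handed to remediation (item 12)."""
    return sorted(user for user, row in matrix.items() if score(row) >= threshold)

if __name__ == "__main__":
    matrix = build_matrix(parse_audit_log(AUDIT_LOG), ANSWERS)
    for user, row in sorted(matrix.items()):
        print(user, row, "score", score(row))
    print("red flags:", red_flags(matrix))   # ['alice', 'carol']
```

With these inputs, alice is flagged for two off-hours logins, a shared source address and contradictory answers (score 19); carol is flagged for an off-hours login, the shared address and a missing answer (score 11); bob, with the same shared address and one off-hours login, scores 9 and stays below the threshold, which is the point of combining several weighted columns rather than alerting on any single event.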

Servers and Storage:
Our approach to protecting the data (emails, texts, phone calls or any other communication data) is to create an independent, separate data store that is neither linked nor connected to any existing system data store. We recommend the following:

       • Use a separate bare-metal server for the email service software
       • Use NAS for storage, with compression and encryption of the data and with timestamps (keep the encryption keys off the NAS itself, otherwise whoever takes the device also takes the data)
       • Back up the backup on inexpensive NAS
       • Scan and timestamp data before it is stored

Tools
Virtualization, Intelligence, Automation and Integration are the tools that let any cloud system scale vertically and horizontally. DevOps and DataOps use these tools to run and secure the running system.

Intelligence:
Intelligence here is the weight-value analysis described under Using Numbers, Formulas and Algorithms: data is turned into weight-value fields that can be checked, compared, cross-referenced, analyzed and stored more easily; the numbers are used to make educated guesses; and they support prediction and future decisions based on the collected values.

Our Analysis Example:

Sample Phishing Emails
Image #1: three sample phishing emails (image not reproduced here).

Image #1 represents three phishing emails. Taking Phishing Email Samples #1, #2 and #3 as the data to be processed by our intelligent system, what we call number-value analysis, we recommend developing the following:

       • Dictionaries (Different Languages Token-Value)
       • Business Rules
       • Parsers
       • Engines
       • Processes
       • Services
       • Decision Makers
       • Statistic Engines - History Trackers

Words Dictionaries (Different Languages, Token-Value):
Our dictionary is nothing but a list of key tokens, each with a value or weight associated with it. For example, the following words:

       "IRS", "restricted", "frozen", etc.

The token-value expresses how big a red flag the word or token is.
Such dictionaries can grow as new words are added, and words no longer in use can be edited out.
We would create a different dictionary for each language: English, German, etc.
A single keyword also appears in legitimate mail, so a token's weight on its own should never decide; the decision makers described below combine several findings before calling a message fraudulent.

We may also need a separate dictionary for names, since names may be spelled differently in different languages.

Phrases Dictionaries (Different Languages, Token-Value):
This dictionary follows the same concept as the words dictionary but uses expressions, such as:

              "will expire in X hours", "Update your password", "account has been restricted"

Again, we would create a different dictionary for each language: English, German, etc.

Business Rules:
Business rules give the system its dynamic behaviour and intelligence in analysis, processing and decision making. They eliminate recoding: instead of hard-coding options and conditions, the rules express them as data that can be changed without touching the code.

Parsers:
Parsers parse emails, phone calls, texts, images or any other electronic media to produce the keyword tokens.

       • Keyword Parser
       • Expression Parser

Engines:
Token-Value Engines:
They assign a value-weight to each token and add new tokens to the dictionaries.

       • Keyword Value-Weight
       • Expression Value-Weight

Services:
Services are tools that use the engines to build their functionality. They also create the matrices, using the engines to populate them. Each column name in Table #1 represents a specific action or finding. For example, a word such as "responsible" in an email would score 7 out of 10, or 70%, in the "Guilt" column; attackers use such words to make their victims respond quickly. The same applies to the word "penalty" for the "Loss" column. We are open to any suggestion that makes our services more intelligent and practical. The matrices our intelligent services create can be checked, compared, cross-referenced, analyzed and stored more easily.

Processors:
Processors use services to perform the needed processes.

Decision Makers:
As the name implies, they make decisions dynamically, based on the business rules.

Statistic Engine - History Trackers:
This adds intelligence based on history and performance.
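The following is an added example, not OOCDA project code, that wires the components of the preceding sections together over constructed messages: a words dictionary and a phrases dictionary (using the tokens quoted on this page), the keyword and expression parsers, a token-value engine, a service that fills one matrix row per message with the "Guilt" and "Loss" columns of the Services section, a decision maker driven by business rules held as data, and a history tracker that reproduces the 9-of-10 success-rate example from Using Numbers, Formulas and Algorithms. The three emails, the additional column names, the weights and the thresholds are assumptions made for illustration, not values from Image #1 or Table #1.

```python
# Added example (not OOCDA project code): the pipeline of the sections above, from the
# word and phrase dictionaries through the parsers, token-value engine, a matrix-building
# service, a business-rule decision maker and a history tracker. The three emails, the
# column names, weights and thresholds are constructed for illustration; the dictionary
# entries are the ones quoted on this page.
import re
from collections import Counter

# Words dictionary: token -> (matrix column, weight 0-10).
WORDS = {
    "irs": ("Authority", 8),
    "restricted": ("Loss", 6),
    "frozen": ("Loss", 7),
    "responsible": ("Guilt", 7),   # the "Guilt" 7/10 example from the Services section
    "penalty": ("Loss", 8),
    "immediately": ("Urgency", 6),
}
# Phrases dictionary: regular expression -> (column, weight); the page's "X" becomes \d+.
PHRASES = {
    r"will expire in \d+ hours?": ("Urgency", 8),
    r"update your password": ("Credential", 7),
    r"account has been restricted": ("Loss", 8),
}
COLUMNS = ("Authority", "Guilt", "Loss", "Urgency", "Credential")

# Business rules (assumed): how many columns must be hit, and the total weight needed,
# to call a message phishing. Kept as data so they change without recoding.
RULES = {"min_columns": 2, "min_total": 15}

# Constructed sample messages (not the emails shown in Image #1).
EMAILS = {
    "email_1": ("IRS notice: you are responsible for an unpaid penalty. Your refund "
                "will be frozen unless you respond immediately."),
    "email_2": "Your password will expire in 24 hours. Update your password now.",
    "email_3": "Reminder: the quarterly penalty report is due Friday.",
}

def parse_tokens(text):
    """Keyword parser: lowercase word tokens of the message body."""
    return re.findall(r"[a-z]+", text.lower())

def parse_phrases(text):
    """Expression parser: the dictionary phrases that occur in the message."""
    lowered = text.lower()
    return [pattern for pattern in PHRASES if re.search(pattern, lowered)]

def token_value_engine(text):
    """Attach (column, weight) to every dictionary hit and count repeats."""
    hits = Counter()
    for token in parse_tokens(text):
        if token in WORDS:
            hits[WORDS[token]] += 1
    for pattern in parse_phrases(text):
        hits[PHRASES[pattern]] += 1
    return hits

def matrix_row(text):
    """Service: one matrix row with a 0-10 value per column. A column is capped so a
    single repeated word cannot outweigh every other finding."""
    row = dict.fromkeys(COLUMNS, 0)
    for (column, weight), count in token_value_engine(text).items():
        row[column] = min(10, row[column] + weight * count)
    return row

def decide(row, rules=RULES):
    """Decision maker: apply the business rules to a matrix row."""
    columns_hit = sum(1 for value in row.values() if value > 0)
    return columns_hit >= rules["min_columns"] and sum(row.values()) >= rules["min_total"]

def template_key(text):
    """Identity of a lure for the history tracker: its set of dictionary hits, so a
    reworded copy of the same template still matches."""
    return frozenset(parse_phrases(text)) | frozenset(t for t in parse_tokens(text) if t in WORDS)

class HistoryTracker:
    """Statistic engine: how often each lure template succeeded (the 9-of-10 example)."""
    def __init__(self):
        self.sent, self.lured = Counter(), Counter()

    def record(self, text, recipients, lured):
        key = template_key(text)
        self.sent[key] += recipients
        self.lured[key] += lured

    def success_rate(self, text):
        key = template_key(text)
        return self.lured[key] / self.sent[key] if self.sent[key] else 0.0

if __name__ == "__main__":
    for name, body in EMAILS.items():
        row = matrix_row(body)
        print(name, row, "phishing" if decide(row) else "clean")
    history = HistoryTracker()
    history.record(EMAILS["email_1"], recipients=10, lured=9)
    print("reuse estimate:", history.success_rate(EMAILS["email_1"]))   # 0.9
```

Email 1 hits four columns (Authority 8, Guilt 7, Loss capped at 10, Urgency 6) and is called phishing; email 2 is caught by the two phrases alone; email 3 contains "penalty" but nothing else, hits a single column and is left alone, which is the behaviour the business rules are there to enforce. Adding a language means adding another WORDS and PHRASES pair, not new code.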

Automation:
DevOps and DataOps provide containers, with their components (applications and services), to users as cloud services. Such services automate the running of any user's request for a cloud application.

Integration:
Integration is the extension of virtualization and automation: virtual containers, with their components, can be called, run and placed on any network, local or remote.