Jacob Torrey

Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more.


Session

10-24
11:15
45min
From 0 to millions: Protecting against AitM phishing at scale
Jacob Torrey

Phishing has evolved both in the TTPs of attackers, and their targets. From simple clones of a website trying to get a username/password to reverse-proxying systems that steal sessions even with MFA, the target landscape has changed. Many of the defenses against phishing are started to show their age, between block-lists for domains that appear to be illegitimate, SMS/push MFA, and broken functionality cues that may alert someone to the site not being correct. Modern phishing tools, like EvilGinx, Modlishka, and more handle all of these by hiding the phishing content behind a unique "lure" to avoid domain blocking, supporting SMS/push MFA, and seamlessly allowing for login and hand-over once the session has been stolen.

This talk is focused on a Canarytoken type that lets you protect a shared-responsibility platforms that are difficult to gain insight into. These include Azure Entra ID, LogTo, and custom sites. The Cloned Site Canarytoken lets you quickly get alerted if someone is mirroring or reverse-proxying a sensitive login page that has any of your users trying to login--you can get alerted about the phishing site's URL before the user has even entered their password!

After a view of the landscape of modern phishing techniques, defenses, we'll dive into our novel defenses, and look at the data of token alerts from millions of logins every day to build a view of real-world phishing attacks and their TTPs. We'll finish off with how to respond to alerts, and some attacks against our Canarytoken. Finally we'll discuss our mental model for sharing this information via networks like MISP.

topic: CTI
Europe - Main Room