Protections From Bleeding Edge Phishing, Malware Attacks (Cloud Next ’19)

October 6, 2019

to Security 204. Hopefully, everyone’s having
a great second day at Next. Just wanted to
introduce the session. It’s Protections From Bleeding
Edge Phishing and Malware Attacks. So before we get
started, I just wanted to get a sense of who’s here, so
who here’s an enterprise admin, or helps enterprise admins
with phishing attacks? Just trying to get a
sense of who we’ve got. OK, well, this is going to
be a great session for you. We’re going to be
going into some of the most complex types
of attacks on the internet, and how you can protect
your enterprises from it. But before we get started,
let me introduce myself. My name is Andy Wen. I’m the product lead
for security and abuse across Google. And let me introduce
my partner here. NEIL KUMARAN: I’m Neil Kumaran. I am the product lead
for Gmail Anti-Abuse, and I’m on Andy’s team. ANDY WEN: OK,
great, thanks for– I’m going to get started
here and just introduce the few things before
we get started. First off, email has
become really pivotal to all of our enterprises. We use it to communicate
with each other. We use it to communicate
with partners and customers. And so it’s very much an open
platform, and all of this goes, somewhat obvious, because
we live in this digital age. And so then, it’s no surprise
that fraudsters and attackers are using that same channel to
try to attack our enterprises, to attempt to
extract information, to steal money, or otherwise
disrupt operations. And so we have a
couple of stats we’ll walk you through that just shows
how profound these attacks can be. The first is that 91% of
cyberattacks on the enterprise start with a phishing email. 91%, that’s an overwhelming
number when you think about it. And this is often
the tip of the sphere because the other
aspect of it is malware. Every 40 seconds, a business is
hit with a ransomware attack. So for those who aren’t
familiar with this, this is malware that can
enter your enterprise and then encrypt all of
your files until you decide, or not decide, to pay a ransom. And the other one, which isn’t
really the topic of this talk, but also shows the prevalence
of network-based attacks, is 84% of organizations
are hit with a DDoS attack. There are some other products
that GCP offers that help with this, called Cloud Armor,
so you can look that up later. But we’re going to
really focus on the first and the third today. So let’s look a little
deeper at trends we’re seeing in phishing. We have a chart here that
shows the capabilities, and what we are finding
with Google’s Safe Browsing technology. What this is, is it
scans the internets to find malicious sites
like phishing and malware. And the trends are
interesting because over time, what you can see is
that malware sites have gone down slowly over time. But phishing sites have gone
up significantly over time. In fact, 30,000
new phishing sites are found each week, which
shows the scale of this threat vector. Gmail sees over a hundred
million phishing emails per day, just gives you a sense
of the size and scale of this, which is amazing when
you think about it. And when you dig a little
bit deeper into it, where are they coming from? They’re coming from everywhere. When we track the IP addresses
of the websites, or the emails, of where they’re
being sent, they’re coming from all over the world. And they’re going to
all over the world. So your victims are
also everywhere. So this is truly a large-scale,
widely-distributed attack. There’s very few people
on the planet that are not subjected to phishing emails. Then let’s look
closely at malware. While malware websites
have gone down, what we see is actually the user
impact of malware is going up. What we see here in
the chart is how often Chrome has presented the
dangerous download warning. What Chrome does is it
tries to protect users who are about to download
a known malicious file, and say, wait a second. That’s that big red
warning that you’ve seen. The rate of this being
displayed to user has actually doubled since 2016. So while the phishing–
while the malware sites have gone down, the impact on
the user has actually doubled. And we are particularly
concerned about malware because this is often
that silent threat. Users are unaware of
what they’ve downloaded, and the risks to
your enterprise are quite profound because
this can be that entry point into your enterprise. So as an enterprise admin
who’s charged with protecting your users, what do you do? These are what appear to be
insurmountable challenges. Well, the good news is the
Gmail Anti-Threat Platform has been in existence
for over 15 years. Gmail’s recently celebrated
its 15th birthday. And so since its very inception,
we focused on security threats, whether it’s spam,
phishing, malware. And you’ll get a sense
of what we call spoofing and impersonation attacks. As new attacks are formed,
the Gmail Anti-Threat Platform is deploying new protections
to protect our users from it. So let’s look a little
bit into how Gmail’s able to leverage all
the resources of Google to protect our users. First is we use
the Safe Browsing’s website-scanning
technology to scan over 700,000 sites per minute. We use our Android
platform to ensure that 400 million
devices are checked for security health every day. Over a billion Gmail
accounts and Chrome users are also protected. And the significance
of this number is that, when one user
encounters a malicious site or file, the rest
of the billion users get the benefit of
this intelligence. And over 10 million spam emails
are stopped every minute. So these are some of the
amazing capabilities that Google offers Gmail and G Suite users. We wanted to talk
a little bit more in depth about how we protect
malicious messages from being delivered to your users. And we’ll reference
these as we go along. So I just wanted to
have this in mind. We identify and filter
malicious messages at every stage of a message’s
lifecycle, from the delivery, to the time that
an email is opened, to the time that the
message is clicked on, downloaded, replied. And as well, if we identify
any malicious activity within this whole chain, we take
that information and reclassify that information so that other
users get the benefit of that. We call that reclassification. So as part of the
billion-user base, we’re able to extract
this information and bring it back
to all the users. And three key capabilities
that allow us to do this– we present this at
a high level, just to give you a flavor of
what’s underneath the hood. First is reputation analysis. We understand and count
the different types of signals and features that
comprise an email message, to sort out what’s
good versus bad. Second is we use what’s
called clustering to identify similar-looking
good versus bad messages. And then the last is something
called content understanding. This is where we’re leveraging
Google’s advanced AI to understand email
messages, either from a text basis, semantic basis, or
visual understanding basis. So actually, as a human
would process the message, we’re actually
applying the same types of techniques using Google AI. So let’s first look at a
number of phishing attacks. Now, phishing is
successful for two reasons. First, you can
send a lot of them. There’s really not
a limit to what a phisher can do in terms
of generating these phishing messages. And the second is that
it really exploits areas where humans often make
mistakes because they have a lapse in judgment, they’re
not paying attention, or maybe they’re not visually
able to see what’s going on. So let’s dive into
a couple of these. The first one is what we call
your classic bulk phishing attack. If you look at this
real phishing email, many of us who’ve been trained,
the savvy internet users, can quickly identify what makes
this email look suspicious. The first is you look at the
sender name, Instagram Help, and the sender, who
comes from Well, wait a second. Most people know
that, like, hey, Instagram is going to send
an email from The second is, as you look at
the text, there’s a few typos. There’s some grammar
errors and layout problems. And finally, when
you look at the link, you realize that it’s actually
not going to It’s going somewhere else. And so this is an example of
something that users often see. But we filter these out before
it even gets to the user by using Feature Reputation. Now, what Feature
Reputation is doing is it’s looking across the
entire set of email, sent to the over billion users, and
counting the different types of signals and identifiers. And just to give you a
more concrete example, we’ll look at who the
sender IP is, the subnet that it comes from, pair
that to other signals and features, like what
domain is it sending from, what’s the top level domain. And what are the links
that are typically sent from those centers? We put all of this
information together, so that we can identify good
emails versus malicious emails. And this is what’s
carrying the weight with much of the bulk phishing
emails that are sent every day. But phishers have understood
what we’re doing here, and they’ve decided to
take a different tact. What they now have
done is taken all of the features out of
the email and put them into the attachment. Because they will
now send an email with very little information
and put the rest of it in the attachment. What the user then does is they
click, open the attachment, and then you look on
the right-hand side. This is actually the content of
what they were trying to send. And in this example,
what they’re attempting to lure
the user to do is to go to a phishing
website, where they would then put in a username and
password, and be phished. It’s a bit of a challenge,
but for Gmail, we leverage the
capabilities of Google by using the Safe
Browsing technology to scan the actual attachment,
and follow the chain of links to attachments, the
attachments back to websites, to get to the lurer. When we identify the lurer,
we then send the signals back to Gmail and say, wait a
second, at the end of this chain is actually a phishing site. And so we should not
deliver the email, or potentially spam-folder it,
or warn the user about this. There’s many variations of this
attack, as you might imagine. And the combinations
that phishers use are practically endless, but
this is where Gmail and Google Safe Browsing is involved,
ensuring that phishing lurers do not get to your users. And the next set of
attacks are areas where phishers are attempting
to leverage the reputation of reputable senders. Now, we’re going to use a
couple of real Google examples. The first one is the traditional
tech-spoofing attack. Small typo– if you look
very closely at the sender, it’s not actually Google. And if you look
closely at the sender, it’s not actually
coming from Google. And what we’ll do here
is we will identify– let’s look at
another example here. Here’s another one
where, OK, the sender name sounds about right,
but maybe the sender domain is incorrect. But the rest of
the email actually looks plausible, for someone who
is not familiar with a Google account message. And what Gmail is doing is
it’s looking at similarities. When it identifies
that, wait a second– the features that
are getting extracted are similar to a reputable
sender like Google and others that we’re also building
spoofing intelligence for, it says, wait. Match detected. This is a spoof. Do not deliver to the user. Now, let’s get a little
bit more sophisticated. There is something called
Unicode which phishers are utilizing because
it is something that machines can read,
but humans sometimes have a hard time with. And these are– the
Unicode is often used to support
other character sets, when people aren’t
necessarily using English. They’re using other languages. But these Unicode characters
can be used inside of emails to attempt to fool
the classifier, but get through to the human. And example you can see
here is, if you look closely at the “verify your
recovery” details, this might be a feature that
Gmail is typically looking for, for spoofing, but
the phisher has decided to inject invisible
Unicode characters inside. And so that’s pretty clever. Let’s go on to other really
interesting exploits. Use of logos– humans
interpret information visually, so you can use images
that represent a logo. And oftentimes, these are
not exact representations of a reputable logo. They can be either
more compressed. They can be stretched. They may be using
different colors. But to the human being,
it looks like Google and infuses that level of trust. And the last type of spoofing
that I want to talk about here is interface spoofing. So typically, an attachment
that is sent to a user in Gmail is represented at the
bottom of the email with a special icon that
looks like an attachment and invites the user to open it. Well, what the phishers have
now done is recreated this image and put it into the body of
the email to do the same thing, incentivize the user
to click on that link and download a message. And in all of these different
types of spoofing, what we’re employing is Google AI
technology to identify how might a human misinterpret this
as the true reputable entity, whether it’s text, whether
it’s Unicode inside of text, or whether it’s actually a logo. We’re using our AI classifiers
to actually interpret this as a human would
interpret, so that we can identify sufficient
similarity that means that it’s malicious. And as a G Suite user, you
get the benefit of this. And the last type
of attack that we’re going to delve a
little bit into is one we call contact and
employee spoofing attack. In this scenario, it
doesn’t happen at bulk, but it happens more when you’re
targeted as an enterprise. Someone from the outside
will study your enterprise and understand who might be
its leaders and executives. And then they’ll also research
who are the administrators who communicate with these
influencers and leaders, and then send them
urgent-sounding emails. In this example here, you have
myself, Andy, sending a note over to Neil, and it’s
looking kind of urgent, and Neil recognizes who this is. He might not be paying
attention that the email address is actually not from
the one I usually send from. It’d be very easy on a
mobile device, or if you’re in a hurry, not to pay attention
and to quickly send off a document. So typically, these been used
to get access to W2 files, get access to other
sensitive documents, and even to send to, like,
money transfers for invoices and things like that. What Gmail is able
to do is identify, who are the people that you’re
commonly interfacing with, and then it looks into
your company directory and identifies
other common names. And when an incoming
email attempts to match up with someone who
is already in your enterprise, we display a warning
banner so that your users are paying extra special
attention to an outside email, which is attempting
to spoof someone from within your enterprise. And this is where we’re able
to bring more intelligence to the email
experience to identify these kinds of threats. Now, I’m going to bring up Neil
to talk about malware attacks as well. NEIL KUMARAN: All right. Thanks for covering some of
the phishing attacks, Andy. Now let’s spend a little
time talking about malware. As Andy mentioned
earlier, malware attacks are on the rise. This is something
that we observe in a lot of different
parts of our system. But as attacks are
evolving, so are we. So how do we protect your
organizations from malware? I’d like to introduce you to
the Google Antivirus Service. This is our internal
stack that we use to protect against malware. What you see on the
right-hand side of the slide is a simplified picture of
the types of protections that we employ to
protect your domains. Starting at the top,
we can talk about policy-based enforcements. So these are rules,
and rules that we employ to protect against
specific types of threats, and reduce the surface
area of those threats. You can think about
this as simple policies, like the fact that
we do not allow executable files on
Gmail, or we don’t allow JavaScript to be sent in. Next, we have our
suite of AV engines. We run a number of
different engines on every payload
that enters Gmail. Some of these engines are first
party-built by our security teams, that are targeted
towards specific threats. And some of these
are third parties that we have partnerships with. This allows us to catch
the bulk of malware. Below that, we have a few
different unique things that we also employ. The first are what we call
context-based protections. So an easy example, or a
way to think about this is if you look at a traditional
mail-filtering system that receives a malware
attack, first, the mail filter will
take a look at the email. It will take a look at
attributes of the message, who the sender is from,
a lot of the things that Andy discussed earlier,
to try and determine whether the message
is good or bad. Then it will take the payload,
and it will throw it over to the AV scanner, who will
scan the attachment to determine whether it is good or bad. Traditionally, these things
operate in isolation. What we do, in a number
of different cases, is we use signals across
the different components to combine them together. So we’ll look at
attributes of the mail, but then also take a look at
attributes of the payload. And by doing this,
and combining this inside a machine-learning
model, we can take weaker signals
across these components and combine them for a
better outcome or decision. The bottom part of our stack
is our security sandboxing technology. Here, we take an
attachment, we execute it within a virtual
machine, and we analyze what the attachment’s actually
doing on the operating system. And we can use that to identify
a lot of zero-day threats. We’ll talk about this feature
a little more in detail a few slides later. Now let’s take a look
at some specific types of threats outside of sort
of core malware attacks. The first, we can talk about
our encrypted attachments. You may have seen
these on your domain, but malware authors will
commonly encrypt attachments, attach a password to them, so
that AV engines cannot unpack and scan the contents
of what’s inside. The passwords are then
commonly transmitted via another channel,
via another message, or sometimes within the
contents of the email itself. By default, we apply
anomaly, or warning banners, to these, letting
users know that we were unable to
scan the contents, and alerting them to
the fact that they should be a little more
suspicious unless they trust the sender. But in G Suite, you can
actually raise the protections a little bit more. So within the Admin console,
under the safety settings in Gmail, we have what we called
our Advanced Safety Settings features. In here, there’s a feature
around encrypted attachments, and allowing you
to protect users on your domain against
encrypted attachments from untrusted senders. What this will
allow you to do is, say, in addition to the
anomaly banners that we apply, if we find encrypted
attachments from somebody that the user does not
commonly interact with, we will move those messages
to the spam folder, or remove them entirely
from user control and place them in
an admin quarantine. We’ll talk about some of the
other settings in this section a little while later. So how about zero-day threats? New threats are popping
up all the time. How do we react, and
what are the things that we do to protect
you against this? In addition to making sure
that our engines are constantly up to date, I and
our security analysts are taking a look at threat
intel to update our engines. We also use sandboxing. So the Security
Sandbox feature is very effective at catching
unknown and zero-day malware. It detects the presence
of this unknown malware by executing attachments in
a private, secure sandboxing environment. The attachments are
detonated within the sandbox, as if a user was opening it,
interacting with the attachment to try and get it to
spring its payload. This is all done in
a matter of minutes, prior to the delivery
of the email, ensuring that contents pass
through this additional layer of security before they
reach your users’ inboxes. Security Sandbox has been
developed with a focus to provide coverage against
the malware propagated through malicious
embedded scripts, like a Word file
with macros, or a zip file containing
JavaScript, to protect against a lot of
zero-day threats. Security sandboxing can
be enabled in the Advanced Settings section in Gmail,
within the Admin Control Panel, and it is available to G
Suite for enterprise users. So those are some of the common
techniques that we employ, but what about emerging threats? Stepping back, phishers
and malware authors are well-funded entities. They’re persistent, and
they’re continuously evolving their techniques. We need to not only be effective
against the current threats that we know about, but make
sure that we can react quickly to upcoming threats as well. So it’s a significant challenge,
but here are some of the ways that we’re planning
to protect you. The first is a new
feature that we have called Outbreak Banners. These warnings are generated
by an AI model that we have, that considers reports
from a particular domain, and combines it with other
indicators of suspicion to try and catch new campaigns
within a domain very, very early. What we will do is we will start
to spring up a warning that alerts users that other
members of their domain have found this
to be suspicious, and we ask them for
their opinions as well. And based on the
feedback from the users, as well as the evolving
reputational features that we have as
time progresses, we will either boost the
signal, releasing the warning to a wider population. And at some point, we will
actually reclassify the emails and move them to spam for
everybody on the domain. Or if we get feedback that
the email is actually benign, we will drop the warning. The next way that we react
to new and incoming threats is our layered defenses. So you’ll commonly hear about
defense-in-depth strategies, but this is how we think about
it from a Gmail perspective. So you can think about this as
the lifecycle of the message, and it maps to what Andy
was talking about earlier. First, at the entry
point, we will take a look at authentication
factors about an email, things like the DMARC policy,
or signs of overt spamminess or maliciousness, and we will
reject those emails before they ever enter our systems. Next, predelivery,
our AI-based filters will run through the
contents of the message using the techniques that Andy
talked about before, and our AV stack will scan
any attachments for malware. When the message opens,
an additional– so when a user opens a message, an
additional layer of protections will kick in. An additional AV
check is run, ensuring that the most up-to-date
verdicts about an attachment are leveraged. We will also apply the warning
banners that we discussed, and add some additional checks. If a user continues
further and starts to interact with a message,
we have additional protections that kick in. When a user interacts
with an attachment, we will first preview
them by default, making sure that
users don’t interact with the documents themselves,
unless they want to take one step further and download them. If a user clicks a link, there
are a few things that we do. First, using all of the
reputational features that we calculate, we will
throw a suspicious prompt, warning the user that a
link looks suspicious, and making sure that
they wish to continue. If a user wishes to continue,
we will additionally run a Safe Browsing check to
make sure that the link comes back as being benign. Taking that flow
one step further, if a user goes to a
malicious web page, if they enter their password,
2-step verification, and additional
authentication mechanisms will come in to
protect the account. If a user tries to grant access
to their account using OAuth, we will respect the
white-listing features on a domain. So as an admin, you’re
empowered to dictate which applications your
users will have access to, and how they can give
out their information. Another way a user can
interact with a message is through a reply, and
there’s a few protections that we have there as well. When a user
initially replies, we will throw
out-of-domain warnings and attach them to
the email, making sure that people know that they’re
communicating with somebody outside of their domain,
and ensuring that this is something they intend to do. And finally, at the
time of message sending, the digital loss prevention
layer will kick in. And DLP will try to flag
any sensitive information that may be trying to be
exfiltrated from the domain. So looking at it from a
lifecycle perspective, these are the steps that occur
at every step in the journey. And underlying this all is our
reclassification technology. Using the data that we have
from the 1.5 billion users, we are constantly
recalculating reputation. And we will go
through and make sure that the intelligence
is applied, and messages are moved
to spam if appropriate. The final way that we adapt to
evolving threats is making sure that we’ll continue
to leverage advanced AI to keep bad things out. So today, we leverage the
best of what’s available, things like deep
learning, neural networks, and visual similarity detection
are all employed extensively within our stack. And tomorrow, we’ll
continue to leverage the next developments in
AI to make sure that we keep our organization safe. So what should you do next? We have some
homework for you when you get back to your offices. First, we encourage you to take
a look at the Advanced Phishing and Malware Controls. You can find this
within the Control Panel by going to the Settings
section of Gmail. Within there, we have three
categories of controls that you should
evaluate to see if it makes sense for your business. The first is attachments. These are settings such as
the encrypted attachment settings we discussed before. There are other
settings in there as well, things like
protecting against attachments with scripts. The second category that we have
is links and external images. So these are settings, like,
the giving us the ability to scan linked images
for phishing indicators, or to expand shortened URLs to
follow links all the way down and determine whether
they are malicious. The third general category
of controls we have are spoofing and
authentication protections. So these are things
that will allow us to flag domains that attempt
to be spoofing yours, that look visually similar,
things like the anomaly banners that Andy
discussed earlier that flag employee spoofing, and settings
are on unauthenticated email entering your domain. For all of these policies,
you can apply them on a per-organizational
unit basis, and you can take a
variety of actions. For anything you
enable, you can choose to leave messages
that are flagged by that setting in the
inbox and apply a banner. You can choose to move
messages that are flagged by these settings to spam. Or you can remove them
entirely from user control and place them within
an admin quarantine so you can triage them later. For every one of
these sections, there is also a checkbox that says
Turn On Future Settings. So as we evolve, and we
add additional settings, your organization can
make sure that the best protections we offer are
always enabled for your domain. We encourage you to take
a look and select that. We’ve talked a little bit about
the Security sandboxing feature today, and we would encourage
you to take a look at that and adopt it for
your domain as well. This week, we’re announcing
some additional features into sandboxing that
allow you to apply rules to the sandboxing
technology as well. These are things like
exempting intradomain traffic, so that email is not
delayed, but everything from outside your
domain are scanned. And additionally, emails that
are caught by the Sandbox can now be placed in
quarantine as well. You can find this feature
under the Admin console. Click on Menu, then Apps,
and under the Gmail settings, in Advanced Settings, you
can turn this feature on, as well as configure rules. The next question
that we get asked is, if I turn on 2-step
verification of my domain, isn’t that enough to protect
against phishing attacks? We view these protections
as a gradient. 2SV is certainly preferable
to not having anything at all, but it’s still quite phishable. We’ve recently seen an increase
in man-in-the-middle attacks. Let me show you how that works. So in man-in-the-middle attacks,
phishers send a phishing email to their target. The target will open the message
and enter their credentials into the phisher’s site. Real-time, the phishers
will take those credentials and enter them into
the legitimate site, triggering the request for
a 2-step verification code to the user. The user will receive the
2-step verification code on their device, enter
it into the phishy site, and the phisher will turn
around and enter it back into the legitimate
site, getting access to the user’s account. These attacks are
growing in prevalence, and there are a few things
you can do to stop them. But what we recommend is for the
strongest phishing resistance possible, we recommend that
you adopt FIDO or U2F tokens. These are security keys
that cannot be spoofed. There’s nothing for
the user to type in. When they enter their
credentials into a site, they simply tap
the security key, and it validates both of the
machines who it purports to be and that the site that
it’s communicating with is the site that the user
intends to interact with. This method provides a
seamless experience for users. And it also provides the
strongest protections against man-in-the-middle attacks. Not only do we think you
should adopt security keys, we encourage you
to consider making it mandatory for
authentication on your domain. To give you a little motivation
to do so, what we’ve noticed is that when enterprises
utilize security keys, hijacking is
virtually eliminated. As a proof point, for
every G Suite domain that has adopted
security keys, we have seen zero account
hijackings after these security keys have been deployed. Google uniquely offers
support for security keys across all of our product lines. So finally, we wanted to
leave you with a recent quote from a customer
of ours that shows you the results of
all of the techniques that we’ve discussed today. We hope the session’s
been informational, that you’ve learned a
little bit about how we aim to keep you
safe, and that we’ve given you a few things to
explore when you get home. [MUSIC PLAYING]

You Might Also Like

No Comments

Leave a Reply