WEBINAR
Phish Happens:
Reeling in the Real Risk of Phished Identity Exposures
Phishing attacks continue to succeed – not because organizations lack defenses, but because cybercriminals are getting smarter. They’re snatching far more than passwords (think credit card numbers, IP addresses, phone numbers) and building target lists to fine-tune their next campaigns. Most enterprises don’t even know these lists exist, let alone who’s on them.
Stolen identity data from phishing attacks also serves as a gateway to more damaging cybercrimes. Without access to actionable phished data from current victims and potential victims alike, your organization remains at risk of follow-on attacks.
SpyCloud’s CPO Damon Fleury and Director of Security Research Joe Roosen unpacked the latest phishing tactics and showed how recaptured phished data lets you protect vulnerable users and block follow-on attacks.
Okay. Welcome, everyone. Good morning, good afternoon. Thanks for joining us on the webinar. Today we're going to talk about phishing, because phish happens, and we're going to discuss the real risks in phished identity exposures and what we can do to mitigate some of those risks. Hosting this webinar today, you have Damon Fleury, who'll introduce himself. Hi, I'm Damon. I'm the Chief Product Officer here at SpyCloud. And then we have Joe. I'm Joe Roosen, Director of Security Research here at SpyCloud. Perfect. So throughout this webinar, if you have any questions, feel free to use the Q&A section in Zoom, and we'll either address them live or Damon and Joe will do a full Q&A at the end. Covering today's agenda, we're going to separate this into five sections: why phishing keeps winning; what others are missing, and the data and information that SpyCloud recaptures; how phishing has evolved and why your defenses must follow in that direction; how you can close the post-phish protection gap; and where SpyCloud can help in securing the full scope of identity lifecycle protection. So I'll pass it off to Damon.

Thanks a lot. So what we're going to talk about today is phishing data: what's going on in the world of phishing, what SpyCloud can do to help you understand what kind of phishes have occurred and how they can impact your business, and then what you can do to protect your business from them. And I think everybody knows the story that the phishing environment continues to evolve. The actors that are doing this phishing keep winning. Right? And it's a little disturbing, mind-boggling, that after all these years we have not fully cracked this phishing problem.
The actors continue to evolve and find ways to send these out, whether they're emails or SMS messages or anything else, to try to get information from folks. And of course there's value to that data, and the actors continue to be able to monetize it. So we want to talk a little bit about the anatomy of what phishing is, and where we can go from here to help you understand what we at SpyCloud see when it comes to your employees getting phished. So the stakes are high. Nearly half of Fortune 50 companies have exposed employee credentials due to phishing attacks, and phishing remains the number one entry point for ransomware, ATOs, and online fraud. And I think we're all aware that even when the entry point to the actual network wasn't the phish, the phish often gave up the creds, and then the creds later got socialized some other way, like through a combo list, and that becomes the entry point to the network. And the attacks are getting smarter. We're going to talk a lot about that today: the different ways that attackers are using to get into our environments, and the things they're trying to steal that help them with the next attack. These are evolving all the time. And we're going to talk a little more about what companies are trying to do and why those things are still not a hundred percent effective. It just boils down to the reality that no security product can solve every problem. The actors will evolve as soon as we deploy an effective defense, and we always have to work to keep up or stay ahead. But there are more things that you can do to understand what they've been able to be successful with. So what we see here is that phishing in this environment is getting smarter, stealthier, and more targeted.
We see threat actors deploying phishing kits that mimic live login pages. They use geofencing and bot filtering. There are phishing-as-a-service ecosystems that scale attacks, just like a SaaS system would scale. And we see that traditional security implementations often miss, or I shouldn't say often: they catch a lot, but there are still things that slip through. And that leads to stolen identity artifacts. It leads to real-time phishing kits getting that data very rapidly and effectively. And they'll even do things like behavioral fingerprinting across your own system, so that those actors can learn about what's on your system and do their own device fingerprinting as well. And I think one of the takeaways, and we'll walk through how this actually works, is that SpyCloud sits at a place where we see the data that the actors have collected. So we're not here to understand how that phish got through the defenses, but we can tell you simply that it did, because actors collected data, and we can see in that data that it somehow connects to your enterprise or to your business. And you should be aware that a credential set or an employee's credit card information or something was given to an actor, and you might want to be aware of whether that is real data. And if it is, what can you do to make sure it's not used to gain access to your business? So we turn that stolen phish data into actionable identity information, and not just the intelligence itself: we give you the tools to remediate it at the end of the day. And so, overall, we see what others miss. We turn adversary tools into actionable defense.
We help you map those phished identity exposures back to your enterprise identities, enabling real-time automated cleanup, and then we feed that information into your SIEM and your SOAR platforms to trigger custom workflows. So we give you not just the data; we give you the tools and the software that you need to respond to that data and to make sure that data is not being used against your enterprise. I do just want to level-set before Joe talks more about what's going on in the phishing landscape and from the darknet perspective: how does this fit within the type of data that SpyCloud collects with respect to the darknet? We have our team, SpyCloud Labs, which Joe is a member of, that spends all of its time monitoring and collecting data from the darknet. There are three primary kinds of data that we collect, and soon to be more. We're always expanding and growing our offering and the kind of data we collect. We collect data from malware-infected systems, where that malware has stolen as much as it can from that computer and sent it up to a panel or a C2 within the darknet, getting things like usernames and email addresses, passwords, cookies, the password vault, and all the things that malware steals. We collect that data. We have a very large repository of infections that we automatically ingest. Breach data artifacts, those are third-party breaches. We ingest hundreds of breaches every single week, billions of records every year, that are the data actors stole from other third parties, which include information about all of us. So there's a lot of information in there: the data, the passwords, the Social Security numbers. We could talk a lot about those types of breaches as well.
But today we're going to talk about our third area, which is the phish data, where a victim has fallen prey to an actual phish, given up some information to that actor, and then that information is taken and somehow moved through the darknet to try to make a profit or to distribute that information for harm overall. So today we're talking primarily about that third box, the phish data artifacts. All of that flows into our repository of darknet data. You can see some of the numbers down below. I'll turn it over. Joe, tell us what's going on within the phishing landscape.

Thanks, Damon. Phishing has evolved, and so must our defenses. We're going to explore the way phishing has evolved, and also the core components of what's in a phish and how this data is something we're growing inside of our data lake. So what is a phish? Sounds like a simple question, but we'll go over it in case anybody isn't aware. A phish is an attack that attempts to trick a recipient into taking a quick action, and that action is to give up PII or sensitive information of some sort to that attacker. Phishes have three parts. You have the lure, which everybody's probably familiar with. You might get a toll-fee claim in an SMS text, or you might get an email that says you didn't pay your bill for something and you need to click on that. It always tries to create a sense of urgency. Sometimes you'll even see this employed in malware campaigns, where the initial phishing message indicates that you might be sued or have some other type of issue that makes you feel like you'd better act on this now. So the whole point of the lure is: act quickly. The hook is the next part, and you're probably all familiar with seeing something that looks like the website it's claiming to be, or the brand that it's impersonating.
But it winds up being something that may sometimes have an error in it, or might have a misspelling. Most of the time, though, the actors are getting more clever now, and they're using legitimate services and trying to make things seem official and validated. There aren't certificate errors when you click on the websites. And the essential point of the whole hook is to get that data and get you to log in. So sometimes you may see what I like to call a choose-your-own-adventure sort of thing, where you have a very generic phishing kit, and it comes to the first page and asks you what email account you have. Do you have Hotmail? Do you have Yahoo? Do you have Office 365? Choose which one, and then it will go through and phish those credentials from you and show you a page similar to what you would see going to those websites. So again, just click here; it looks legit. And then the catch is essentially the data that is exfiltrated. The catch usually consists of something along the lines of a username or a password. But also, as we've seen recently, we've really been growing it to include more credit cards or any type of data that might seem innocuous. So access is granted once that happens, and the actor then has something to act on or sell. You may have seen in our data that we have a couple of classifications of phishing targeting lists or phishing data. We have phishing records, but we also have phishing targeting lists, or phishing email targeting lists. What these lists are is targeted lists built by threat actors: they have some sort of assembled email list, almost like a contact list, that is targeting a particular area of the industry, or sometimes it's very generic, essentially just a random list of people.
And the whole point of it is to spam that list with some sort of phishing lure. And we've also seen, going forward, that they've actually used these lists and incorporated them into the landing page that might be included in the lure, which asks you: what was the email that you got this from? And the reason they're doing that is to filter out any researchers or white-hat hackers or anybody that might just stumble across the site, to make sure that the visitor was really a target, and then they can go on to the next level, which is the actual real phishing site. Phishing pages may be limited in a lot of cases where this verification is in place, and it seems to be a growing adaptation that we've seen particularly this year. We actually have a blog on SpyCloud Labs about this that we can send to you later. So what this really does for them is reduce the false data and garbage data that they're exfiltrating. What is a phishing kit? A phishing kit is the other portion that you'll see in the phishing environment. These kits are packaged files and services that are placed on either a server that's hosted or are part of an actual phishing-as-a-service kit that you buy into as a subscription. Essentially, it includes everything you'd need to do the entire phishing process as an actor. It often includes code that can be customized and changed to suit the actor's needs. And we've even seen instances where, because the code is customizable and readable to the actors when they buy into a kit, they wind up ripping each other off: they'll create their own kit based on the original code that they got from what they purchased. The phishing kit has three different parts.
You have the branding of the kit, which will target a specific brand or have some sort of landing page like the choose-your-own-adventure one I mentioned: which particular service do you happen to use, or what can we get out of you? This mimics the websites pretty closely to what you would see inside the actual login pages for these websites. In fact, in some cases, it's so intricate that it will pull down custom branding. So for instance, if you have a Microsoft 365 template, and you have a particular page for your login with a background or branding that you have on your site for your normal logins to Office 365 or Microsoft 365, this will go through and proxy that and pull it down when the actor, or even when the victim, tries to log in to that site. The other part of the kit is that it's running on some sort of service that is trustworthy in some way, or compromised. So you will see a lot of instances where they are using things like Cloudflare or content delivery services that make it hard to discern whether it's a malicious site. And they hide behind this with bulletproof hosters so they can't be taken down. So they're fully customizable in that way, where they can stand it up in multiple environments. And then the last part is that there's some sort of exfiltration method. And what I mean by that is: how do I get the goods to a location where I can actually work on it or sell it? This is where the actors have multiple choices most of the time. You can have it delivered by email, you can put it to a Telegram bot, you could have it dropped to a log, and sometimes you could do all three at once. So as we mentioned, phishing is evolving. Old-school phishing was mostly focused on logs, basically for email extraction.
Business email compromise was pretty often the goal of it, in order to leverage other accounts to then spam other people with other stuff. Kits mostly ran on compromised infrastructure, and the reason they did that was to gain some sort of, I guess you could say, legitimacy. So if it's an established website or a supposedly legitimate website, not something that was stood up randomly, this gives it an overall sense where your detection system, whether your firewall, your classification, or your filtering for URLs, may not have actually flagged it in that case. The phish kits were pretty static. They weren't as dynamic. They didn't use a lot of services in the cloud. But obviously things have become a lot more complex. And so going forward, what we're seeing is how the phishing actors have worked around this: they've started to employ a lot of different technologies, and it's not much different from what you have for malware distribution. They're leveraging geolocation fingerprinting. So if you're spamming people for Orange, for instance, which is a telecommunications provider in France, you wouldn't accept visits from Mexico in that case. You would filter those out. They also have established blacklists of researchers and bots, things like our robots that classify sites. So they're trying to hide from things that would detect what it is at that level. They use traffic direction systems, or bulletproof proxies. What a traffic direction system does is take a look at the incoming client and evaluate that client, looking at things like the user agent or the user agent hints, and determine if it is really a Windows machine or whatever their target client is. And if it is not, it'll send it to an innocuous website, kind of like Wikipedia. It also uses, as I mentioned before, legitimate services like Cloudflare.
Email targeting checklists are used for validation, as we mentioned earlier. We also have that blog. Capturing cookies is also something we've seen them start to do. Some of these kits are coming in ways where they can actually capture the cookie. So they proxy the user logging in, and then they pull that token down as it passes; they're acting as a man in the middle. The dynamic kits, as I mentioned earlier, pull down some of the branding or the wording that you might use in your actual login page for the official enterprise. We also have some new evolutions, where you have EvilProxy or Evilginx, which does one-time password capture, or sometimes even direct actor interaction, where some of the stuff is exfiltrated if they've got a live one on a website, and they know that this person has entered invalid info because they were able to check it. They may actually go through and spawn a new process for their phishing page to interact with the actual victim and ask them other questions, maybe like the OTP at that point. The other thing is that it targets anything of value. We see a lot of credit cards or even gift cards, which is kind of surprising to me, or a more major thing that's come up lately. And probably the most virulent part of this is that they will, in certain instances, if you allow these sites to be viewed, have hidden keyloggers in JavaScript or even autofill forms. So if you allow your users to have forms that will be autofilled within their browser, they will put hidden password fields in the page. So if the user goes to the page, it might autofill that, but then they have something innocuous for them to enter, like: are you John Smith? Yes. Yes. And then it submits all those things with that form, and so that's also exfiltrated. So phishing as a service, as we mentioned, is really making this a very low bar.
The criminals are not having to be very technically savvy, because they're leveraging these sorts of software and services, as Damon mentioned earlier. We are seeing more kits all the time, or more phishing-as-a-service actors spinning themselves up. And often they may be taken down by law enforcement, but they keep adapting, so this threat isn't going away. And as you can see in the chart, it's primarily focused on North America, and that might be a little bit of a sampling bias from where we're getting our data. But we also have seen a significant portion in Asia, and Latin America especially. There we go. Phishing data by the numbers. One thing I want to emphasize here, and it's really important, is that this is just the initial infancy of what we're collecting, but we have been able to scale this now, so these numbers are just the tip of the iceberg. What we've collected to date is about 5.5 million records total. Of those records, 2.04 million are email targeting lists, and that means they are just an email address that has been targeted by phishing. It does not mean that it was exploited by phishing; it means that it is something that has potentially received a phishing lure. The 3.7 million that you see there for recaptured phish data, those are records that have real data associated with them, where it may be a password, it may be something like a phone number, but there's more that's been collected. It's not just a target. That usually means that somebody with those credentials or those assets has actually interacted with the website.
36% of the phished records come from email targeting lists overall, and then 64%, it's just basic math, from recaptured phishing data. Inside the recaptured records, and this is where it's most interesting, 70% of them include an email address, but 73% of them have a password. That's actually the most common asset that we find in these records. 66% of them have an IP address or some other fingerprinting. Sometimes we see, like the 47% at the bottom there, that user agent strings are included. This gives you an idea: was it a mobile device? Was it something from your network? Was it something from a cellular network? It gives you more of an idea, or essentially an event-tracking sort of signal. Then the other thing that's really important that I want to point out here is that 60% of these include a phone number, and often don't include an email. The reason is that this is where you're seeing phone numbers being used as an identity in a lot of countries outside of the West, or Europe. In fact, this is extremely common in Asia and inside Latin America. And then 5% of them include a credit card, a credit card that's valid, that passed the Luhn algorithm.

And then, Joe, before we go to the next section, on the topic of the phishing landscape, we did get a question: do you see cybercriminals using AI in phishing attacks in any way? Definitely. Pretty much, if there's an ability to use any sort of technology, you know that they're going to try to use it, especially if they can use it for free or if they can even find accounts that they can exfil or buy that give them access to these services. So we have actually seen some lures that have been created by AI, and you can even tell in some cases.
In fact, I've personally seen some emails that have come to me that show they were actually part of a prompt, because it shows an error inside the email: oh, this prompt wasn't generated correctly, I'm sorry, I couldn't answer your question, basically from the LLM. And then I'm going to hand it over to Damon so he can cover how we can help you with this threat now that we've enumerated it.

Absolutely. Thanks, Joe, for going through what's going on in the phishing world. To me, it's amazing over the last couple of decades what's happened in the criminal communities and how that evolution has changed, from some kits that somebody might make on their own to send out tens of thousands or hundreds of thousands of emails, to a fully supported phishing ecosystem where, if I'm an actor, I don't have to know much. I can pay a little bit of money to one of these phishing-as-a-service systems, and everything is there for me. The kit gives me the branding, if I want to make it look like a streaming service or a cell phone company. And it not only does that, but it gives me the whole ecosystem to take the data that's stolen, transmit it through Telegram or through some other forum, and then I can easily go and access my data, and I can use that for whatever my next purpose is. It's too easy. Right? And at the end of the day, there are millions of these that are successfully happening and billions that are being blocked by all the security tools that are out there. And so I guess that's one of the main takeaways that I take from the work that we've done: this ecosystem and this environment is far more scaled-out and far more efficient than most people realize. And that's why it keeps happening, and they almost don't care how many fail, because they just send more. Right? And they've already moved to smishing. Right?
It moves to economies of scale in this case, and we've seen a commoditization of some of these cybercrime enablement services that are done best-of-breed. Essentially, somebody has a really good way of exfiltrating data, so people buy into that. It's become a real economy, an underground economy. Yeah, absolutely. And so now I want to think about: there are all of these emails, there's all this phishing happening, and we've learned a little bit about what actors can do and what they can access. But what do we have as defenders? What are our opportunities to stop this? And what's still getting through? So if you look at that flow that Joe talked about earlier, where you have the phish activity, you have the email that goes out, you have the lure, the hook, and then the data that gets caught: the security industry has created a bunch of products to try to work on each of these different zones, each of these different parts of the problem. One is stopping the email itself. There are some great email security tools. I would recommend every business have an email security tool like Mimecast or Proofpoint. We use them at SpyCloud. These tools look at those emails and look for indicators within them, like the message format, suspicious links, and sender analysis. They do AI pattern matching within these tools. They do risk profiling of the users that are sending them. These are important for trying to identify the basics of those emails, whether they're spam or they're phish; you want to stop them before your users get them. But they still get through. We all see this.
It's a running joke within SpyCloud that you're not a member of the team until you get your first message from our CEO asking you to send him gift cards, because every one of us, within a couple of months of starting, gets those things, and somehow they still evolve and get through some of our security tooling. Then there's the lure, which is, once you as an individual have seen this message, you're being baited to try to get into this. The tools to try to stop people from doing that fall into the security training world, or the human risk management world, if you're familiar with that space. You're looking for things like typos and URL formats and the urgency triggers, and we do things like test our users with phish testing. KnowBe4 is probably one of the larger players in that space. Cofense is another example. There are dozens of strong companies that offer security training or human risk management tools to help stop the lure from being taken. Then there's the hook itself, where they try to steal that data from you: secure web gateways or other kinds of cloud-based security gateway products that use things like IP reputation or URL reputation, or sandboxes where they take that page and load it up and look for what happens next. Many email security tools have that as well as secure web gateway tools. Cisco Umbrella is a very popular example of tools that try to stop this. Proofpoint, Mimecast, many of these products will go in both of these spaces. All of these products are there. They're all actually very effective, because they're stopping some of the scale of the phishing and smishing that's happening, but some of it is still making it through, which is why actors keep doing it. Even with all these solutions, phish attacks are still successful.
And we need to gain access to what is happening and what is getting through, so that we can then respond to that. And so when you look at... can we have the next slide? Oh, we have a question, which is why I was pausing. On the topic of the phishing product ecosystem, there was a question on recommendations for a gateway service that blocks the exfiltration. So you do see that the secure web gateways try to stop you from giving that information. They try to stop some of the things that those pages steal. Like, you'll see those pages actually can run JavaScript in a lot of cases, and that JavaScript will steal things from your local system. They can steal your cookies. They can steal things that are embedded within your browser, almost like the way an infostealer does in malware; that's bleeding into this space as well. And so the secure web gateways do deploy tools that try to wrap your browser with things that prevent JavaScript from running and try to prevent that data from being gathered. I think the sad reality is, if the hook gets through that and you do put in your credentials, or it does run that JavaScript, at that point the data is gone. It's been exfiltrated. And then we don't have tools to stop that data once it leaks out past that point to the darknet and gets spread out to the other areas of criminal activity. And so when you're looking at a phish, it helps to try to understand why we really want to stop the phish, and what we can do if we get this data from the darknet after the phish has occurred. What else can be done? Well, it helps to think about the phish with respect to the entire attack lifecycle. When you're thinking about what an actor is trying to do to your enterprise, there are usually four phases of an actor's lifecycle, or attack lifecycle.
There's the entry phase, where they're trying to find their way in, trying to find any hook, whether it's an insecure login, a vulnerability, or a phish that somebody fell prey to. That's what we call the entry phase. The recon phase is where they're establishing themselves to understand what they've gotten access to. They're trying to get a little bit of control from the command and control. They might run an infostealer. They might map the network. They're trying to understand where they are and what they've gained access to. Once they know a little bit about that, they'll entrench themselves. They'll do lateral movement. They'll establish backdoors. They might do privilege escalation. They might gain access to your domain. Those are all their efforts to make sure that when they're in an enterprise, or in an application, they've got a way to stay there so that they can perpetrate the next crime. And the goal of all of that is to get to disruption and some type of monetization, or theft for the purposes of monetization. So this is the whole lifecycle. And so when we think about phishing, what we're really talking about is: can we understand that this has happened, and can we block it to keep the recon phase and the entrenchment phase and the monetization phase, the disruption phase, from happening? Of course, we really need to keep that disruption phase from happening. There are so many tools and capabilities that we build to try to keep these attacks from getting all the way to that phase. But the truth is, the sooner in this lifecycle that we can detect the problem and stop it, the cheaper it is for us to actually fix the problem. The deeper it gets, the more expensive it gets.
And then we had a question come in, but I think, Damon, you'll address it in the next couple of slides, around whether SpyCloud can detect users that fell for phishes on personal devices or accounts outside of corporate oversight. So I think we'll get to that in a couple of slides, unless you want to talk about it now. Yep. Let's do it on the next slide, because I think that's kind of the point. So what this slide is trying to show is how we can learn about this, and then how we can use this information, or what SpyCloud can see that can help us detect these phishes and stop them before they turn into a full-blown disruption. At the top of your screen here you have the life cycle of the phish itself, and that fits into the entry phase that we've talked about. When that phish is successful, if your employee falls for it, then it goes to the criminal underground. It gets pushed up to that panel, to that command and control. SpyCloud is then able to intercept it. Right? Our researchers on Joe's team in SpyCloud Labs have infiltrated those communities, and we are in many of those channels. We're in many of those forums. We've infiltrated some of the infrastructure. We're gathering as much as we can of the data that is there, and then parsing it, normalizing it, and getting it into our feed. That goes into what we call our enterprise account takeover solution. It can give you notification first that this has happened, that there's been a phish event. But then it feeds that data directly to what we call our Guardian integrations, the most popular of which is our Active Directory Guardian.
So if we detect a username and a password, we will automatically feed that into our Active Directory Guardian, which will check whether that is the username and password used within your environment and, if so, immediately trigger the password reset workflow. By doing so, we will automatically block that credential from being used to enter your network. You can also feed these alerts, excuse me, into your SIEM and SOAR so you can issue other automation and make sure your SOC is alerted to this problem. And the goal, of course, is to get that data and stop it from being used immediately, so that you can stop the transition from entry to recon to entrenchment and hopefully truly stop that disruption phase. With that data, you can see that it's gotten past your training. It's gotten past the tools that you have. Sometimes that email went to their personal accounts, and they just didn't connect that this wasn't a work event. And your controls and all the investments you've made don't always carry into their personal lives, but they can still give up some of their work knowledge. So this is a view of how this data can plug into your SpyCloud deployment. I know there are a lot of boxes on the screen, and there's a lot of information here. But you can take these events that feed SpyCloud, you can take the phish events into this, and all of that can feed your Identity Guardians here, kind of at the top of the page. It can feed your SIEM and your SOAR so you can respond specifically to these phish events as well as the other events that we send. And if it's a malware event, it can also feed into your own EDR system, and it's all part of your response capability to these events.
At SpyCloud, we've long believed that the value in collecting this kind of data from the darknet is not just to build your own knowledge base and to build your context. These are actionable elements. This is data about your employees' identities that you can respond to in an automated fashion to protect yourself from the things that are occurring. So this is the kind of data, and I'll go quickly through this because I know Joe talked to the numbers before. We are infiltrating that phishing infrastructure. We're collecting the data stolen by actors, and we're giving that data to you for automated remediation purposes. On the right side of your screen, you see the types of things: those email addresses, passwords, credit cards, information about your environment like the visitor IP address or the user agent strings involved. We'll give you the time. And when we can get it, we will give you the URL and the brand. Sometimes we're able to infiltrate at a point where we know a lot about the phish. We know the brand that they're pretending to be. We know the URLs that are being used, and you can use that to feed other systems. But a lot of the time, we don't know those things. We're infiltrating at a point where many of those phish kits, or those deployments of phish kits, are coming together into one place, and we can't de-intermingle that data. Those are words. In that case, we can tell you that a phish happened, that it impacted your employee, and at what time. Typically we can tell you it happened, but sometimes we can't tell you the brand and the URLs. So all of this is about plugging that gap. Right? We want to detect that successful phish regardless of where it came from. We actually have technology within our Guardian to do what we call IDLink.
That means that we can take your work email and connect it, through its usage on other darknet sites, to your personal emails and to your old work accounts. So even if your employee got phished and he or she gave up their credentials to a personal account, if it happens to match the credentials that they use for their work account, we will check all of those. Right? If we can make the linkage from your work email to those personal sites, or to those personal emails, or former work emails, we can see what passwords are shared. We can check all of those passwords. We can even fuzz them, which means we can look at up to a thousand variations, because you know that many of our employees, certainly not us ourselves, might use our dog's name and then add digits and an exclamation point every time we change our password. So this type of checking can do what we call fuzzing and can check those variations as well, for a lot of common variations. In doing so, we can get a broader sense of protecting our company from the data that was given up by a phish, even if it was a personal phish, if it can be connected back to our work address. And then, of course, as we were talking about, the goal here is to automate remediation, with the true goal being blocking that entrenchment phase and that disruption phase as quickly as we can so that you're protected from the next crime. And so we just wanted to review one more time, because a common question is, does this still really happen? I think we've shown a lot that this is already a pretty built-out system. It absolutely does happen, but why does it happen? Right? And why are we still seeing these phishes get through all the efforts we're making and all the defensive measures we put in place? So there are still issues in human risk management. Training cannot be perfect.
Email security does depend on known markers, and the bad guys are constantly working against us, coming up with new mechanisms. Reputation lists are heavily used in that world, like a list of URLs that are known to be phishing sites or malicious. Those have to lag reality by definition. They're tracking a site once it's established, and so they cannot be a comprehensive view of any particular moment. They're still very effective, but they can't catch everything. And then, of course, you get policy management issues. We've all had that employee that had something happen. They were on a special trip or they were doing a presentation, and that email software or that endpoint software was causing them trouble. So they got help and they disabled it. And it just took a long time before they got it turned back on, or they forgot, right, or somebody forgot. Those are real problems, and they help these situations slip through. And then, of course, there's constant attack evolution, and Joe talked to this. We see ephemeral phish sites that are there for moments. Then that DNS resolves to a different URL or to a different domain. We see innovative smishing attacks. I think Joe and I laugh a lot about the toll tag messages that are kind of all over the place right now. Probably shouldn't laugh, because it's a serious problem. But those things are out there, and they're getting more innovative, and they're getting cleverer, and they're using AI to make the grammar look more appropriate, so that the language barriers are less of an issue now. There's the improved quality of phish content, and data enrichment for targeting, like Joe talked about, where these actors have access to that wealth of third-party data.
They can now know, because of the Equifax breach or because of some other breach of a financial services company, that you just bought a house, or that your credit score is low, or that you have three children. All this kind of information is available through breaches on the darknet, and that's really, really healthy data for an actor to set that lure and to make you think, oh, I do know you. Okay. Well, I need to click on this and learn more about it. Yeah. When I used to do a lot of incident response in a prior role, one of the worst attacks we saw was an organization where the actor had figured out what their procurement system was. They then sent emails to everybody in finance and accounting and to the management teams that they could find. So they had specifically targeted those users and not everybody else. They did not target IT specifically. They did not target people that could have figured this out, like on the risk side and management side. They targeted those specific groups, and those emails were crafted to look exactly like there's a procurement request or there's an RFP that's been submitted, and here are the details of it. And you are very encouraged to open that PDF or to log in and to reconcile things, and it created a massive problem. That business had many issues; access to their environment was then remarketed. And so using the wealth of data that's on the darknet or on the Internet has become very much a common tactic. All of this just makes it so hard for us, right, to figure out what is really going on and whether that's a malicious attack or not. So at the end of the day, the goal here is to secure the full identity life cycle, whether we're talking about third-party breaches, or malware, or phishing data, or other sources where identities are under siege by actors.
And they're under siege because they're a great entry point. We can do a lot if we can figure out what the actors know about your organization. We can plug that into your own tooling or give you visibility into it, but we can actually plug that into automation to stop those attacks from becoming worse. Okay. Joe, what do we know, Joe? We'll go over what we have for some takeaways from this. Whether you buy products from us or not, we want to help. So here are some enterprise tips. Don't click on any email or RCS or SMS links that you might get sent to you, especially if they're unexpected, especially if they're urging you to do something quickly. My advice has always been, from managing networks for many years, to go to the official website, and most users nowadays will still type in basically a search for the website. No. I need you to go to the actual website and type in what the company is. Don't look at the ads. Look at the actual websites. This is the best way that I can think of to prevent yourself from falling for a phish. You always go and check it through another process. And learn from phish data. You want to improve your employee training based on the types of phishes that you've seen in the past, and this is something that's dynamic. It's a total cat-and-mouse game. There is always some sort of new tactic or lure or something that they come up with, and it's all about, again, making you act quickly. Know the signs, and basically improve your training. Obviously, like Damon was mentioning, there are a lot of third parties that do great work on that, like KnowBe4 or Cofense or others. Escalate your risk profiles on your riskiest users, and that's one of the things that this data can actually help you with, particularly from that ID perspective, or holistic ID.
There are essentially some things that you can look at to see if a particular user has some personal hygiene issues, not physical, but digital personal hygiene issues. And they may have issues along the lines of having been phished successfully for their local accounts on their local PC. And because of that, maybe they're allowed to use that particular PC to access certain things in your enterprise. That means that their digital hygiene issue might actually bleed over into your environment. The holistic identity lens: again, I'm going to keep pounding this point, just because the actors also have, as Damon had just finished mentioning, the aggregated sort of data out there in general from these leaks as well. In fact, there are some things on the Chinese side in particular. They call them worker group libraries, or SGKs. Essentially, they are a sort of a system like a free-text search. Like, give me everything on Joe Roosen. And it goes through and it pulls everything about that person, tries to give you anything that it has from any breach at any point in time. And all you need is that sort of data a lot of times to build a spearphish. So this is why that is so important. They're working almost as tirelessly as we are to create their own datasets or data lake in order to do that. And then password hygiene. Damon already mentioned this as well. But the classic story is, it's your dog's name, it's the year, and it's a bang at the end, being an exclamation point. Obviously, try to change your policies internally for passwords to force them to be unique. Make them resilient to fuzzing. And then enhanced authentication. I mean, we're going to keep saying this. I know it's trite, but there are some things in these phishing kits that can actually work around MFA, especially with one-time passwords.
But, essentially, this is still your best defense. Even if it is somehow worked around in some of these phishing kits, it's still going to block the majority. And then tips for end users; this one's pretty simple. Don't click. Don't click. Don't click. There's really nothing more that I could tell you that would be more helpful in both your personal and your professional life than to not click on those links that come from any type of email that urges you to do something quickly. Always go outside of that email and start your own thread and look for that website or type it in and go and evaluate if that is really true. Alright. And while we talk about what steps you can take today, please do shoot us any Q&A that you have through that Q&A chat. We'd love to take any questions. But this just kind of walks through the ways in which you can protect your identities if you partner with SpyCloud. There's enterprise protection, which is primarily what we've been talking about today, to protect your workforce from these types of identity risks through integration into your own ecosystem, like your identity provider or your EDR, your SIEM, or anything you connect to that. We have a lot of capabilities and programs to help you do so. Consumer risk protection: if you have a consumer-facing Internet presence that has value to those accounts, whether it's a loyalty program or whether you can place orders or gain access to PII, then you have faced ATO. Like, there's no way you haven't. This is just a problem we all face. There are a lot of tools to be able to use all of the types of data SpyCloud collects in order to protect your identities or to stop session hijacking, and stop those types of attacks against your business.
And then last but not least, there is the ability to use this type of information to investigate cybercrime, if you're trying to understand how you found a particular email as part of a business email compromise, or maybe a ransom attack, or a particular indicator. What else is known about this data on the darknet? It gives you access to the same type of resources the criminals have access to so you can try to connect those dots. This has been very impactful in understanding and then thwarting the next crime, or in chasing down the bad guys if that's something your organization is capable of doing. So if you have any additional questions, Damon and Joe will hang out for a few more minutes to have further discussion. They're here to help you and answer your questions. As a follow-up, you can also check your exposure on SpyCloud, with the URL slug check-your-exposure. And we'll also make sure to send all attendees a recorded version of this webinar so you can repeat this if it was of interest to you. Any other questions for anyone else? Or, Damon, Joe, any closing remarks that you want to share? I've got one thing to mention. The cost of entry for phishing as a service is very low. In fact, one of the things I want to drive home on this is that not only are they kind of crowdsourcing the best solutions, they're monetizing it, and they're monetizing it for a pretty low amount. Some of these kits only cost maybe a hundred bucks to get unlimited access to deploy phishing sites, do targeting, and then exfil everything. So it really is an economy-of-scale thing. And as Damon had mentioned, there's not a big issue if ninety-nine percent of them get blocked. It's that one out of all of them that causes the issue.
And that's why it's so important to have your eyes on the deep and dark web, because it's part of that security onion that you have. No single layer will protect everything. You have to have multiple layers. Yeah. Well said, Joe. Yep. And certainly feel free to reach out to us. Like Colette said, if there are any more questions you have, we'll be happy to engage with the right folks here at SpyCloud to give you access to your information and to help you understand what we can see from the darknet perspective as well. Thanks, everyone, for your time today. We really appreciate the conversation, and have a good rest of the day. Thank you, everyone.
Key takeaways
- The risks hidden in phishing target lists and how you can stay ahead of attacks targeting your users
- How SpyCloud recaptures and analyzes phished identity data before it can be exploited
- How to proactively and automatically remediate exposed identity data to prevent attacks
About SpyCloud: SpyCloud is here to help you stop cybercrime before it happens – remediating unseen identity risks by letting you know more, while doing less – leveraging tools you have in your security stack today.