Security Bsides Las Vegas 2024

EHLO World: Spear-Phishing at Scale using Generative AI
2024-08-06, Florentine E

Email-based attacks remain at the forefront of the cybersecurity threat landscape, ever-evolving to circumvent defenses and trick unsuspecting users. In this presentation, we discuss the risks of Generative AI in the context of the email threat landscape. Specifically, we examine how Generative AI facilitates the automation of targeted email attack creation, resulting in increased campaign reach, diversity, and the likelihood of success.

We'll show real, in-the-wild attacks with completely fabricated contents, including conversations between multiple individuals that never happened, to demonstrate the sophistication LLMs can afford attackers in conducting convincing phishing campaigns at scale.

Attendees will leave this talk with an understanding of the impact of Generative AI on the email threat landscape and what to expect in the coming years.


  1. Introduction (2 mins)
    • Agenda
    • $whoami
    • Brief overview of email attacks and their significance in the cybersecurity threat landscape
    • Recent examples of how attackers continue to rapidly evolve their tactics: QR code phishing, callback phishing, PikaBot, etc.
  2. Generative AI Overview (3 mins)
    1. Brief background on GenAI and LLMs
    2. Practical applications in cybersecurity: defensive and offensive
    3. AI as an enhanced productivity tool for attackers
  3. Deep Dive: Generative AI in Email-based Attacks (7 mins)
    1. Real-world case study
    2. Completely fabricated message threads with multiple non-existent personas discussing an event that doesn’t exist
    3. Discuss Tactics & Techniques
    4. Net result: more convincing attacks, better grammar, increased reach (landing in the inbox instead of Spam), increased campaign diversity, and messages that feel more targeted
  4. Defensive techniques (5 mins)
    1. Right now, detecting these attacks is not all that different from detecting normal BEC attacks or other things we've seen in the past
    2. The recreation of fake threads is a signal in and of itself. As attackers create these automations, they often leave a trail that can be used for defensive purposes. This is an important mindset/framework to have going forward as we see more attackers adapt LLMs not just in email but throughout the rest of their attack chains
    3. User education is crucial! Show users examples of these sophisticated attacks. It’s important for them to know that phishing attacks can look very real and convincing. Some users have a misconception that phishing is totally obvious — bad grammar, etc.
    4. Defense-in-depth is also key. Email is the initial access vector, so remember attacker intents. To protect against credential phishing, roll out hardware based MFA. To protect against BEC, have multi-layered, multi-modal approval processes for large transactions. To protect against malware/ransomware delivery, have endpoint security, device isolation, etc.
  5. Conclusion and Q&A (3 mins)
    1. The threat landscape is rapidly changing. Attacks are becoming more convincing due to GenAI, and not just email-based attacks
    2. Be prepared for our adversaries to leverage these new technologies for their benefit
    3. Future / looking ahead: What to expect in the coming years as GenAI becomes even better and more accessible
    4. Q&A
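The "Defensive techniques" section above notes that a recreated fake thread is a signal in itself and that the automation leaves a trail. The following is an added example, not code from the talk or from Sublime Security, showing one way a defender could turn that observation into a check over raw messages: a message whose subject is reply-styled and whose body quotes several prior "On ... wrote:" turns, yet carries no In-Reply-To/References headers and quotes only participants the recipient has never corresponded with, is flagged for review. The two sample messages, the `example.test` / `example-vendor.test` addresses and the `KNOWN_CONTACTS` set are constructed for the example; the thresholds are assumptions, and the whole check is a heuristic to feed a scoring pipeline, not a verdict on its own.

```python
"""Heuristic "fabricated thread" detector (added example, not from the talk).

Assumption: a genuine reply normally carries In-Reply-To / References headers
that chain back to earlier messages, and the people quoted in its history are
people the recipient has actually exchanged mail with.  A message generated
from scratch to *look* like a multi-party thread often satisfies neither.
"""
import email
import re
from email import policy

# Subject prefixes that claim the message is a reply or forward.
REPLY_PREFIX = re.compile(r"^\s*(re|fwd?)\s*:", re.IGNORECASE)

# One quoted conversation turn, possibly nested under "> " markers, e.g.
#   "> On Thu, 1 Aug 2024 at 11:20, Priya Nair <priya.nair@x.test> wrote:"
# The capture group is the quoted sender's address.
QUOTE_LINE = re.compile(
    r"^(?:>\s?)*On .+? <?([\w.+-]+@[\w.-]+)>? wrote:\s*$", re.MULTILINE
)


def thread_signals(raw: bytes, known_contacts: set) -> dict:
    """Return the individual signals plus an overall 'suspicious' flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    looks_like_reply = bool(REPLY_PREFIX.match(subject))
    has_reply_headers = bool(msg.get("In-Reply-To") or msg.get("References"))

    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    quoted_senders = [addr.lower() for addr in QUOTE_LINE.findall(text)]
    distinct = set(quoted_senders)
    unknown = {addr for addr in distinct if addr not in known_contacts}

    reasons = []
    if looks_like_reply and not has_reply_headers:
        reasons.append("reply-style subject but no In-Reply-To/References header")
    # Assumed threshold: two or more quoted participants, none previously seen.
    if len(distinct) >= 2 and unknown == distinct:
        reasons.append("multi-party quoted history; no participant previously seen")

    return {
        "reply_subject": looks_like_reply,
        "reply_headers": has_reply_headers,
        "quoted_senders": quoted_senders,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample: a thread among three personas the recipient never mailed,
# presented as a reply but with no threading headers at all.
FAKE_THREAD = b"""\
From: "Dana Whitfield" <dana.whitfield@example-vendor.test>
To: accounts@example.test
Subject: Re: Re: Updated invoice for Q3 summit sponsorship
Date: Mon, 5 Aug 2024 09:12:44 +0000
Message-ID: <a1b2c3@example-vendor.test>
Content-Type: text/plain; charset=utf-8

Hi team, as discussed below, please process the attached invoice today.

On Fri, 2 Aug 2024 at 16:03, Mark Ellison <mark.ellison@example-vendor.test> wrote:
> Dana, finance confirmed the new account details, go ahead and resend.
>
> On Thu, 1 Aug 2024 at 11:20, Priya Nair <priya.nair@example-vendor.test> wrote:
> > The sponsorship invoice needs to go out before the summit.
"""

# Constructed sample: an ordinary reply with proper threading headers that
# quotes a sender the recipient already knows.
REAL_REPLY = b"""\
From: "Alex Chen" <alex.chen@example.test>
To: accounts@example.test
Subject: Re: Updated invoice for Q3 summit sponsorship
Date: Mon, 5 Aug 2024 09:12:44 +0000
Message-ID: <m2@example.test>
In-Reply-To: <m1@example.test>
References: <m1@example.test>
Content-Type: text/plain; charset=utf-8

Thanks, approved.

On Fri, 2 Aug 2024 at 16:03, accounts@example.test wrote:
> Please review the attached invoice.
"""

# Constructed address book: who the recipient has actually corresponded with.
KNOWN_CONTACTS = {"accounts@example.test", "alex.chen@example.test"}

if __name__ == "__main__":
    for label, raw in (("fake thread", FAKE_THREAD), ("real reply", REAL_REPLY)):
        result = thread_signals(raw, KNOWN_CONTACTS)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

The check deliberately scores rather than blocks: a mail client that strips References on forward, or a first contact with a new vendor, will trip one signal on its own, which is why both signals are reported separately and the decision is left to the surrounding pipeline. In the constructed samples the fabricated thread trips both signals and the genuine reply trips neither.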

Josh has been doing offensive security-related things for the past 12 years. He's spent most of his professional career breaking into networks via spear-phishing and other methods, and building software for both the public (Department of Defense) and private sectors. Josh is the Founder and CEO of Sublime Security, and in his private life enjoys weightlifting, martial arts, soccer, and spending time with his niece and nephew.
