🔒 Staying ahead of phishing and brand impersonation
Presented by: Patrick Donahue, Alexandra Moraru
Originally aired on June 16, 2023 @ 12:30 AM - 1:00 AM EDT
Welcome to Cloudflare Security Week 2023!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Alexandra Moraru and Patrick Donahue.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare Security Week Hub
English
Security Week
Transcript (Beta)
Good morning. Good afternoon, depending on where you are. My name is Patrick Donahue, and I'd like to welcome you to Security Week 2023.
Really excited to be here. This is our third annual Security Week.
Each one is a bit different. What's really exciting for me is, you know, every year we have a new product manager driving the week.
And this year Reid Tatoris, responsible for bots and API security and challenge platform.
You'll hear a lot from him this week. A lot of exciting announcements on the horizon.
Stay tuned on our blog, both, you know, new innovations, new partnerships, etc.
Today I'm joined by Alex Moraru, who's the newest member of our security product team.
I'm really excited to have her here. Welcome to Security Week, Alex.
Can you start out just by introducing yourself and telling our audience a little bit about yourself?
Yeah.
Hi everyone, and thanks Pat, for the intro. So my name is Alexandra Moraru, Alex for short.
I'm indeed new in this in this role at Cloudflare, so I've recently transitioned over from another role.
I'm now the newest product manager for for our Threat Intel group and I'm really excited to be here.
It's very funny because today it's one month in this role and we're announcing something really, really exciting.
One of the first products that I got to work with and work on in that capacity.
Terrific.
And how has it been sort of getting up to speed so far in product? Obviously, you transitioned from a different role.
One month in, sort of what are your initial thoughts, observations?
How has it been so far? Yeah.
I mean, it's I think it's been exciting. That's a good that's a good way of defining this last month.
You know, at times it's been overwhelming.
At times it's been like really, really fast paced.
And sometimes you just kind of get into a good flow and you don't even realize when time passes, right?
So I think I've had a really good experience so far.
I could do a full Cloudflare TV segment on on how it is to transition from from one role to another in Cloudflare and then particularly into into the product management world.
But overall, it's it's been a really, really good experience, due in fact to all the, you know, the good support that we that we get here and the the other really good product managers I get to learn from every day.
Excellent.
And I think, you know, we're we're definitely a unique place. Obviously we we move at a really high speed and velocity and try to get stuff in our customers' hands very early.
And so we're going to talk about that in a minute. Some some stuff we're announcing today and people are already using and playing with and getting feedback on.
So definitely an adjustment for for product here. And I think it's it's great you have a lot of relationships coming from a different role in the company because a lot of threat intelligence is cross-functional, providing insights and data and observations to other teams that are enforcing those controls elsewhere in sort of a company's infrastructure.
So really excited to have you.
Why don't we dive, jump in a little bit about what we're announcing today or what we've announced today on the blog.
Obviously, we're talking a lot about phishing, very much in the news.
A lot of people probably experience it themselves.
Can you just describe for our audience who may not be, you know, super technical, if folks are listening at home, like what is phishing?
Why is it a big deal?
Why should people be concerned about it? Yeah, yeah.
And indeed, it's all over the place.
And I think everybody is afraid of of being phished, right?
And basically what is a phishing attack is the situation in which somebody sends you, you know, an email or a text message, in some instances, a phone call.
I receive those as well. And then they sound like they're from a trustworthy source.
They could be from your bank or from your insurance or from, you know, a social media platform, something like that.
And then you might be asked to either click on a link to enter your login information, so to identify yourself on the platform or provide some sort of personal information such as your name, your address, complete with your postcode or a credit card number, something like that.
And then the catch is that the message doesn't actually come from from what you think is a trusted source, but it comes from somebody who just wants to steal your information in order to use it to either access your account, to steal your money, to commit some identity theft of some sort.
Right? So that's why it's really important to be careful with this with these types of messages.
Right? And in the context of an organization, the attack is, is when, you know, the attacker will send the same thing, an email or a message that appears to be from from somebody trusted, such as a trusted vendor or your financial institution or even a colleague from your organization.
Right? So they might include a link or a fake login page, a malicious attachment that, you know, you click on it and then your computer is compromised.
Or like this, they get to steal your credentials and then once the attacker is in, so they gain access to your to your account, to your computer or something like that.
And then they get to steal really sensitive information to launch further attacks within your organization.
So, you know, the organization is only as strong as their weakest link.
And we're all human. Anybody can make a mistake.
Right? So the impact is really, really big when when a company gets gets phished because it can bring significant financial damage, some reputational damage because it might compromise your employees or your customer data.
So that's why customers, our customers need to be very, very careful with how they protect themselves and how they can actually mitigate the risks of of phishing attacks.
Right? So, um, I didn't mention but specifically for organizations, spear phishing is actually the type of attack that is quite common, right?
So it targets a specific group or a specific person and it will include some information that is pertinent to that group or to that person, something that is is of interest to the target.
So that makes it even more credible. And it's so, so much harder to actually dismiss it as a phishing attack initially because you're confused.
So I've had I've had a situation in the past in which I received an email. I was working for for a small startup, right?
And I received an email from from my CEO mentioning some some things about, you know, we're changing some accounts and some details and they needed some, a specific piece of information from me and it was a bit weird, like, why would they send me that information?
But I really thought about it like my first instinct was, okay, we might be in trouble.
I need to respond.
It's my CEO, they need something right now. Um, and it. Yeah, of course I didn't click on the link.
I didn't send the information. Um, but it got me thinking for a moment, right?
And it could have been very easy to, to fool me and I'm sure many people are in that situation.
Yeah, no, absolutely.
And I think just that playing on that trust is really the crux of it.
And so I've actually, at Cloudflare received, you know, messages from, from our CEO, you know, that say, Hey, I'm tied up in a meeting.
Can you go buy me a Best Buy gift card or a, you know, an iTunes gift card and send me the contents and kind of get a chuckle, you know, thinking that that was that was a real request.
I think the other thing that is important to our viewers is that there's a lot of things that happen both from the corporate perspective, you're going to get these at work.
But as you mentioned, Alex, like there's, you know, personal phishes that you'll get.
And actually I'm quite proud, I've trained my mom, she she sends me, you know, suspicious messages that come in and a lot of a lot of the attacks, you know, are sort of leveraging people that are less technically sophisticated, and will go after those types of individuals because they typically have a higher success rate.
And so really unfortunate, but I think as we, as an industry, it's it's a really important problem to to focus on.
I think we'll get into some of the the stats later.
One other thing that I think is actually, you probably have seen in the news quite a bit, is the the whole concept of, you know, these these generative AI tools that can write, you know, language in a much more natural way and might be more easy to actually craft messaging that that appears authentic.
And so something absolutely to keep an eye on. The last point I want to make before we move on to talking about a little bit about how common this is and sort of what we actually launched today is what you mentioned that that email from your CEO that's that's what we call a business email compromise, or BEC.
And if you look at the statistics, I think the FBI published this, the amount of losses here, it's tens of billions of dollars.
Right? It just dwarfs losses really from other types of vectors.
And so people, when they think about security, they're often thinking about, okay, it's this, you know, hacker in a hoodie coding the zero day attack to to compromise this application, when in reality most of this is actually starting with an email.
So let's actually jump into that.
So one of the things I'm curious about and I've seen different statistics here and there, but like how common is phishing as a as a attack vector?
So I think by far it's the most common attack vector.
So according to to a stat, yeah, fairly recent from from the Cyber Security and Infrastructure Security Agency in the US, they say that about 90% of data breaches occur, start with a with a with a phishing attack.
90% is a lot. And they say yeah, 90%, meaning that a company has had one or more successful phishing attacks.
Right? Successful data breaches ultimately.
And I think that's quite scary, you know. And it just goes back to to what we were saying earlier.
It's, I mean, the human element here is the is what triggers it, right?
You can very easily make a mistake.
Yeah. And I know that all the all the companies actually that I've worked for, we've always had, you know, training and we've had awareness every year going over What is phishing?
How does this happen? How can you be protected by it?
But it just only takes one second or split second of not paying attention of what's what you're clicking on because maybe you're on the phone and you're also checking your your email and you're done for.
Absolutely, so what about Cloudflare?
I mean, we're we're a security company employing a lot of people that are sort of experts in this.
Do people ever come after us?
Do we ever get phished? You'd think not, but actually, no, we get phished all the time.
Yeah. So, um, I was, I was actually quite, find this quite funny as well because you'd think, okay, this is this is a company where people know better.
Um, but I don't, I don't think that attackers necessarily take that into consideration.
Right? So we get phished all the time.
And um, I think what, what saves us is the fact that we talk a lot about our security process and, you know, how, how do you react when you, when you see something that's fishy, you know, no pun intended, but we have we have this really, really clear, and I think it's a fairly friendly process, with our security incident response team.
And we're encouraged to just flag anything that we're not certain about.
Yeah? So if you're not certain, just flag it and, um, I end up reporting quite a lot of stuff and I have absolutely no shame in thinking, okay, maybe I should know better.
Maybe I should recognize this vendor or that.
No, I'm fine. I would rather, you know, get the green light than do something silly.
And, um, actually, it's quite encouraged. It's not a problem.
And I've been in other groups in which, you know, you kind of get slapped on the hand, like this was a mistake.
You shouldn't have raised this. You should have known better.
I don't know. I don't think that's the right approach.
The right approach is to be very welcoming to flagging all these things. Right?
So, um, we're, we encourage people to do this so much, so much so that a couple of months ago we received this, this email from our swag vendor, right?
So they were saying that, hey, it's time for you to pick your Cloudflare gift, you know, your Christmas gift it was.
And I started laughing when I saw, Oh, Cloudflare gift.
Give me a break. I'm just going to report you. So I reported them. And what happens is that it automatically creates a JIRA ticket.
Right? And, um, I got a really fast feedback loop from our from our security teams saying, actually, this is legitimate.
Go ahead and click on the link. But I saw on our, on our system that other people have responded exactly in the same way.
Right? Um, so I found that pretty funny, right?
Because, um, I was so skeptical, but probably I should have just been super excited.
I'm getting a gift, right? And I think that's, that's exactly how a lot of people react, right?
I'm getting a gift.
I'm getting a refund or sort of playing on the other side of it, right, where, you know, you're in trouble with the IRS and if you don't pay these fines, you know, we're going to come to your house and take you away in front of your kids and sort of all the the scary tactics on the other side.
I think just to go back to the security culture, um, in reporting culture, I think that's incredibly important and something that, again, was novel for me here as well and something that's encouraged all the way to the top of the company because you know, what other way to know that you may need to respond to things or what better way when you've got people reporting things, because in some cases, these these attacks can be very targeted on an individual.
Right? So it may be something that's, as you mentioned before, going to the finance team purporting to be from our CFO, wanting to pay a bill.
And so, um, you know, getting people to to report stuff is critical.
And in some cases it may be somebody has already done something, right?
They've already clicked on something. And to your, your your gift example, you know, that's asking for personal information, right?
Where do you want to have this shipped to?
And it sort of looks like a phishing attack, but sometimes people will only realize after the fact they did something.
And of course, you know, we we need to design our systems, and I want to talk to you a little bit about how how Cloudflare protects against phishing against ourselves.
But we need to design systems so that even if somebody does make a mistake, that's not the end of the road.
Right? That doesn't mean that they're that they're able to compromise an account.
And so, um, obviously a lot of, a lot of people saw the news last year about the so so-called Oktapus attack compromise, you know, well over 100 companies.
We were, you know, pretty public about sort of describing how this this went down and sort of how we stopped the attack against ourselves.
And we were one of the few companies, frankly, that that was able to fend this off without issue, even if even when people internally clicked and, you know, submitted credentials.
And so can you talk a little bit about that and like how we sort of protect ourselves from from phishing?
Yeah.
So, so, so particularly on this, um, actually, let's, let's talk in general how we protect ourselves from phishing, right?
Because, um, so we're, we offer these services to our customers.
So we're also dog food. We consume our own services, fortunately.
Right? So we have, we have some Zero Trust tools that, that, that we offer that are used by by our own employees as well.
Right? So I think there's a there's a variety there, depending obviously on the configuration, but we look at, we look at email and email protection, particularly filtering the inbound emails that that we get, right?
And and we do that with with the services from, from Area One.
It's a it's a company that we've we've integrated. So we we acquired last year and we've integrated quite well with with the team and with the product.
So that's one capability we have . Another, another product that we we use is our Gateway product, right?
So this, this actually helps us configure, configure our system and our network in such a way so that potential threats simply don't get resolved.
You know, when when an employee tries to, tries to access.
Right?
So you can't really browse there and you just get this message like Gateway, this is the error.
And then that's that's a flag already that you're trying to access something that might not be safe.
So look into it. Yeah. And then we also have the Remote Browser Isolation, for example, where we have specific browsing sessions that that that run remotely and then they have these built in controls to protect us against such such phishing attacks.
Right? And like when, when we see an incident like a really high risk site and then we can we can run that that session and and we're protected.
Right? So that's that's one of the things that that we do.
And and that's kind of the the suite of of products that we offer our customers.
Um, but then we also have, you know, hard control. We have hardware that, that protects us from that.
So we have these small YubiKeys that, that we actually use.
I'm trying to get one out of my laptop just to show. They're, they're stuck in there pretty good, so...
Exactly.
It's this teeny tiny one. I think we can just describe it for, for the audience at home.
Yeah.
And then then it's really easy to use. It's so tiny that when I first received it, I thought, oh my God, I'm going to lose this in the first week.
However, it just stays stuck in the in the laptop and that's fine.
And for the phone I have the one on my on my keychain and I'm not losing my keys.
So. So we're, we're good in that sense.
Yeah.
And just to drill into that, such an important point. Really, at the end of the day, you know, people are going to type in credentials and phishing attacks are going to get even more sophisticated and we can build in all the tools and detections and so on.
But at the end of the day, you know, the sort of the two-factor authentication methods of one time passwords, time based, one time passwords or getting an SMS sent to your cell phone, those are all potential to be compromised, right?
You can type that in to a phishing page and somebody can forward that along to the real site.
The hard keys that we press when we log into Cloudflare every day, those are unphishable.
They're only going to send, the computer is not going to make a mistake and see oh, it's Cloudflare.
You know, and I think in this particular case, and this would be a good segue to what we announced today, but Cloudflare-okta.com I think was the the domain that was registered to go after us.
The the hard key and the configuration knows that that's not the legitimate site that the credentials are registered with.
So it's not going to send the authentication there for somebody to pass it along.
And so, you know, public service announcement, if you don't have hard keys in your organization, please get them deployed.
Cloudflare Access makes it super easy to use it. So anyway, with that, let's let's jump in to sort of what we learned from this last attack and sort of how that informed what we announced today.
Can you tell me a little bit about that, those learnings?
And then let's let's jump into what we actually built. Yeah.
So, so like really quickly. Yeah, because I think it was all started with the Oktapus attack and we realized, yeah, we have, we have some tools that protected us and our clients could have been protected as well, right?
So what one of the learning points that I found really, really interesting and I still think about it, is the speed with which the attackers acted.
So they were registering the domains and then they were launching the attacks almost immediately.
So in in our case, in Cloudflare's case, it was, I think, a gap of 40 minutes.
So can you imagine, you know, 40 minutes, you register, you register a domain, and then 40 minutes later you already launched the attack on the on the employees.
So, I mean, many groups didn't stand a chance, right? So even if they would have had like really sophisticated ways of identifying them or like manually checking, in 40 minutes, you're not going to find that, right.
So, um, that's, that's one, one thing we thought of, okay, like what's a mechanism that, that can help customers be alerted immediately, but also kind of help them take action really, really quickly in order to protect themselves because it's not enough to know about about these things, but you must also have a pathway to to do something about it as well.
Yeah? Um, so, so that was probably one of the, one of the interesting things we learned and one of, you know, the problems we were trying to address, right?
The ability to quickly identify and and block potential phishing, phishing attacks or phishing infrastructure in order to prevent us and our customers to fall victim to to these attacks.
Right? So, of course, as I mentioned, blocking these sites manually is time consuming and very difficult, especially when you have a lot to, a lot of sites to monitor.
So, um, because the phishing attacks will additionally involve this rapidly changing infrastructure, it's a challenge to keep up with them in real time.
That's why you need, you need a tool or a set of tools to, to do that, right?
Um, yeah. And I think this, this is kind of how we started talking about brand protection and how we can provide these tools to our customers.
Um, and that's what we did. And this is what we're announcing today, right?
Our brand and phishing protection tools, which, which is now something that sits within our security center on the Cloudflare dashboard.
And I'm really, really excited about it and seeing how, you know, customers slowly start to use it and bringing results.
Cool.
Yeah. No, I'm super excited to see, um, again the sort of the Cloudflare product methodology, getting stuff in our customers hands early, getting feedback.
We've got a lot of people...
You know, you know, it's going to be popular and successful when you have people just sort of saying, Hey, when can I get access to this?
When can I get access to this? I want to be a beta tester. And we've got a number of those.
And I know I've been connecting you with a number of people that I've spoken to previous to you taking on the role and so excited to, to to build that out.
But I think the piece that you mentioned of like detection is one part. And sometimes we get people asking us, Hey, I'd like to have a takedown notice sent or, you know, have a legal department, send a cease and desist and so on.
And that process takes time, right? That's a legal process that plays out. And, you know, whether we do that ourselves directly or partner with somebody over time, that's not sort of the the that's not fast enough, right, for what we're trying to do.
And so I think pairing that detection with that immediate kind of Zero Trust enforcement is is really what makes our offering unique.
And so tell me a little bit about what what people can actually see in Security Center and what can they actually, what is the capabilities that we've built?
Yeah.
Yeah. So if you think, if you think of what like the basic functionality there.
The users have have three main actions they can take, right?
So they can go in right now and start searching for domains to try to understand, okay, this is my, my domain, you know, um, cloudflare.com.
Let's use this example.
Um, what domains that are confusable, so common misspellings or concatenation services, things like that, have been registered recently.
So we, we look at the last 30 days, um, that might be, you know, something that a potential phishing attack in the making, right?
So they can just go in, put in a search and get the results and that that happens immediately.
You know, you wait for a couple of seconds and then you have a whole list if there, if there are matches.
Right? Um, and and we do, we query trillions of, of of DNS results and we match that also with our 1.1.1.1 resolver.
Um, and we provide, so we have this ability to, to match this within seconds for, for customers.
So that's one, you can just go in and just have this ad hoc search, let's call it.
Um, and then if, if the search you're making is something that you want to monitor, maybe constantly, you have the ability to save it, to save it as a query for yourself and then and then always come back to it without having to, to configure it again in order to get the results, right?
And then the third piece of it, you are able to to also set up alerts, which I think it's quite, it's quite important for the feature, right?
You you get the ability to, to set up an immediate alert.
So the moment we we find a match, because we constantly run against the same search, saved queries.
Right? Um once once you get an alert you you receive, you receive a note, a notification, and then you, you can just go in into the dashboard directly and take some action.
So those are the three main, three main steps you can you can currently take.
And I think what's more important even, because you you touched on it briefly just now, for for for the users of our Zero Trust product suite.
It's it's important to say that actually you can okay you can of course have access to all of this.
But the feature itself becomes much, much more effective because you can easily find, you know, block any confusable domains directly, um, by, by creating a gateway policy or a DNS policy rule, right?
So that will immediately stop, stop your users from actually browsing to that, to that domain, right?
So to any potentially malicious sites. So, um, of course that website won't be taken down.
However, your employees will be protected.
They won't be able to to click on those links even if they launch the attack, even if anything, and even if they click on it, they just simply won't get there.
Yeah, no, absolutely.
And and that's, I know people can do this today with, you know, getting notifications and and automatically, you know, that webhook kind of scripting it to to to proactively block it.
I think what I'm really excited about and as a company we try to make things as easy as possible.
So you click one button and we take care of you or ideally you click zero buttons.
And so excited to see the roadmap that you've laid out with the team, you know, built and get executed.
The other thing I think that that just to to emphasize a bit.
What makes this unique from a speed perspective in terms of finding this is that a lot of people that do this today, they get, you know, end of day feeds from registrars and they sort of look through things or they try to go to a company that has DNS data and, you know, try to get access to that in some fashion.
What what is very unique about our threat intel offerings is, as you're well aware, is that we have this sort of first party data sets, right?
So we have a vantage point where we're getting trillions of queries per day just made to our infrastructure that we can we can pair and match against those filters.
And in the future, just automatically tell people, without them even having to say, I want this pattern, Hey, we saw this domain name that was registered or resolved.
It looks like yours, and maybe maybe it's being resolved by your employees or from, you know, where your employees are in the world and concentrated.
And so there's there's a layer on top of of the data that we can actually add some intelligence to.
And so we're really excited about that.
The other thing I know that I believe you're working on with the team, but the concept of like certificate transparency logs, right?
So when when somebody spins up infrastructure, you know, they'll get a VPS, you know, a virtual machine somewhere, they'll get a domain name.
And then, of course, you know, they want to get an SSL or TLS certificate because they they want this to appear legitimate, right?
They want to, they don't want the browser flagging that this is not encrypted.
And so all the modern browsers today, they support something called certificate transparency.
And so that these certificates have to have been logged and published to a CT log, of course, which which we operate one of the main ones that Google and Apple and others trust.
And so that's an additional data source that I'm really excited to see brought into the fold because I think it'll give us another sort of real time source there.
Yeah, me too.
I'm excited about being able, you know, to to push this. And it's true.
It's one of the next things on the, on the roadmap, which is quite exciting. Yeah.
Cool.
So we just have a couple more minutes left. Want to sort of spend a couple of minutes thinking about, you know, we talked about what's coming next.
Um, people obviously will read the blog post to go get started.
Um, is there anything else sort of up and coming that you're excited about, you want to mention ?
I think you have some other Cloudflare TV segments this week, and so if you want to plug anything, you know, feel free to do that and we can wrap up here in a second.
Yeah, thanks.
I mean, we have so many amazing announcements this this week on Cloudflare TV.
But one of the things that we're going to be talking about, I think it's Wednesday, um, with, with with our email team basically, we're going to be soon surfacing email insights in in our Insights feature under the Security Center, right?
So for example if you have um, unapproved senders, they will be flagged up and then you will have a really, really quick way for you to, to see them, to evaluate that and then, and they, and then take action.
So that's, that's one small feature from what we will be announcing with, with with email.
But I don't know if I should be talking more about all of that.
You're right.
You're right. Maybe I'm, maybe I'm spoiling some of the announcements.
So let's, um, let's, let's leave it at that. I'm really excited for that announcement.
And if you if you did catch this segment, you get a little bit of sneak peek of what's coming.
Alex, thank you so much for your time. Learned a lot, really hope those at home did as well.
And so with that have a great security week and we'll talk to you soon.
Yeah.
Thank you.