2. Phishing protection and credential reuse

Goal

Demonstration of Harmony Browse real time phishing prevention capabilities and credential reuse protection.

Discussion points

Harmony Browse zero-phishing real time scanning and prevention capabilities protecting organizations from the most common attack vector.
Harmony Browse credential reuse protection, alerting from potential corporate credential theft.

Instructions

2.1 Social engineering phishing protection followed by web download protection

Step

Instructions

From the Jump-Server machine, on the desktop, use the remote desktop link to connect to the Windows-Attacker machine.

On the Windows-Attacker machine , run the following :

Click on the Attacker-Ubuntu-Linux shortcut on the desktop to open SSH session using Mobaxterm application.
On the opened tab , right click and choose "duplicate tab" to open another SSH session.

You will have 2 SSH session tabs to Attacker-Ubuntu-Linux machine.
On the left terminal window execute /root/demo/serve-phish.sh to launch the attacker zero-day phishing website and view the connections.
On the right terminal window execute /root/demo/follow-phish-dump.sh to view the credentials that will be phished from the user.

On the Windows-Attacker machine , Open the Outlook client from the taskbar and send the targeted credential theft email named “URGENT: Policy update – Remote access software” for Bruce Morgan the CFO

The email is at the drafts folder of the SBlab IT Department section.

Minimize the remote desktop window and open a connection to the Windows10-Protected machine, use the remote desktop link from the desktop to connect.

On the Windows10-Protected machine ,

Open the outlook client from the taskbar and review the targeted email…… looks legitimate, right?.

Note - This is how easy it is to perform a social engineering and credential theft attack, and this scenario demonstrates why it is so successful and the critical need for real-time phishing prevention.

Click the download AnyDesk Installer link, and it will open in the chrome browser.

Notice that Bruce’s details are already filled in to build trust with the user, and all that is left for him is to fill in his (Bruce’s) password.

Press the password textbox to fill in any password you would like and notice that zero-phishing scans and detects the site as a phishing site preventing the user from exposing their credentials to the attacker.

Don’t close the user notification tab, and move back to the previous tab to show that the user is now blocked from handing his credentials to the attacker.

We have added in the policy the ability for the user to proceed even after phishing prevention is done in order to progress the scenario and show what happens in case zero-phishing is not implemented.

Go back to the user notification tab and press the “visit this infected site” link.

Now you will be able to fill in any password you want and click download your installer.

Suggestion: use a funny password like “I@mComporm!zed” or “PhishingRulz”

Show that the installer is blocked by the web download protection.

Navigate back to the Windows-Attacker machine to demonstrate that Bruce’s password was successfully stolen and can be used to launch a large scale attack on that organization.

Note - This is a good place to explore the ramifications of a successful phishing attack to an organization.

2.2 Zero-phishing prevention demonstration

Step

Instructions

From the Jump-Server machine use the remote desktop link to connect to the Windows-Server-Protected machine.

You can explore Total Cyber Protection tool of Check Point and share with your potential customers, examples of recent relevant threats, detected by Check Point security products, compared to other security products.

You can use this tool to get insights and demos using actual phishing URLs found in the wild.

Tool is available on PartnerMap:

You can also try and browse to OpenPhish URL using the Chrome bookmark https://openphish.com.

Important: Some links on OpenPhish will be blocked by the browser protection ,try to navigate to malicious site to experience Zero-Phisining protection in case browser protection missed it.

You can review logs and events from the Harmony Browse Management portal.

2.3 Demonstration of Credential reuse protection

Step

Instructions

From the Jump-Server machine use the remote desktop link to connect to the Windows-Server-Protected machine.

Open the chrome browser and browser to a safe site with username and password fields

We recommend using Bank of America : https://www.bankofamerica.com/ site or similar site that has both fields visible.

You will see that zero-phishing verified the site and that you can fill in the credentials.

Enter an email address – it doesn’t matter what – you can use fake@email.com for example.
Enter the following password in the password field: theft123.

You don’t need to press 'Enter'.

Important - The password theft123 is hardcoded string for test purposes.

You will see a notification that alerts the users that their corporate password might be exposed to hackers and that they need to change it immediately.

It will also create a log in the Harmony Browse management portal for administrators.

2.4 Demonstration of Zero-Phishing protection for local HTML files

Step

Instructions

From the Jump server machine, on the desktop, use the remote desktop link to connect to the windows attacker machine.

Open the Outlook client from the taskbar and send the targeted phishing email “Request for Payment Approval” for Bruce Morgan the CFO. The email is at the drafts folder of the SBlab IT Department section.

Minimize the window and open a connection to the Windows 10 Protected machine, use the remote desktop link from the desktop to connect.

Open the outlook client from the taskbar and review the targeted email…… looks legitimate, right?.

This is how easy it is to perform a social engineering and credential theft attack, and this scenario demonstrates why it is so successful and the critical need for real-time phishing prevention.

Click and open html attachment - it will open in the chrome browser.

Notice that the opened local HTML page looks like valid authentication portal and Bruce’s details are already filled in to build trust with the user, and all that is left for him is to fill in his (Bruce’s) password.

Press the password textbox to fill in any password you would like and notice that zero-phishing scans and detects the local HTML page site as a phishing site preventing the user from exposing their credentials to the attacker.

Don’t close the user notification tab, and move back to the previous tab to show that the user is now blocked from handing his credentials to the attacker.

Navigate back to the Jump server and login to the Infinity portal through the chrome browser (Environment Information).

Verify you choose chkp-demodays.xyz account and Harmony Browse application.

Navigate to the LOGS tab and run the following search to show detection log for ZeroPhishing:

resource:”file://”