Social Engineering Defense in a Browser-First World
The Critical Blind Spots Every CISO Must Address
Jerich Beason | CISO, WM | Summit Co-Chair

Social Engineering Is the #1 Attack Vector
74% of all breaches involve the human element
90%+ of successful SE attacks happen in the browser
10x increase in AI-powered phishing campaigns YoY
The question is not whether your people will be targeted. It is whether your defenses will catch it when they are.

The Browser Has Become the Operating System
Work has shifted from the desktop to the browser and adversaries have followed.
75% of the workday is spent in a browser
90% of enterprise apps are now SaaS-delivered
#1 initial access vector for attacks
The browser is the new perimeter, yet most security stacks treat it as an afterthought.
And the apps you think are desktop (Outlook, Teams, Word) are browsers too.

The Uncomfortable Truth
Your desktop apps are browsers. And attackers know it.

Electron = Chromium Under the Hood
Outlook, Teams, Word, Excel, OneNote, and most of the M365 suite are Electron apps built on Chromium. They are browsers.
When a user clicks a phishing link in Outlook, they are not opening a browser. They are already in one.
Same rendering engine. Same JavaScript runtime. Same attack surface.

What This Means for Defenders
Phishing emails render in a browser context before the user ever leaves Outlook
OAuth consent phishing, session hijacking, and credential harvesting happen at the browser layer
Endpoint security sees Outlook.exe, not the malicious content rendering inside
Your email gateway is the first wall. The browser is the last wall. Most orgs have no last wall.

How Social Engineering Has Evolved
From spray-and-pray phishing to precision, AI-powered manipulation at scale.
THEN 2015-2020
Mass phishing with bad grammar
Nigerian prince and gift card scams
Basic credential harvesting