
Reanna Schultz - Social Engineering: Training The Human Firewall

BSides Knoxville · 40:44 · 171 views · Published 2023-05
About this talk
Phishing is one of the leading cyber-attacks across the world, which has led to numerous social engineering training exercises meant to teach average users to defend against these attacks. This discussion focuses on research that ran three different phishing campaigns against a pool of users. Each campaign's phish is progressively harder to spot than the previous one. This research shows the psychological reasons why a user will interact with a phish regardless of educational awareness. Attendees will learn why a 0% click rate and a 100% report rate are unrealistic, and how to use security education metrics to understand the risk in, and improve, an organization's phishing pool. Attendees should leave with an overarching takeaway of how to improve or start security education for their business.
Transcript [en]

I'd like to introduce Reanna Schultz. She's going to be presenting "Social Engineering: Training the Human Firewall." Please welcome Reanna. [Applause]

Well, good morning. Some of you guys have had your coffee, so thank you. Before we begin, I personally want to thank each and every one of you in this room for not only coming to my speaking session today but for coming to BSides Knoxville 2023. We're gonna be discussing social engineering: training the human firewall. As a quick introduction, my name is Reanna Schultz. I am from Kansas City, Missouri. In fact, I started my cybersecurity journey attending the University of Central Missouri. I graduated in 2018 with my Bachelor of Science in cybersecurity, secure software development, and then later again in 2020 with my Master of Science in information assurance. I have a very technical background in endpoint security engineering and network security engineering, and as of today I work as a team leader out of a security operations center at Garmin. I'm very involved with my community; I work very closely with the Girl Scouts of America, being a STEM mentor. And besides my love and passion for this field, I really enjoy 1980s science fiction books. If you do want to connect with me on LinkedIn, I highly encourage you to scan that QR code located on the top of the slide.

So before I deep dive into this presentation, I want you all to have a few takeaways. One of the things I am going to request of each and every one of you is to keep an open mind. One of the most amazing things working in cybersecurity is the diverse background our community has. Some of you in this audience might be students, maybe sales vendors, maybe you might have five to ten years of experience. I want you all to really learn about a concept called user architecture. User architecture is built on two concepts: how our users think towards security threats and risk, and how our users act towards security threats and risk. And because we're going to understand user architecture,
we're going to be learning how to identify risk in our business through our security education program. I want you all to learn how to start your own security education program if you do not have one, and if you do have one, awesome, I want to hear what you're doing in your business. I'm also going to provide some insights on how you can mature your phishing program, on how to set ideal, realistic goals, and then also what you can do to improve your phishing pool by incorporating mature phish.

So, some historical knowledge about the topics I want to present to you. In fact, when I was attending UCM and I was getting my master's, I had conducted my own research. This was psychological research as to why are our users clicking on phishing emails regardless if security education is already present. And for me to understand this, I had taken a participant group of 100-plus users. These users had backgrounds in computer science, software engineering, and cybersecurity. These participants were not novice with computers; in fact, they were not novice in understanding what a phishing email was. This is really important, right, because unlike our business, where we have a wide range of users, I had a controlled environment about the backgrounds of my participants. And for me to understand why they are clicking on emails, I phished them with three different phishing campaigns. Each campaign consisted of two phish that progressively got more mature. In fact, these three campaigns each focused on a specific threat: I focused on phishing in a barrel, spear phishing, and spoofing. And for me to measure the difficulty of these phish, I had created my own algorithm. This algorithm highlighted that the more phishing characteristics a phish had, the higher the likelihood a user should be able to spot this as a phish, because not only am I wanting to see, hey, why are they clicking, but can my users learn and adapt and grow through this different type of threat landscape?

So like I said, user architecture, right? This was a really important
concept for my research to understand why my users are clicking, and in fact, if we take this back into our business, this can assist us in identifying risks and gaps in our education program. User architecture is built on two concepts, the first one being how our users think. How do our users think towards security threats? Where do they get their mindset from? Well, the influence of us as security professionals: how we project and how we train, and hopefully that leaves a positive impact on our users. So I like to use two examples to highlight this.

The first one being: leadership wants a small click percentage because it shows our awareness is improving. If you had first conducted your phishing program in your environment, I guarantee it probably wasn't uncommon for you to see a 50 to 75 percent click rate, because this was new, this was a new type of training for your users. And as you continue to incorporate phishing in that form of security education, those metrics start declining, right? And now we went from 50 to 75 percent to maybe two to three percent. Leadership goes, yeah, this is working, our users aren't clicking. Now if we take this mindset and we go back to our user, right, this user works for a company. This company sends phishing emails the second week of the month. In fact, this company might also have incentives for when you report a phishing email: if you've reported four times in a row, they're going to give you a swag item or maybe recognition in a team meeting. I had one person in the audience one time tell me that they give out gift cards if you report phishing six times in a row. I would love to work for a company that gave me gift cards for reporting phishing emails. But in this situation, this user shows up to work, they open up their email, and they notice something that's not normal in their email inbox. User goes over to their co-worker: hey, did you by chance see this email? Are you on this? The co-worker goes, yep, in fact I reported it to security, it's our phishing awareness
for the month. User goes, ah, cool, it is the second week in the month, and in fact I'm one phish report away from getting my cool swag item. So the user reports it to security, they get that confirmation saying, hey, thanks for participating in our phishing assessment. So this user, who was a great user and is an ideal team player, what are they going to do? They're going to set the rest of their team up for success. They're going to screenshot this email and post it in Slack, Teams, Discord, whatever their communication platform is for their environment, and now everyone else knows what the phishing email is for the month. But you know what? Leadership sees that two to three percent click rate, because obviously our users are not clicking phishing emails. So what was the mindset that we trained our users? Not how to read emails, not how to hover and go through, hey, is this suspicious, is this a shortened URL when I hover over this link, is there bad spelling. No, we trained our users to adapt to our environment, to think: what is happening in the business the second week of the month, those incentives, what can I do to share this with the rest of my team?

So then I have a second mindset: annual education refreshers are important and must be mandated. Absolutely, if you have cyber insurance, or even if you do compliance and audits, annual refreshers are important, because we can't force our users to interact with our phishing emails and our phishing assessments, but we can for sure check a box on our compliance checklist that they watched a video. Now, I don't know about you, I personally do not love my annual HR training videos. I know they're important, but especially this time of the year, we are almost six months into our calendar year, which means the holidays are around the corner. A lot of companies are already doing their sprints, they're finishing up their projects, their deadlines, and then of course the last-minute, oh, we need to add this on for this calendar year, we need to get this project going. So if I'm
this user who is juggling 15 different things, and I show up to work and I open my email and I see, hey, you have required training due by end of the week, I'm not gonna be a happy camper. So what do our users typically do, right? They're not going to sit there and watch a video as to why plugging a USB into a computer is bad. No, they're going to pull this video up, run it in the background. In fact, we always have that one person we work with that goes to the vending machine and gets all their snacks, and then they come back and the video's done, and they take their two to three questions and pass. So again, our security mindset is, yes, we're checking a box off compliance for our insurance. Our users' mindset is, yes, I'm checking a box just to get this over with. So again, what are we training our users? We're not training them how to think like security professionals, not showing and displaying the importance of security threats and providing that passion back to our business. Our users are learning how to adapt to security mechanics.

So then the second part of user architecture is understanding how do our users act. And this is important because user architecture is something we cannot control; this is why it's a risk in our business. So for us to understand how our users act, we have to know our users in our business. And I'm not talking about a personal level; I do not care about people's favorite colors or what they had for lunch, unless it's a really good recommended restaurant. But know thy audience, meaning what type of users are making up your business. And I like to use two types of audiences. We have Dave in finance. I feel like we always work with the Dave in finance here. Dave in finance works from Monday to Friday. He is an ideal team player, really supports the mission and vision and culture of the business. And if we think about Dave in finance, what does his email traffic look like? He probably works very closely with payroll, benefits, and 401(k) services. If he works with those
accounts, where does the money go for these packages? Maybe customer accounts. And then we have the opposite spectrum: we have Steve in sales. Steve is also a great employee, but what could we think that Steve's email traffic looks like? Steve probably works very closely with customers, business relations, maybe communication and marketing, because he is building that reputation for his company and selling products and making revenue. Hypothetically, Dave and Steve worked for the same company. This company got targeted with a phishing attack. This phishing attack is very sophisticated; it's a new type of threat, and so a lot of email and network security appliances might not have seen enough of these threats in the wild to update their scanners, to update their signatures, to stop it. This email made it to the end user, where both Dave and Steve got it. In fact, the contents of this phishing email state: hey, there was an error in our system, you have been unenrolled in benefits; if this is a mistake and you are a benefit provider, please click the link below within the next 24 hours so you can be re-enrolled and have benefits. Dave, who works in finance, who works very closely with benefits and 401(k) services, sees this email, goes, this is not an authorized benefit provider. Dave submits this to security. Now what is the likelihood that Steve is going to have this exact same reaction? That is a gap, and that is a risk, because Steve might be one of those users who doesn't really do the research on the benefits and gets the annual reminder once a year that says, hey, you need to re-enroll in benefits, and they just click the link, and then boom, they have health insurance. So Steve is probably going to have a different reaction than Dave based off their job and what they do for the business.

So security education software can be very expensive. There are a lot of good, reputable brands out there that do provide decent security education, Proofpoint being one; they do a pay-by-user. But again, if security education is new
to your business, the reality is cybersecurity does not make a company money. We do not make them revenue; in fact, we cost them money. And it's always hard when you have to justify, when you get a budget and you have to fight for where that budget should go. Should it go into our EDR? Should it go into more of our network? Maybe we need more resources. What about security education? Now this is also a factor. So a tool that I had used for my research is called Gophish. Gophish is a free, open-source platform, and sometimes I get questions like, is this great? Open source can be kind of skeptical, and I agree, I am personally skeptical of open source, because you get those developers that make their project and then they'll post it and forget about it, and then you're like, well, that was great while it lasted. The Gophish developers are a little different. They're very involved with their community; they post frequent updates, new features. In fact, if there are even bugs or patches, they post it immediately. And also what was great about this is that it integrated very well with reputable SMTP services such as Microsoft, Google, Yahoo. And by no means am I a software engineer or an application developer; I had stood my phishing environment up in less than two hours with 100-plus users in my three phishing campaigns. This was great. I will not be surprised if this tool is not free in the next two to three years, honestly. But again, I'm not trying to sell you guys a product; I'm providing you a resource, because if you do not have security education in your business, right, this is a risk. You are saying, hey, I'm approving the risk that my email security, that my network security, that my EDR is going to stop threats. Threats evolve so fast, and it's almost near impossible for us to continuously have our security appliances updated. If you do believe this, awesome; this is why it's important for you to keep an open mind in this presentation; this is why we grow as a community.

So my research
environment: I had hosted a Linux virtual machine on my own desktop, and this is where I hosted that Gophish service. In fact, I had hand-developed all of my phishing campaign emails through HTML, CSS, and some fancy Bootstrap here and there. I will show the emails that I used for my campaign; you are more than welcome to steal the ideas of some of these. I know when I've done this historically, I've had a lot of positive feedback of people in their business falling for the email, so it's kind of a good cat-and-mouse game. I did not want to send 100-plus emails six different times from my personal email account, so what I did is I created a few other email accounts through Microsoft, Gmail, Yahoo, and I even had a couple AOL ones. I used a webhook from this SMTP service back to my Gophish environment as a form of authentication. So when I sent those emails out, in fact I sent them dynamically, meaning no user received the same email at the same time, because I didn't know if they lived together, I didn't know if my participants worked together or had class; it brought another level of sophistication to my campaign. So when those emails got sent out through those email accounts out to my users, my users had two options: to click an email or to not click an email. And if they did click an email, they went to a SurveyMonkey website. And why did I use SurveyMonkey? Because it's free, but also it provided me a way to track click metrics; SurveyMonkey does this for you. And when a user clicked on it, it prompted them with, hey, you fell for a phishing campaign, here are some steps for you to recognize phishing in the future, and here's a survey. You had an option to take the survey or not as to why did you click on this. So like I said, I'm trying to find why are my users clicking on phishing emails regardless if security education is present, and then also, can my users grow their mindset in how they interact with phishing threats?

Three phishing campaigns. The first campaign I had focused on phishing in a
barrel, and if you do not know anything about phishing in a barrel, it comes from a very Western term where a fisherman would go out, go fishing; every fish he caught he threw in a wooden barrel; at the end of the day he would stick his hand in the barrel, pull out a fish, and that's what he was having for dinner. Today's phishing is a little different, right? So, similar concept, but we put this in a threat actor mindset. Emails sometimes might look like marketing ads or just junk, right? There's not really a specific audience or type that they're really aiming for, so they're looking for that one click, that one interaction, because that's all they need. I had talked about my algorithm; this campaign had a high-scoring algorithm, meaning there are a large number of phishing characteristics in these emails, thus the user should have a high likelihood to spot this as a phish. In fact, if we look at my very first phish I have here, it says: hello, please see the given information, so please review now, sincerely, your professor. It's a pretty bad email, right? There are a lot of grammatical errors, there's a period and a comma and a bunch of space, and just bad spelling. There are a lot of red flags here. There were clicks on this email. Why, especially, right? We remember my participant background being software engineering, computer science, cybersecurity. Why are you clicking this email? You should know better. The user responded with: I was curious; I believed my antivirus protects me from all types of security threats (in fact, if you're curious, they were running Norton on their computer); followed by not paying attention, right? When I say good grief, okay, let's try this again.

Phish number two. The contents basically highlight, hey, I know you're a student, people that typically, or students, don't have a lot of money, blah blah blah, take the survey link and you'll get a gift card for your time. Unlike the first phish, there were significantly fewer clicks on the second one, but again, I had a user saying that they weren't
paying attention, and they still had a habit of clicking on emails. Habits are hard to break.

So, all right, through the second campaign, what's going to happen now? Spear phishing. Spear phishing, spear phishing, spear phishing. I wanted to target specifically them being students, and in fact, not only did I want to target them being students, I wanted to have a psychological relationship with my participants. We go back to the phishing algorithm, right? It had a medium score, meaning that there was more of a risk that maybe these users probably aren't going to spot that this is a phish, but there's still a decent number of phishing characteristics to show that, hey, there's something weird here, there's something wrong. Now the first phish I sent, and I'm not gonna lie, I was kind of mean about this and I had a lot of fun. The content said: hey, you were using the university network; in fact, you were looking up inappropriate content on the network; you violated a policy; you need to take training; click the link. There were a lot of clicks on this. In fact, that other column was an apology letter. I don't know if you know any college students; I personally do not want to look at their browser history or proxy data. So what was the main reason? There was a sense of urgency that influenced their thinking. But again, right, there's also a pretty decent, high-level column over there that says they weren't paying attention, they had a habit of clicking on emails, and I also had another user state they were still curious. Oh boy. So I said, okay, cool, I scared them, that was cool, that was fun. Let's do the second phish, but instead of me focusing on scaring them, I wanted to have a sense of trust, right? I want them to trust me, trust that I was also a student. And so I said, hey, we have a homework assignment, a lot of us are working on it on the below Google Doc link, if you want to collaborate with us. And then, if you're not familiar with university environments, it's not uncommon that students are hybrid, right? Some of them are
remote, some of them are in class, maybe the