
All right, welcome to the two o'clock session. We have Eric, and he's going to be talking about ransomware, what it is and what we can do about it with some of the tools we haven't talked about.

All right, thank you very much, sir. Has anyone here heard of ransomware? Pretty sure... one? Okay. All right, so here's the deal: I got the post-lunch session, right? So this is about the time the turkey sandwiches or whatever should be kicking in, so we're going to start off with low calisthenics. All right, we're going to do some jumping jacks, we're going to get in the mood, and we're going to get into the talk, right? All right, up with me, honest now. I'm just kidding. I'm going to
have some fun here. I hope to keep it a little bit light-hearted; it's kind of a dark topic, but we're going to, you know, cover some of that. A good-looking guy on the screen, that's me. I'm humble. I've been in IT and stuff since like the mid-1990s, started off back in the FidoNet and bulletin board days. Some of you youngsters may not ever remember the sound of modems connecting, and the pure joy when you get a Courier-to-Courier connection, because all the compression is just fantastic, right? It was a whole other world, folks. But that's kind of when I got in IT and started getting into the security side of things. I spent about nine and a half
years down in Arizona supporting the US Army and was the security manager at the 2nd Regional Cyber Center, Western Hemisphere, which is a terrible name for an organization that's military, because you have to answer the phone like that, and we had no acronym. Okay, so any of you guys ex-military in here? Okay. Well, yeah, you don't count as ex... okay. Also CISSP, so do we have any CISSPs in here? Okay, you may recognize me if you were around for the email that said now you need 40 credits minimum per year. And it's okay, that was me. I was the Director of Member Relations and Services at (ISC)² for about two years. So I've been
around, been in security for a little bit. Somehow or another I took a wrong turn in my career and now I work in marketing, but the advantage is my phone doesn't ring at two o'clock in the morning and I don't have a pager on my hip, so it's not all bad. I work for KnowBe4. We're out of Clearwater, Florida, which I will tell you is much warmer than this; I'm still trying to get used to that a little bit, being up here from there. We have about 14,000 customers, a lot of them on the small and medium business side, but we've actually worked up a little bit into the enterprise as well. Our competitors, just
to give you an idea of what we do: KnowBe4 competes with PhishMe and Wombat, those are our top two. So we do a security awareness training and simulated phishing platform. Our idea is to try to train users not to click on stupid things and hopefully have better behaviors. Right now I'm going to talk a little bit about phishing here, because still, right now, the number one way that ransomware is getting spread is through phishing attacks. I can't tell you how many times, though, RDP, open RDP to the Internet, is being attacked these days also, so if you have open RDP sessions to the Internet, stop. That's kind of the number two. We do see a lot of stuff come
in through the web as well, through malvertising and other ads, things like that, but phishing is really where it's driving in from. Interestingly enough, little number there: 91% of successful data breaches start with a spear phishing attack. All right, we've heard a lot of red team stuff here and all that. If you talk to any of these teams, I'm sure they'll tell you when all else fails, turn around, hit the user, and you're going to get in. It happens far too often that way. Ransomware: a billion-dollar business last year. And CEO fraud, W-2 scams, also come in. We're going to start seeing W-2 scams here real soon, first quarter, all the tax stuff, people suckering people out of tax forms. If you're not
already thinking about that, think about that in your organization. Tell your HR people to watch out for that, because that's going to be coming. So, moving on. Ransomware, it's kind of a big deal, right? A billion dollars, like we said. A 752 percent increase in ransomware families just last year; that's a huge number. And what's happened is these guys have this billion dollars, there's lots of money coming in, and this isn't a bunch of guys in their mom's basement doing this. This is organized companies, organized organizations, nation-states involved in some of this stuff, and so they've been able to innovate very, very well, and they're trying a lot of cool and different new things to try to get
these infections, and quite frankly, it's working, right? Interestingly enough, last year 153,000 users were hit by mobile ransomware, and I expect that number to go up quite a bit as we move forward. I'll give an example of something a little bit later that was a type of ransomware-ish thing that hit mobile phones, but there's no reason we can't be doing our typical crypto ransomware through that as well. So price-wise, ransomware price tags went up to about $1,077 last year, which is ironically about what a Bitcoin cost last year, which I'm still kicking myself over, right? I just cry every time I see what happened to those things. I know a guy,
here's a side story, back in the day when they were first up, who mined a bunch of bitcoins so he could buy a pizza and thought that was really cool. So ten bitcoins for a pizza; I'll just leave you on that one, right? That's a lot of money these days. But I expect this to be higher this year because of that. The same study showed that small and medium businesses were a little bit closer to about $2,500 for the ransom in a typical attack. The thing you've got to think about is, when it comes to these attacks, it's not just about paying the ransom, it's also about what it costs your organization in resources. All right,
on average, 32 man-hours to deal with a ransomware attack. It went from 22 to 38 hours depending, and that includes a person that can't work, your IT folks doing this, and all of that kind of stuff. But that's a considerable amount of money when you start having things happen, right? And time from your already short-handed staff. And then finally, I don't really agree with this number. I've heard this thrown around. In this study they said less than half the people got their data back. I see that number higher than that. However, we have seen instances now where folks will put out a ransomware strain that really, they can't even decrypt the
data. It's just kind of riding on the good reputation of those that actually do get the data back. These are the scum of the scum that just throw it out there; there's really no way they can get the data back. We've seen that happen. Most of the time, if you pay the ransom, you will get your data back. The problem is sometimes law enforcement will have taken out the command and control infrastructure; things like that happen in the meantime while you're messing around trying to get bitcoins to pay this thing. So most of the time, yeah, it works. The question is also, do you really trust that data? And there are some
questions to that as well. They've had control of your data. If you look at the way HHS looked at it, they say if you have suffered a ransomware attack and PHI has been hit, then you're in breach by default, because somebody has taken control of that data; they've rewritten that data by encrypting it and now they've put it back. Well, there's no reason people can't mess with the data there too. Not only that, these crypto ransomware strains are designed to encrypt the data as quickly as possible. They're not actually trying to keep it clean, so things happen during the encryption process where files could be corrupt, and you've got to ask yourself how
much do I really trust the data when it comes back? We found through our studies about 55% of people in our campaigns will click on the phishing email link within one hour of receiving it. So that's very, very quick, and I'd like to say if we could get 55 percent of our people to actually click on the emails that matter in the first hour they get them, right, we'd all change the world here, okay? But the bad guys, they know how to get people to understand and react to things. I've already heard people touch on it a little bit today, about, you know, those emotional tugs and pulls to get people to do things. There's a couple of
emotions that drive actions in people, and that's outrage and anger. Those almost always drive an action out of a person. If you think about it, fear, sometimes people back off of something, but if you outrage them, if you make them angry, they're going to click on whatever it is you put in front of them. They're going to do something that's an actual action. They know this; they drive into that, and unfortunately people still fall for it. Now, with respect to ransomware, I love this part. This is kind of us, right? A couple years ago we're cruising along, we knew the threats, we knew what was going on out there, we knew how to handle things, right? And then ransomware showed
up. I just love that picture; that's kind of how things felt, right? It all kind of came off the rails when ransomware really got going here. It's changed the way we've had to look at things and deal with things, fundamentally. I mean, I can tell you for years my biggest concerns were firewalls and email, just that kind of stuff, but when it comes to the way that ransomware really hits things... oh, I love that, he's going to take a picture. Tweet this, my boss is going to see that. If you all need a speaker, just let me know, okay? I'm just kidding. But I mean this really, really affected the way we
were, and now this is kind of the way that we're having to deal with this sort of thing, right? The world is on fire around us and we're still trying to figure out how to deal with this, because it's not slowing down, it's getting worse. Let's talk about some recent attacks that have happened. A couple days ago: employee, malicious email attack, yeah, yeah, encrypted the county's files, but it also loaded crypto mining software, right? Now Bitcoin is worth, you know, trillions of dollars; I think it peaked at like 15,000 or something yesterday, and it's just ridonkulous. Nineteen? Oh, thank you, okay, nineteen. All right, yeah, I'm not even keeping track of this anymore. It just kills me when I could have
bought it at $35. But anyway, watching this stuff happen, what's going on here: they're starting to do this, and what's important to realize about this, I mean, this is a real-world attack. Not only can the dropper go out and pull down the ransomware, it can pull down other things as well. In this case it was crypto mining software, but there's no reason other malware can't be pulled down at the same time. And we're starting to see more of these sorts of attacks, these pseudo-hybrid or pseudo-ransomware attacks, where essentially it's kind of like they light a fire in the trashcan over here and everybody's over there, and it's big and in your face, because ransomware is
in your face, right? So they've lit this fire over here in the trashcan, and while everyone's responding to that, we've seen some very targeted phishing attacks over on the other side against the leadership, while everyone else is busy trying to deal with this fire. So we're seeing more and more of that; we expect to see more and more of this sort of thing as well. It's why we recommend, if you get infected, don't trust that machine. Don't just restore the data, which we find that a lot of small and medium businesses do. You want to nuke the machine from orbit; it's the only way to be sure, right? Nuke it, wipe it, start over from scratch. Be
careful with the data that you put back on it. I love this, and this just kind of tells you how much people don't understand what's going on anymore. This was a lock credit $23,000 ransom, hit 48 of 500 servers. I love this quote: "I don't think we were targeted. I don't think we were at fault. There have been many, many institutions that have been breached. I think we do everything we can to keep our firewall secure." Okay, so this is the leadership talking about "our firewall is secure," and, you know, "it's not our fault." So many organizations don't understand, or at least their leadership doesn't understand, what's going on and what they're up against, and as long as
that keeps happening, we're going to keep having problems like this. Another one here: fertility clinic in Minneapolis. That was in October. Their servers had been impacted in a ransomware attack. Okay, so this right here, "although there was no evidence it was actually accessed or viewed," blah blah blah blah blah. This to me sounds like something going back to that HHS sort of thing. They had to claim, they had to say that this was a breach and report it as a breach, even though it was likely just crypto ransomware, because HHS says if PHI is encrypted, it's a breach. And if you're in a medical situation, you don't want to have to go out and do breaches and breach
notifications and have to deal with all that kind of stuff. But if there's 500 records that were touched by ransomware and you can't prove that it was encrypted beforehand, you're now in breach. So keep that in mind; that's something you've got to watch out for when it comes to that. I'm a big proponent of, obviously, encrypting data, especially PHI stuff, but unfortunately a lot of organizations still don't do that. Should I pose for you? All right, all right, I got the thumbs up there. This is another good one here: Cockrell Hill Police Department in Texas. Osiris, they got hit by that strain, yeah. So eight years of police department evidence gone. Fortunately it didn't affect a whole lot of the current things
that were going on, and they said, well, we have all the paper copies, which to me translates into some intern is going to be living in hell for the next couple of years as they rescan those and re-digitize all that stuff. That's how this kind of works, but this could be really bad, you know. And of course it was a phishing email. "Our automatic backup started after the infection," so it just backed up infected files. Now, most of the time that sounds more like replication to me, or somebody's doing a real poor job. However, we've seen some strains now that are trying to get in there, they're trying to be persistent, and they will
lay low for a while to try to get into your backups. That way, when you do your restoration, if you restore that machine, it kicks off right away; it hits that command and control server, kicks off right away, and you're back in that boat before you know it, and all of your backups are infected. So something to think about, something to be careful with. And finally, Licking County, Ohio. Ransomware took online access and landline phones down; a thousand government computers shut down, 911 computers were down, and they had to log contacts manually. How reassuring is that, when you're calling in and they're, like, writing down your 9-1-1 call? "I'm sorry, sir, were you dying or almost dying?
Hold on, sir. Oh, my pencil broke, hold on." You know, I mean, this is just a bad idea. Think about this when you're thinking about, like, incident response plans and continuity of operations and how bad it can really be. And I love what the county auditor here said: "Apparently our clock still works." That was like the highlight of the whole thing, that their clock still works, right? And so this is my own original joke, folks, I'm going to leave you with this: this was in Licking County, so the clock took a licking and kept on ticking. I'll be here all afternoon. Yeah, I got something. Thank you, thank you, thank you. All right, so this is one I mentioned a
little bit earlier. This is LeakerLocker. So LeakerLocker, I don't know, some people call everything ransomware these days, right? Anything that involves something happening where they call for money, people are calling ransomware these days. This was actually more of a doxing sort of thing, but what's important about this is individuals downloaded this from the Google Play store, from a legitimate store, and then when they went to install it, it said, hey, we want access to all of these things, and the people were having this game come up through it, and then they hit okay at the end of it, because they don't know any better, right? So what this did is then it would take care of some
things and it would pop up a lock screen. It said you have 72 hours to pay us 50 bucks or we take all of these documents, and it listed out all of the things that it had access to, and we send them to everybody on your contact list. So that could be embarrassing for people; it could be a real problem for people who use their phones for corporate business too. How many times have you downloaded a document on your phone to read it or something like that? You could have some serious issues with this if it starts blasting out all of this information to all the people on your phone. Now, there's no reason this couldn't be a typical crypto ransomware
attack, because it used the user's ignorance, of just saying sure, I'll give it access to all these things, to hit. So I expect we're going to see more sorts of things like this. I expect to see more mobile devices being targeted as we move forward. There's a lot of things that tie back into networks, that poke holes back into our networks, that people are walking around on the street with. And not only that, back in my day when I started, I mean, BYOD was your little cell phone that could do a few things here and there, your BlackBerry. Now people are bringing in tablets and their own personal stuff at rates we've never seen before. It's kind of scary. I
can't wait to see everybody in the office with a little, you know, Echo Dot over there going, "Alexa, you know, add this to my calendar." I mean, who knows what we're going to be trying to connect to these networks as we move forward. I'm sorry, youngsters, but you millennials love your tech and you want to bring it to work with you. I get it; it's tools you're used to using, but we have to consider how that impacts your organizations, because these things are being spread. Now, talking a little bit about some things: ransomware as a service is something that has me very concerned these days. And ransomware as a service, if you haven't heard of it, is
this fantastic new thing that the bad guys are doing, and basically it boils down to: they didn't want to get left out of the game, right? I told you they were innovating. So they said, well, there's infrastructure as a service and software as a service and platform as a service; let's make ransomware as a service. So what they're doing now is they're actually building out the command and control infrastructure, even down to the point of processing the payments and laundering the Bitcoin payments and all that kind of good stuff. They're building that out and then renting it to people. So what's happening now is non-technical people that just have no morals are able to get into the
ransomware game. All right, you used to have to be pretty technical to do this. Anymore, all you really need is a list of email addresses or the ability to social engineer people well, which, let's face it, there's a lot of very good non-technical scammers and con men out there. Now all they have to do is be able to send the emails to people, and all of the technical stuff is taken care of. This top one here, that's called Philadelphia. Philadelphia, there's actually a YouTube video that has Philadelphia; it's a marketing video for this strain, and it's amazing all of the things that you can do on this. It's very customizable, everything up there from the Russian
Roulette to all of the text in the middle to everything else. It's amazing. This costs four hundred dollars, that's it, all right? And they handle all of the infrastructure stuff; you're in the game for four hundred bucks. The bottom one here, this is called Dot. Dot is the same sort of way: you walk through a wizard, you build out this ransomware, and what's cool about this is it's absolutely free. It's got a 50/50 profit share with the bad guys, all right? So they actually provide you with guidance and tips and tricks on how much to charge in different regions and what types of phishing emails work well in these regions, because they want you to
be successful, because they're taking half the money. This is why I think ransomware is going to get worse in 2018 before it gets better. There's other strains out there, Satan, some other ones that I can't say [unintelligible], but these things are out there and they're happening over and over again and again. These guys are getting very creative in how they're doing things. Any of you all heard of Popcorn Time, the ransomware, right? So Popcorn Time: you get infected and it gives you a link, and if you send that link to other people and two other people get infected and pay, you get your data back free. It's like the Ponzi scheme of
ransomware, okay? Pretty, pretty impressive ways of thinking about this stuff, but it's going on and it's happening out there, because quite frankly they're making a ton of money off of this stuff. So I love this picture. I've been using this for a while and it never gets old for me. If you haven't seen it before, I recommend you take a look at it. You may not be able to read it all, but this really covers so much of what's going on in the ransomware world and is still so valid today, even though it's about a year and a half old. This actually was done before the Dyn DNS thing. You may have remembered there was this little thing that shut
down like a third of the Internet, and, like, Twitter went down, and that really hurt me; I was having to write things on Post-it notes and stick them on the window in my office, like, I need to share things with people. But the ironic part is you've got these right here: excuses, "what, we participated in a DDoS attack?" It's the camera and the bulb, like, hey, what happened, right? This guy's a prophet, all right? But it's fantastic when you look at this and you think about some of these things. My favorite one, honestly, is this one down here: "Send me 25 bucks or I'll tell everyone on your social network you were stupid enough to buy an
internet-connected broom." Right? We're connecting everything in the world to the Internet in our homes these days. I still haven't figured out why you need an Internet-connected refrigerator. Now I'm the biggest nerd in the world, right? You've got an idea why? Okay, oh yeah, yeah, connecting beds to the Internet, yes. Yeah, actually, so I'm sort of into the home automation thing, I've been screwing around with that, and there's actually proximity sensors you can tie in with that, so you can tell if somebody's in bed and you could turn off the light. There's all kinds of nerdy stuff you can do, right? Yeah, it could be for Sleep Number and all that. It's pretty crazy,
though, the sorts of things that we're connecting to the Internet. And by the way, I'm super thrilled with these; these are really cool little things for home automation. I'd love to talk about that stuff if anyone wants to. But as we keep attaching these things to our networks, every time we do that, that's another attack vector, all right? Now I have a bunch of Dahua or something, I didn't know if I'd say it right, cameras in my house, and they're known to call back to China, right? Okay, so I took the steps and I'm segregating them on their own network. They can't get out to the Internet. But your average consumer is not going to do this sort of thing, and
that's a little bit scary. We need to start thinking about that, even when it comes to businesses. I'll tell you what, those cameras I have are really good quality cameras; they have a great picture, they do good stuff, they're inexpensive. How many organizations are plugging those into their businesses because they're inexpensive and work well, right? Well, there's your trade-off: you don't know what they're doing. We keep seeing these things that end up calling home and doing bad things, right? So we've got to be careful with that. We're also seeing areas where, you know, we had a hotel last year that was hit with ransomware and it basically locked down all of the door systems for the cards, so people couldn't
get into their hotel rooms, because that whole system was locked down. And we've seen apartment complexes where they've shut down the heating and cooling system and then wanted a ransom for that. So this stuff is just going to get crazy. Anything you can plug in or get to, and especially anything that has value, could be a target. Now, what can you do? Well, first thing, number one, and it does work: train your users. If you want to tell me the users are stupid and can't learn, have a little off-to-the-side chat with me about that. I absolutely disagree with that. I see it all the time. It's a matter of how we as professionals train the users and our ability to relate to
them, all right? I'm a technical guy, I'm a nerd; you do not want me training your users, okay? The stuff that I think is cool is not going to be cool to them. That's the problem a lot of times when people say that. People aren't stupid; they're educated in domains that we may not be, and we need to understand that. But it's the number one way to get people to quit letting these bad things into your network. Number two is what we call weapons-grade backups. Now, when it comes to backups, entirely too often we get lazy. We see that email that came in and the subject line is "backup successful" and then we walk away. Oh yeah,
it's good, right? I cannot tell you how many times I've heard stories of people that got that email but didn't realize that half of the stuff that they thought was getting backed up isn't, or that there's a problem with it somewhere. Maybe something changed in the folder structure and now this other stuff isn't being backed up, but boy, your software thought it was backing up; it was great. Don't trust that. And when we talk about weapons-grade backups, what we mean also is keep your backups off your regular network. Story again last week, same sort of thing: people got hit, their network got hit, their backups were network accessible, they were also hit with ransomware. Does you no good if you
can't get back and decrypt your backups, right? Test it. Test the ability to restore. I say at least twice a year restore everything you've got. It can be on non-enterprise disk, you can be on something like that; there are advantages to doing it in the real world, like you know exactly how long it takes, and that's actually kind of important. But if you can't make sure you can get the data back... And at least once a month pick some of your critical data, randomize it, pick some critical data, and make sure you can get that back. Things go wrong with backups; it's a fact. Has anyone in here tried to restore a bunch of data and had no backup?
Only you? You are lucky. That, honestly, that is one of the worst feelings in the world. It's a sinking feeling, it's an icy feeling in your gut. And quite frankly, when you go to talk to leadership, it's a lot easier to say "some bad hacker got into our system and stole all of our stuff" than it is to go, "huh, I kind of missed the email that said it was failing and didn't check it, and all of our data's gone, boss," right? That's the quickest way to generate a cardboard box and a way out the door, usually after you've cleaned up the mess, mind you. They're not going to fire you before you
fix all this stuff, but it's not an easy thing to get past. Unfortunately we rely too much on the automated stuff, so make sure that you're actually testing those things. Make sure that they're secure. There's the 3-2-1 method: three copies of the data, two of them... two different types of media, one of them off-site. Follow that, whether it's tape being the other kind of media or somewhere in the cloud. And don't rely on Dropbox, don't rely on Google. We've actually seen strains where if you have the connector installed on the machine, they will target those sorts of things so you don't have a way to get back at it. They know their bread and butter is
you not having a way to restore your files, so they're targeting the syncs, the volume shadow copies, all of that stuff. Different strains do different things, but they know to go after those things, so it's really important you do that. Segmenting the network. You know, some of you may realize a lot of this stuff is security 101, but what's happened is we've become so reliant on technology to do all the work, especially the junior folks; they haven't necessarily been told the importance of a good foundation, right? So segmenting the network, and what that means is, if your marketing computer, your receptionist's computer, doesn't need to get to, say, a login screen on a production SQL server,
don't let it. But it's amazing how often we see flat networks in this world, and that's bad news, not only for ransomware but hackers as well. So a hacker gets in there, somebody gets in there, they get into a machine. Are they going to be happy on that one person's machine? No, they're not going to be happy there. They're going to try to pivot and move around, right? Unless there's something great on the receptionist's machine, they're not going to hang out there, right? They're moving somewhere else. Limit where they can get to and that's going to reduce the amount of damage that can happen. And it kind of makes sense, but a lot of folks don't think about that. You will, you know, we
all know about WannaCry. WannaCry, it's that little thing that hit this year. I was actually doing this talk at Converge in Detroit at 3 o'clock on the day that hit. That was a pretty interesting one, because everyone's like, hey, what's going on, you know, everyone wanted to know. I'm like, hey, whose phones are on fire because they're on an IR team? And most of the place raises their hand. But when that hit, it spread so fast and so far, it was phenomenal. Had organizations done a better job of segmenting things into smaller areas and blocking what had to go to other things, or had the ability to, that would have been so much more
contained and so much less disastrous. Unfortunately, you know, well, fortunately, the attack kind of opened the door for us with executives. When they're seeing this stuff in the magazines they read, we can go, look, this is a big problem. That opened the door for us, but it could have been so much less disastrous had those networks been segmented and they'd limited the ports and protocols and data that could go across those areas. Then the principle of least privilege, kind of the same, only on the network ACL levels, right? A lot of organizations, you have an S drive or something, a shared drive that has accounting and marketing and every other department in that place, and
people have access to just everything in there, right? Well, ransomware typically starts off by, you know, launching in the context of the user that launched it. Some of it will try to gain permissions, but not all of it; it'll just do whatever it can do in the context of that user. If your receptionist doesn't need access to the accounting share, or your marketing team doesn't need access to an IT share, don't let them have it, because if it doesn't have the rights to modify that file, it can't encrypt it. So this is another great way to kind of limit the damage that can happen in an organization, by understanding who has permissions to what. I also want to say,
think about service accounts in your organization. What service accounts are running, what, you know, how long it's been since passwords were changed. Typically those have a whole lot of permissions, and the password gets changed once every, well, next time the company gets built, right? Yeah, those are pretty nasty. You've got to have a way to either switch those up a little bit, get them contained, maybe in different segments or whatever, or limit the amount of permissions they have. It's super easy to go into somewhere and go, hey, this service account needs all these kinds of permissions to do its job. Gosh, I tried it twice, it failed, now I just made it an admin, or worse, he made it a domain admin,
because all service accounts need domain admin, but it works like that, so I'm going to go now tackle this other problem. Such a bad idea, all right? But we see it over and over again. It's unfortunate. Got to think about that. And then monitoring the network, of course: some sort of a SIEM, some sort of a way to see what's going on. There's a lot of free open source stuff out there that you can deploy, IPS, IDS, something that's going to report on weird crap happening, especially feeding your endpoint protection into something like this. If things start hitting off in different areas, you know you have a problem, you can go do something about it. But if you're waiting for the report to get emailed to you from
Symantec console the next day that goes, hey, all hell broke loose over here, that's probably not the email you're waiting for, right? You want to know what's going on there, and there's just so many products out there that can get you started to help get visibility into that sort of thing.

And then keeping up with patches. There's gonna be a collective groan around here: patching stinks, okay? And a lot of people pontificate on patching. They'll stand up here and go, you have to patch no matter what. I'm more of a realist, because I've been doing this a long time, and I know sometimes patching is a, it's a break-home addict, right? You apply the patches, the world catches on fire, you roll back the patches, you've got to fix everything, all right? I've been in very, very large enterprise environments, and we had to take special care of our patches because they could break a whole lot of things. Like the Army: we ran the Active Directory for all of North America for the Army, right? Things can go wrong when that happens. Well, the key is making a good process around it and taking it seriously. You have to take patching seriously.

If you don't patch, or can't patch, and there are a lot of cases where you can't, I've done time in the medical industry: you've got this beautiful MRI machine that does wonderful images, it's a fantastic piece of equipment, it runs on Windows XP, the company's been bought or sold 17 times since you put it in, but to replace it is three million dollars and there's no reason to. This happens out there, okay? So if you can't patch a machine, though, do your due diligence and look at other controls you could put in place. In other words: can I block this vulnerability? Can I isolate this machine? Can I only allow it to talk to one or two machines on the outside that it can relay to, something like that? Don't just go, I can't patch it, and walk away. A lot of organizations, they get to the point that they're like, oh, that XP machine, we can't patch it anymore, and they don't even consider it when it comes time for vulnerability, you know, considerations and risk analysis, and that gets people in trouble when it all really goes down.

So that's kind of my spiel on that. I know it's not easy, but it's something we have to take seriously. We have to build it into a very deep company culture too, because in organizations that have security and, say, an IT staff, I've struggled with that before, where I'm going to the ops guys and I'm like, man, we need to patch this, and they're going, yeah, but we need these SQL servers to work, and you buttheads, like that. By making a good process that says, you know what, anything that's a CVSS score above six or seven or whatever, we're gonna have patched within 72 hours, having that process gets everyone in the same boat, at least if you can all agree to that, and you know what you're doing. Maybe the other ones are gonna be a little longer, because quite frankly most people are not getting owned by zero-days. Unless you're a big company or a nation-state, they're not gonna get to you with zero-days, okay? It's usually things that have had a patch out for 30 days or 60 days or something like that. There has been time to patch these sorts of things. So I'll get off my soapbox now.
So, protecting your users, right? I thought this was great: the Verizon DBIR this year said, train your employees with regard to phishing; provide them a quick and easy way to report suspicious emails. All right, we have a tool that you can download. It's free, you don't have to be a customer, works on Office 365, Outlook and Gmail, and what it does is, it's basically an MSI, you deploy it, it goes in there, reports to the NSA. No, I'm kidding, just seeing who's still awake. But what it does is it allows users to click the button, and if they suspect an email, they hit the button, it wraps it up, headers and all, so you don't have to go back to them and try to explain the difference between forwarding and dragging and dropping, right, all that kind of stuff. It wraps it up, it sends it to you or your SOC or whatever with all of that information.

What's cool about this is, if you deploy this and you get four or five people that have now hit you up with these sorts of things, and you're getting several of these Phish Alert Button alerts quickly, you know that you're under attack, so you can warn the users. We do it all the time: send it out, hey, we're seeing a lot of this one that looks like an Amazon gift card or whatever, keep an eye on it. Or you can go a step further, you can go wipe it off the mail server so most of your individuals never even see the thing, right? Or you can take it and have a little fun with it: defang it, pull the bad stuff out, put in some simulated phishing links and send it back out to your people and get them used to seeing what's real out there and what the attacks really are. So there's a lot that you can do by doing this.

You can do it by having people also send it to, like, a phishing@ address or whatever it is in your organization. The problem is people often forget what those email addresses are. That's why having some sort of a button like this makes it a lot easier; they forget what the email address is or who to send it to, and then, you know, obviously they just give up. And the other thing that's nice about this is, by taking it out of their inbox, they don't come back later at lunch and go, I wonder if that really is an Amazon thing, and then end up clicking on it, right? Get it out of their mind.

What people don't understand when it comes to training, again, people aren't stupid, but what we're not trying to do here is, we're not trying to make them technical geniuses. You don't want to get them into header manipulation or checking or analysis or any of that kind of stuff, right? What you really want people to do is to get that email that feels a little weird and work on that something's-a-little-off-on-this reflex, right? How many times have you seen a user do something that we deemed stupid, and you go, amigo, why did you do that? Well, I thought something was a little weird about that, but I went ahead and clicked on it anyway. I did, right? That happens too often, because they don't have another something to do about it, or they haven't tuned that instinct. So that's what you're trying to do: you're trying to just tune that instinct a little bit, get them to report it, and
then have somebody that's actually technical take a look at these things.

So, let's see, moving on, other threat vectors. Yeah, so as we all walk around here with these lovely little Wi-Fi enabled things transmitting God knows what around our necks, I'm gonna talk about other threat vectors and what to watch out for, right? I do love these, by the way, but who knows what's on these, okay? Fact is, I have two rules; it's this one and the next one: don't plug random junk into your devices, all right? It makes sense, all right? You won't believe how effective USB drops are still today. A couple of years ago, this was from Black Hat or one of those, a talk: 300 thumb drives dropped at the University of Illinois, we can blame Illinois for that. 98% were picked up, and 45% of those who picked up the drives clicked on the files. So they asked them, why did you do that? I don't know, I wanted to see what it was. You know what bad hygiene that is, so teach people not to do that. I don't know, have you guys watched Mr. Robot? All right, okay, so early on in the seasons there was the USB drop thing, and okay, fine, the guy got caught or whatever, but these are actually real attacks. People will leave stuff out like that and see what they plug in. It's unfortunate, but folks don't think about that, or they take it home and they plug it into their home machine, which doesn't seem like anything to us, right? But what if that home machine is VPNed in to our network, or VPNs into our network, right? These attacks don't just affect things at home, so you've got to be careful with what you're doing. People need to understand.

Okay, on that note I'm gonna wrap it up. Thank you very much. We can talk afterwards. Please don't catch on fire on your way out.
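The patching process the speaker describes (a CVSS cut-off that puts a finding on a 72-hour clock, a longer cycle for everything else, and an explicit decision for the hosts you cannot patch, like the Windows XP MRI console) is easy to state and easy to lose track of. The script below is an added example written for this transcript; it is not the speaker's or KnowBe4's code. The 7.0 threshold, the 30-day window for the rest, the status names and every finding, host and date in it are constructed assumptions for illustration, and the finding identifiers are placeholders, not CVE numbers.

```python
"""Patch-SLA triage in the spirit of the talk's rule of thumb (added example,
not the speaker's code): a CVSS score at or above a threshold means patched
within 72 hours, everything else gets a longer window, and a host that cannot
be patched only counts as handled when a compensating control is on record.
Policy values, findings, hosts and dates below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumed policy: the talk says "six or seven or whatever"; 7.0, the 30-day
# window for lower scores and the status names are this example's choices.
HIGH_CVSS_THRESHOLD = 7.0
HIGH_SLA = timedelta(hours=72)
NORMAL_SLA = timedelta(days=30)


@dataclass
class Finding:
    finding_id: str               # constructed placeholder, not a real CVE id
    host: str
    cvss: float
    patch_available: datetime     # when the vendor fix became available
    patchable: bool = True
    compensating_controls: List[str] = field(default_factory=list)


@dataclass
class Decision:
    finding_id: str
    host: str
    sla: str
    due: datetime
    status: str
    note: str


def sla_for(cvss: float) -> Tuple[str, timedelta]:
    """Map a CVSS base score to the SLA window defined by the policy above."""
    if cvss >= HIGH_CVSS_THRESHOLD:
        return "72h", HIGH_SLA
    return "30d", NORMAL_SLA


def triage(findings: List[Finding], now: datetime) -> List[Decision]:
    """Return one decision per finding, highest CVSS first."""
    decisions = []
    for f in sorted(findings, key=lambda x: x.cvss, reverse=True):
        sla_name, window = sla_for(f.cvss)
        due = f.patch_available + window
        if not f.patchable:
            # An unpatchable host is not dropped from the risk picture: it is
            # accepted only with a documented mitigation (isolation, allow-listed
            # peers, blocked vector), otherwise it stays flagged as unmitigated.
            if f.compensating_controls:
                status, note = "exception", "; ".join(f.compensating_controls)
            else:
                status, note = "unmitigated", "unpatchable with no compensating control"
        elif now > due:
            status, note = "overdue", f"{(now - due).days} day(s) past due"
        else:
            status, note = "open", f"due in {(due - now).days} day(s)"
        decisions.append(Decision(f.finding_id, f.host, sla_name, due, status, note))
    return decisions


def report(decisions: List[Decision]) -> str:
    """One line per decision, ready to paste into a ticket or a weekly summary."""
    return "\n".join(
        f"{d.status:<11} {d.sla:<4} {d.host:<14} {d.finding_id:<10} due {d.due:%Y-%m-%d}  {d.note}"
        for d in decisions
    )


# Constructed sample findings; hosts, ids and dates are made up.
SAMPLE_NOW = datetime(2017, 10, 20, 9, 0)
SAMPLE_FINDINGS = [
    Finding("FIND-0001", "file-srv-01", 9.8, datetime(2017, 10, 12)),            # high, past 72h
    Finding("FIND-0002", "wks-marketing", 7.5, datetime(2017, 10, 19, 8, 0)),     # high, clock running
    Finding("FIND-0003", "wks-reception", 5.3, datetime(2017, 10, 1)),            # on the 30-day cycle
    Finding("FIND-0004", "mri-console", 9.0, datetime(2016, 3, 1), patchable=False,
            compensating_controls=["isolated VLAN", "allow-list to imaging relay only"]),
    Finding("FIND-0005", "lab-xp-box", 8.1, datetime(2016, 6, 1), patchable=False),
]

if __name__ == "__main__":
    print(report(triage(SAMPLE_FINDINGS, SAMPLE_NOW)))
```

Run it and the two unpatchable hosts come out differently: the MRI console with its documented isolation is an accepted exception, while the lab XP box with nothing on record stays "unmitigated" at the top of the list next to the overdue 9.8, which is exactly the "don't just walk away from it" point in the talk.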
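The second thing the talk describes in enough detail to show in code is what happens on the receiving end of a report button: several users reporting the same lure within a short window means a campaign is running, at which point you warn everyone or pull the message, and you may want a defanged copy to send around. The following is an added example written for this transcript, not the speaker's or KnowBe4's code, and it does not model their product's report format. The report field names, the "three distinct reporters in 60 minutes" rule, and all senders, subjects, users and times are constructed assumptions.

```python
"""Correlating one-click phish reports into campaign alerts (added example, not
the speaker's or KnowBe4's code). Groups reports by a normalised lure (sender
domain plus subject with tracking noise removed), flags a lure once enough
distinct users report it inside a sliding window, and defangs URLs so a sample
can be mailed to staff safely. Field names, thresholds and data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed policy: three distinct reporters of one lure within 60 minutes.
MIN_REPORTERS = 3
WINDOW = timedelta(minutes=60)

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def lure_key(sender: str, subject: str) -> Tuple[str, str]:
    """Normalise the parts of a lure that attackers tend to keep constant:
    the sender domain and the subject minus RE:/FW: prefixes and digits
    (order numbers, ticket ids, amounts) that vary per recipient."""
    domain = sender.rsplit("@", 1)[-1].lower()
    subj = subject.lower()
    subj = re.sub(r"^(re|fw|fwd)\s*:\s*", "", subj)
    subj = re.sub(r"\d+", "#", subj)
    subj = re.sub(r"\s+", " ", subj).strip()
    return domain, subj


def find_campaigns(reports: List[dict]) -> List[dict]:
    """Return one alert per lure that MIN_REPORTERS distinct users reported
    inside any WINDOW-long sliding window. Each report is a dict with the
    constructed keys 'reporter', 'received', 'sender' and 'subject'."""
    by_lure: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for r in reports:
        by_lure[lure_key(r["sender"], r["subject"])].append(r)

    campaigns = []
    for key, items in by_lure.items():
        items.sort(key=lambda r: r["received"])
        for i, first in enumerate(items):
            in_window = [r for r in items[i:] if r["received"] - first["received"] <= WINDOW]
            reporters = {r["reporter"] for r in in_window}   # same user twice counts once
            if len(reporters) >= MIN_REPORTERS:
                campaigns.append({
                    "sender_domain": key[0],
                    "subject_pattern": key[1],
                    "reporters": sorted(reporters),
                    "first_seen": in_window[0]["received"],
                    "last_seen": in_window[-1]["received"],
                })
                break   # one alert per lure is enough
    return campaigns


def defang(text: str) -> str:
    """Neutralise URLs (http -> hxxp, . -> [.]) so a sample lure can be
    forwarded to users or a ticket without leaving a clickable link."""
    return URL_RE.sub(lambda m: m.group(0).replace("http", "hxxp", 1).replace(".", "[.]"), text)


# Constructed reports; names, addresses, subjects and times are made up.
T0 = datetime(2017, 10, 20, 10, 0)
SAMPLE_REPORTS = [
    {"reporter": "alice", "received": T0,
     "sender": "rewards@giftcard-example.test",
     "subject": "Your $100 Amazon gift card 48213 is waiting"},
    {"reporter": "bob", "received": T0 + timedelta(minutes=12),
     "sender": "promo@giftcard-example.test",
     "subject": "RE: Your $100 Amazon gift card 77110 is waiting"},
    {"reporter": "carol", "received": T0 + timedelta(minutes=41),
     "sender": "rewards@giftcard-example.test",
     "subject": "Your $50 Amazon gift card 10004 is waiting"},
    {"reporter": "alice", "received": T0 + timedelta(minutes=45),   # duplicate reporter
     "sender": "rewards@giftcard-example.test",
     "subject": "Your $100 Amazon gift card 48213 is waiting"},
    {"reporter": "dave", "received": T0 + timedelta(hours=3),         # lone report, no alert
     "sender": "it-helpdesk@internal-example.test",
     "subject": "Password expiry notice"},
]

if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_REPORTS):
        print(f"CAMPAIGN {c['sender_domain']} / {c['subject_pattern']!r} "
              f"reported by {', '.join(c['reporters'])} between {c['first_seen']:%H:%M} and {c['last_seen']:%H:%M}")
    print(defang("Claim here: http://giftcard-example.test/claim?id=48213"))
```

The normalisation is the part worth tuning on real traffic: the gift-card lure above comes from two sender addresses with three different amounts and order numbers, and still collapses into one campaign, while the single helpdesk report stays a single report for a human to look at.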