
How to Build an Effective Phishing Program

BSides Augusta · 2025 · 24:47 · Published 2025-10
About this talk
Phishing attacks remain one of the most pervasive and successful tactics used by cybercriminals to get into organizations. But how do you create a phishing awareness program that goes beyond checking boxes and truly changes behavior? In this presentation, we’ll dive into the art and science of building an engaging, effective phishing program that empowers your workforce to recognize and respond to threats. This session will blend actionable strategies with real-world stories, including insights from several years of crafting phishing simulations. You’ll discover how to design realistic campaigns, analyze results, and tailor training to address gaps—all while keeping employees motivated and engaged. Learn how to educate without alienating and evolve your program to ever-changing phishing tactics. Whether you’re just starting your phishing awareness journey or looking to enhance an existing program, this presentation will equip you with the tools, best practices, and memorable anecdotes to hook your employees’ attention and build a better culture of security.
Transcript [en]

So my name is Timothy De Block. For, let's see, a lockpicking set here: can anyone name the podcast I run? >> No. >> Nope. I mean, you guys have phones. You can cheat if you want. Anyone? All right, just shout it out whenever you get it, because I'm going to go ahead and get started. >> Who said that? You did. All right. Yeah. Block for the gentleman in the back with the... >> Yep. All right. So yeah, I run a podcast on information security. I don't do a "who is / about me" slide. And I have two slides I need to move. So, let's see. Yeah, there we go. All right.

So here's what we're going to talk about. You're at the How to Build an Effective Phishing Program talk. If you're wondering why there's a Big Bang Theory meme: I called this presentation "Timothy De Block Presents Fun with Phishes." That did not get picked up at many conferences, so I kind of changed the name. So we're going to talk about why this presentation, the phishing problem, how to build an effective phishing program, metrics, resources, all within a 20-minute period. So buckle up.

So why this presentation? I'm also reading without notes; I'm kind of riffing a little bit here. If you read the Verizon DBIR report, which I always recommend reading every year: 60% of breaches involve the human element. That has actually changed from previous years because they changed around how they calculate that statistic. But 60% involve humans, right? I have started saying that the security technology has gotten so much better that we are now actually having to focus on the human element of things. Security tooling has gotten so good, but humans are still kind of the same way, right? They can be manipulated. And if you ask me what's the easiest way in, I'm just going to send a phishing email, and even, you know, credentials, things like that. That's how a lot of these attackers are getting into these organizations. So that's why we build these phishing programs, we build security awareness. Security awareness is going to become more of a thing, because in all these breaches the recommendation is "do more security awareness training." And a lot of security awareness training, in my view, people just kind of go out there, right? Kind of a check-the-box type of thing that people put in their organizations. A lot of people in cybersecurity are very technical. They don't want to deal with humans. They don't want to interact with them.

So that's why there's this phishing problem: because we don't want to do it. We keep kind of kicking it down the road. And anyone can get phished. I've gotten myself phished, and I run phishing programs, right? The time I got phished was in December. We sent out a package phish, which is pretty typical. We send it out over several weeks, or a few weeks, during the month. So we don't send them all at once; we typically send them throughout the month. What I did was, it was December 20th, 8:45 a.m. Caffeine had kicked in. I was multitasking. I was expecting a package, and then I clicked on my own approved simulated phish. So if I can get myself, you can get anyone. And I've gotten CISOs, I've gotten executives, I've gotten half of IT, I've gotten half of security. With the right timing, lure, scenario, you can get anyone to click, right?

And there's a story from earlier this year. As a matter of fact, Troy Hunt actually has a blog post about how he got phished. Same kind of scenario. He was coming off of a long flight. He was tired. It was a Mailchimp phish where they pretty much were able to get him to give up his credentials. They got in, automatically downloaded his mailing list, and now everybody on Have I Been Pwned, you know, that was in the mailing list, got compromised. If you don't know who Troy Hunt is, he was in application security; he's also the creator of Have I Been Pwned. So he's very familiar with cybersecurity and how these attackers are getting in. But again, with the right scenario, right timing, right stress levels, anyone can fall for a simulated phish. How I got half the IT security team was I sent out a food phish, right? People love their food; they will click on free food.

So again, why do people fail phishing? And again, I think it's because we have this security awareness checkbox type of mindset around stuff. So we need to really focus on trying to change how we're doing some of this stuff. And I'm just focusing on phishing here, security awareness in itself. I am a year and a half into my role as a senior specialist for security awareness. In the past, I've done just about everything else within cybersecurity. It's a very different environment. There's a lot of marketing. There's a lot of psychology. Not expecting everybody here to do that. But it's usually a side gig for a lot of people. It was a side gig for me. That's why I kind of jumped into the field, because I really enjoyed doing the presentations and talking to people and getting involved. And humans are the most complex systems on this planet, right? Computers, at the end of the day, they're ones and zeros, but humans are the most complex, and each one's different. So how do you get human behavior change? And that's what we really need to be focused on when we're talking about phishing. Because, like I said, anybody can be manipulated and do something that they weren't expected to be doing.

So how do you build an actual effective phishing program? First thing you need: leadership buy-in. And this is from the very top. The higher up you can get, the more freedom you're going to have to be able to build this phishing program and make it as effective as possible. There is some caveat to that, because I have been given free rein at every phishing program I have. They say anything's on the table. They understand how attackers work. And so CIOs, CEOs have told me directly, "Yeah, you can phish. Anything's on the table." But not everything's on the table. There are certain ethical safeguards you need to have or to consider, because you can get yourself in trouble. I usually stay away from sex, religion, politics, other sensitive topics. During the pandemic, we actually shut down our phishing program for several months. I work in healthcare, and we didn't want to add on to the frustration or stress of these healthcare providers as they're trying to get through a pandemic. So you want to take that into consideration.

Another example, I don't know if anybody remembers this: GoDaddy, during 2020, sent out a phishing email right around Christmas offering a $650 bonus, right? And who's not going to click on something for a free $650 from the company? Instead, they were told they failed a simulated phish and they were assigned training instead, right? These topics tend to get people fired up. And so while yes, a CEO says anything's on the table, not everything's on the table, because if the company has lashback or makes the news, for example, this security team probably had their phishing program crippled, and people could have potentially been fired as well. So not everything's on the table, and just because an attacker could do it doesn't mean that they're actually going to do it and you're actually being targeted with that.

Another example is at UC Santa Cruz: they had to apologize for sending out a false alert about the Ebola virus. They said someone just came back from South Africa and had Ebola. It started a whole thing on campus, got the security team in trouble. Clearly also made its way into the local news. So again, you have to be very careful about what you're doing with some of these simulated phishes. And again, just because an attacker could do it doesn't necessarily mean that you should do it. And we've even had cases where we pulled back on some of this stuff.

This is also where leadership support comes in, because even if you send in a good phish, people are still going to push back. Again, working in healthcare, there's a lot of egos. I've been told how much people make and that this is not worth their time. And so my response, if someone says that to me, "Hey, I need to be excluded from these phishing simulations because I need to be able to provide care," things like that, I've always said, "Hey, the CEO says that this is a top priority. We don't have an exclusion list, but I'll send your name up to him to see if we want to create an exclusion list just for you and other people." That usually stops people from pushing back, but you're still going to get pushback from people. And again, we don't want people to feel bad about the simulated phishes.

So we need to set our goals and objectives. What do you want out of a phishing program? For me, it's behavior change. I want people reporting, right? I want them to let me know when something happens, because we can deal with something now versus three months down the road when we've got a full-blown incident that we have to actually respond to. So those are usually my goals and objectives. You really need to decide what yours are. I would recommend reporting is the big one that you want to do. Report, report, because if we get reported on, one, things that we're being targeted with, or two, "I clicked on something," then that's the behavior change we want people to have within the organization.

So how do you position that? You talk about practice. You want to position this and communicate this. I communicate out, "Hey, we're practicing," right? And in the healthcare industry, when I'm sending out simulated phishes, I'm telling them that they are getting exposed, like a vaccine would, to that kind of stuff so you can respond better to it. And that's the behavior change you want: again, I want people to report it.

So, and this is kind of the big reveal of this talk: use what's out there. You see malicious phishes coming in; use those. And a lot of these security awareness platforms can actually flip the malicious phishes you're seeing and send them out. And that also then gives you an opportunity, when someone pushes back, to go, "Hey, we're being targeted with this stuff. We saw this target this many people." And usually people are understanding. I've run into like one person so far that hasn't been; they're like, "It's entrapment," blah blah. Clearly they don't get it. Maybe need to go have a conversation with HR about their employment at the company, right? That they might be a high risk. But if you use what's out there, you don't have to think about this month's phish. You don't have to think, "Oh, should we do a coupon phish? Should we do a package?" You can kind of just flip what you have out there. And ideally, I haven't even gotten there yet, but ideally, anytime you have something new malicious come in that you're seeing, you can just flip that and send that out almost immediately to your organization. Now, what's holding me back is I have a policy that says anywhere from one to four clicks, you'll get in trouble, right? You get written up for one; two, we're talking to you and your manager; three, we're going to talk to HR; four might be termination, right? So I've got to work on changing policies internally before I can send out stuff on a more regular basis. But that would be the ideal thing, because again, the phishing program shouldn't be a gotcha program. And that's how I see a lot of security teams feel. It does feel good to get as many people to click on stuff as you like. I usually reserve that for trying to get the security team to click on stuff. I will tell you too, they don't like it when I do that. But they also like to talk a lot of crap in the office about the fact of "Haha, you're never going to get me," things like that, right? And again, like I said, I've seen the scenarios where you can just get about anyone. When I got half of IT, we were a little bit more aggressive; we sent like an internal email, and I had two senior executives walk up to me and say, "I've never fallen for a phish until now." So again, you can still tick off some people internally, but if you have that relationship, you let them know. Hey, the security team, again, I am a little bit more aggressive with them. I take that as like a gotcha program. But for the general population, to me, it's about practice. It's about getting them exposed to the things that they're actually being targeted with. And we know attackers are changing their techniques, right? So you can just change some of the techniques. And we'll walk through an actual malicious phish that I was able to flip back around.

Another thing to consider, too, from the ethical standards: don't send stuff that's going to be internal. So if you have internal communications, you don't need to muddy the waters with marketing. You're not going to make a lot of friends there. You don't want to send anything that you would consider internal that shouldn't be on the outside. Yes, it can get leaked out there, yada yada yada. But don't muddy the waters with internal communications. I see stuff reported all the time, but I've said I'm not going to send something from marketing. Stay away from things like open enrollment, which is probably going on right now. I've had two people come up to me, and I said, "No, we're not doing an open enrollment phish." Yes, we'd probably get a lot of people, but it's not what I'm seeing the attackers do. Now, this past year in January we had an HR survey phish, like an actual malicious phish, come in. We did flip that around, and that also still got people fired up, but because we were seeing it, we were able to point back to that. And it wasn't anything close to what we send out for communications internally. So that's why we sent that out. But a lot of people still got fired up, because they were expecting to click a link where they could vent their frustrations to HR and the company would listen. So again, context with all this stuff is very important.

So this is an actual DocuSign phish. I'm sure a lot of you, if you've worked in the field doing incident response or phishing, actual phishing emails, this is a phish. This is why click rate is not as important these days as it was several years ago: a lot of attackers have shifted to using third-party platforms. So the click rate doesn't matter. Someone clicking on it didn't get them in trouble. What got them in trouble is going to this document, where that is an actual malicious link, clicking on that. But even then, it's not malware. I don't see a lot of malware nowadays in email. There are still some out there, but it's mostly credential harvesting, as we'll see here in a moment. So you click on that link, you get this fun little cloud shot from Cloudflare. Really crappy design. It's a "Microsoft loading" page. You see we're still on Cloudflare storage.com. Get the login page there, and that's where you sign in, right? This is where they're harvesting credentials from these people. Put your username in, try signing in, and it doesn't do anything. It'll either fail or go to some fake document, things like that. So what I do with these simulated phishes now is I will send out the DocuSign phish. I'll flip it around, have them click on the link, and then I give them a login credential page. So I don't actually fail them on the clicks. Now I'm failing them on: are they actually putting the data in? And then we assign training. So again, I'm using what's out there. I'm using the same thing. I've looked at trying to add like a CAPTCHA to then do a login page, but we're kind of not there with the simulated phishing platforms. I'm hoping we get there at some point, because again, this is all about practice and giving people an opportunity to see what's out there, what they are being targeted with, because I want them to practice on what I have versus them actually falling for a malicious email.

Couple other things to avoid. If you're going to use a third-party vendor internally, be mindful that they might go to that third-party vendor, which I've had happen before. They went to the third-party vendor and said, "You've been hacked. You're sending us phishing emails," right? And I was like, "Whoa, whoa, no, that was our simulated phish." But this flared up. It didn't get me in a lot of trouble, but it can flare up stuff internally. So be mindful of that. Again, I also slow roll throughout the month, typically. So I don't send it all at once, because if you send it all at once, some people don't even hit the report button. They send it to the service desk, they email people, the SOC might see a huge influx. So I typically slow roll it. A lot of people don't like doing that, because they're like, "Well, then they're going to tell each other about it." I'm going, that's what I want. I want them to let each other know that there's a phish out there, whether it's simulated or malicious or not.

>> I didn't quite understand when you're talking about a third party. Is that a vendor or something happening there?

>> Correct. Yeah. So the question was the third-party vendor. So we use a lot of third parties internally. You might send like a Salesforce, because of the recent one, or some other stuff. If the person that gets phished with it, if they have a relationship with the vendor, they could then go out to the vendor instead of reporting the phish or coming and talking to us first. They might go to the vendor and go, "You've been hacked, because this is an actual phish," right? And a lot of people are really good at identifying some of this stuff. So they wouldn't follow it all the way through and see that, hey, this is the "you failed a phish" page, right? Or "you clicked on a phish." They're not going to see that. They might just identify it quickly and go, "Hey, you guys have been hacked and you're sending us malicious phishes." Does that make sense?

>> Okay, cool. Thank you.

>> Thank you for the question. Feel free to interrupt me, too. Here, actually, I'm going to give you this because you asked the question. USB adapter router. Hey, you're welcome. Good question. I'm not going to have questions at the end. So I am around; if you have any questions, feel free to come up and talk to me. Yeah, so I want people to actually talk to each other, because I've had actual people reach out to me going, "Hey, I see your simulated phish." And I go, "That's not mine. Please report that. That's an actual malicious phish." Right? So that's a behavior. And again, that's my goal and objective: to do behavior change within the organization. That's how we get them to get better.

So, metrics. Again, metrics, like I've mentioned already: stop worrying about the click rates. It's volatile month to month because they're using third-party platforms. People shouldn't necessarily be dinged, because DocuSign is something they have to go to to look at agreements, right? So the click rate, I will use it for difficulty. So I will use it over a time period, usually three to six months. If I see a click rate going down, we will increase the difficulty of our phishes, right? And if you're just starting a program, you want to start at level one, and level one is like you leave a lot of indicators in there that would say this is an actual simulated phish. And then as the organization gets better at spotting this stuff, reporting it, not clicking on stuff, you can kind of take away some of those indicators that would indicate a phish. What I focus on, though, like I mentioned: so I do still track click rate, but I use it more for a difficulty thing than an actual "you're the risk of a person." Because some months, too, a click can be higher than you expect or lower than you expect. So it's very volatile. That's why I do it over three to six months, because usually that's a good baseline, and I've seen some consistency across those longer periods. So these metrics again are how I kind of carve up people within the organization. This is from Chris Hadnagy's book, Phishing Dark Waters. So you carve people up into clicked and reported, clicked and not reported, no click and reported, and no click and not reported.

And the two you want to focus on are the reported people, right? The no click and reported, those are kind of the people that are spotting this stuff. Your clicked and reported is going to be probably about 2% of the population, which means they're not reporting. And so that's another thing we want people to do. We want people to be accountable. Like I said, if they clicked on something, we want to know about it. So if they clicked on even a simulated phish, and this is something you have to communicate out to the organization, make sure that you let people know: this is practice. This is us exposing you. We want you to, if you click on something, go ahead and report it as well. You could potentially build that into the policy, right? Every month we give out a raffle to people for reporting a phish. So that motivates people: even if they clicked on it, if they've actually reported it as well, they can be entered into the raffle. You could potentially build some policy around it. You know, I've seen people clicking on everything, but they're also reporting everything. We don't want the person clicking on it. But sometimes, especially in healthcare where we're intaking people, they have to click on absolutely everything. Again, if it's a credentials thing, maybe a different story, but even if they're still reporting it, that means they are reporting it. They would let us know if there's some actual issue going on.

Resources. This is if you don't have an actual enterprise platform; these are some open-source phishing tools. Do not phish other organizations. You're not supposed to. Don't phish your own organization if you're not allowed to. But these are things I just like to pull out, as you know, if you need something at a company you're working at, like a small company, you might need some of that stuff. Let some people take some pictures. Good. All right.

And then another thing I like to recommend is doing some sort of threat intelligence. This is not like your hardcore threat intelligence where you're doing security research. This is just paying attention to what's going on out there. These are some of my RSS feeds, whether or not I'm using these products in organizations. The first two are the blog posts from Proofpoint, which is an email gateway, and Palo Alto Networks. I think they have some really good research, and they provide a lot of really good things on actual malicious phishes you're seeing out there targeting certain sectors of industries. And some months, you know, we've actually seen a decrease in malicious phishes because the attackers are all at the Black Sea on vacation, right? So we see a lower volume usually around like August, September, and so at that point we might look at what some of these threat reports are telling us. So I did this this past August, where we did an Adobe Sign phish. We hadn't seen any, but I went ahead and did one. We saw one two weeks later. So these threat reports can help you get ahead of some of these actual malicious phishes. And again, it was good to expose our population to that. And then Risky.biz. That is the podcast I listen to when I ride into work, and it just helps me keep a thumb on the pulse of what's going on within the entire industry, right? And they also have newsletters and other stuff.

So key takeaways: phishing is a people problem. No one is immune to it. Build a program that encourages behavior change. Like, what do you want them to do? Report, things like that. Flip the malicious phishes you're being targeted with for practice. That's probably my best piece of advice: do that. Then you don't have to think about what you're doing each month. You can just use what's out there. Report rate is the most important metric. This is something I've communicated up to my leadership as well, and it took a little bit to kind of get them away from click rate and more focused on report rate. And then phishing will continue to evolve. So that's it. I don't have time for questions. You can come hit me up afterwards. Explore.com is my website. I have a podcast that I run, blogs, and then I'm working on a community right now. So, with that, thank you.
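The metrics bookkeeping the talk describes, as an added example that is not code from the speaker or from any awareness platform: each campaign's population is carved into the four Phishing Dark Waters quadrants, report rate is the headline number, credential entry is scored separately from the click, and click rate is only averaged over a multi-month window to decide when to raise lure difficulty. The user names and the monthly result table are constructed for the example.

```python
"""Quadrant metrics for a simulated-phishing program (constructed example;
not the talk's or any vendor platform's code)."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Result:
    user: str
    campaign: str          # one campaign per month here, e.g. "2025-01"
    clicked: bool
    submitted_creds: bool  # entered credentials on the landing page
    reported: bool

QUADRANTS = ("clicked+reported", "clicked+not reported",
             "no click+reported", "no click+not reported")

# Constructed results, one code per user per month:
#   c = clicked, s = clicked and submitted credentials, r = reported,
#   - = ignored; codes combine, e.g. "sr" = submitted creds and reported.
CONSTRUCTED = {
    "2025-01": "c  c  cr r  -  -  s  -",
    "2025-02": "c  cr -  r  -  s  -  -",
    "2025-03": "c  -  cr r  -  -  r  s",
    "2025-04": "-  cr -  r  r  -  -  c",
    "2025-05": "-  r  -  r  -  sr -  -",
    "2025-06": "c  r  r  -  r  -  -  -",
}
CAMPAIGNS = sorted(CONSTRUCTED)

def load(table=CONSTRUCTED):
    """Expand the code table into Result records (user0..user7 per month)."""
    out = []
    for campaign, codes in table.items():
        for i, code in enumerate(codes.split()):
            out.append(Result(f"user{i}", campaign,
                              clicked="c" in code or "s" in code,
                              submitted_creds="s" in code,
                              reported="r" in code))
    return out

def quadrant(r):
    """Phishing Dark Waters quadrant for one user's result."""
    if r.clicked:
        return "clicked+reported" if r.reported else "clicked+not reported"
    return "no click+reported" if r.reported else "no click+not reported"

def campaign_metrics(results, campaign):
    """Report rate is the headline; credential entry is scored apart from
    clicks because third-party lures make the click itself a poor signal."""
    rows = [r for r in results if r.campaign == campaign]
    n = len(rows)
    counts = Counter(quadrant(r) for r in rows)
    return {
        "population": n,
        "click_rate": sum(r.clicked for r in rows) / n,
        "credential_rate": sum(r.submitted_creds for r in rows) / n,
        "report_rate": sum(r.reported for r in rows) / n,
        "quadrants": {q: counts.get(q, 0) for q in QUADRANTS},
    }

def clicked_not_reported(results, campaign):
    """Follow-up list: users who clicked but never hit the report button."""
    return sorted(r.user for r in results
                  if r.campaign == campaign and r.clicked and not r.reported)

def difficulty_recommendation(results, campaigns, current_level, window=3):
    """Use click rate only as a difficulty dial: compare the mean over the
    latest `window` campaigns with the `window` before; step up on a drop."""
    if len(campaigns) < 2 * window:
        return current_level, "not enough history yet"
    rates = [campaign_metrics(results, c)["click_rate"] for c in campaigns]
    earlier, recent = mean(rates[-2 * window:-window]), mean(rates[-window:])
    note = f"click rate {earlier:.0%} -> {recent:.0%}"
    return (current_level + 1, note) if recent < earlier else (current_level, note)

if __name__ == "__main__":
    results = load()
    for c in CAMPAIGNS:
        m = campaign_metrics(results, c)
        print(c, f"report {m['report_rate']:.0%}", m["quadrants"])
    print("difficulty:", difficulty_recommendation(results, CAMPAIGNS, 1))
```

With the constructed table, click rate falls from 42% to 17% across the two three-month windows while report rate climbs, so the dial steps from level 1 to 2.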