
Hi, how's everyone? Has the conference been good? Awesome. Today Rob and I will be talking about social engineering. We'll be doing kind of a share: we'll be talking about the psychological aspect of social engineering, why we're so terrible at defending against it, and some of the techniques that we can use. Rob will be talking about... Yeah, I want to talk about some experiences that we had during social engineering engagements that really inspired this talk, because we got the notion that quite a few organizations were just giving up. They didn't really want to do social engineering engagements because they're like, well, we know that someone can get in, we're going to focus all our resources elsewhere and just kind of ignore the fact that we know someone in an organization could be coerced into running a malicious payload or could be tricked into giving their password to someone.

But before we get into that, I actually wanted to ask: who here has performed social engineering assessments before? Okay, a few people. Who's been a victim of social engineering? Are you sure? Who has a concern that their organization may be, or may have already been, a victim of social engineering attacks? Okay, almost everyone. Yeah.

So the inspiration for this came from some of those experiences, but also, while I was in the shower listening to the Foo Fighters, I heard this lyric and I thought about "The Pretender", which made me think of social engineers, and also the "never surrender". That's really where the inspiration for this came from, because so many organizations really were giving us the feedback that they had given up and didn't really know what to do to protect themselves against social engineering. The other aspect of this was having the pleasure and opportunity to work with one of the best social engineering talents in the industry, which is Christina, so I wanted to team up with her and put this together.

So just some short introductions. I'm Christina. I'm actually from Australia; I moved to San Francisco a month ago. Upon entering Pittsburgh I saw my first white-tailed deer and my first lightning bugs, all yesterday, which has been a new experience for me. I've participated in the DEF CON social engineering CTF three years in a row, and I've won the high-scoring report for two of those. I wanted to mention that she's basically going for as many rings as the Steelers, but with DEF CON CTF challenges. We'll tell you later. Sorry, what was I going to say next? I work as a pen tester, and social engineering has been an interest of mine for many years, at Bishop Fox. Yeah, we both work at an organization called Bishop Fox that helps organizations secure their applications, networks and data.

My name is Rob. I am a Pittsburgher; I was born and raised here. I live in Atlanta now, but I really started my hobby, and then eventually my profession, with security right here at PA 2600 meetings over at the Pitt Student Union about 12 years ago. There's actually some familiar faces here, and I don't know if it's from other conferences or from Pittsburgh security stuff or just my curse of a photographic memory, but come ask me my IRC handle on, like, the PLPI 2600 and some other channels; maybe we know each other. Cool.

So let's get into it, let's get our hands dirty. As always, I'll start with a definition of social engineering for anyone that doesn't know.
This definition is taken from social-engineer.org, and it is defined as the act of manipulating people into performing actions or divulging confidential information. I like to think of social engineering as a blend of science, psychology and art. It taps into basic human emotions, and it looks at why we react the way that we do. When I talk about social engineers, I like to explain them as people that study people. Truly committed social engineers will study a lot about body language, voice control, vocal indicators and group dynamics. It's also a study of introverted individual personality types that come out through body language and vocal cues. A more simple definition of social engineering would be an exploitation of trust: it's someone who can leverage the trust of their victim to gain access to sensitive information or resources, or to elicit information about those resources. The use of social engineering is successful because it preys not on technology but on the inherent weakness of the human component, and this is done by manipulating the human victim with messages that can exploit your trust, pique your interests and desires, and evoke a strong range of human emotions such as fear, anxiety, trust, human interest and reward. But to make this very, very simple: we are professional liars. Social engineers are people that can lie and get something... Yeah, I was especially going to say that; being charming is another way that you can put it, and that's not really a compliment. If someone calls you charming, the true definition of that is actually very sly and sneaky. Not like you, Rob.

People are vulnerable, people are lazy, people want to be helpful and people want to be [needed], making people an especially enticing target. As a really simple example of this, we can spend hours, weeks or months trying to brute-force our way to a password, when a phone call with the right pretext and the right questions can get you the same information or more in a matter of minutes. And that's exactly it: social engineering is the path of least resistance, it's the low-hanging fruit. So utilizing techniques such as planning the right pretext (sorry, a pretext is like creating and using a contrived scenario), exploiting someone's trust and appealing to someone's emotions often results in obtaining the same piece of information. It's almost unbelievable what you can achieve by simply posing as or looking like someone else.

This is something that we're both very passionate about. I think that, as an organization... how many people in here are information security professionals? Okay, that's what I thought; just wanted to make sure. I was recently on a panel at Interop out in Las Vegas, and the first person that kind of kicked off the conversation said users are our biggest
problem; if we could just get rid of the users, we'd have no more problems. And I just leaned in and I was like, I disagree. I think that that's really deferring the blame, and we as security professionals, it's our job to help. I don't even like calling them users; they're people. It's kind of even demeaning calling them users. Adrienne Porter Felt, she's the head of user security for Chrome, and so she has to deal with a lot of folks that don't really care what SSL is. They have no idea, no inclination, no motivation to understand SSL warnings or even what that acronym means. So it's our job as security professionals to help the firefighters and the babysitters and the grandmothers of the world know that they can use the internet and still be safe. Striking that balance between usability and security is, I think, one of the biggest challenges, but I would like to stop having the notion that users are our biggest problem and just start coming up with some technical controls and some changes to our policies and our processes and how we interact with people to address the issue.

Continuing on from Rob's point: controlling humans is difficult because it's beyond technological control and absolutely subject to human nature, and because we can't put controls on the way each individual thinks, making this a very, very challenging aspect of security to handle. Again, to keep this simple: people are the root of all evil, and we are the reason for all security issues, and this is because there is no patch for human stupidity. How long do I wait for everyone to read the comic? Most people have probably seen this before. In your head, this is where I go take a drink. When you combine people with technology, you will encounter problems. Humans are unreliable. Technical systems, when we think about technical systems, they're reviewed, they're scanned, they're penetration... they're pen tested, sorry, I don't like saying penetration tested. But how about people? How do we measure vulnerabilities in people? And the answer is we don't, at least we don't do it effectively. We like to make people feel shameful, we like to pass blame, we like to ignore the problem while not doing anything to really help the situation. On this note, I actually had a client tell me, well, a couple of clients tell me once, that they did not want to do a social engineering test simply because they knew that they would be vulnerable, and this is absolutely not the right attitude to have.

And when I thought about why the client reacted this way, I thought, well, we don't like to do this testing because it makes us feel vulnerable, and we don't like to feel vulnerable. When you combine people with technology you get this big blob of mess, and the fact that people are really unreliable means that we need to come up with a whole new approach. I think there's a lot of technical controls that are underutilized. Going back to the shaming and blaming approach, I've heard so many clients where that's their mindset going into solving this problem, and it doesn't work. I've seen it tried
over and over again. So it becomes our job to try to convince them to take another route, and to really assess what their goals are and then really ask themselves: is shaming and blaming your employees or your co-workers going to help the situation? So what Rob is saying is people are unreliable, and we can't rely on just the human aspect to fix this problem, and this is because, again, people fall victim to basic psychological and physical needs, and people can be easily manipulated and persuaded. I like to give the example of the Cialdini six, which are six useful frames when it comes to social engineering, and these affect your persuasion. Those can be broken down into: authority, so we tend to be influenced by authority positions; liking, we're influenced by those that we like; social proof, we look to others to determine good behavior; scarcity, our value is tied to our availability; reciprocation, so we feel like we have an obligation to return what other people provide, just like favors; commitment and... sorry, I missed scarcity. Did I say... I did say scarcity. Social proof is the one I missed? All right, sorry, I'll just go to the last one: commitment and consistency, so we are pressured to remain consistent with prior engagements. I did okay? I can't count. She also stayed up all night working on these slides and didn't sleep.
So shh, I spent all week working on these, I did not leave it to the last minute. So let me tell you a story. This is one of my favorite stories. At my previous job, on an engagement, I had posed as an internal employee for a law enforcement agency, and I did some reconnaissance on the person I chose as my target. After doing some research I found that she was on holidays in Hawaii; I found this on her Facebook. From this information I crafted a pretext on the information that I knew, and that is that she came back early from her holiday. Building a pretext... sorry, tell them what a pretext is. A pretext, I think I mentioned it before, but a pretext is like crafting a scenario that you are going to follow when you do a social engineering engagement. So in this sense, the pretext that I created for this scenario was that I came back early from her holiday to Hawaii and that I needed to urgently finish a report for my manager. That was the story that I created for this scenario, and from this story I had created a sense of urgency, and when you create that sense of urgency, they are naturally inclined to help.

From there, while I was on the phone impersonating this person, I managed to get a hold of the IT department, using the same sense of urgency and praising them for being so helpful. I said to the person on the phone, let's call him Rob: hey Rob, I really, really need to finish this report, but I know I've forgotten both my domain and my email passwords because I've been on holidays, I'm so, so sorry, can you please help me out? And what was most surprising is that I got exactly what I wanted, which was both passwords read to me over the phone, with absolutely no cross-checking that I was who I actually said I was, apart from me being the same gender as her. What was the most amusing is the guy said, "I'm not supposed to do this, but..." and gave me both passwords. He had also asked me what I wanted to set it to, and I said, oh Mike... I'm sorry, it's Rob... I've been on holidays and I'm still in holiday mode, can you please set it to something simple? And he said, okay, sure, I'll set it to password1, but I'll put a dollar sign in front just to make it a little bit more secure. Thank you, Rob.

But the point of this story is that this works because most people trust others by default and respond to social rewards well. Many people, especially customer service agents, help desk, receptionists and business assistants, or even secretaries, who were trained to assist people and not to question the validity of each request, tend to trust others and are naturally helpful. What about two-factor, right? Oh yeah, sorry, I forgot to mention that. Before I got my passwords read to me over the phone, he asked for my 2FA token. I put the phone down and I went into the background, I made lots of noise as if I was looking through my luggage for about two minutes, I came back to the phone and said, Rob, I've looked everywhere, I've turned my luggage inside out and I cannot find my two-factor authentication, 2FA, token. So they did have the right technical controls in place, but bypassing this through psychological means avoided all of that. Following on from that, I'd also like to mention the inherent trust that we put into social media. It was because she posted that she was on holidays on social media in the first place that I knew how to craft this pretext. Did you have a question? Yes. So this was back in Australia, when I worked in Australia, and she was Australian and I am Australian. Yeah. Oh,
sorry, still me. So let me show you how this worked, or a very simple attack model of this story I just told. So we really just need to... can you even see that? Not really. Gather the right information, develop a relationship with whoever your target is, be it through small talk or a common interest, exploit that trust and execute your attack. Now I can hand it over to Rob. Enough about the fluffy stuff; Rob is going to talk about what we're doing wrong.

Yeah, in that scenario it was nice that there was two-factor authentication, but the fact that there was no process to authenticate the person over the phone, and it was merely that Christina was able to create this sense of urgency to coerce the gentleman on the other line to give not only a new password to her but also a new 2FA token value, and then allow VPN access into a law enforcement agency. So let's go into what we're doing wrong. It really is almost everything. We have users watch training videos, they do e-learning modules, they tick boxes, and there's posters hanging up in the office. I think that helps folks feel good about themselves from a security awareness training perspective, but what we're seeing, as consultants that are hired to repeatedly perform these types of assessments, is that these techniques are not working at all, but organizations are still repeatedly putting more and more resources into these types of security awareness campaigns. I think the big takeaway that we hope you have after some of the things we'd like to show you next is that there are other things that we can spend our time and resources on besides more computer-based training and posters around the office saying don't trust Christina when she calls you.

So some of the things that I've noticed from the different organizations that we perform social engineering on is that they tend to fail with how they track their social engineering assessments, the frequency that they're doing security awareness training is also a concern, and the conditioning of the members of the organization. So let's get into a little bit more detail. Tracking: stop tracking clicks. The number of clicks that occur in a social engineering campaign, I haven't really seen that be as useful as folks would hope. Tracking by department is something that we've been asked to do as well, as if there's some type of statistical correlation between the number of people in the sales department that click versus the number of people in the executive board group or the people in marketing or the recruiting division. I don't know why a graph that shows that is helpful, because statistically the sample size was probably not big enough to make any type
of valuable correlation out of that. And we can say that we've done this enough times that it doesn't matter: we get senior network and system administrators to click on phishing scenarios, we get every type of employee, it doesn't matter, and all we need is one, in most cases, to compromise an internal network. In a lot of old social engineering engagements I've had in the past, I had a lot of clients come up to me and ask for people's names after an engagement. So if I had a pool of 20 people and six of them fell for the social engineering engagement, they'd come up to me and say, Christina, can you give me the names and departments of the people that fell for the social engineering engagement? And this is not the right attitude to have. You do not want to victimize anyone, you do not want to create a paranoid culture, and I always refused. On the phone I said, no, sorry, I will not hand over the names for the social engineering engagement, because you have to understand that this problem is on a company level, not an individual basis. You cannot pass blame onto people for these sorts of engagements all the time.

That's a good question, sir: have you been social engineered into giving those results? We have given those results to some clients where really it was a part of their motivation to address it on the personal level, but that again was an exercise where they spent time and resources on coaching an individual, when I guarantee you we can just pick 20 more people to target and we'll get half of them to click as well. And then what do you do? You just go talk to every single person and train them one by one, and try to make them terrified of everything that they do with computer resources on their job? What I would suggest instead, and I'm not just suggesting this because I think it's a good idea, I've seen it work: there's some organizations that are more mature, I would say, on how they're handling these issues, and we've had the fortunate perspective to see what works and what doesn't work. Tracking the successes has been tremendous for a couple of organizations that we work really closely with. What I mean by that is, rather than tracking the clicks or how many people were compromised, track the number of people that reported an incident, because our best hope in defending against these types of attacks is going to be our incident response plan that is specific to social engineering attacks. At that point, whenever you take the charts and graphs to the executives that are sponsoring the security budget, your chart's going to be going up, ideally, rather than going down, rather than trying to get the number of people that clicked to go down, which is going to fluctuate.

For example, one organization that we worked with was using a service like PhishMe that does teachable moments: you send out a big pool of emails, they click, and then it says, hey, this was actually phishing, here's some training on why you shouldn't have done what you just did, which is all fine and well. They were doing it every quarter for three years, with a varying number of emails that they sent, because with the PhishMe business model you have to pay per email that's sent. They started out with a few hundred, then ramped it up to a few thousand; eventually, on the last one that I reviewed with them, they sent an email to every member of the organization through this phishing campaign: eight thousand people at this organization. How many do you think still clicked after three years of quarterly training on this? Any guesses? A thousand. One-eighth still clicked. So there's a lot of time and resources... Sure. No. Oh,
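The tracking approach Rob recommends above, counting reports rather than clicks, as an added example that is not part of the talk: a small Python script that turns a constructed phishing-simulation event log into per-campaign click rate, report rate and time to first report, and checks whether the report line is the one going up quarter over quarter. The `Event` shape, the `make_campaign` helper and every figure except the 8,000-recipient / 1,000-click campaign quoted in the talk are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One recipient-level event from a phishing simulation (constructed shape)."""
    campaign: str      # e.g. "2015-Q4"
    user: str          # recipient identifier
    kind: str          # "sent", "clicked" or "reported"
    at: datetime


def make_campaign(name, start, n_sent, n_clicked, n_reported, n_both=0):
    """Build a constructed event log for one campaign (hypothetical data).

    n_both of the reporters are users who also clicked: someone who clicks and
    then reports is still a win for the incident response plan.
    """
    events = []
    reports_from = n_clicked - n_both        # first reporter index
    for i in range(n_sent):
        user = f"user{i}"
        events.append(Event(name, user, "sent", start))
        if i < n_clicked:
            events.append(Event(name, user, "clicked", start + timedelta(minutes=5 + i)))
        if reports_from <= i < reports_from + n_reported:
            events.append(Event(name, user, "reported", start + timedelta(minutes=3 + i)))
    return events


def campaign_metrics(events):
    """Per campaign: click rate, report rate and minutes until the first report."""
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e.campaign].append(e)
    metrics = {}
    for name, evs in by_campaign.items():
        sent = {e.user for e in evs if e.kind == "sent"}
        clicked = {e.user for e in evs if e.kind == "clicked"} & sent
        reported = {e.user for e in evs if e.kind == "reported"} & sent
        start = min(e.at for e in evs if e.kind == "sent")
        report_times = sorted(e.at for e in evs if e.kind == "reported" and e.user in sent)
        metrics[name] = {
            "sent": len(sent),
            "clicked": len(clicked),
            "reported": len(reported),
            "click_rate": len(clicked) / len(sent),
            "report_rate": len(reported) / len(sent),
            "clicked_then_reported": len(clicked & reported),
            # how quickly the security team could have started responding
            "minutes_to_first_report": (
                (report_times[0] - start).total_seconds() / 60 if report_times else None
            ),
        }
    return metrics


def report_rate_trend(metrics):
    """Campaigns in order, their report rates, and whether the rate rose every time.

    This is the chart the talk suggests taking to the budget sponsors: the
    line you want going up is reports, not clicks going down.
    """
    names = sorted(metrics)
    rates = [metrics[n]["report_rate"] for n in names]
    improving = all(later > earlier for earlier, later in zip(rates, rates[1:]))
    return names, rates, improving


# Constructed sample: three quarterly campaigns. The last one mirrors the
# numbers quoted in the talk: 8,000 recipients, 1,000 (one eighth) still clicked.
SAMPLE_EVENTS = (
    make_campaign("2015-Q2", datetime(2015, 4, 6, 9, 0), 400, 120, 10, n_both=2)
    + make_campaign("2015-Q3", datetime(2015, 7, 6, 9, 0), 2000, 450, 140, n_both=30)
    + make_campaign("2015-Q4", datetime(2015, 10, 5, 9, 0), 8000, 1000, 900, n_both=150)
)

if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    names, rates, improving = report_rate_trend(m)
    for n in names:
        r = m[n]
        print(f"{n}: sent={r['sent']} click_rate={r['click_rate']:.3f} "
              f"report_rate={r['report_rate']:.3f} "
              f"first report after {r['minutes_to_first_report']:.0f} min")
    print("report rate rising every quarter:", improving)
```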
their internal security team made a really nice Prezi presentation that they would deliver to the different business units that they thought needed more attention, that would help raise awareness of all of the types of attacks that they are commonly targeted with. It's a media organization, and they have a lot of politically motivated threats that are targeting their employees; they have a lot of celebrities that work at their organization, and they are explicitly targeted for their personal information. Having 8,000 employees in an organization like that, and a finite budget for their security team, and very, very motivated attackers, became a... you know, fortunately, even though they have a finite budget, it's still pretty large compared to most organizations, and so that was part of their package: let's PhishMe everyone every quarter, just because we can afford that. But I compare that with another organization that's also very large, and I saw them tracking the number of incident response submissions, and basically creating a culture and an environment where, rather than trying to give more training to the people that are clicking more, they were rewarding the groups that were reporting more incidents. So ideally that awareness training that's being performed should feed into this strong incident response plan that is specifically geared for social engineering.

How many people in here have a detailed incident response plan that they exercise regularly at their organization? Good. How many have one that's very specific for social engineering, for like a phishing campaign or for phone-based social engineering or physical? Some folks, some organizations. One of our clients, they're another media organization actually, they have to worry about bomb threats and people bringing guns and knives in, and they have kids on field trips in their organization every day, and they worry about very serious physical threats, but they don't worry about the geek like me that walks in and plugs something into the network wall jack in the hallway that is in the elevator lobby, that's on a VoIP phone
that still connects into the internal network that's behind that locked door. This is kind of quintessential to some of our recommendations and takeaways from this presentation: having a plan specifically for social engineering can put an organization in a much better position to react whenever these types of attacks do occur. I also have an issue with the frequency that some organizations do awareness training. Again, I think it's a time and resources matter, and maybe your organization has a lot of resources to put into awareness training, but I found there's actually a Harvard Business School research paper on how the amount of diversity training your organization does starts to have diminishing returns, and actually the opposite effect on people's mindsets, the more you shove diversity training down their throat. I think the same thing happens with security awareness training, and I want to tell a story about an organization that asked us to do very frequent training, and we really tried to convince them otherwise. But the other thing was the conditioning aspect, the negative reinforcement. Rather than rubbing the people in the organization's nose in this problem like they're a dog, and demeaning and degrading them for clicking on a phishing link, which very well anyone could, because anyone could make a very, very convincing email or a very, very convincing web application, and some people are very tricky and can talk you into doing almost anything over the phone, I think using positive reinforcement: if the person in the organization reported that incident, track that, reward them, and make them a good example for others to follow. If we're asking how we can get an organization on the defensive against social engineering, it's making reporting these incidents easy, making it the default behavior, and making it rewarding.

So another story was specifically around an organization that came to us and wanted us to develop their social engineering defenses for the customer support representatives. They had approximately 4,000 customer support representatives around the world, some of them local to the US, some of them in India, some in other offshore areas, and some are just entire
external third parties, where they don't have a lot of control over what goes on inside those organizations other than what their legal team can get into a contract. So currently, when they came to us, they were training and simulating SE scenarios on an ad hoc basis, and they had had some incidents: they had attackers calling in and coercing customer service representatives into giving them access to personally identifiable information, access to customer accounts, and on top of that they were regularly receiving emails that were actually a phishing scam. So that was risk number one as they were describing to me all their problems; I identified risk number one: you're already having these incidents, you're already getting these regular phishing scam emails, and these emails would prompt them to reset their passwords on a regular occurrence and then kind of trick these representatives into giving up their passwords. The second risk identified from the problems they were describing was that they were occasionally getting malware infections on the CSRs' terminals. They probably weren't even sure how that was happening; their incident response was just to image it, not really get to a root cause analysis of why that was happening. There were kind of a lot of different problems that they were describing, and they wanted us to do monthly security awareness training, basically sending phishing emails and doing phone calls on a monthly basis, and then their plan was to fire repeat offenders. They had a new CISO join recently, and I know that she was actually firing heads of departments in the security unit because they didn't have a good relationship with the other business units, and she felt that they couldn't get anything effectively done because they had the reputation of: we'll steamroll you, or we'll go around you, or you'll get fired if you don't do what security says. That was creating all kinds of office politics that, I think, we had identified as consultants that had been working with them for a while.

So we basically tried to recommend a multi-phased approach that involved doing some social engineering and security awareness training, but perhaps monthly was overkill until they had some other plans in place to review those terminals that the customer service representatives were using, like asking policy questions: why do they have internet access? Do they really need access to everything? Can we just give them an iPad to surf the internet on if they're bored at work in between customer support calls? Can we whitelist every application and software that runs on those systems as well, and detect any anomalies and abnormal behavior, to prevent that risk of the malware infections that were occurring on a regular basis? Can we redesign the security questions that they use as the authentication process whenever customers call in and say that they need to change their address or change their phone number or update the billing information on their account? Are they really doing a good job of that, or do they know that there's websites out there where you can pay 99 cents and get anyone's social security number with just their name and maybe one address that they've had in their life? So, bringing some of those to light, and asking them to take this approach where we use social engineering as the tip of a spear, integrate that with penetration testing of some of their internal applications and the applications that the customer support representatives rely on on a regular basis, reviewing their incident response plan and how they're going to handle these incidents that were already happening on a regular basis (there was no specific incident response plan for it), and really analyzing what their plan was for their people, their processes and their policies related to social engineering, flowing that into what enterprise security technical controls we can implement. We actually have a list of 12 of them that I want to get into.

Would you talk a little bit more about some of the technical controls and defenses around... well, while I pull this up, sorry. Like, what you see...
It's your deck.
I'm just going to wait for you to pull these up. I can tell a story, dude. All right, I'll tell another story in the meantime. I wanted, in this presentation, to talk a little bit about the trust that we put in social media. At the DEF CON social engineering CTF, one of the challenges was we got a Fortune 100 company, and my company was Boeing, and the goal of this CTF was there was a list of 35 questions that you had to answer, and they ranged from who's the garbage disposal company to getting someone internally to click on a link that you sent them. The way that I did this was I created a very fictitious character called Naomi Wolf. Naomi Wolf was completely fabricated; she did not exist in real life. For Naomi I created a fake Facebook, fake LinkedIn, fake Twitter, and over a few weeks I built up these profiles. I added people from Boeing who worked there: managers, co-workers, everyone that I could get a hold of just through social media. After a few weeks I found that the job was doing itself. I started getting friend requests, LinkedIn requests from people that worked for the company. I actually got a manager that worked for Boeing messaging me on Facebook and saying, hey Naomi, how's your internship? Sorry, so I was posing as an intern, an aeronautical engineering intern, and he messaged me saying, Naomi, how are you enjoying your internship thus far? I would love to meet up with you and get to know you and get some feedback on our internship program. I thought that was absolutely frightening, that this person that I completely made up, in just a few weeks she was considered to be a real person, a real employee that worked for Boeing. Using those connections I was able to get people to click links that I had crafted, I was able to get payroll information, I was able to get a lot of internal information about the company, just because people thought I worked there. Yeah, I have more stories. Yeah, question?
So I also had another slide on genders, and I get this question all the time. Every time I do a social engineering presentation I get the question: it's because you're female, isn't it? And the answer is no. Both genders have their benefits and some drawbacks. To give some examples: I did some studying and I found that females were terrible at posing in positions of authority, in higher positions like managers and CEOs, and in technical positions. So any time I tried to pose as someone that knew what she was talking about technically, or, sorry, someone that was in an authority position and telling other people what to do, that did not work out well. So males have the advantage in this case. And also on physical social engineering engagements, females couldn't dress up as engineers or auditors or people that came in to fix something or take the garbage disposal away; males have the advantage here as well. So it's about utilizing your gender and the benefits that come along with it. Both genders have their positives and negatives.

I would agree with that. Just a change in the tone of my voice can affect the way that people are listening, and it's very effective over the phone whenever you are pretending to be a manager from the IT department asking someone to help get their system up to date and install a patch on it, and their system is the only one that's not up to date in their department, and getting them to go to a website that looks like it belongs to the organization, that has fake green progress bars saying has this patch, has this patch, has this patch, and then a red one that says, oh, you're missing this one, just click download and put that on there and then we'll get you compliant. I've even had members of the organization say, well, is this legit? And they would then go on to tell me that they recently went through security awareness training, and I kind of use that against the organization instead: well, yeah, we were following up with not only making sure you did the security awareness training but also that your computer has all the patches installed. We can't get the automated deployment to deploy, but I'm feeling kind of ill today and I didn't want to come by your desk and get you sick as well, so if you could just do this over the web app that we set up for it, it would save a lot of time. And then they just want to be helpful.

So I wanted to show you what I have found to be, yeah, sorry for the text blob, some of the
these, like, the top 12 things that I found that work well and would really put a hampering on what we do when we're performing these social engineering assessments. I'll walk through these and explain what we mean.

An alias for reporting incidents. This goes back to making it easy for members of the organization: having something like strangerdanger@example.com, so that whenever someone thinks they got a phishing email they can just forward it to stranger danger, and there's someone on the other end in the security team that's ready to review and respond to them, maybe even with an automated message like: we are currently looking at this and we are planning on letting you know as soon as possible what the next steps are.

Implementing... since 2006 there have been some things that prevent email spoofing. Right now, from our research, 99.9% of the Alexa top 1 million allow email spoofing, and that means we can likely send an email from the CEO of your organization to any member of your organization and it would appear in their inbox just as that person, asking them to do whatever we want. There are things like SPF that a lot of organizations have in place, and that stands for Sender Policy Framework, but it doesn't work unless you also have DKIM and DMARC, and we found that a lot of organizations don't know that. They think that they've set up the Sender Policy Framework, which is a whitelist of IP addresses or domains that are allowed to send email from your organization, but it doesn't work without some of the signing and crypto components that are in DKIM and DMARC that almost no one has implemented, and therefore it still is possible to spoof email from most organizations.

This one's probably a little bit overkill for most organizations, but maybe you're a military organization or a law enforcement organization: removing the HTML from your email automatically takes away a lot of tricks an attacker can use up their sleeve that involve spoofing links, hiding links, hiding information in an email, or making it look like it's got the letterhead of your organization, and it really eliminates a lot of tricks that we use in our email spoofing.

Sandboxing the browser or the email client can also help. Sandboxie is one that actually every person that uses a Windows machine at our organization utilizes. It basically forces all changes that are made to the system from anything that's running in the sandbox to be done on a copy: any registry changes that something downloaded in your browser may make, or any file system changes, are actually made to a copy of that file that you can clean up and throw away if it was something malicious or something that caused damage.

Browser plug-ins. One of the organizations, well, multiple that we've targeted, are mature enough that they have all their customer service representatives on Mac minis running Chrome with NoScript and other security extensions that are really making it more difficult for us to compromise a member of their CSR team with social engineering tactics.

Having an organization-wide web proxy that tracks every URL that was visited is instrumental in incident response. A financial institution that we had repeatedly, year after year, compromised with social engineering got a little bit wise and was actually able to implement this in their incident response plan: once they had the incident reported, maybe we registered a fake website or domain, and once that was reported, they were to go see every username and workstation ID that visited that URL and then treat that as now part of the incident response. They called us up and said, was this email with this link to this domain you guys? Yep. Did you in fact only get Jessica so-and-so's computer? Yep. All right, okay, we feel better this year, we found it. And it was because they had that organization-wide web proxy that all users were going through, and they could track down every user that clicked the link and then go and reimage their machine and force them to change their password.

They also started setting up things where they would alert on domain names that contain their organization's name in the domain, and they actually thought that it was us registering some, but it was actually another part of the organization that they weren't aware of registering some new domains. Rob Fuller (mubix) actually talks about these attacker ghost stories, and one that he shared was not only taking the list of all the domains that you know may be variations or typos of your domain, or replacing the letter O with 0 and things along those lines, but taking that list, and you don't even necessarily have to alert on or register all those domains, although if you have the resources you might as well, but you can put them in internal DNS entries and then have your internal users go to a site that says: hey, this was probably a phishing attack, or you made a typo, because we don't have a zero in our domain name; please report this incident if you received an email that coerced you into going to this link.

Customization of authentication processes. This is something maybe your bank does, where they make you pick a picture to recognize when you're logging in. That can help prevent social engineering as well, or phishing. Basically, if the attacker does not have a piece of information, it's almost in that sense an element of two-factor authentication: it's something that they don't know but you do. You pick the picture of the race car when you're logging into your bank, and if you don't see that there then it's not really your bank's website.

Application whitelisting would be having a list of all the approved apps that a customer service representative's machine needs to run, and if you see anything else pop up, that's bad news bears.

And some of the basic defense-in-depth techniques that we were talking about earlier today: encrypting data in transit and at rest to mitigate the risk of an already compromised machine or a compromised application pilfering other sensitive data. One of the financial organizations we work with enforces that whenever their users take their laptop home they can't connect to the internet without going through the corporate VPN, and then they can still do things like monitor the web traffic through the web proxy and make sure that they are kind of overseeing what websites they go to on a corporate-issued laptop.

And basically, performing regular social engineering assessments for the purpose of training the incident response team more so than training the users. I always ask, whenever we start out on scoping for a social engineering engagement: is your motivation for this to get a better idea of security awareness levels at your organization, or is it to get an idea of how well you'd respond to social engineering? Often they say both, but I think a trend towards spending more time training the incident response team than trying to train everyone in the sales, marketing or recruiting departments can yield a lot better return on investment of time.
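Two of the controls in the list above, the proxy-log lookup the financial institution built into its incident response and the look-alike domain list pointed at an internal warning page, fit together in one small tool. The following is an added example written for this page, not code from the talk or from mubix's ghost stories: it generates typo and letter-for-digit variants of a domain, emits sinkhole records for them, and then searches constructed proxy log lines for anyone who visited one. The sinkhole address (10.0.0.250), the proxy log format (timestamp, user, workstation, URL, status) and the log lines themselves are assumptions made up for the example.

```python
"""Look-alike domain watch list, internal DNS sinkhole records, and a proxy-log
search for the users who visited one.  Added example for this page, not the
talk's own tooling.  The sinkhole address, the proxy log format and the log
lines are all assumptions constructed for the example."""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

SINKHOLE_IP = "10.0.0.250"  # assumed address of the internal "this was probably phishing" page

# Letters attackers swap for look-alike digits (the talk's letter-O-to-zero trick and friends).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def lookalike_domains(domain: str, typo_tlds: Tuple[str, ...] = ("co", "cm", "om")) -> Set[str]:
    """Generate typo and homoglyph variants of a domain, e.g. example.com -> examp1e.com."""
    name, tld = domain.lower().rsplit(".", 1)
    variants: Set[str] = set()
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:                                   # o -> 0, l -> 1, ...
            variants.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
        variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")        # dropped character
        variants.add(f"{name[:i]}{ch}{name[i:]}.{tld}")        # doubled character
        if i + 1 < len(name):                                  # transposed neighbours
            variants.add(f"{name[:i]}{name[i + 1]}{ch}{name[i + 2:]}.{tld}")
    for t in typo_tlds:                                        # example.co, example.cm, example.om
        variants.add(f"{name}.{t}")
    variants.discard(domain.lower())
    return variants


def sinkhole_records(domains: Set[str], ip: str = SINKHOLE_IP) -> List[str]:
    """One A record per look-alike pointing at the internal warning page.

    Assumed zone-file style; how these are loaded depends on the resolver
    (a BIND response policy zone is the usual way to answer for names you don't own)."""
    return [f"{d}.\tIN\tA\t{ip}" for d in sorted(domains)]


# Constructed proxy log, assumed format: timestamp user workstation url status
SAMPLE_PROXY_LOG = """\
2015-03-02T09:14:01 jsmith WS-1042 http://examp1e.com/patch-status 200
2015-03-02T09:14:05 jsmith WS-1042 http://examp1e.com/download/update.exe 200
2015-03-02T09:20:33 mlee WS-0877 https://www.example.com/intranet/ 200
2015-03-02T09:41:12 rgarcia WS-0311 http://exmaple.com/patch-status 200
2015-03-02T10:02:48 tnguyen WS-0402 http://news.example.org/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ws>\S+) (?P<url>\S+) (?P<status>\d+)$")


def visitors_of(domains: Set[str], log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each watched domain seen in the proxy log to its (timestamp, user, workstation) hits.

    A URL counts if its host is the watched domain or any subdomain of it; matching on
    the parsed host rather than substring-searching the line avoids false hits."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.setdefault(d, []).append((m["ts"], m["user"], m["ws"]))
    return hits


def machines_to_reimage(hits: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, str]]:
    """Distinct (user, workstation) pairs that touched any watched domain."""
    return sorted({(user, ws) for visits in hits.values() for _, user, ws in visits})


if __name__ == "__main__":
    watch = lookalike_domains("example.com")
    print(f"{len(watch)} look-alike domains, e.g. {sorted(watch)[:5]}")
    print("\n".join(sinkhole_records(watch)[:3]))
    found = visitors_of(watch, SAMPLE_PROXY_LOG)
    for domain, visits in found.items():
        print(domain, visits)
    print("reimage and reset passwords for:", machines_to_reimage(found))
```

In the constructed log, the legitimate www.example.com and news.example.org visits produce no hits, while the two typo domains resolve to the users and workstations the incident response team would reimage and force a password change on.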
Yeah, sorry, I didn't mean to knock posters too much. I do think there's value in security awareness training. I think gamification, and I think you may have some comments on this, is a great way to make it rewarding and make it somewhat competitive, even maybe between co-workers, to be the best at reporting social engineering incidents. And I think that, depending on... the recommendations really have to be custom, but depending on your organization, if your organization has a very small security team and a very limited, finite budget, you may want to only do the minimum amount of training that's required for compliance. She may have a different opinion.

All right, great. This talk was not meant to sound like you should forget about the human aspect. Absolutely you should still consider training humans, but there are also technological controls that you need to consider. You cannot rely on a human because, like I said earlier, we fall victim to psychological attacks. And again, gamify security awareness training, try to make it fun, don't make it a paranoid culture, don't make people bored of reading your e-learning module with its clip art and tick boxes. You need to make it fun, you need to make it engaging, you need to make the end user want to do this training, or at least not hate doing the training.

Yeah, I was going to say, as pen testers we're often required to still do the training before we're allowed to use that internal domain account, and oh man, I have seen some really bad ones: ones where I can just keep clicking the multiple choice until it lets me through, or just disassemble the Flash and go to the end link that says yep, you completed it, here's your certificate. But that's not training. So we can do better than that. If you are going to be training, at least make sure that you're measuring the effectiveness of it. A lot of organizations, I've asked them, how are you measuring the effectiveness of your training? And they're like, huh, we just do it.

I just remembered something very interesting that someone said to me last time I presented on this topic, and that is: when you get a phishing email, or, sorry, when you get an email or a phone call that makes you want to react in some sort of psychological way, something that is creating a sense of urgency, something that appeals to your desires, just stop and think for a second, saying: why does this person need this information from you right now? What emotions is it appealing to in me? So if it seems fishy at all, think about what the email is asking or what the person over the phone is asking from you in a psychological sense. So I hope that makes sense.

Yep. We didn't sleep last night. Sleep, dinner was good.
We have a hundred percent success rate of at least getting one person to fall victim to our campaigns, and one is all we need. And it's really kind of... it's rough to be on the other side of that, to be on the defensive side and say, I have this hydra of attacks coming at my organization and I can cut off one head, but the six other ones still get me. But I really would like to see it treated as a finite resource problem: say, okay, I have X amount of people, I have X amount of dollars in my budget, here's what I'm going to do with it, here are my priorities, and here's how I'm going to mature my organization's security so I can sleep better at night as a defender, and say that I got my organization this year to implement SPF, DKIM and DMARC properly, so now at least attackers can't spoof email from our organization. That's their progress, and then they can show that to their management and say we did good, we're making progress.
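The SPF/DKIM/DMARC point made in the list of controls earlier, and again just above, can be checked from a domain's DNS TXT records. The following is an added example written for this page, not code from the talk: it parses constructed SPF and DMARC records for hypothetical domains and flags what still lets spoofed mail through (an SPF record that does not end in -all, no DMARC record at all, or a DMARC policy of none or quarantine). The domain names and records are made up; a live check would query TXT for the domain and for _dmarc.<domain>. DKIM is not assessed here because its selector names are not discoverable from DNS alone.

```python
"""Assess whether a domain's SPF and DMARC records would let spoofed mail
through.  Added example for this page, not code from the talk.  The records
below are constructed for hypothetical domains; a real check would fetch the
TXT records for <domain> and _dmarc.<domain> over DNS instead."""
from typing import Dict, List, Optional

# Constructed sample TXT records (not real DNS data).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    # weak.example: soft-fail SPF and no DMARC record at all
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    # none.example: strict SPF but a monitor-only DMARC policy
    "none.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.none.example": ["v=DMARC1; p=none; rua=mailto:reports@none.example"],
}


def lookup_txt(name: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed records."""
    return txt.get(name.lower(), [])


def parse_spf(records: List[str]) -> Optional[List[str]]:
    """Return the terms of the first v=spf1 record, or None if there is none."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of the first v=DMARC1 record, or None."""
    for rec in records:
        if rec.replace(" ", "").lower().startswith("v=dmarc1"):
            tags: Dict[str, str] = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> Dict[str, object]:
    """List the reasons mail claiming to be from `domain` could still get through.

    Simplified on purpose: it looks only at the SPF 'all' qualifier and the
    DMARC policy tags, not at include/redirect chains or DKIM selectors."""
    spf = parse_spf(lookup_txt(domain, txt))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", txt))
    findings: List[str] = []

    if spf is None:
        findings.append("no SPF record")
    else:
        terminal = spf[-1].lower() if spf else ""
        if terminal != "-all":
            findings.append(f"SPF does not hard-fail unknown senders ({terminal or 'no all term'})")

    if dmarc is None:
        findings.append("no DMARC record: receivers are not told to enforce SPF/DKIM alignment")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: failures are reported, not rejected")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is spam-foldered rather than rejected")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")

    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "spoofable": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "none.example"):
        result = assess_domain(name)
        print(name, "spoofable" if result["spoofable"] else "enforced", result["findings"])
```

Of the three constructed domains only example.com comes out clean: weak.example soft-fails SPF and publishes no DMARC policy, and none.example has a strict SPF record but tells receivers to do nothing on failure, which is the "we set up SPF, so we're fine" situation the talk describes.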
We did, sure. Um, and it really is kind of funny, because we work with a lot of different industries, we work with a lot of different sizes of organizations, from Fortune 100 to startups, and we really have to be cognizant of that: here's what you're going to be able to do here and now, and here's what we should hire, you know, for these guys. Did you forget we have one more slide? Yeah. I think we're seeing a lot of organizations actually want to outsource their IR, their incident response, even to us, and we'd, like, decline, because we all have the expertise in-house to take it. I think a trend we're seeing is just outsourcing some of their incident response to an expert outside the organization. I have one more really cool slide to show. That question, I could...
Yeah, someone earlier was reading this book, How to Lie with Statistics; it's a very old book, written in the twenties or thirties maybe. It's a product of... it actually is the attitude of the organization that is really helping, for the better, how it's pitched in the presentations to management. But the organizations that I see that are tracking their incident response successes feel much better, even though they're still getting compromised, because with remediation they're able to do a lot better analytics on: what should we change, what technical controls may help, what policies may help, what processes are broken, what are our people's attitudes when it comes to, we had an incident, let's sit down and talk about it, and kind of generally treating that as a team effort, that we're going to help solve it and change some things to prevent that, instead of just getting more people in the sales department this quarter that are clicking on phishing. That's not really knowing them much other than as sales people...

To your question before about the hiring process: the reality is, or what I've seen a lot is, that when a new person comes on board at a corporation they have a huge onboarding process, they have heaps of security modules, they have heaps of training about how to write reports or whatever, and it comes as this huge, confronting list of stuff that they need to do, and seriously, I guess, they're not engaged unless they... don't do that security training. So it's a difficult balance to strike, training the new people coming into the organization, and it's also very, very fluid.

Yeah, the attitudes of... you fire people, and then you have to train the new people all over again from the start. So we have, like, a really cool... it's very penguins, you know, getting a cold because your imagination... Any requests? Oh yeah, big numbers. How often do you get people to go, hey, you don't work here? Not often enough. They say, hey, your number's up, or, hey, we don't have any HR people working at our organization. So it does happen, and that's because we like to report on... yeah, that has happened. There's one over here. Sure, in the back. Why? Oh
Gamification, game... they're like...

Yeah, know your audience. It's really important for any... whether you're pitching to the executive board on your social engineering results, or you're pitching to the technical folks, or just the general culture of the organization. Yeah, it's just tailoring your training to the people. Thank you.