
Good afternoon everyone, and today we will have a talk at BSides Las Vegas. This talk is about hacking, sorry, social engineering: training the human firewall, and it will be conducted by Rhianna. Rhianna Schultz is from Kansas City, Missouri, where she attended the University of Central Missouri. Rhianna graduated in 2018 with her Bachelor of Science in Cyber Security: Secure Software Development and later graduated in 2020 with her Master of Science in Cyber Security: Information Assurance. While in the industry, Rhianna has been exposed to numerous science-based classes and has a background in endpoint security engineering and network engineering. Rhianna works as a team lead out of the Security Operations Center at Garmin and as a part-time cyber security instructor at UCM. Rhianna currently volunteers as a coach for National Cyber League. Additionally, Rhianna guest speaks at numerous colleges and high schools across the Midwest, discussing her industry experience for the cyber and computer science classes.

Before we start we have a few announcements. Before we begin, we would first like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, Toyota, Semgrep, BlueCat, PR pleas track and many more. It's their support, along with our other sponsors, donors and volunteers, that makes this possible. These talks are being streamed live, except in Underground, and as a courtesy to our speakers and audience we ask that you check and make sure your phone is on silent mode. If you have a question, we have the mic at the center of the room; please use it. We have a photo policy here, and the photo policy prohibits taking pictures with anybody in the frame without explicitly asking their permission. We will get started now. Thank you, welcome, Rhianna. [Applause]

Thank you. You all can take as many pictures as you want; I highly encourage it throughout this presentation. And before we begin, I personally want to thank each and every one of you for not only attending my speaking session today but for coming to BSides Las Vegas 2023. We're going to be discussing social engineering: training the human firewall. As a quick introduction, my name is Rhianna Schultz. I am from Kansas City, Missouri. In fact, as stated, I attended the University of Central Missouri. I graduated in 2018 with my Bachelor of Science in Cyber Security: Secure Software Development and then later again in 2020 with my Master of Science in Information Assurance. I have a very big technical background in endpoint security engineering and network security engineering, and as of today I am a team leader of a security operations center at Garmin. Besides my love and passion for this field, thank you, I do love science fiction books, specifically from the 1980s.

Before I really deep dive into the contents throughout this presentation, I am requesting each and every one of you to keep an open mind. One of the most amazing things about being in the cyber security community is how we learn and grow from one another. Throughout this presentation I'm going to be discussing how to start and how to mature your own phishing program within your business. We're going to be doing this by learning a word called user architecture. In fact, user architecture is built on two concepts: how a user thinks and how a user acts towards security threats, because once we understand who our users are that make up our business, this is how we're going to identify risk and how we can take our phishing metrics to learn more about our business and identify gaps in our education program. If phishing education is new to your business, that's all right; we all have to start somewhere. Phishing education can be very, very expensive. I'm going to be presenting you all a tool that you can hopefully bring back to your own corporate environment that is not only affordable but is usable to deploy as well.

So, some historical knowledge about the data I'm going to be presenting throughout this presentation. In fact, when I was a graduate student I had conducted my own research. This research was a psychological study as to why our users are interacting with phishing emails regardless if security education is already present. For me to do this I had taken a participant pool of 100-plus users. In fact, these users had backgrounds in computer science, software engineering and cyber security. My audience were not novice to security threats, specifically phishing. Not only did I want to understand why they are interacting with phishing emails, but can I grow and mature their security mindset by exposing them to different threats and different levels of difficulty of phishing? For me to do this I had phished them with three campaigns. Each campaign focused on two threats: I focused on fish in a barrel, spear phishing, and then lastly spoofing. Each campaign progressively got a little bit harder, and for me to measure the difficulty of these phishes I had created my own algorithm. This algorithm highlighted the fact that the more phishing attributes a phishing email had, the higher the likelihood a user should be able to spot that this is a phish.

So like I said, for me to understand who my users are, or specifically my participants throughout my research, I had to learn about user architecture. User architecture is built on two concepts. The first one being: how does a user think towards security threats? Where do our users get their influence from? Us, as security professionals. And if you have been in the field for a hot minute, or in fact if you grew your management career and you're in leadership now, it is very difficult for us to put ourselves back in the shoes of a user. How do our users think? So I like to use this example. Leadership wants a small click percentage because it shows awareness is improving. In fact, if you had first deployed phishing in your environment, it probably was not uncommon that your click rate was at 50 to 60%, and as you continue to phish your users, that 50 to 60% is no longer sustainable and has probably started plateauing, and you're hitting that 1 to 3% mark. So leadership is going to see that trend and go, wow, when we first started phishing, our users clicked a lot. Yeah, they weren't trained, right? So now, as they continue getting involved, they're seeing that little bar graph go down to that 1 to 3%. They're like, yes, they're not clicking anymore, our phishing program is working. Why? Why are they not clicking?

So now we take ourselves back to the user mindset. If we have a user, right, our day-to-day average user, they probably know that cyber security sends out annual phishing reminders. In fact, they probably talk about this in new employee orientation, saying hey, you're going to get phished. This associate probably also knows that the phishing campaign happens at the end of the month, maybe the third or fourth week of the month, right? So if this user comes into work, they open up their email and they notice that there's something unexpected. They look at the calendar, and sure enough, right, third week of the month. They're going to ask their coworker, hey, did you see this? Coworker goes, yeah, I saw it, I reported it to cyber security, I got that automated notification. User goes, okay, cool. They forward it; they also got that notification. Now, what if this company has awards, right? If he sends and reports six of those phishing emails in the year, you might get a swag item, recognition at a team meeting, right? So not only do they understand when phishing is occurring and that there is a phishing assessment, but now they too want to set their team up for success, because everyone should get an award here. They screenshot that email and they post it in their Slack, their Teams, their Discord, whatever communication platform they have, right? Because now everyone could be part of cyber security. Of course that 1 to 3% is going to look good for leadership, but there's a story behind it. So we're not training our users to think like security analysts, to be inspired to protect against threats; we're training our users to adapt to our environments.

So the second part of user architecture is, oh sorry, is knowing thy audience, right? Who makes up the bodies of our business? How do you know the users? And I'm not talking about taking them to happy hour, learning their favorite color, their birthday, their mother's maiden name. No, I don't care about that. I want to know the types of departments that make up my business, and I use these two examples here. We have Dave. Dave works in finance. Feel like we all work with a Dave, right? Dave is a great employee, works Monday through Friday 9 to 5, really supports that culture and mission and vision of the company. What can we say that Dave's email traffic looks like? Dave, who works in finance, probably works very closely with customer accounts, maybe payroll, what about benefits and 401K services, right? Dave's responsibility is to understand where the money is going. What about Steve? Steve works in sales. Steve is also a great employee. What about Steve's email traffic? Steve, who works in sales, probably works very closely with customers, a lot of external entities. Steve probably also works very closely with marketing and communications and public relations, because he is advertising the product that's making the business revenue. Since we want to know not only who our users are, this is important because this is how they're going to act towards security threats. Dave and Steve in this hypothetical scenario work at the same company. This company got targeted with a phishing attack. In fact, this might be a new form of phishing, meaning that a lot of email signatures and firewall signatures haven't scanned enough of this threat to stop it. At the point this phishing email made it to the end user, both Dave and Steve got this. The contents of this email state: hey, there was an error in our benefit system, you have been dropped from benefits, you have 24 hours to click the link below; if this is a mistake, please re-enroll. Dave, who works in finance, who works very closely with 401K and benefits, sees this and goes, this is not an authorized email. In fact, this isn't even our benefits provider; we don't do benefits through [inaudible]. Dave is going to forward this to cyber security. What is the likelihood Steve is going to have the same reaction? We work, and the reality is we work with users who don't even think about their benefits until they get that annual reminder at the end of the year. I see some of you in this room. So what is the likelihood Steve's going to have that same reaction? This is why user architecture is very important, because we need to know how to train our users across all different types of threats.

So if phishing is a new topic for you, I use a platform called Gophish. Gophish is an open-source tool; it is free. I am very skeptical sometimes using projects with open source, just because the developers might publish this on GitHub and then they forget about it and move on to the next big thing, right? The developers are very in tune with the community. They post a lot of feature requests, even patches, updates, because they want to make sure security education is present in businesses. If you do not know this fun fact: cyber security 90% of the time does not make a business revenue; we cost the business revenue. So when you get to that point in the year and you get a stack of money, it is not uncommon that cyber security is at the bottom of that totem pole, right? Because you have to support your firewalls, you have to do logging, logging is very expensive, right, SOAR, etc., right? Security education might be at the very bottom, and reputable tools are usually on a pay-per-user basis. So by no means am I trying to sell you on a product. This is me providing you a tool that you can use and bring back. Also, I am not an application developer; this was very usable for me to deploy. When I had conducted my research environment, I had deployed this on a Linux virtual machine on my desktop. I had 100-plus participants. One of the nice usable features was that I was able to bulk upload all of these users at once instead of manually adding them; I do not have time for that. Also, this is the phishing assessment; I'm not sending phishing emails from my personal email address. So I have created emails through Gmail, Microsoft, Yahoo, AOL, and it was nice as I had a webhook integration back to my Gophish service, and that way I can authenticate back to these SMTP services. Lastly, I wanted a level of maturity. Gophish allowed me to dynamically send these emails out, meaning no user received the same email at the same time, because I don't know if they work together, I don't know if they live together; they're college students, right? So when I crafted my emails in the service, it authenticated back to the SMTP server, the SMTP server said yep, these are valid credentials, Gophish said all right, send these emails out, and they distributed out to my participants. My participants had two options: interact with the email or not. And if they did interact with the email, they clicked on it and it went to a survey-hosted website called surveymonkey.com. SurveyMonkey.com was great for me because, A, it's free, and also if a user had clicked on the email, that was a metric and automatically collected. It presented my participant with: hey, you clicked on a phishing email; it happens; here's some resources on how to spot phishing in the future. And then it presented them with some open- and closed-ended questions.

So I'm pretty sure you might be curious as to the types of emails that I sent my participants, and like I said, I wanted to understand why they are clicking on emails and can I grow their education mindset. The first campaign focused on fish in a barrel. If you're not familiar with fish in a barrel, it's a very Western term. It comes from when a fisherman would go out fishing; all of their winnings they would throw in a wooden barrel; at the end of the day, when it's time for dinner, they just put their hand in the barrel, picked out a random fish, and that's what they're eating. Phishing today has a little bit of a different concept. Threat actors would send out mass quantities of emails, specifically looking at spam marketing, maybe shopping ads; they just want that one click. So this campaign had a very high severity score, meaning there were a lot of phishing attributes, and you can kind of see specifically with the first one, right, it says "hello, please see the given for more information", random spaces, random punctuation, "sincerely, your professor". Also as a reminder, my participant background was computer science, software engineering, cyber security. There were a lot of clicks on this. I was shocked. I said why? Well, one of the reasons was they have a habit of clicking on emails before analyzing them, and if you can also see here in the "other" column, followed by "I was curious", "I don't care" and "my antivirus protects me from all the threats"; they were running Windows Defender. So I said okay, cool, what happens if I send the same type of threat with the same level of severity a second time, right? Because I'm trying to learn about the users that are in my participant pool. The second phish highlights: hey, we know finances might be hard if you're a college student; fill out the survey and for your time we'll send you a gift card; help us help you. There were significantly fewer clicks on this, but again, right, we have users that weren't paying attention and users that have a habit of clicking on emails before analyzing them. It's probably the same participant from the first phish.

So I said, all right, let's do this again, let's increase the level of difficulty. So I took away some phishing attributes and I focused on a different type of threat; I focused on spear phishing. I wanted to have a psychological relationship with my participants. The first phish, I wanted to scare them, and the email contents say: hey, you were using the university network; in fact, you were looking up inappropriate content while on the university network; please click this link to enroll in training so you know how to use the network appropriately in the future. There were a lot of clicks. I don't know about you; I personally do not want to look at a college student's proxy data, let alone browser history. In fact, there was an apology letter in that "other" column, but the number one reason being there was a sense of urgency that flexed their way of thinking. I said all right, let's send a second phish. Am I going to have that same result from the first campaign? And instead of a sense of scare I want to have a sense of trust. If you're not familiar with university networks or how the environment is set up, it's not uncommon people work on sharing platforms; that's because there's international students, there's remote students, right? So having an online cloud platform is very common, and that's what this phish focused on. It said hey, we're all working on a homework assignment; please click the Google link if you want to collaborate with us. There were significantly fewer clicks on this, and some of the reasonings, right: weren't paying attention, seemed legit, that "other" column, another one for curiosity, and I don't care.

So I said all right, this is why I had three campaigns, because now I might start seeing a pattern develop. I'm starting to learn about my users, how they're thinking and how they're acting. That third campaign is going to show if there is actually a pattern or this is a coincidence to me; I want to identify a pattern. And so I focused on spoofing as my very last campaign. If you do not have DMARC or DKIM signing in your environment, this is a big risk. I highly, highly encourage you to put that on the roadmap for 2024 as a form of security for your environment. Now, unlike the first two campaigns, this campaign had little to no phishing attributes, so this should be very difficult for a user to spot. The first email, I had actually spoofed my university address, and it highlights: thank you for participating in my research; as a form of gratitude, please retrieve the gift card below for your time. And there were a lot of clicks, with the number one reason being it seems legit, which is awesome, right? That is the focus of spoofing; it's supposed to look like a legit email. So then I said all right, let's do this a second time; I want to see if there's a pattern with my user architecture. So the second one, this one's personally my favorite because I was a little mean about this. I had taken a University Technology Office email, I had scraped the contents and adjusted the words so it's a little more scary, and I had also taken the signature and their office hours off of the university website, and it says: hey, your university credentials were found in a recent cyber breach; please reset your credentials so that way you can help keep the university secure; thank you for your time. Again, there were a lot of clicks, with the number one reason being that it seemed legit. So if you remember my first two campaigns, the first phish had a high number of clicks, the second phish had a significantly lower amount. This campaign was an outlier. In fact, if I had conducted these exact same phishes in my corporate environment and my leadership goes, what happened to our metrics, they were all over the place, I would say stop, just pause for a second, because this isn't bad. This is a gap that we have with security education. This is a risk stating: if we got phished with spoofing, there is a likely higher percentage our users are going to interact with it. Let's phish them again, because we need to train our users, we need to evolve their mindset, because they too are part of a firewall in our business.

So what can you do as security professionals to improve your mindset, right? Because again, our users are getting their influence from us as security professionals. Set a realistic phishing goal; that is number one, right? I hear so many times how people just deploy phishing programs and then they do nothing with the data. Your data is telling a story about your business. So if you're at a 1 to 3% click rate right now, that is showing your user
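An added example, not code from the talk: the speaker says to put DMARC and DKIM on the roadmap because her spoofing campaign had the highest click rate. This checker parses a published `_dmarc` TXT record and reports the settings under which a spoofed message would still reach the inbox (no record, `p=none`, partial `pct`, no aggregate reporting). The record strings below are constructed samples; a live check would first fetch the TXT record for `_dmarc.<domain>`.

```python
"""Assess a DMARC record for settings that leave a domain spoofable."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcResult:
    valid: bool                 # record parsed and carries v= and p=
    policy: Optional[str]       # none / quarantine / reject, or None if invalid
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcResult:
    """Return what a receiver would do with mail that fails SPF/DKIM alignment."""
    # No record at all: receivers apply no policy, so spoofed mail is delivered normally.
    if record is None:
        return DmarcResult(False, None, ["no _dmarc record published; spoofing is not policed"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcResult(False, None, [str(exc)])
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcResult(False, None, ["record is missing v=DMARC1"])
    if "p" not in tags:
        return DmarcResult(False, None, ["required p= tag missing"])
    policy = tags["p"].lower()
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif policy != "reject":
        findings.append(f"unknown policy {policy!r}")
    pct = tags.get("pct", "100")            # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who spoofs you are not collected")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return DmarcResult(True, policy, findings)


if __name__ == "__main__":
    # Constructed sample records (not real domains).
    samples = {"weak.example": "v=DMARC1; p=none; pct=50",
               "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
               "absent.example": None}
    for domain, rec in samples.items():
        res = assess_dmarc(rec)
        print(domain, res.policy, res.findings or "OK")
```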