Shooting Phish in a Barrel
and other terrible fish related
puns...
Amanda Berlin (@InfoSystir)
Stuff I do
CompanyX Metrics
• +/- 2,000 employees
• +/- 30 sites
• Decent structure and security already
• Some c-level buy in
• No user education on security
• $1,000 budget
First Phish
First Results
• No warning
• Gathered with theharvester.py
• SET bombed out on me
• 50 emails sent
• 16 usernames/passwords = 32%
• 4 reports = 8%
Second Phish
Second Results
• 250 emails sent
• 54 usernames/passwords = 22%
• 4 reports = 2%
Program
Something Smells Phishy
Phishing:
• is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
CompanyX Hackers
• We’ll be putting on our hacker hats and trying to get you to fall for our security tests.
• While we won’t be trying to gather your credit card details, there are currently real hackers out in the world trying to get every bit of information they can.
• They are the real bad guys and the whole point behind this campaign.
Key Points to remember
• Don’t click on links in email.
• Don’t open attachments that you aren’t expecting.
• Never give your username/password to anyone.
• If it smells phishy, REPORT IT!
Things that should be reported
• Suspicious emails trying to get your information (usernames, passwords, what software we use, banking info, etc.).
• Suspicious emails with attachments that you didn’t expect.
• People attempting to access your computer whom you haven’t authorized.
Contest Rules
• Phishing emails must be forwarded to the helpdesk; also call the helpdesk about any other suspicious activity.
• Both internal (COMPANYX IT) and external (real hacker) emails count.
• It is up to the COMPANYX hackers to determine if the email is a true phishing attempt or just spam.
Contest Rules
• Other suspicious electronic activity may count on a case-by-case basis.
• All COMPANYX email users except IS department employees are eligible to win.
• Pseudo-random COMPANYX staff members will be selected to draw winners.
• A person may not win twice in the same drawing but is eligible to win in all other drawings.
Awards!
• Winners drawn from our “Phish Bowl” will win these phishy prizes!
• Monthly – Two winners drawn
– Each unique phishing report results in one entry
– Drawings are held on the first regular business day of the month for the preceding month
– Both monthly winners will receive $10 Java City gift cards
Awards!
• Quarterly – Two winners drawn
– First quarterly winner drawn will receive a $50 Bass Pro gift card
– Second quarterly winner drawn will receive a $50 Red Lobster gift card
Awards!
• End of Year Grand Prize – One winner drawn
– $300 Amazon gift card
The Phish
The most important part
9 months of spreadsheets
January Phish
January Results
• 934 emails sent
• 322 usernames/passwords = 34%
• 103 reports = 11%
February Phish
February Results
• 567 emails sent
• 89 usernames/passwords = 16%
• 49 reports = 9%
March Phish
March Results
• 1095 emails sent
• 4 usernames/passwords = 0.4%
• 37 reports = 3%
March Results, cont.
• First real phish caught and reported!
April Phish
April Results
• 1159 emails sent
• Goal was to look for reporting only
• 261 reports = 23%
May/June Phish
May/June Results
• Both were external pentesting phishing attempts
• First attempt:
– 41 emails sent
– 0 phished
– 6 reports
• Second attempt:
– 59 emails sent
– 1 phished (after the test time period)
ZOMG IR
May/June Results cont.
• 10:30 campaign begins
• 10:33 C-level dude forwarded email, and called
• 10:34 Regular user forwarded email
• 10:35 Regular user forwarded
• 10:41 I.T. dept was discussing null routing the IP address and blackholing the domain name
• 10:46 I.T. member forwarded the second version of the email
• 11:05 Director forwarded the email
• 11:20 Director forwarded the email
July Phish
July Results
• 511 emails sent
• 15 people clicked through
• 8 reports
August Phish
August Results
• 402 emails sent
• 31 reports
September Phish
September Results
• 2264 emails sent
• 17 reports
GRAPHS!!!!
[Chart: Hard Numbers – Emails Sent, Phished, Reported per month, Jul-13 to Sep-14; y-axis 0 to 1400]
GRAPHS!!!!
[Chart: Phished % and Reported % per month, Jul-13 to Sep-14; y-axis 0% to 40%]
What I’ve learned
• Bi-directional positive response
What I’ve learned
• Someone is always going to click
What I’ve learned
• No one exempt
What I’ve learned
• Getting the point across
What I would change
• More formalized process for the helpdesk/first line of defense
• More automation
• Add vishing/physical
• More measurements
Stuff
• Infosystir.blogspot.com
– Email Templates
– Training Modules
– Meme posters
– “You’ve Been Hacked” phish response
– Awards program
Other cool things
• https://www.trustedsec.com/march-2013/the-debate-on-security-education-and-awareness/
• http://ben0xa.com/security-awareness-education/
• http://www.csoonline.com/article/2134189/strategic-planning-erm/how-to-create-security-awareness-with-incentives.html
• http://www.irongeek.com/i.php?page=videos/derbycon2/2-2-7-benjamin-mauch-creating-a-powerful-user-defense-against-attackers
• Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats – Bill Gardner & Valerie Thomas - http://amzn.com/0124199674
• Phishing Frenzy - http://www.phishingfrenzy.com/