>> Good afternoon... [sigh]
>> Welcome to phishing without failure, or frustration for that matter.
>> Or, how I learned to stop worrying and love the layer 8.
>> Otherwise known as... 11 stories of fail. Brought to you by... Jay Beale
>> Larry Pesce. Yay... [applause] Wooo! [applause]
>> Welcome to day whatever of DEF CON. Uhm, some of you, this may actually be a continuation of yesterday because you haven't slept yet. Okay. Or some of you, you got lots of sleep, right, who got lots of sleep? Lies! [laughter] Lies!
>> If you see anyone wandering around and kinda looking, if you could either choose one of two takes: either ignore them fully, like, just, I would stare right over their shoulder, menacing growl, let them know that there's no way they're getting a seat. Or, well, uh, let's go for the second option please. Ah, scoot in, make room, pull your legs back, uh, make friends.
>> Hopefully you all showered today. Nope? Okay. Alright. [laughter] Yup, I did, thank you.
>> Alright, so let's talk about some, uh, phishing without failure and frustration. So, as, as, us, for, for Jay and I and the InGuardians crew, uhm, this stuff for phishing should be really easy. Uhm, from the technical side, you know, you create a really witty or crafty email that sends the readers to a, a, a website with some URL, uhm, you set the website up, I mean this is easy, Apache on Linux, takes you about 10 minutes to do.
>> It's one form...
>> You, you build the one-form page, really crappy with H1 tags, and blink, and marquee, and we collect credentials, we get client approval of steps one and two, and we send that email to as many email addresses as we can possibly find. And...
>> And you watch the passwords fly in. And it's, you get 10 to 40 percent of the employees in most cases. And uh, sometimes you get lucky and it really is this easy.
>> Yeah, and now our job is done. Right? So thanks for coming. Uhm... That's how you do phishing without frustration. No!
>> Welcome to phishing, that's all there is to it. [applause]
>> No, it doesn't work that way. It'd be nice if it did, sometimes you get really lucky. However...
>> Sometimes you get really, really lucky. Larry Pesce here, uhm, once had a phishing campaign with a success rate of more than 100%. He sent an email out to some number of employees of the company, like, let's call it half the employees, and uhh... He had the, the, the routine scary email that has all the things it needs to have: it has to have a call to action, that call to action has to say "Bad things will happen otherwise..." or engage you to be helpful, and has to give you a nice deadline. Right? So he crafted that email, great... and, uhm, and it scared people hardcore so they forwarded that email. The people who got it, and their, and their colleagues hadn't gotten it, they forwarded it over to them too. They're like "Dude, you have to do this or else your access is going to get cut off". And then...
>> "But I didn't get that email. Can you forward it to me?"
>> "I'll send you a copy". Uhm, and the people who were sending copies out actually sent copies out to their, uhm, out to their other accounts. So a lot of us, you know, we've got our normal email user account, we've got our admin account, and then we've got our domain admin account, and so you, you got it on one of the three, you send it to the other two, and just to make sure, whoever gets domain admin passwords. [pause]
>> Bingo!
>> It worked out really well. I hope everybody, I hope I'm not too old, uhm, and, uhm, and everyone does recognise in excess, uhm, our rates in excess of 100%.
>> No, no, you're too old.
>> All the bad jokes are mine.
>> You're too old, so am I.
>> Yeah. [audience noise]
>> Alright so, why, why are we doing this phishing to begin with? So, the intent for doing the phishing to begin with, probably don't need to tell a lot of you, but to make sure we're covering all of our bases... We're here to try to do this phish to, quote, "Make the organization staff hard-ass mofos", right? We're trying to build the firewall of the human. Right? We're trying to train the users to be better at this so that they don't click on stuff.
>> Hey, and this stuff works. After, uh, you know, after you, after you get through your second or third time getting, you know, finding out that you got caught by a phish, you tend to be a heck of a lot better.
>> You're a little gun-shy. Right?
>> Yeah.
>> You start looking at every one of those emails rather critically and going, is this real or not? And, sometimes the phishes are so good you, wa, you question. I have actually seen some folks send me some sample phishing emails and almost clicked on them because they were that good. Like, "Why did I just get an email from FedEx? I know I'm waiting for a FedEx package. Oh, no... Don't, don't click that, don't click that." So it's about hardening the humans and not necessarily testing the technology to prevent it from getting in the organization in the first place.
>> Now the problem is that most people's, if you're, so we're taking the, we're taking the perspective that you're either a consultant like us, or you're in your own organization, you're trying to get a phishing program going to harden your users.
>> Yup. Which ultimately, if you're running a phishing campaign in your own organization, uhm, so when we say clients we mean potential clients that we work with from a consulting perspective. Or you are, in fact, having your users in your organisation be your clients, you are working within your department and your management, and you're a client of that management staff.
>> Yeah. When I was internal I liked to think of myself as, I like to still think of myself as a consultant. Uhm, I still like to think of myself as having clients cause I, that got me to understand who I was trying to serve. Uhm...
>> Okay so, most people's attempts don't go this well.
Uh, years ago when InGuardians started doing more regular phishing work, when we were doing it often, and uhm, we'd watch our consultants get so frustrated with the situation when they were, when they were phishing. And, uh, they got better, so the rest of this talk is talking about all the frustrating situations that we and others ran into and trying to tell you, teach you how to avoid them yourselves. So that you can just have fun with this, cause phishing, when it goes well, is really, really fun. Get the passwords, harden the users, make everybody happy, this is awesome. Uhm, but for most people their first attempt or two or three ends up being frustrating in a way that leaves them blaming their client, blaming themselves, frustrated and, uhm, even though they had technical success, uh, they end up just saying "Ah, God, I hope I don't have to do that again." [pause]
>> Alright, so, we're taking the approach of more of a pen test type of scenario here. This isn't about, uh, the red team, although red team is the, quote, "New sexy". Uhm, we do that too, but we're talking a little bit more about doing a generalized-based attack as opposed to a very specific, targeted red team type of attack, kay? We're going to share 11 stories of our, our failures, and the solutions that we found that seem to work really well to avoid those.
>> And we're gonna generalize, we're gonna generalize this and honestly this is, this stuff should be useful way outside of phishing - it should be useful in the rest of your professional life, it should be useful in your family's. Uhm, so, we're basically gonna say that any effort that you're, any effort that you're, uh, attempting professionally, it's going to involve a certain amount of, and hopefully, and usually more than you realize, communication, collaboration and negotiation. And I'll say something like this again, but I want you to know, uh, my rule is "Anything in life that involves one, more than one person, it's a negotiation, whether you realize it or not."
>> Yeah, otherwise you're just playing with yourself. [laughter]
>> You're the expert there. [laughter]
>> Somebody's gotta do it, it's a dirty job but somebody's got to do it. Alright, so, red team phishing, on the other hand, uh, as opposed to sorta more traditional pen test type phishing, uhm, we're looking for that, not to test everyone, we're looking at for that, or an access methodology. And it's going to be a very detailed, tailored, uh, very focused, uh, attack with a very small pool of emails - typically one to 10, usually one to two, sometimes even just one. Uhm, we're going to do lots of open source intelligence; we're going to be delving into finding out what attack is going to work and what attack is going to work the first time, because that's all we've got. And we've got to build a lot of infrastructure around that, uhm, wi.. wi.. with having, uh, backstories and great pretext and you name it. We're gonna have to spend lots and lots of time for a single red team ta, star.. phishing email; it may take months to construct, from both the email content to building, uh, fake LinkedIn profiles to, uh, setting up domains, and, and, and you name it to build that specific pretext.
>> In getting those, in getting those domains to have some history behind them so that'll make it through the, uh, so they'll, to make it through the filters.
>> Right, so that they have some, some provenance, as it were, uh, so that, that, that those domains that we wanna use for phishing have, uh, some trust based on, uhm, use and organizational application and so forth. And some of the things that we've found that work really well was using either Office 365 or Gmail, uh, Google Services, uh, to use their trust, uhm, for all of the spam, uh, filtering and so forth. Uh, to have that reputation built by others first.
>> Their mail servers often get whitelisted so you get the emails through easy.
>> So, like we said, we're gonna tell you 11 stories from real-life experience. Each one of them informs the way we run our phishing engagements and honestly, over time, they start to inform the way that we do work for clients and run our company. Uhm, so as I've said, we're going to give you this advice as if you're either one of us - a consultant - or whether, or if you're inside a company and trying to do a phishing campaign yourself.
>> Kay, so no plan survives first contact with the enemy, right? There's possibly no way we can have any of this phishing fail, I mean, this is not gonna go wrong, like, this cat attacking this particular balloon, right? Cause you know what's gonna happen here - the cat is gonna jump off the door; the door is gonna swing... closed, or it doesn't swing closed and they catch the balloon and plummet to the floor. Or, they grab the balloon and the balloon pops and then you know what happens when a cat has a balloon that pops? It's messy, it's messy... [chatter] Really messy. Gee, first hand?.. Yes, yes.
>> Oh my God...
>> Yeah, it scares the crap out of them, literally and figuratively sometimes. [laughter] Alright, so, first one I... schedule failing. Uhm, you do a great job, you work with your client, you get, uh, you get a test on a calendar, uh, it's ready to go, you talk with the client and uh... You give them three individual pretexts, uh, to choose from, uh, you send those over to the client. Uh... the, the contact that you're working with, uh, picks the pretext. Uhm... you get all of that built by, by Wednesday, uh, in preparation to send the email out on Friday so that, uh, it's in their email boxes first thing on Monday morning so that, that all of the folks are, are looking at it...
Uhm, they get it Wednesday, send over all the stuff so that they can review it, looks good, and then you find out that, uh, on Thursday your contact pushes the email up the chain a little bit and says to the manager "Hey, this is the... this is the phishing pretext that we're gonna use and you're gonna get these emails somewhere between Friday and Monday".
>> "Just a quick FYI - I thought, I thought it would be a good idea to show it to you, kind of like a last minute 'Here you go... just wanna let you see it'."
>> And then the manager says "What the heck is this... wh... you can't do this! This is, this is all wrong. All our users are gonna fall for this!" or, "This is too believable!" or, "We're gonna get in so much trouble... no... you have to start back over again".
>> Or, or, "This has objectionable material in the... you know, you can't, you can't actually try to sell medicinal drugs to make things... you know, bigger or smaller or whatever...
>> Or stand up longer... or...
>> We're trying to make side money... [laughter]
>> Yeah, so, now the manager comes back and says "No, there's no way. You start, start the pretext over, you can't use this one. Uhm, do this instead!". A.. and... and now the, your contact comes back to you and says "So, so Larry, Jay, uh, I'm sorry but we have to pick a different pretext..."
>> And we're gonna start from scratch. You're gonna have to build completely new dynamic material, this is gonna take a little while. And as a consulting firm we're always worried about schedule because if somebody starts from scratch, all of a sudden that thing that we were supposed to do next week - we're gonna be doing something else. And, uhm, and... we've got someone in the front row, whose talk actually... who has to manage changing us to something else and uh...
>> Yes, but she refers to it as "changing the schedule" as, uh, "rearranging her Tetris board". Yes, cause it's like "Where do you fit these pieces in with these players?" and it becomes a mess trying to juggle that stuff.
>> But when you do this internally, if you're not us, if you're not an outside company, you're doing this as an internal project, you might think schedule doesn't matter. And the thing is, if a project starts to run late, we all know this from IT, the project starts to run late, it starts to lose credibility. And once that credibility is lost you risk the project getting shut down or not repeated or budget or whatever... And so it's important to not, it's important to stay on time and it's important to get it right the first time. So...
>> Yes, so, don't blow your schedule to bits and make sure that you communicate with the organizations to let them know what some of the stuff looks like. And, yes, this is what happens when apparently you fail to communicate when creating some label at labelling, and yes, "Arabic" is spelt different ways because they misspelt it one of the two times, right? "Diesel fuel" and "Arbic" and then "Non-smoking" in Arabic. [pause] So how do we fix it? This is the opportunity for you to lead... Woohoo! Never thought you'd be a leader, did you? Well, guess what, you're gonna be a leader. Hey, we need to start having, uh, some conversation with, uh, the folks in your organization to lead them through this from the beginning. Hey, we need to have this approved before we even start building some of the stuff. Uhm, let them know what you're brainstorming, let them have some input into some of the, the pretext development.
>> At the end of the day, at the end of the day, even if, you know, even if you're... you're not a manager, or, or you're inside a company, you're not a manager; you're a consultant or what-have-you... You may feel like you're not the boss, right? It's not, you know... but at the end of the day you're the one who has the responsibility to get this project done and to make it work and work well... And that means you do have to stand up and lead - you have to; someone has to stand up and say "This is what we're gonna do". And, so, what we do is basically what, what we do when we get this right is we say "Okay, this is what the process is gonna be, here's where the milestones are gonna be, here's what's gotta be done by when". And by the way, you know, and if this doesn't... if, if this part doesn't work right, if we don't hit that milestone - this is one of the things that has happened in the past. Uhm, so there, there are a few other things you find out, find out before you can start creating your pretext, you can veto it and you can get them involved and you tell them the risk.
>> And maybe give them some deadline and figure out how long they need to get that reviewed so that you can schedule accordingly. "Hey, we're gonna send this over to you, uhm, who are you going to send it to, to take a look at it? How long do you think it's gonna take him? Can, can we set a deadline? So that we can now continue to move forward and we sorta know what the rest of that schedule's gonna look like." And give them some calls to action for, for limiting that time frame or for that approval.
>> Make sure they know how long it's gonna take, make sure you know whether what, time, amount of time you've set is actually reasonable. So...
>> Yup, uhm, don't build your entire prototype of your pretext until you actually have approval. Like, don't spin your wheels building this huge thing for your pretext - all the background of the pretext - to find out that "I just wasted 40 hours building this pretext and it's no good, well maybe I can use it on another client but depending on how tailored it is, to that individual client, maybe, maybe not so much..."
>> So the other part of this is basically - realize you're talking to one person, you're talking to your client, you're talking to your boss.
You're in a multi-party negotiation whether you realize it or not, because the organization, or client, has got a whole bunch of people. So you're in a multi-party negotiation and it's up to you to lead it and rock it and, uhm, and make sure you're involving enough people.
>> So how many of you guys are introverts in this room? Don't all raise your hands at once, kay... I know you're being introverted, right? Yeah, that guy in the back, he's clearly an introvert, right? Yeah...
>> Who's not an introvert, who's an extrovert? They tend to raise their hands more.
>> Yeah... and not many. Not many of you. [laughter] I, I sus...
>> Whose arms don't work? [laughter]
>> And that's pretty endemic in our, in our industry, right? I think a lot of the folks that I run into, they deal with technology cause they don't wanna deal with people. Well... unfortunately, we have to deal with people, right? Yeah, so, some introvert pro-tips, uhm, it's, it's about when you're going to communicate and ultimately the type of communication. So, if you communicate more in the beginning about this whole process, then the communication will be much better, you get an opportunity to excel and to lead and to have fun...
>> Or, if you don't communicate enough you end in these other, in these last three bullets which we all... which sucks and it takes longer too. So, it's more effort and that's, you're talking about the frustrations, you're assigning blame, you're talking about why the project didn't work. You're, uh, lamenting the failure and...
>> People are getting angry and finger-pointing, and... that never goes well and it's not nice. And it, it makes you not wanna do this and it makes you frustrated, so communicate more in the beginning.
>> Cool...
>> I can't wait until my kids start sending me Father's Day cards via email cause they're cheap, right?
>> I already do that... [laughter]
>> See, I can't send... Father's Day cards, I can't send Mother's Day cards... my father passed away so I can't send Mother's Day cards to my mom via email, you know why? She can't use a computer! [laughter] She took, I took it away from her... [laughter] Alright...
>> So, what's the point of the slide again?
>> So, what do you... what do you mean?
>> Please don't transcribe that... [laughter]
>> Oh, now we can mess with the transcriptionists? No.... [laughter] No, stop it, Jay. Alright, did you check your spam folder? Yeah, what happens when your phish ends up in the spam folder?
>> So there is, uh, this is something that happened, it used to happen to us, we actually had one of these happen to us recently. Uhm, you know, but, in our story you spend a whole bunch of time developing that pretext, landing page, go through all the negotiation we've been talking about - none of your emails make it through the organization's spam filters. At this point the organization's spam filters have been trained on your emails so you don't get to use them in the future. So your spam filter's been triggered, maybe because your domain's too new or it, it has broken SPF, or maybe just the spam filters get lucky, and you're back to the drawing board, schedule suffers, your contact, or your contact to your boss, is annoyed.
>> Yeah! Check out this pretext... let's go test it! No, it doesn't work. [sigh]
>> Just think what we did...
>> So, let's do some user testing, on our user testing... We've tested the test with some user testing, right? Kay, yo dawg.
>> Okay, this is the one technical slide we have this entire talk. So, on the technical side, go and configure SPF and DKIM; use, uh, you know, use an MTA that you've tested - it's had a domain for at least a week and it's been assigned to do that. And, uhm...
>> That's a, a pro-tip: do your IPv6 assignments for all the services as well. We recently had a mail server that would do SP records, one of our clients had a mail server that did, SPF record lookups and preferred IPv6 over IPv4, and the IPv6 lookup would fail and then, because our SPF record wasn't appropriate, they would drop the mail as spam. Because it was via IPv6 and not IPv4, and it took us forever to figure out why this stuff was not making it through. So...
>> So, with that said, we like the human fix for this one... Basically, you talk to your, you talk to your client, your contact, your boss, and you say "You're testing the humans, not the technology". The point of, we've talked about red teaming and it had a different focus, but in this you look and say "What's the overall mission?". The overall mission was to get an email to everybody in the org, or a large portion of the org, and see how they respond to an actual phishing email. So, if the technical solutions get in the way, uh, then you're not getting, you're not actually able to do the test, so at this point we're gonna go and ask to be whitelisted. "Hey, could you just let our mail server send through?"
>> Right...
>> Make sure that you budget time to test the whitelist cause if you don't, you still end up in this failure, if your whitelist was set up and didn't work.
>> Yup. So for example, this is testing the human not the technology because we know the technology fails. How many of you folks have a spam filtering, or some type of solution in your organization? Yeah... How many of you still get spam?! ... I rest my case. It's broken, it doesn't always work. So it's not about testing the technology, you know you have it, you know it doesn't always work and it takes one email to get into someone's environment for one person to click on. And you know it's gonna get there cause, you know why they keep doing spam?
>> Cause it wo...
>> Because it works!
>> Yeah, man...
>> So... alright. Math, math is hard. Find the volume and surface area, right, of the cylinder.
>> Sushi...
>> Sushi. [sigh] So, the numbers game fail.
Kay, so, some, some interesting things, 00:22:10.996-->00:22:17.436 you know, you're gonna go do a, a phishing test and you need to have some emails to send these 00:22:17.436-->00:22:22.608 to. You use all of the best tools in your arsenal to go collect email addresses from the 00:22:22.608-->00:22:29.114 internet, uh, Maltego, you, you name it... Google, a, all of the tools that you use to populate 00:22:29.114-->00:22:34.253 those lists of emails from publicly available sources and you end up with 15 email 00:22:34.253-->00:22:39.925 addresses in a company that has a 1000 employees. This is not a good test, key. You're really 00:22:39.925-->00:22:45.798 looking to test all of the humans and to see how all of the humans react based on their 00:22:45.798-->00:22:51.704 internal training or to gauge what type of training that they need to do. You need a whole lot 00:22:51.704-->00:22:56.742 of email addresses, 15 isn't going to cut it. >> The, the thing is, with, the thing is the 00:22:56.742-->00:23:00.879 blockhats they get to brute-forced mail severs to find valid email addresses, they get 00:23:00.879-->00:23:05.084 to send you tons of spam to do that. They get to buy mailing lists and if they're 00:23:05.084-->00:23:10.889 particularly questionable this, guy, this guy named Bob, uh, they can go and say pull all the 00:23:10.889-->00:23:15.527 pager traffic, if their, if their client is a, their client or their target - well not their 00:23:15.527-->00:23:21.967 client. If their, uh, if their victim is a, uh, say a hospital nearby with tons of pagers going 00:23:21.967-->00:23:25.371 that'll get you some... that'll get you some addresses. >> Yes, that'll get you some addresses. 00:23:25.371-->00:23:31.510 So... Math, why are you so hard?! Right? Why does this have to be so hard?... Why, how can 00:23:31.510-->00:23:36.915 we get around this whole "one5 email address" problem? 
And, and be semi-ethical about it and, 00:23:36.915-->00:23:41.186 or, do this affordably and not have to buy some expensive mailing lists? And, or, or do 00:23:41.186-->00:23:45.491 bad things with POCSAG and FLEX pager traffic. >> So, let's just... let's just tell the, 00:23:45.491-->00:23:49.495 let's just tell the client or the boss that an attacker could get a really comprehensive list 00:23:49.495-->00:23:53.465 of email addresses. >> Cause we know they can, we know they can. >> We know they can, well, when 00:23:53.465-->00:23:58.370 we say, when we tell them that we gotta prove it. Uhm... >> Yup, uhm, I, I can brute-force 00:23:58.370-->00:24:04.777 every email address at your mail server. You're not going to like it, kay? It's gonna be a bad day 00:24:04.777-->00:24:08.547 for your email admin. >> So the, the thing that, you know, the, the objection, you know, the 00:24:08.547-->00:24:12.184 objection that we might get from purists is like "No, wait a second, you want this to be an 00:24:12.184-->00:24:16.722 accurate test" and I'll say "This is where the red teams, you know, military red teams for 00:24:16.722-->00:24:20.426 a long time have been throwing, have been saying "This is our white card". Uhm, we're gonna 00:24:20.426-->00:24:25.030 say "Let's just stipulate that we could get all the email addresses, you give them to us". 00:24:25.030-->00:24:30.035 Uhm... and that way we'll be spending our time in smarter ways. Uhm, so, in our case this 00:24:30.035-->00:24:34.606 is, this is the first place where the, the negotiations really, becomes really obvious. 00:24:34.606-->00:24:39.611 Okay, your client may just say "No, I don't wanna" and at that point you have the opportunity 00:24:39.611-->00:24:44.717 to walk away, say "Okay, well I'm gonna, I'm gonna send him 15 emails, this phishing test is 00:24:44.717-->00:24:50.155 gonna suck and you know, it'll be okay, it'll be his fault. So I don't care". 
But most of us, 00:24:50.155-->00:24:53.992 when we do anything in life, we actually care about the outcomes and when we say "I don't care" 00:24:53.992-->00:24:59.331 we're usually in some kind of pain. Uhm, so, what we could do instead is try to get creative - 00:24:59.331-->00:25:04.236 we can talk to our client, say "How about this? We'll do the first step, we'll find all the 00:25:04.236-->00:25:10.042 addresses we can find and if that's 15, great, if it's 1000, great. At the end of that we're 00:25:10.042-->00:25:13.512 going to give you those addresses, we'll put them in the report, heck, if you want we'll 00:25:13.512-->00:25:17.783 do those first. But ahead of time, give us the rest of the email addresses in your 00:25:17.783-->00:25:22.388 organization. That way we get to do a comprehensive test where we know that we actually got to 00:25:22.388-->00:25:27.526 test a large enough number of users to be helpful. And you get to get the thing you wanted 00:25:27.526-->00:25:32.898 which was that accuracy, you can kinda see both outcomes." >> And it won't ruin your day when we 00:25:32.898-->00:25:38.303 topple over your mail server by sending it too much mail. Right? And, your, your email admins 00:25:38.303-->00:25:42.341 won't have a bad day for that. And, you know, maybe not engaging in illegal behavior for 00:25:42.341-->00:25:47.346 finding, uh, addresses via, via other, other means. >> So, next story. >> Yea, brace yourselves 00:25:50.215-->00:25:56.188 - the open floor plan office is coming. >> Winter is coming. >> Winter is coming. So, your 00:25:56.188-->00:26:01.126 email, uh, let's consider a pretext, I did this once. Uhm, you say it's from... >> You 00:26:03.562-->00:26:08.400 considered a pretext once? >> I did. >> Ok good. >> No, I wrote one, damnit! >> Okay, good. >> 00:26:08.400-->00:26:12.805 Have you been drinking again? >> Not yet. 
>> Okay, so the email says it's from Robert Smith, 00:26:12.805-->00:26:17.242 he's the director of information technology. You send it out, the director of information 00:26:17.242-->00:26:21.246 technology says "Anybody who's given their password is going to lose their job, blah, blah, 00:26:21.246-->00:26:27.553 blah..." - this kind of thing, that's my pretext. I didn't really know my client, the whole 00:26:27.553-->00:26:33.158 organization sat on one floor in a very large, airplane hangar style, building, uhm, in an open 00:26:33.158-->00:26:37.429 floor plan. And people just started going, started walking over to Robert's desk here, at 00:26:37.429-->00:26:42.901 which point he alerts everybody. He tells a few of them and then one of them... >> Stands up and 00:26:42.901-->00:26:48.373 says "Hey, that email from Bob - don't open it!" >> And your success rate goes to utter dog 00:26:48.373-->00:26:55.214 sh**... >> Yea, what success rate? >> Yea... >> Yea.. >> So having an open floor plan has 00:26:55.214-->00:26:59.651 helped me bond with my co-workers who also despise having an open floor plan. 00:26:59.651-->00:27:05.190 Alright, okay. So know your target, know, know what the environment looks like, uh, as 00:27:05.190-->00:27:09.795 part of developing that pretext because, again, you wanna help the folks that you're testing to 00:27:09.795-->00:27:15.767 become better, you wanna have some good success and, and not have the alerts. You wanna test 00:27:15.767-->00:27:20.506 individual people and not have that alert go out necessarily so that all of the people can get 00:27:20.506-->00:27:25.110 tested. Talk to your client about "What does the office look like? Hey, who may be a good 00:27:25.110-->00:27:30.582 person in the organization for us to send an email in from if it's an illegitimate source? Uhm, 00:27:30.582-->00:27:34.353 what day is he going to be on vacation? 
So they can't go over to his office and knock on his 00:27:34.353-->00:27:39.057 door and, or, and say "Hey, did you send that email?"." Now find out when he is going to be 00:27:39.057-->00:27:44.396 on vacation, uhm, find out where people sit in the organization - is it difficult for them to 00:27:44.396-->00:27:49.601 potentially go ask those, those folks? Uhm, ask about what their escalation procedure is for, uh, 00:27:49.601-->00:27:55.173 getting, uh, spam emails and malicious email and those types of things, so then you can start 00:27:55.173-->00:28:00.012 understanding who they're going to potentially escalate it to. So maybe you can notify those 00:28:00.012-->00:28:05.350 people to say "Hey, you just got an escalation - good! We're doing a phishing campaign - 00:28:05.350-->00:28:12.357 don't tell anyone. Okay, see how many people report it." Okay. >> Absolutely. So, uhm, the other 00:28:12.357-->00:28:19.164 big one for us that we learned was make, make your client or your bo.. your contact, uh, 00:28:19.164-->00:28:23.869 within your organization and at least one level of management above them part of the pretext 00:28:23.869-->00:28:28.607 brainstorm. So you catch, you catch things early, they tell you "Yea, that's, that's not 00:28:28.607-->00:28:32.010 gonna work, we all sit on one floor." >> Yea, they're, they're definitely just going to walk 00:28:32.010-->00:28:37.649 over to Bob's office and ask him if he sent the email. [pause] >> I'm gonna let this one speak 00:28:37.649-->00:28:42.654 for itself. >> What the hell is this? >> Right. [chatter] Kay, okay. So here's another one 00:28:45.490-->00:28:49.761 I've gotten nailed by, your client asks you to send the email slowly so that you're 00:28:49.761-->00:28:54.733 gonna avoid detection, just, you know, send one, wait 10 more minutes, send one. By the time 00:28:54.733-->00:29:00.238 you've got 10 emails out, what's that? Math is hard. An hour and 40 minutes. 
You've given people 00:29:00.238-->00:29:04.610 plenty of time and someone's gonna go alert security or compliance to the help desk, 00:29:04.610-->00:29:08.981 they send out a mass email - the jig is up! Your... >> Yea, you've only got 140 email 00:29:08.981-->00:29:13.652 addresses out of the organization out of 3000. And your campaign is effectively 00:29:13.652-->00:29:19.124 over. That wasn't a good test of the humans. >> Kay, so the only time you should be doing 00:29:19.124-->00:29:25.864 low-and-slow is barbecue, Carl. [laughter] Come on! That's how you do good barbecue - low 00:29:25.864-->00:29:30.869 temperature, long period of time. G*d! >> F my life. [laughter] >> Baricue, barbecue, 00:29:32.971-->00:29:39.811 Carl, barbecue! Alright, so phishing is truly about speed - you wanna get in as many emails 00:29:39.811-->00:29:46.251 in front of people's eyes before they can collectively make a decision that "This is bad" and 00:29:46.251-->00:29:49.421 pass notifications. >> You're racing the organization's ability to communicate and 00:29:49.421-->00:29:54.993 collaborate and detect you and they will - humans are social creatures. Oh, wait, this whole 00:29:54.993-->00:29:59.297 talk's about communication. >> Right, you're, you're trying to exploit the race condition of 00:29:59.297-->00:30:03.235 getting your email in front of as many eyeballs as possible, uh, before they start 00:30:03.235-->00:30:06.838 communicating internally that "Hey, maybe we have a problem" and start doing some reporting. 00:30:06.838-->00:30:10.842 >> And so make sure your deadline is really soon, don't give them two days, don't tell 00:30:10.842-->00:30:14.680 them, don't even give them a day. You wanna get people into the lizard brain part that's 00:30:14.680-->00:30:19.351 scared and has to act fast and the other reason you wanna make them act fast is that they 00:30:19.351-->00:30:23.388 don't have a chance to talk to each other. 
Cause communication is their big, their big defense. 00:30:23.388-->00:30:27.526 >> Yup, that's, that's one of the other things sort of as a, as a design that's worked really 00:30:27.526-->00:30:33.432 well, uhm, in the, in the phishing. If you're asking someone to perform some action, 00:30:33.432-->00:30:38.904 give them a call to action and have some penalty behind it. Uhm, "Hey, if you don't go to 00:30:38.904-->00:30:43.075 this website and put in your username and password in the next 15 minutes we're cutting 00:30:43.075-->00:30:48.146 off your access." And what happens when you cut off their access? You can't do your job! 00:30:48.146-->00:30:53.719 And then your manager gets mad at you... So what do they do? "Oh, crap, I better go do this", 00:30:53.719-->00:30:59.524 before the lizard part of the brain catches up and says "This is not, where did my tail go? 00:30:59.524-->00:31:04.463 Oh, right." So you're exploiting that risk condition. >> Okay, so... >> Is, is, is my tail 00:31:08.500-->00:31:13.505 sticking out? [laughter] Okay.. So, this poor gentleman, he chose poorly. This is in fact 00:31:15.607-->00:31:21.880 NOT Indy, he was not named after the dog, right? >> I remember he didn't do that, right? >> Yea, 00:31:21.880-->00:31:26.885 he drank from the wrong chalice. >> Okay... >> So, Jay? >> Sure, poor domain choice - we, uh, 00:31:29.488-->00:31:34.493 everyone learns this one really early on - you choose a domain badly, uhm, one of the great 00:31:36.862-->00:31:41.900 things that most, uh, most of the people, most noobs will try, uhm, and I'm not gonna admit 00:31:41.900-->00:31:45.170 whether I've done this too, is they will pick, uh, you know, they pick, they've got their 00:31:45.170-->00:31:50.876 target - Eli Lilly and we've never done work for Eli Lilly, so I felt safe putting them in here. 
00:31:50.876-->00:31:54.546 >> They just happened to have a company name that has lots of Is and Ls that could be replaced 00:31:54.546-->00:31:59.951 with ones. >> So, you know, you try something along the lines of changing an L or an I to a one, 00:31:59.951-->00:32:05.390 or changing an I to an L, or an L to an I. Uh, the problem is... >> Fo.. font collision attack. 00:32:05.390-->00:32:08.460 [laughter] >> Nice. The problem is the employees are trained to catch this, this is like one of 00:32:08.460-->00:32:12.764 the few things that user awareness training does tend to get consistently right across 00:32:12.764-->00:32:18.804 the organization. So, nobody's fooled, your numbers are awful and everyone says "Uh, yea, they 00:32:18.804-->00:32:23.809 don't do good phishing tests." - you don't want that to be you. >> So choose wisely! Alright, 00:32:25.844-->00:32:31.082 choose wisely, drink from the woodcutter's, the, uh, the, uh, carpenter's chalice. Right, not 00:32:31.082-->00:32:36.021 the most lavish one because, yea, that's not the right one. Kay, so pick a really good domain, 00:32:36.021-->00:32:42.160 use the, use the customer or use your name in the domain but add additional code entropy to it. 00:32:42.160-->00:32:47.165 Uhm, you know, in this case uh, say "elilily-benefits", uhm, or pick a domain that, uh, you, you 00:32:49.901-->00:32:54.906 can use for multiple clients and then use sub-domains per. Uh, to sorta try and make it look like 00:32:54.906-->00:32:59.978 you've partnered with a third party, uhm, so that the, they now have multiple sub-domains 00:32:59.978-->00:33:04.916 for each one of the, uh, uh clients and so forth. Uhm... >> And honestly, figure out what 00:33:04.916-->00:33:09.087 will work. So, you're gonna come up with those ideas and before you just stand up the domain and 00:33:09.087-->00:33:14.960 go on ahead, uhm, go and talk to your client but also go and talk to your co-workers. 
You know, 00:33:14.960-->00:33:18.363 one of my co-workers is sitting in the front row, John Sawyers, the one who got us all, the one 00:33:18.363-->00:33:22.801 who got, who got me to pick better domain names and told me what kinds of things worked and 00:33:22.801-->00:33:26.738 all the other co-workers, uh, was also sitting up front is the guy who said "You know what, we 00:33:26.738-->00:33:30.508 shouldn't use domains, we should buy domains and keep them for the long term and start using 00:33:30.508-->00:33:35.580 sub-domains of those". And honestly, just talk to other people and collaborate, that's 00:33:35.580-->00:33:40.719 the... the biggest thing with phishing is one of those things where we all just think "Okay, 00:33:40.719-->00:33:44.589 it's a one-person job, I'm gonna sit down and I'm gonna do it myself", and uhm, whatever goes 00:33:44.589-->00:33:49.527 wrong you're like "Agh, sh**, we could have avoided that". But if you talked to more people, 00:33:49.527-->00:33:53.431 whether it's at your client, whether it's in your company - that collaboration ends up 00:33:53.431-->00:34:00.372 producing better results. >> Yea, don't do it in a vacuum. >> Yea. >> So, uh, so what if your 00:34:00.372-->00:34:04.910 client, this is where we're gonna break from the story or talk a little bit more about 00:34:04.910-->00:34:08.246 this story. What if your client is the one who asked you to take their Eli Lilly domain name, or 00:34:08.246-->00:34:12.350 what have you, and change the L to a one? >> So, the client in fact wants to choose poorly... 00:34:12.350-->00:34:15.720 >> The client wants to choose poorly, you know it's, you know it's not gonna work, you know 00:34:15.720-->00:34:20.625 why it's not gonna work, or, or, you think it's, it's...really unlikely to work all that well. 
00:34:20.625-->00:34:24.195 And now you're, you have to realize that you're in a negotiation, you know, you can 00:34:24.195-->00:34:28.633 just say "Uh, he made me do it, he made me pick a bad domain, so it didn't work out so well, so 00:34:28.633-->00:34:32.938 it's all his fault. Who cares?" >> I don't care. >> Yea, screw that. >> As humans that's not 00:34:32.938-->00:34:37.008 what we're about - we care about what we do. >> Yea. >> So we want to make it better. >> So, 00:34:37.008-->00:34:41.413 so realize that this adverts for collaborating, about communicating, about 00:34:41.413-->00:34:47.519 negotiating, so the, the easiest way to lose in a negotiation, uhm, is to not realize you're in 00:34:47.519-->00:34:53.258 one and you're basically always in one. Uhm, but, sometimes that means that you, you have 00:34:53.258-->00:34:58.730 something besides just "Yes" or "No", besides "Just go with his idea", or, you know, stomp a.. 00:34:58.730-->00:35:03.601 stomp your feet on your own idea and that's to get more creative. Uhm... Sometimes that's as 00:35:03.601-->00:35:08.974 simple as just saying "Okay, I, I'm not really sure about that one, before we lock in on it, 00:35:08.974-->00:35:12.143 could we brainstorm as part of a larger group? Can we, a, you know, can we get some more 00:35:12.143-->00:35:17.415 people from your organization in?" And yea, somebody else calls, somebody else calls 00:35:17.415-->00:35:24.155 "Bull..." on the, on the domain and, and that makes it easier. >> Yea.. So more choosing 00:35:24.155-->00:35:29.160 poorly, right? "The amount of people who has poor grammar is two damn high!" [sigh] 00:35:31.229-->00:35:35.200 [laughter] So, one of the ones that we used to get hit with early on, our client, the client 00:35:35.200-->00:35:39.404 would ask us to use broken grammar and spelling to simulate what they get. Uhm, you get 00:35:39.404-->00:35:43.775 frustrated cause you know that'll lower your success rate. 
Heck, maybe you go ahead and do 00:35:43.775-->00:35:48.413 it and you send out the broken grammar, you end up frustrated, the client's given the company a 00:35:48.413-->00:35:53.418 false sense of security. So, by winning, by winning the negotiation when the client was 00:35:53.418-->00:35:59.991 pushing you to, uh, the client was pushing you to use broken grammar he just lost. And that's 00:35:59.991-->00:36:05.263 a... that's my number one rule of negotiating: If anyone loses, everyone loses. It's kinda like 00:36:05.263-->00:36:09.167 the "If mama ain't happy, ain't nobody happy", it's actually like "If anybody ain't happy, 00:36:09.167-->00:36:14.172 ain't nobody gonna be happy". >> Yup.. So, grammar Nazis be like "Wait, no "are" like, okay...". 00:36:18.376-->00:36:23.681 Alright, so, communicate with your organization and tell them, how... exactly that happens, that 00:36:23.681-->00:36:27.719 the broken grammar actually reduces the effectiveness of testing the humans. You... 00:36:27.719-->00:36:32.724 they're trained, they know that if a user's sending email to look like it's coming from a company 00:36:32.724-->00:36:38.530 as part of a, a phishing campaign, uh, to have it be somewhat legitimate and there's 00:36:38.530-->00:36:44.102 incorrect grammar? Do you think many people send out emails as their corporate organization, as 00:36:44.102-->00:36:49.407 part of some marketing type of thing with incorrect grammar? Uh, yea, not usually cause that 00:36:49.407-->00:36:56.081 probably goes through about 12 rounds of proofing, uhm, an, and absolutely. Now start going into 00:36:56.081-->00:37:01.152 and digging in your spam and showing them to the people you're working with, like "Look, 00:37:01.152-->00:37:06.491 I just got this email, it was spam!" "And the grammar is immaculate!". >> This is, this 00:37:06.491-->00:37:10.295 is key, you know, like, if you're in that situation the client just fee... 
it seems like 00:37:10.295-->00:37:15.366 the client just won't listen to reason, your goal, or your, you know, your boss won't listen to 00:37:15.366-->00:37:21.573 reason or what have you, your goal is to, you know, kind of take a breath, stay present and 00:37:21.573-->00:37:27.078 get creative. And if you could just stick with it and try again, you'll often get a much 00:37:27.078-->00:37:31.382 better result. And so it's like "Okay, well, tell me more about what your concern is, why are 00:37:31.382-->00:37:35.420 you digging your heels in?" and they say "All the stuff we ever get has broken grammar?" and you 00:37:35.420-->00:37:40.792 say "Okay, lemme show you some of the stuff that I get that isn't.". And that ends up being 00:37:40.792-->00:37:46.865 convincing. >> And, and, be willing to, uh, to do both. Send some with broken- and send some 00:37:46.865-->00:37:51.703 with good grammar. And send it to two different groups within the organization and see how the 00:37:51.703-->00:37:57.342 numbers turn out. >> And that's where creativity gets you that better result. >> Yup. I love 00:37:57.342-->00:38:02.514 this one. Some cops are Jedi - they're just holding this fence back with the Jedi mind trick, 00:38:02.514-->00:38:07.519 right? [laughter] Kay. [sigh] So, sometimes your phish is so good that some federal authority 00:38:14.959-->00:38:19.464 gives you a call and says "What in the hell are you doing?" Yea, so, yes. Why? Because in 00:38:19.464-->00:38:24.469 many of the cases the organization you're sending the email into, uh, doesn't involve 00:38:26.871-->00:38:32.377 enough people to tell them "Hey, we're doing a phishing campaign!" and then they 00:38:32.377-->00:38:38.283 escalate appropriately and they escalate way too far. [chatter] >> When we've... 
so we've had 00:38:38.283-->00:38:43.555 this kind of thing happen a couple times and, uh, and when it happens it usually starts 00:38:43.555-->00:38:48.493 with the engagement where the client says "The only people that are going to know about 00:38:48.493-->00:38:52.530 this phishing exercise are gonna be me and my boss, we're both on the phone. No one else is gonna 00:38:52.530-->00:38:58.903 know about it". >> Not the help desk, not HR, not legal... >> Not audit, not whoever... No 00:38:58.903-->00:39:04.776 one. And then what happens, they get one, it goes to some C-level manager and the C-level manager 00:39:04.776-->00:39:10.281 freaks out and says "Oh my gosh, this is super illegal, we need to report this!". And so they 00:39:10.281-->00:39:15.119 contact someone and they call the IT department and, uh, the IT security guy calls - reaches 00:39:15.119-->00:39:19.490 out to their InfraGard contact and next thing you know the federal authorities are 00:39:19.490-->00:39:25.897 involved. >> Yea.. [chuckles] Yea, that's not a good day. >> Trust me, we're invincible, or 00:39:25.897-->00:39:31.236 invisible rather. Yea... "Nope, nope... didn't see that, didn't see that". Kay.. >> So like 00:39:31.236-->00:39:35.707 we've said before - this is your project, whether, whether you're the outside, whether you're the 00:39:35.707-->00:39:39.277 outside consultant or wheth, or whether you're a mid-level manager, whether you're the 00:39:39.277-->00:39:44.115 person, you know, lowest on the totem pole - nobody works for you. Realize you have to lead, 00:39:44.115-->00:39:48.386 you make this a mandatory part of the test, when you're explaining what the test is it 00:39:48.386-->00:39:52.090 manages everyone's expectations - "Here are the steps of the test, we're gonna follow all steps - 00:39:52.090-->00:39:57.695 one through, one through 8 and step 3 is... you've got to, you've got to involve HR and 00:39:57.695-->00:40:01.566 Legal.". 
And that, and that may, and that usually means that somewhere right there you're 00:40:01.566-->00:40:06.104 gonna sit down with your client and brainstorm - "Who needs to, uh, who might get called in the 00:40:06.104-->00:40:11.843 escalation and so who needs to know about this?" Uhm, in terms of effective ways to do that, 00:40:11.843-->00:40:17.615 tell this story, tell our stories or tell other people's stories. The human mind is 00:40:17.615-->00:40:23.154 basically set to remember stories and to pass them along - it's what kept us alive. So, use 00:40:23.154-->00:40:27.558 stories. And then friendly know your organization. >> Yup, and tell them about some of the 00:40:27.558-->00:40:31.496 escalation paths and maybe have some of those folks that sit at the top of the escalation know 00:40:31.496-->00:40:35.566 about the phishing test, uhm, so that they can, you know, they can, they can put off calling 00:40:35.566-->00:40:42.006 the authorities and involving all sorts of legal actions. Kay, if at first you don't succeed, 00:40:42.006-->00:40:48.346 fail, fail again. [laughter] Okay, I love grumpy cat. [pause] So the story of the unhappy 00:40:48.346-->00:40:54.218 client, right? You do this awesome phishing campaign, you had a high success rate... or 00:40:54.218-->00:40:58.456 depending on what success is for a customer or for the people you're working with. The, the, 00:40:58.456-->00:41:02.460 the outcome for this phishing campaign was fantastic, you got it in front of a bunch of eyes 00:41:02.460-->00:41:06.064 and they didn't fall for it because they had great training. Or they did fall for it cause 00:41:06.064-->00:41:11.502 they had really poor training... And then you start writing the report and you're, you're almost 00:41:11.502-->00:41:14.372 done with the report and you're ready to turn it in to the client and say "Hey, did you 00:41:14.372-->00:41:20.178 guys finish the test?" [reply] "Uh, uhm... like two weeks ago." [chuckles] Uh, yea.. 
>> Or, or 00:41:20.178-->00:41:26.551 maybe just otherwise which is you do the, you do the test, you achieve great results, you feel 00:41:26.551-->00:41:31.422 like it was totally a success, and your, and your client, uhm, your client if you're outside, 00:41:31.422-->00:41:34.792 or your boss just feels like it, the effort didn't go well. They didn't feel the love, they 00:41:34.792-->00:41:38.029 didn't feel like they were getting the... >> "How, how many results? Hey, how many results?" 00:41:38.029-->00:41:41.632 >> That's the other one: >> "Hey, how many results?" >> What if the client calls you, what if 00:41:41.632-->00:41:44.535 your client or somebody calls you every 30 minutes? You're trying to get your darn job 00:41:44.535-->00:41:47.672 done. You're trying to do the phishing and you keep getting all these phone calls, what do you 00:41:47.672-->00:41:52.944 do about it? >> "Hey, how many results?" Yea.. SUCCESS! [chuckles]. Alright, happy 00:41:52.944-->00:41:57.949 client is good client, right? A good client is a happy client, kay? Set some expectations about 00:42:02.653-->00:42:06.724 the types of communication you're gonna give to them during the engagement. Uhm, manage 00:42:06.724-->00:42:10.428 their expectations, "Hey, we're gonna give you some, some updates, here, a couple of times 00:42:10.428-->00:42:14.665 on the first day cause it's typically when a lot of the results come in and then we're 00:42:14.665-->00:42:17.802 gonna.. I'm gonna call you end of day tomorrow and, uh, we'll call you at the end of the day 00:42:17.802-->00:42:21.339 after that and let you know how many results... uh, and then we'll let you know when it's 00:42:21.339-->00:42:25.309 over. And you know when it should be over, the call to action, uh, but some people are 00:42:25.309-->00:42:29.647 still gonna do stuff after the call to action, so we'll let you know some of these come in while 00:42:29.647-->00:42:34.318 we're writing the report. Uh, so... 
next thing you know we will write the report. We will 00:42:34.318-->00:42:38.022 tell you when the report will be there." Uhm, set the stage for when you're going to do the 00:42:38.022-->00:42:41.392 communication so there's no surprises. >> Manage expectations and then firmly 00:42:41.392-->00:42:46.597 emphasize with your client. Your client usually has been rooting for this for a long time. Or 00:42:46.597-->00:42:51.736 your boss has been rooting for some kind of security test for a long time because they think 00:42:51.736-->00:42:57.909 that there's something to be worried about. >> Yup. Don't reinvent the wheel! Kay? Don't 00:42:57.909-->00:43:00.912 do this every time you do a phishing campaign, if you do multiple, even if you're doing 00:43:00.912-->00:43:05.383 it in your own organization - retain the infrastructure that you've built and fix the 00:43:05.383-->00:43:09.620 infrastructure based on lessons learned from your engagement. Don't spool the stuff every 00:43:09.620-->00:43:14.992 time. What we found many years ago was that when we were doing the stuff, every one of our, 00:43:14.992-->00:43:19.197 our, uh, consultants would spool up new infrastructure for every test and every one of them did 00:43:19.197-->00:43:23.835 it differently. And everyone had different problems. >> And we weren't learning anything. >> 00:43:23.835-->00:43:30.007 Yea, cause we were too busy trying to fix problems. Kay? So, we want you to fail more - you 00:43:30.007-->00:43:34.412 guys are so innovative, right? Create, Maintain, Publicize... >> So the fix is, the fix is 00:43:34.412-->00:43:38.950 either use existing, good, free tools. We like Phishing Frenzy a lot, or develop your own and 00:43:38.950-->00:43:43.120 whatever you choose, lock in on it for a while and teach everybody how to use it. Maybe 00:43:43.120-->00:43:47.158 even record that, maybe even record when you teach everybody how to use this. 
You can get 00:43:47.158-->00:43:51.529 everybody on the same page and that means that every assessment you do after that makes you 00:43:51.529-->00:43:54.966 better at doing this. Because now, if you build and renew it, if you build onto the 00:43:54.966-->00:44:00.371 infrastructure you're building a capacity you didn't have before. >> Yup... automate and script it 00:44:00.371-->00:44:02.473 so that you can use it multiple times. I love this one: "Roses are red, my name is not Dave, 00:44:02.473-->00:44:04.475 this makes no sense, microwave", right? Kay... >> Sounds like my poetry... >> But what? ... Wha, 00:44:04.475-->00:44:06.477 what are you talking about? Exactly.... We have no idea what we're talking about cause we 00:44:06.477-->00:44:08.479 didn't follow up with the right people after the engagement to see how they thought it went, 00:44:08.479-->00:44:10.481 kay. What, and what did they do after the campaign? >> This is one that we didn't even know was 00:44:10.481-->00:44:15.887 a failure, this is one we didn't even know we were failing at. So... >> Because we had an 00:44:15.887-->00:44:21.959 unknown hard error. We had no idea, what, what their outcome was. >> And we learned when a 00:44:21.959-->00:44:26.964 client called us and started telling us about the results of the phishing, they said "Okay, 00:44:42.480-->00:44:46.517 ever since you, ever since you did that phishing you've raised the reporting rates, you've 00:44:46.517-->00:44:49.453 reduced our click rates" - cause they're still testing themselves. And they said "We're 00:44:49.453-->00:44:51.455 getting higher report rates, we're getting what we want" and I said... >> "GOOD!" >> I've 00:44:51.455-->00:44:53.457 never bothered to ask a client before how that worked out for them, like I'd come back to them 00:44:53.457-->00:44:55.459 a year later but I didn't ask them for specific numbers. And, uhm, yea... find out. 
>> So 00:44:55.459-->00:45:00.398 needless to say we've done a lot of frustration with phishing to the point that, uh, Mr. Beale 00:45:06.437-->00:45:11.442 used to have hair. Kay.. [chatter] >> I pulled it all out. >> All of it. Kay... So the 00:45:18.783-->00:45:25.489 overall lesson: what's the takeaway? Phishing is all about collaboration, kay? Again, if 00:45:25.489-->00:45:30.595 you're having a conversation with two people you're having a negotiation whether you know it 00:45:30.595-->00:45:35.166 or not. Jay and I negotiated several times on this stage... >> We did, we did. And before 00:45:35.166-->00:45:39.537 here and with goons so most of the failures, most of the failures that we're describing 00:45:39.537-->00:45:45.509 are failures needed to think ahead and communicate, collaborate and lead. Even that 00:45:45.509-->00:45:50.648 means, even when that means "lead with...". So we hope that you'll use these stories to 00:45:50.648-->00:45:57.021 persuade and plan and win at phishing, at your work, at life. Uhm, for whatever definition 00:45:57.021-->00:46:01.892 winning is, remember, remember the final sto... remember the final lesson. If anyone loses a 00:46:01.892-->00:46:06.897 negotiation - everyone loses! >> So don't lose! >> Ugh... Thank you very much. >> And don't, and 00:46:09.400-->00:46:14.405 don't let, and don't let the other half lose. [applause] Thank you! [applause]