Good afternoon. Welcome to Phishing Without Failure, or Frustration for that matter. Or, How I Learned to Stop Worrying and Love the Layer 8. Otherwise known as Eleven Stories of Fail. Brought to you by... Jay Beale. Larry Pesce. Yay. Woo! Woo! Welcome to day whatever of DEF CON. For some of you, this may actually be a continuation of yesterday because you haven't slept yet. Or some of you got lots of sleep, right? Who got lots of sleep? Lies. Lies. If you see anybody wandering around and kind of looking, you could choose one of two takes. Either ignore them fully. Like, just... I would stare right over their shoulder, menacing growl, let them know that there's no way they're getting a seat. Or, well, let's go for the second option. Please scoot in, make room, pull your legs back, make friends. Hopefully you all showered today? Nope. Okay. All right. Yep, I did. Thank you. All right. So, let's talk about some Phishing Without Failure and Frustration. So, for Jay and me and the InGuardians crew, this phishing stuff should be really easy. From the technical side, you know, you create a really witty or crafty email that sends the readers to a website with some URL. You set the website up. I mean, this is easy. You need Apache on Linux. It takes you about 10 minutes to do. It's one form. You build a really crappy one-form page with H1 tags and blink and marquee. And we collect credentials. We get client approval, steps one and two. And we send that email to as many email addresses as we can possibly find. And you watch the passwords fly in. Yeah. And you get 10 to 40% of the employees in most cases. And sometimes you get lucky and it really is this easy. Yeah. And now our job is done, right? So, thanks for coming. That's how you do Phishing Without Frustration. No. Welcome to phishing. This is all there is to it. Thank you. It doesn't work that way. It'd be nice if it did. Sometimes you get really lucky. However.
Sometimes you get really, really lucky. Larry Pesce here once had a phishing campaign with a success rate of more than 100%. He sent an email out to some number of employees of the company. Let's call it half the employees. And he had the routine scary email that has all the things it needs to have. It has to have a call to action. That call to action has to say bad things will happen otherwise, or encourage you to be helpful, and it has to give you a nice deadline, right? So, he crafted that email great and it scared people hardcore. So, they forwarded that email. The people who got it, whose colleagues hadn't gotten it, forwarded it over to them too. They're like, dude, you have to do this or else your access is going to get cut off. And then... But I didn't get that email. Can you forward it to me? I'll send you a copy. And the people who were sending copies out actually sent copies out to their other accounts. So, a lot of us, you know, we've got our normal user account. We've got our admin account. And then we've got our domain admin account. And so, you got it on one of the three and you send it to the other two. Just to make sure that Larry gets domain admin passwords. Bingo. It worked out really well. I hope I'm not too old, and everyone does recognize INXS: our rates in excess of 100%. You're too old. You're too old. So am I. Yeah. All right. So, why are we doing this phishing to begin with? So, the intent for doing the phishing to begin with, you probably don't need to tell a lot of you, but to make sure we're covering all of our bases. We're here to try to do this phish to, quote, make the organization staff hard-ass mofos. Right? We're trying to build the firewall of the human. Right? We're trying to train the users to be better at this so that they don't click on stuff. And this stuff works.
After you get through your second or third time finding out that you got caught by a phish, you tend to be a heck of a lot better. You're a little gun-shy. Right? You start looking at every one of those emails rather critically and going, is this real or not? And sometimes the phishes are so good, you question. I have actually seen some folks send me some sample phishing emails, and I almost clicked on them, because they were that good. Like, why did I just get an email from FedEx? I know I'm waiting for a FedEx package. No, don't click that. Don't click that. So, it's about hardening the humans, and not necessarily testing the technology to prevent it from getting into the organization in the first place. Now, the problem is that most people's... So we're taking the perspective that you are either a consultant like us, or you're in your own organization. You're trying to get a phishing profile. You've got a phishing program going to harden your users. Yep. Which ultimately, if you're running a phishing campaign in your own organization... So when we say clients, we mean potential clients that we work with from a consulting perspective. Or, you are in fact having your users in your organization be your clients. You are working within your department and your management. And you are a client of that management staff. Yeah. When I was internal, I liked to think of myself as, I still like to think of myself as, a consultant. I like to think of myself as having clients, because that got me to understand who I was trying to serve. Okay, so most people's attempts don't go this well. Years ago, when InGuardians started doing more regular phishing work, when we were doing it often, we'd watch our consultants get so frustrated with the situation when they were phishing. And we got better. So the rest of this talk is about all the frustrating situations that we and others ran into, and trying to teach you how to avoid them yourselves.
So you can just have fun with this. Because phishing, when it goes well, is really, really fun. Get the passwords. Harden the users. Make everybody happy. This is awesome. But for most people, their first attempt or two or three ends up being frustrating in a way that leaves them blaming their client, blaming themselves, frustrated. And even though they get technical success, they end up just saying, God, I hope I don't have to do that again. All right. So we're taking the approach of more of a pen test type of scenario here. This isn't about the red team, although red team is the, quote, new sexy. We do that, too. But we're talking a little bit more about doing a generalized attack as opposed to a very specific, targeted red team type of attack. We're going to share 11 stories of our failures and the solutions that we found that seemed to work really well to avoid those. And we're going to generalize this. And honestly, this stuff should be useful way outside of phishing. It should be useful in the rest of your professional life. It should be useful in your families. So we're basically going to say that any effort you're attempting professionally is going to involve a certain amount of, and hopefully, and usually more than you realize, communication, collaboration, and negotiation. And I'll say something like this again, but I want you to know my rule is: anything in life that involves more than one person is a negotiation, whether you realize it or not. Yep. Otherwise, you're just playing with yourself. You're the expert there. Somebody's got to do it. It's a dirty job. Somebody's got to do it. All right. So red team phishing, on the other hand, as opposed to more traditional pen test type phishing: we're not looking for that to test everyone. We're looking at that as an access methodology. And it's going to be a very detailed, tailored approach.
Very focused attack with a very small pool of emails, typically one to ten, usually one to two, sometimes even just one. We're going to do lots of open source intelligence. We're going to be delving into finding out what attack is going to work, and what attack is going to work the first time, because that's all we've got. And we need to build a lot of infrastructure around that, with backstories and great pretexts and you name it. We're going to have to spend lots and lots of time for a single red team type phishing email. It may take months to construct, from the email content to building fake LinkedIn profiles to setting up domains and you name it, to build that specific pretext. And getting those domains to have some history behind them so they'll make it through the filters. Right. So that they have some provenance, as it were. So that those domains that we want to use for phishing have some trust based on use and organizational application and so forth. And some of the things that we found that work really well is using either Office 365 or Gmail, Google services, to use their trust for all of the spam filtering and so forth, to have that reputation built by others first. Their mail servers often get whitelisted, so you get the emails through easy. Okay. So like we said, we're going to tell you 11 stories from real life experience. Each one of them informs the way that we run our phishing engagements, and honestly, over time, they start to inform the way that we do work for clients and run our company. So as I said, we're going to give you this advice as if you're either one of us, a consultant, or you're inside a company and you're trying to do a phishing campaign yourself. Okay. So no plan survives first contact with the enemy. Right. There is possibly no way we can have any of this phishing fail. I mean, this is not going to go wrong. Like this cat attacking this particular balloon, right? Because you know what's going to happen here.
The cat is going to jump off the door. The door is going to swing closed. Or it doesn't swing closed and they catch the balloon and plummet to the floor. Or they grab the balloon and the balloon pops. And then you know what happens when the cat has a balloon that pops? It's messy. It's messy. Really messy. Firsthand. Yes. Yes. Yeah. It scares the crap out of them, literally and figuratively sometimes. All right. So, first one: schedule failing. You do a great job. You work with your client. You get the test on the calendar. It's ready to go. You talk with the client. And you give them three individual pretexts to choose from. You send those over to the client. The contact that you're working with picks the pretext. You get all of that built by Wednesday in preparation to send the email out on Friday, so that it's in their email boxes first thing on Monday morning so that all of the folks are looking at it. They get it Wednesday. You send over all the stuff so that they can review it. Looks good. And then you find out that on Thursday your contact pushes the email up the chain a little bit and says to the manager, hey, this is the phishing pretext that we're going to use, and we're going to get these emails out somewhere between Friday and Monday. Just a quick FYI. I thought it would be a good idea to show it to you. Kind of like a last-minute here you go. Just want to let you see it. And the manager says, what the heck is this? You can't do this. This is all wrong. All our users are going to fall for this. Or this is too believable. Or we're going to get in so much trouble. No. You have to start back over again. Or this has objectionable material. You can't actually try to sell medicinal drugs to make things bigger or smaller or whatever. Or stand up longer. We're trying to make some side money. Yeah. So now the manager comes back and says, there's no way. Start the pretext over. You can't use this one. Do this instead.
And now your contact comes back to you and says, so Larry, Jay, I'm sorry, but we have to make a different pretext. And we've got to start from scratch. You're going to have to build completely new dynamic material. This is going to take a little while. And as a consulting firm, we're always worried about schedule. Because if somebody starts us from scratch, all of a sudden that thing we were supposed to do next week, we're going to be doing something else. And we've got someone in the front row of this talk, actually, who has to manage changing us to the something else. Yes. She refers to changing the schedule as rearranging her Tetris board. Yes. Because it's like, where do you fit these pieces in with these players? And it becomes a mess trying to juggle that stuff. But when you do this internally, if you're not us, if you're not an outside company, if you're doing this as an internal project, you might think schedules don't matter. And the thing is, we all know this from IT: if a project starts to run late, it starts to lose credibility. And once that credibility is lost, you risk the project getting shut down, or not repeated, or losing budget, or whatever. And so it's important to stay on time. And it's important to get it right the first time. So don't blow your schedule to bits. And make sure that you communicate with the organizations to let them know what some of this stuff looks like. And yes, this is what happens when apparently you fail to communicate when creating some labeling. And yes, Arabic is spelled two different ways because they misspelled it one of the two times. Diesel fuel in Arabic, and then non-smoking in Arabic. So how do we fix it? This is the opportunity for you to lead. Woo-hoo! Never thought you'd be a leader, did you? Okay, guess what? You're going to be a leader. Hey, we need to start having some conversation with the folks in the organization to lead them through this from the beginning.
Hey, we need to have this approved before we even start building some of this stuff. Let them know what you're brainstorming. Let them have some input into some of the pretext development. At the end of the day, even if you're not a manager, or you're inside a company and you're not a manager, or you're a consultant or what have you, you may feel like you're not the boss, right? But at the end of the day, you're the one who has the responsibility to get this project done and to make it work, and work well. And that means you do have to stand up and lead. Someone has to stand up and say, this is what we're going to do. And so what we do, when we get this right, is we say, okay, this is what the process is going to be. Here's where the milestones are going to be. Here's what has to be done by when. And by the way, if this part doesn't work right, if we don't hit that milestone, this is one of the things that's happened in the past. So there are a few other things you find out before you even start creating your pretext. Who can veto it? And you get them involved and you tell them the risk. And maybe give them some deadlines, or figure out how long they need to get that review, so that you can schedule accordingly. Hey, we're going to send this over to you. Who are you going to send it to to take a look at it? How long do you think it's going to take them? Can we set a deadline so that we can continue to move forward and we sort of know what the rest of that schedule is going to look like? And give them some calls to action for limiting that timeframe for that approval. Make sure they know how long it's going to take. Make sure you know whether the amount of time you've set is actually reasonable. So. Yep. Okay. Don't build your entire prototype of your pretext until you actually have approval.
Like, don't spin your wheels building this huge thing for your pretext, all the background of the pretext, to find out that you just wasted 40 hours building this pretext and it's no good. Well, maybe you can use it on another client, but depending on how tailored it is to that individual client, maybe not so much. So the other part of this is basically just realize: you're talking to one person. You're talking to your client. You're talking to your boss. But you're in a multi-party negotiation whether you realize it or not, because the organization, or your client, has got a whole bunch of people. So you're in a multi-party negotiation and it's up to you to lead it and rock it and make sure that you're involving enough people. So how many of you guys are introverts in this room? Don't all raise your hands at once. Okay. I know you're being introverted, right? Yeah. That guy in the back, he's clearly an introvert, right? Yeah. Who's not an introvert? Who's an extrovert? They tend to raise their hands more. Yeah. Yeah. Not many of you. Whose arms don't work? And that's pretty endemic in our industry, right? I think a lot of the folks that I run into deal with technology because they don't want to have to deal with people. Well, unfortunately, we have to deal with people, right? Yeah. So some introvert pro tips. It's about when you're going to communicate and ultimately the type of communication. So if you communicate more in the beginning about this whole process, the communication will be much better. You get an opportunity to excel and to lead and to have fun. Or if you don't communicate enough, you end up in these last three bullets, which sucks. And it takes longer, too. So it's more effort. And you're talking about the frustrations. You're assigning blame. You're talking about why the project didn't work. You're lamenting the failure. Yeah. People are getting angry and finger-pointing. And that never goes away. And it's not nice. And it makes you not want to do this.
And it makes you frustrated. So communicate more in the beginning. Cool. I can't wait until my kids start sending me Father's Day cards via email because they're cheap, right? I already do that. See, I can't send Father's Day cards. Well, I can't send Mother's Day cards. My father passed away. So I can't send Mother's Day cards to my mom via email. You know why? She can't. She has a computer. Okay. I took it away from her. All right. What's the point of this slide again? So what do you mean? Please don't transcribe that. Oh, now we can mess with the transcriptionists? No. No, stop it, Jay. All right. So, did you check your spam folder? Yeah. What happens when your phish ends up in the spam folder? So this is something that used to happen to us. We actually had a bunch of people that were like... We had one of these happen to us recently. But in our story, you spend a whole bunch of time developing that pretext, landing page, go through all the negotiation we've been talking about. None of your emails make it through the organization's spam filters. At this point, the spam filters have been trained on your email, so you don't get to use it in the future. So your spam filters trigger maybe because your domain's too new, or it has broken SPF, or maybe the spam filters just get lucky. And you're back to the drawing board. Schedule suffers. Your contact or your boss is in no hurry. Check out this pretext. Let's go test it. No, it doesn't work. Testing would be good. So let's do some user testing. On our user testing. So we've tested the test with some user testing. Right. Okay. Yo, dawg. Okay. This is the one technical slide we have this entire talk. So on the technical side, go and configure SPF and DKIM. Use an MTA that you've tested. It's had a domain for at least a week and it's been assigned to do that. And... It's been assigned to do that.
So the way you can do this is, just a pro tip, do your IPv6 assignments for all the services as well. One of our clients had a mail server that did SPF record lookups and preferred IPv6 over IPv4. And the IPv6 lookup would fail. And then, because our SPF record wasn't appropriate, they would drop the mail as spam because it was the IPv6 and not IPv4. And it took us forever to figure out why this stuff was not, you know, really making it through. So, with that said, we like the human fix for this one. Basically, you talk to your client, your contact, your boss, and you say you're testing the humans, not the technology. We talked about red teaming and it had a different focus, but in this you look and say, what's the overall mission? The overall mission was to get an email to everybody in the org, or to a large portion of the org, and see how they respond to an actual phishing email. So if the technical solutions get in the way, then you're not actually able to do the test. So at this point we're going to go and ask to be whitelisted. Hey, could you just let our mail server send through? And make sure that you budget time to test the whitelist, because if you don't, then you still end up in this failure if your whitelist was set up and didn't work. Yep. So, for example, this is testing the human, not the technology, because we know the technology fails. How many of you folks have a spam filtering or some type of solution in your organization? Yeah. How many of you still get spam? I rest my case, right? It's broken. It doesn't always work. So it's not about testing the technology. You know you have it. You know it doesn't always work. And it takes one email to get into someone's environment, for one person to click on, and you know what's going to get there. Because do you know why they keep doing spam? Because it works. Yeah. So, all right. Math is hard. Find the volume and surface area, right, of the
cylinder. Sushi. Sushi. So, the numbers game fail. Okay, so some interesting things. You know you're going to go do a phishing test and you need to have some emails to send these to. You use all of the best tools in your arsenal to go collect email addresses from the internet: Maltego, you name it, Google, all of the tools that you use to populate those lists of emails from publicly available sources. And you end up with fifteen email addresses in a company that has a thousand employees. This is not a good test. Okay, so you're really looking to test all of the humans and to see how all of the humans react based on some of their internal training, or to gauge what type of training they need to do. You need a whole lot of email addresses. Fifteen isn't going to cut it. The thing is, the black hats, they get to brute force the mail servers to find valid email addresses. They get to send you tons of spam to do that. They get to buy mailing lists. And if they're particularly questionable, this guy named Bob, they can go and say, pull all the pager traffic, if their target, well, not their client, if their victim is, say, a hospital nearby with tons of pagers going. That'll get you some addresses. Yes, that'll get you some addresses. So, math, why are you so hard? Right? Why does this have to be so hard? How can we get around this whole 15 email address problem and be semi-ethical about it, and do this affordably, not have to buy really expensive mailing lists, and not do bad things with POCSAG and FLEX pager traffic? So let's just tell the client or the boss that an attacker could get a really comprehensive list of email addresses, because we know they can. We know they can because we know they can. When we tell them, we're going to prove it. Yep. I can brute force every email address at your mail server. You're not going to like it.
Okay, it's going to be a bad day for your email admin. So the objection that we might get from purists is like, no, wait a second, you want this to be an accurate test. And I'll say this is where the red teams, you know, military red teams, for a long time have been saying, this is our white card. We're going to say, let's just stipulate that we could get all the email addresses. You give them to us, and that way we're spending our time in smarter ways. So in our case, this is the first place where the negotiation really becomes obvious. Okay, your client may just say, no, I don't wanna. And at that point you have the opportunity to just walk away and say, okay, well, I'm gonna send him 15 emails, this phishing test is gonna suck, and you know, it's okay, it'll be his fault, so I don't care. But most of us, when we do anything in life, we actually care about the outcomes, and when we say I don't care, we're usually in some kind of pain. So what we could do instead is try to get creative. We can talk to our clients and say, how about this? We'll do the first step. We'll find all the addresses we can find, and if that's 15, great, if it's a thousand, great. At the end of that we're going to give you those addresses. We'll put them in the report. Heck, if you want, we'll do those first. But ahead of time, give us the rest of the email addresses of the organization. That way we get to do a comprehensive test where we know that we actually got to test a large enough number of users to be helpful, and you get that thing you wanted, which was that accuracy. You can kind of see both outcomes. And it won't ruin your day when we topple over your mail server by sending it too much mail, right? Your email admins will have a bad day for that. And, you know, maybe not engaging in illegal behavior for finding addresses via other means. Okay, so next story. Brace yourselves. The open floor plan.
That's my pretext. I didn't really know my client. The whole organization sat on one floor in a very large airplane-hangar-style building in an open floor plan. And so people just started going, walking over to Robert's desk here, at which point he alerts everybody. He tells a few of them and then one of them stands up and says, Hey, that email from Bob, don't open it! And your success rate goes to utter dog. What success rate? So, having an open floor plan has helped me bond with my coworkers who also despise having an open floor plan. So, know your target. Know what the environment looks like as part of developing that pretext, because again, you want to help the folks that you're testing to become better. You want to have some good success and not have the alerts. You want to test individual people and not have that alert go out, so that all those people can get tested. Talk with your client about what the office looks like. Hey, who may be a good person in the organization for us to send an email in from, if it's a legitimate source? What day is he going to be on vacation, so they can't go over to his office and knock on his door and ask, Hey, did you send that email? Now find out when he's going to be on vacation. Find out where people sit in the organization. Is it difficult for them to potentially go ask those folks? Talk about what their escalation procedure is for getting spam emails and malicious emails and those types of things, so then you can start understanding who they're going to potentially escalate to.
So maybe you can notify those people to say, hey, you just got an escalation. Good. We're doing a phishing campaign. Don't tell anyone. See how many people report it. Absolutely. So the other big one for us that we learned was: make your client, or your boss, or your contact within your organization, and at least one level of management above them, part of the pretext brainstorm. So you catch things early. They tell you, yeah, that's not going to work. We all sit on one floor. Everybody's just going to walk over to Bob's office and ask him if he sent the email. I'm going to let this one speak for itself, right? Okay. Okay. So here's another one I've gotten nailed by. Your client asks you to send the email slowly so that you're going to avoid detection. Just, you know, send one, wait 10 more minutes, send one. By the time you've got 10 emails out, what's that? Math is hard. An hour and 40 minutes. You've given people plenty of time and someone's gone and alerted security or compliance or the help desk. They send out a mass email. The jig is up. You've only got 140 email addresses into the organization out of 3000 and your campaign is effectively over. That wasn't a good test of the humans. Okay. So the only time you should be doing low and... Low and slow is barbecue, Carl. Come on. That's how you do good barbecue, low temperature, long period of time. God. F my life. Barbecue, barbecue, Carl, barbecue. All right. So phishing is truly about speed. You want to get as many emails in front of people's eyes as you can before they can collectively make a decision that this is bad and pass notifications. You're racing the organization's ability to communicate. And they will. Humans are social creatures. Oh, wait, this whole talk is about communication, right?
You're trying to exploit the race condition of getting your emails in front of as many eyeballs as possible before they start communicating internally that, hey, maybe we have a problem, and start doing some reporting. And so make sure your deadline is really soon. Don't give them two days. Don't even give them a day. You want to get people into the lizard-brain part that's scared and has to act fast. And the other reason you want to make them act fast is so they don't have a chance to talk to each other, because communication is their big defense. Yep. And that's one of the other things, as an aside, that we found has worked really well in the phishing. If you're asking someone to perform some action, give them a call to action and have some penalty behind it. Hey, if you don't go to this website and put in your username and password in the next 15 minutes, we're cutting off your access. And what happens when you cut off their access? You can't do your job. And then your manager gets mad at you. So what do they do? Oh crap. I better go do this, before the lizard part of the brain catches up and says, this is not... where did my tail go? Oh, right. So you're exploiting that race condition. Okay. Okay. So is my tail sticking out? Okay. So this poor gentleman, he chose poorly. This is in fact not Indy. He was not named after the dog, right? I remember he didn't do that, right? Yeah. Yeah. He drank from the wrong chalice, right? Okay. So, Jay. Sure. So, poor domain choice. Everyone learns this one really early on. You choose a domain badly. One of the great things that most noobs will try, and I'm not going to admit whether I've done this too, is they'll, you know, they've got their target Eli Lilly, and we've never done work for Eli Lilly, so I felt safe putting them in here.
They just happen to have a company name that has lots of I's and L's that can be replaced with ones. So, you know, you try something along the lines of changing an L or an I to a one, or changing an I to an L or an L to an I. The problem is... Font collision attack. Nice. The problem is the employees are trained to catch this. This is like one of the few things that user awareness training does tend to get consistently right across the organization. So nobody's fooled. Numbers are awful, and everyone says, yeah, they don't do good phishing tests. You don't want that to be you. Nope. So choose wisely, right? Okay. Drink from the woodcutter's... the carpenter's chalice, right? Not the most lavish one, because yeah, that's not the right one. Okay. So pick a really good domain. Use the customer's name or your name in the domain, but add additional, quote, entropy to it. You know, in this case, say Eli Lilly benefits. Or pick a domain that you can use for multiple clients and then use subdomains per client, to sort of make it look like maybe you've partnered with a third party, so that they now have multiple subdomains, one for each of the clients and so forth. And honestly, figure out what will work. So you're going to come up with those ideas, and before you just stand up the domain and go on ahead, go and talk to your client, but also go and talk to your coworkers. You know, one of my coworkers that's sitting in the front row, John Sawyer, is the one who got me to pick better domain names and told me what kinds of things worked. And one of the other coworkers, who's also sitting up front, is the guy who said, you know what, we should buy domains, keep them for the long term, and start using subdomains of those. And honestly, just talk to other people and collaborate.
That's the biggest thing. So phishing is one of those things where we all just think, okay, it's a one-person job. I'm going to sit down, I'm going to do it myself. And then whatever goes wrong, you're like, ah, shit, we could have avoided that. But if you talk to more people, whether it's at your client, whether it's in your company, that collaboration ends up producing better results. Don't do it in a vacuum. Yeah.

Okay. So what if your client... this is where we're going to break from the story, or talk a little bit more about this story. What if your client is the one who asked you to take their Eli Lilly domain name, or what have you, and change the L to a one? So the client in fact wants to choose poorly. The client wants to choose poorly. You know it's not going to work. You know why it's not going to work, or you think it's really unlikely to work all that well. Now you have to realize you're in a negotiation. You can just say, ah, he made me do it. He made me pick a bad domain, so it didn't work out so well. It's all his fault. Who cares? I don't care. Yeah. Screw that. As humans, that's not what we're about. We care about what we do. Yeah. So we want to make it better.

So realize that this effort's about collaborating, about communicating, about negotiating. The easiest way to lose in a negotiation is to not realize you're in one, and you're basically always in one. But sometimes that means that you have something besides just yes or no, besides just go with his idea or stomp your feet on your own idea, and that's to get more creative. Sometimes that's as simple as just saying, okay, I'm not really sure about that one. Before we lock in on it, can we brainstorm as part of a larger group? Can we get some more people from your organization?
And yeah, somebody else calls bull on the domain, and that makes it easier. Yeah.

So, more choosing poorly, right? "The amount of people who has incorrect grammar is too damn high." So one of the ones we used to get hit with early on, the client would ask us to use broken grammar and spelling to simulate what they get. You get frustrated because you know that'll lower your success rate. Heck, maybe you go ahead and do it, and you send out the broken grammar. You end up frustrated. The client's given his company a false sense of security. So by winning the negotiation when the client was pushing you to use the broken grammar, he just lost. And that's my number one rule of negotiating: if anyone loses, everyone loses. It's kind of like "if mama ain't happy, ain't nobody happy." It's actually, if anybody ain't happy, ain't nobody going to be happy. Yep. So grammar Nazis be like... wait, no, are like... okay. All right.

So communicate with the organization and tell them exactly how that happens, that the broken grammar actually reduces the effectiveness of testing the humans. They're trained. They know that if you're sending email to look like it's coming from a company as part of a phishing campaign, to have it be somewhat legitimate, and there's incorrect grammar... Do you think many people send out emails as their corporate organization, as part of some marketing type of thing, with incorrect grammar? Not usually, because that probably goes through about 12 rounds of proofing. And absolutely, now start going and digging into your spam and showing it to the people you're working with. Like, look, I just got this email. It was spam, and the grammar is immaculate. This is key. If you're in that situation, where it seems like the client just won't listen to reason,
or your boss won't listen to reason, what have you, your goal is to kind of take a breath, stay present, and get creative. And if you can just stick with it and try again, you'll often get a much better result. And so it's like, okay, well, tell me more about what your concern is. Why are you digging your heels in? And they say, all the stuff we ever get has broken grammar, and you say, okay, let me show you some of the stuff that I get that isn't. And that ends up being convincing. Yep. And be willing to do both. Send some with broken and send some with good grammar, and send it to two disparate groups within the organization and see how the numbers turn out. And that's where creativity gets you that better result. Yep.

I love this one. Some cops are Jedi. They're just holding this fence back with the Jedi mind trick. All right? Okay. So sometimes your phish is so good that some federal authority gives you a call and says, what in the hell are you doing? Yeah. So, yes. Why? Because in many of the cases, the organization that you're sending the email into doesn't involve enough people to tell them that, hey, we're doing a phishing campaign. And then they escalate appropriately, and they escalate way too far. So we've had this kind of thing happen a couple of times. And when it happens, it usually starts with the engagement where the client says, the only people who are going to know about this phishing exercise are me and my boss. We're both on the phone. No one else is going to know about it. Not the help desk, not HR, not legal, not audit, not whoever. No one. And then what happens? They get one. It goes to some C-level manager, and the C-level manager freaks out and says, oh my gosh, this is super illegal. We need to report this. And so they contact someone, and they call the IT department, and the IT security guy reaches out to their InfraGard contact, and next thing you know, the federal authorities are involved. Yeah.
That's not a good day. Trust me, we're invincible. Or invisible, rather. Yeah. Nope, didn't see that. Didn't see that. Okay.

So like we said before, this is your project. Whether you're the outside consultant, whether you're a mid-level manager, whether you're the person lowest on the totem pole and nobody works for you, realize you have to lead. You make this a mandatory part of the test. When you're explaining what the test is, you manage everyone's expectations. Here are the steps in the test. We're going to follow steps one through eight. And step three is, you've got to involve HR and legal. And that usually means that somewhere right there, you're going to sit down with your client and brainstorm who might get called in the escalation, and so who needs to know about this. In terms of effective ways to do that, tell this story. So tell our stories or tell other people's stories. The human mind is basically set to remember stories and to pass them along. It's what kept us alive. So use stories. And then finally, know your organization. Yep. And tell them about some of the escalation paths, and maybe have some of those folks at the top of the escalation know about the phishing test so that they can put off calling the authorities and involving all sorts of legal actions. Okay.

So if at first you don't succeed, fail, fail again. Okay. I love Grumpy Cat. Okay. All right. So, the story of the unhappy client, right? You do this awesome phishing campaign. You had a high success rate. Or, depending on what success is for your customer or for the people you're working with, the outcome for this phishing campaign was fantastic. You got it in front of a bunch of eyes and they didn't fall for it because they had great training, or they did fall for it because they had really poor training. And then you start writing the report, and you're almost done with the report and you're ready to turn it in to the client, and they said, hey, did you guys finish the test?
Like, two weeks ago? Yeah. Or maybe just otherwise. You do the test. You achieve great results. You feel like it was a total success. And your client, if you're outside, or your boss, just feels like the effort didn't go well. They didn't feel the love. They didn't feel like they were going to make a decision. Hey, how many results? That's the other one. Hey, how many results? What if your client or somebody calls you every 30 minutes? You're trying to get your darn job done. You're trying to do the phishing, and you keep getting all these phone calls. What do you do about it? How many results? Yeah.

Success. All right. A happy client is a good client, right? A good client is a happy client, okay? Set some expectations about the types of communication you're going to give to them during the engagement. Manage their expectations. Hey, we're going to give you some updates a couple of times on the first day, because that's typically when a lot of the results come in. And then I'm going to call you at the end of the day tomorrow. And I'll call you at the end of the day after that and let you know how many results. And then we'll let you know when it's over, and when it should be over, the call to action. But some people are still going to do stuff after the call to action. So we'll let you know when some of these come in while we're writing the report. So next thing you know, you're going to write the report. We'll tell you when the report will be there. Set the stage for when you're going to do the communication so there's no surprises. Manage expectations. And then finally, empathize with your client. Your client usually has been rooting for this for a long time, right? Your boss has been rooting for some kind of security test for a long time because they think that there's something to be worried about.

Don't reinvent the wheel. Don't do this every time you do a phishing campaign, if you do multiple.
Even if you're doing it in your own organization, retain the infrastructure that you built, and fix the infrastructure based on lessons learned from your engagement. Don't spool this stuff up every time. What we found many years ago is that when we were doing this stuff, every one of our consultants would spool up new infrastructure for every test, and every one of them did it differently. And every one had different problems. And we weren't learning anything. Yep, because we were too busy trying to fix problems. So we want you to fail more. You guys are so innovative.

Create, maintain, and publicize. The fix is either use existing good free tools (we like Phishing Frenzy; we like phishing a lot) or develop your own. And whatever you choose, lock in on it for a while and teach everybody how to use it. Maybe even record when you teach everybody how to use it so you can get everybody on the same page. And that means that every assessment you do after that makes you better at doing this, because now if you build onto the infrastructure, you're building a capacity you didn't have before. Yep. Automate and script it so that you can reuse it multiple times. Okay.

I love this one. Roses are red. My name is not Dave. This makes no sense. Microwave. Right? Okay. Sounds like my poetry. What are you talking about? Exactly. We have no idea what we're talking about, because we didn't follow up with the right people after the engagement to see how they thought it went. Okay. And what did they do after the campaign? And this is one we didn't even know was a failure. This is one we didn't even know we were failing at, because we had an unknown hard error. Right? We had no idea what the... And we learned when a client called us and started telling us about the results of the phishing. They said, okay, ever since you did that phishing, you've raised our reporting rates, you've reduced our click rates, because they're still testing themselves.
And they said, we're getting higher report rates, we're getting what we want. And I said, I've never bothered to ask a client before how that worked out for them. Like, I'd come back to them a year later, but I didn't ask them for specific numbers. And, yeah, find out. Yeah.

So needless to say, we've done a lot of frustration with phishing, to the point that Mr. Beale used to have hair. I pulled it all out. All of it. Okay. So the overall lesson, what's the takeaway? Phishing is all about collaboration. Okay? Again, if you're having a conversation with two people, you're having a negotiation whether you know it or not. Jay and I negotiated several times on this stage. We did. We did. And before here, and with goons. So most of the failures we've been describing are failures either to think ahead and communicate, collaborate, and lead. Even when that means lead with. Yep. So we hope that you'll use these stories to persuade and plan and win at phishing, at your work, at life, for whatever definition winning is. Remember the final lesson. If anyone loses a negotiation, everyone loses. So don't lose. Yeah. Cool. Don't let the other half lose. Thank you. Thank you. Thank you. Thank you. Thank you.