He has 12 years of information security experience, but he still considers himself a social engineering newb. I'm going to quote him on this. He enjoys all aspects of infosec, but enjoys creeping on people and infrastructure using OSINT the most. And even though he's kind of creepy, he has been accused of having a man crush on the Human Hacker. Okay. Notice that's "accused," isn't it? Yes. This talk is not sponsored by his organization, and if it was, he may be unemployed after giving it. So let's give him our attention. The theme is Beyond Phishing: Building and Sustaining a Corporate SE Program.

Thank you, DEF CON SE Village. Thanks, Chris and Michelle, for this opportunity. I'm a cybersecurity manager at some financial services company. If you Google me, it'd be pretty easy to find. I've managed an ethical hacking team and a vulnerability management team, and I have a social engineering team, and they're here today. If you have any questions about this talk, email me, or you can follow me on Twitter. But I have an announcement to make. I'm a recovering social... I've been addicted to social engineering for a long time, and I'm in a recovery program for it. But I wasn't always addicted. In fact, I really didn't believe in social engineering about four or five years ago. I used to go to DEF CON when it was at the Rio, see the Social Engineering Village, come in, take a seat, take a look at people in this smelly box. I'd stay there for a couple of minutes and I'd leave, because I really didn't believe in it, and I managed an ethical hacking team at the time. And then things changed. You see, one day I came to work and my boss said, we want you to phish people. And I'm like, why would I want to do that? You want me to do what? Phish people? That's no fun. You know, I was into web applications, thick clients, and things of that nature. I did not want to phish people, and no one on my team wanted to do that either. So, how hard could it be?
You put the phish together, send an email out, and I did that, and it was a disaster. We interrupted operations: the help desk was flooded with calls, the mail team was flooded with calls, and the incident response team was flooded with calls. So I started thinking. I got a chance to redeem myself, and I had to find a way to answer this question of phishing an organization. So I did what we all do when we have problems: we go to Google. And when I searched Google, I ran into the social-engineer.org website. Why? That's the same website of the team that manages the SE Village. So I went there and I listened to all the podcasts that were there. And I listened to Chris go through puberty in the podcast, from number one to podcast 60. I'm just saying, Chris, your voice did get deeper as you moved on. And then I listened to podcast 44, because that's when the country Asian first started. I listened to that podcast about three or four times. Yeah, I'm a little creepy. Three or four. And I read all the SE books, and then I created a methodology. One of the things in this methodology that I created was to communicate, to tell the people, okay? And I did that, and I had some success. Now, people still failed, but I did not interrupt the organization's operations that time. You see, when you run ethical hacking or you run vulnerability assessments, you only need to let the system owner know that you're going to perform an assessment. And they usually complain, because they know they're going to end up with findings. But when you test the people and you let them know that it's coming, they're like, oh, okay. And I did that. But see, it comes with a cost. You see that chart at the bottom down there with the line going down? That's not the click rate. That's your popularity. You see, you will not be popular if you're phishing the entire organization continuously. So I started thinking, is this really a career?
Do people really get paid for this, besides Chris and Michelle? What about the other three deadly social engineering sins, such as USB, smishing, and vishing? Well, I did a Google search, and it seems that social engineering is in good company. It was listed as one of the top six well-paying jobs of 2014, right between bomb disposal diver and power line helicopter pilot. And it was still right behind the elusive ethical hacker. But where are the jobs really today? You see, I did a search on the Google. Did a little Google dorking. And you see, indeed.com has 8,442 jobs. That's enough for us all, right? Well, Indeed... SimplyHired had 150, and ZipRecruiter had one. You see, those aren't real jobs. Those are fake jobs. Kind of like fake news. In fact, what they do is they take any hit against "social" and list it as a job. So it can be a social worker. It can be someone doing something with social media. And it's listed as a social engineering job. But let's take a closer look at that ZipRecruiter job. So, this job has benefits, which, you know, we all need. But if you look at the technical skills that you need, you need about five-plus years of social engineering planning, five-plus years of phishing and vishing exercise experience, five-plus years operating a simulated phishing platform, and five-plus years of training and awareness. Now, who in here would really qualify for that job? No, you wouldn't. It's been four years. One. And you know what? That job is filled. That probably is who applied for it. The job is filled as of July 19th. And don't ask how I know. As was brought out earlier, we all know that the need for social engineering continues. Recently, in the IBM Cyber Security Threat Intelligence Index, 95 percent of all data breaches involved some form of social engineering. In fact, it continues to impact us as people. The U.S. elections. Good old John Podesta getting a phishing email through the DNC.
And recently they started to state that the French elections were impacted by social engineering as well. USBs haven't been out of the news. Just last year, there was a study by the University of Illinois that stated about 95 percent of all students would plug in USB drives. And IBM recently shipped USB drives to its customers with malware. And when it comes to vishing, we don't need to go any further than our own family. Yes, your grandparents. Go and ask your grandparents if they've received a vishing call, whether from the IRS or the scam that was going around asking, you know, "Can you hear me now?" And they say yes, and they get signed up for some type of service. They get something in the mail. So the need is still there. The need for training is still there, whether it's for corporate America or whether it's for us. But let's take a look at the millennials. This is the largest group, as of 2015, that's employed in your corporation. They make up over half of all new hires. This group is the most technologically advanced group ever. They literally grew up with the Internet, and they literally grew up with phones in their hands. This group prefers texting over phone calls. In fact, over 68% admit to texting a lot. Email for them is secondary. But even with this, overall email use continues to rise. So that goes to show you that phishing and smishing will be a vector for this generation that's coming in. I had a chance to do my own survey against millennials, and I had some pretty interesting results. 55% claim to know about social engineering. So that's pretty good. You can tell by the audience, by the size of the audience here. But 96% claim to have been phished or received an unsolicited phone call or text message within the last six months. 82% never heard of smishing. 90% never heard of vishing. And only 79% would say that they would not plug in a found USB drive or a mobile device.
But this arrogant group, 50% of them claim they know how to handle all of the above, even though they never heard of two of them. Doing research on some of the data that I have access to, I see a bunch of them still fail phishing attempts. In fact, they fail more than us so-called old folks. Some more research shows that they have poor hygiene as far as security. There was a recent study that showed that of the total population that reused their passwords, 92% were millennials. In fact, another study showed that even though they're more comfortable using technology than their elders, that security doesn't flow down into the organization. So this is your organization, right? So how do you move beyond phishing to the next three deadly sins: smishing, USB access or malicious media, and vishing? In my experience, I've had to deal with what I call the big three: HR, Legal, and politics. So let's start with HR. We know their job. Their role is to help protect the people. They do payroll sometimes. They do benefits, and they hire people, and they probably regret hiring me. But you want to make sure you're friends with this group. You want to make sure you build a strong relationship with them, especially if you look to move past phishing. You don't want to do anything hypothetical like sending a payroll phishing e-mail at the end of the month, which impacted payroll, and your paycheck was messed up a little bit. And you also want to make sure you're friends with Legal. They do the right thing. They do all their lawyer stuff. I don't know much about law. But you want to make sure you understand what the operational impact of sending a phishing e-mail, or moving beyond that, is. For instance, on a Friday night, you don't want to send any legal-related document, because they are obligated to stay there.
And some poor clerk may be there responding to a phishing e-mail unknowingly. And not that any of this has happened. Now, let's move on to the last of the big three: your company's politics and egos. You see, I have listed Dr. Paul Ekman's seven emotions: anger, disgust, fear, joy, sadness, surprise, and contempt. Now, think about the size of your organization. Think about how all of this is constantly going on, that all these emotions are changing, all these triggers are happening at any moment of the day. And when you start to want to move past phishing and they get wind of it, you know, it may be a problem. I can tell you that I've dealt with anger, disgust, and contempt the most out of all of these seven. And as you look to move forward with this, you may deal with these as well. So how do you tame that? How do you deal with the big three? First off, you've got to do your homework. You've got to do the boring stuff. You've got to go look at your organizational policies and standards, because that's the only way that you'll be able to make sure that your programs line up with what the organization says. How are you supposed to handle a suspicious phone call? How are you supposed to handle an unsolicited text message on your phone? Also, you want to add more meat by looking at the threat, by using real-time threat intelligence. You want to look at any threats that happen against your organization and any threats that happen against your industry or your stack. And also, you want to read any breach reports you can, because that will help give you food as you move forward to introducing these new programs or new steps in your program. And most importantly, you want to create a methodology. You see, how are you going to handle USB drives across multiple organizations, multiple areas? How are you going to prepare them? And how are you going to destroy them? Because there's no way that you send them...
Even if a USB drive was brought back, there's no way you should send that back out in the field. The other thing was smishing. As we look into BYOD devices, you run into legal issues about leaving artifacts on there if you decide to drop a payload, and also the information that you pull back from those devices. And then, vishing: pretexting. This is new language for them. They're not going to understand what a pretext is, so you're going to have to explain it. And also, you're going to have to explain what the target should be and what the success rate is. If someone receives a vishing phone call, what are they supposed to do? You want to review your local privacy laws, just like they've done here in Nevada. And you also want to explain to the big three how often you're going to do this. And you also want to sustain your program. You're going to want to do data analysis. You want to get all the data that you can from your phishing and smishing results. You want information like their age and their gender and their language and department or job roles. Getting this information will help you understand what the attack surface looks like in your organization when it comes to people. You'll be able to work with training and awareness and have them target their training toward certain things. And all the data that you receive from smishing and from phishing includes system and device patch information. You can use that to share with the vulnerability management team to help understand gaps in your environment for patching. And another thing you want to do: get real incidents. Work with the IR team. Find out the people who get real phishing emails, and check to see what the test results are for them in those phishing applications. You can also get training and awareness to use that to help get specialized training. And again, continue that line of communication with the big three and keep that moving on.
And overall, you want that to help improve your overall program. And also you want to get creative. You know, the organization gets tired of, or gets used to, seeing just your normal fluorescent USB drives with something written across them. You know, you've got comic books or comic characters, things of that nature. And in your organization, people may be starving for hardware. Use mice. And I'm not saying you have to program the USB drives, but just use generic USB drives next to a mouse. You will be surprised what people plug in. Even if your organizational policy states that they're not supposed to plug in USB drives, they still plug in a bunch of other things. And if you don't believe me, get access to your SIEM logs. Also try to boil the ocean. Get access to open source tools. Use the Social-Engineer Toolkit. Use King Phisher. And just recently, we started looking at the Smartphone Pentest Framework from Georgia Weidman. Other factors that may impact you as you want to move beyond phishing? The size of your organization. This may not work if it's about 100 people inside your organization. And you also want to make sure you get your executive and leadership buy-in. My organization is fortunate to have that, to have our leaders believe in all four aspects of social engineering. And your budget. Again, when it comes to USB drives, not everybody can afford to get 200 Rubber Duckies, so you have to get creative. You may have to write batch files or scripts on those drives. And last but not least, your company culture. That plays a big part, because again, as you go against the third leg of the big three, that can be quite challenging to get past. You can't get through any of them. Don't try to boil the ocean, as the last speaker said. Choose just one. Maybe it's just smishing, or maybe it's just vishing, depending on if your organization has a large customer service base or a large mobile workforce.
So the goal is to reduce the impact from all social engineering attacks. Most organizations are doing phishing today. We want to push past phishing. And one of the ways to do that is to create a methodology. We have to communicate with other parts of the organization as we move past phishing. And we also want to do continuous testing. Frequency depends upon your culture. And also you want to take all your findings and make sure that you can get them tied into social engineering awareness training programs. So in conclusion, if you're phishing and you're trying to move past that and get to the other three, other four, don't give up. It's taken me about four years to get to this point. And also, there's a real need for more social engineering jobs, not just fake ones out there on the web. So hopefully in the future, one day when you do a job search for "social engineer," you'll find about 200-plus jobs. Thanks. Any questions?

I think that SaaS services play a part, especially when you do large-scale phishing. But there are a lot of things that you can do. Each tool has its particular place, but I still prefer to use open source tools for certain techniques and attacks. There's one in the back. Yes, I do. You're saying that it is a threat, right? I mean, phishing, you know, everyone is phishing right now, right? That still continues to be a threat. In fact, I think the IRS has a training program now that you can take for phishing. You know, we still have phishing attacks and smishing attacks that happen, not only against us personally, but against us in corporations. But yeah, phishing will still be number one for a while. Such as Slack? Think about that one. So the question is, what about other channels such as Slack? That is a good attack vector, and I'll have to do some more research on that, but that's good. Using Slack and other methods of communication. Any more questions? I'm sorry. Hey, Helen.
That's a good question. Which of the four have the least amount of coverage? I would say most people know about phishing, and they know about vishing. They know of it or they've experienced it. And you hear more people start talking about USB attacks, and the last would be smishing. They don't know what a smish is, basically spear-phishing against a phone, and they don't know how to respond to that. No, thank you. So how do we handle the limitations of the team size and getting used to the voice? I'm in a large organization, so I do a lot of training and awareness, so I don't do any of the calls. But our teams, they're pretty good. So the question is, have we ever brought in a third party, or had a third-party assessment, where people fail, or are victimized, and their feelings? Yes. So that's one of the downsides of doing this: you hear a lot of complaints, and we have mailboxes or social networking groups set up for people to express themselves. And in fact, on one of the slides I was going to mention that I think we've received maybe less than five to ten people who've actually sent emails saying thank you. Most of them are, you know, why are you doing this, I don't have time for it in my day, this is my job, I don't care, things of that nature. So one of the things that we do is I try to give real attacks. I try to get incidents that come across from incident response and say, here, so you don't care about clicking an email? This is a real attack that came up against this person, and the impact would have been X. And that's one thing that I find helps out a lot: real attacks. Using canned examples from a SaaS tool doesn't work, but when you show real examples of a CEO who was attacked, or just a phishing attack against someone within the organization, that turns the lights on. So I believe that people should have the ability to express themselves, but at the same time they need to understand why we're doing this.
So again, communicating. I like real-world information. I like using real-world attacks to show them the need. I think it's a little bit of both. So when you read some of the reviews that we received back, some point to training, you know, I haven't had enough training, or we haven't had XMOM training, or it may be, I was in the middle of something and I clicked the link because X, you know, and this was unfair because my day's busy. So it's a little bit of both. Good one. So, return on investment. We use open source tools that keep down the cost, right, trying to disperse a boatload of USB drives on a frequent basis. I can't say how many you use. You use cheap drives, you know, like I couldn't afford to use Rubber Duckies all the time, right, because of cost. But the return on investment on the overall program itself: so for me, I really don't have to worry about the click rate going down. I'm not judged by that. That's another department, which is great. But on the other hand, you want to define what your success factor is. And that success factor is really defined by what a user does when they receive a suspicious email or call. Did they follow the right thing? Did they do the right thing, which is either they reported it or they didn't report it? So when you look at real-world attacks, I can use this. So the attack against the DNC, I believe, had a spear-phishing email that was targeted toward cybersecurity, actually, right. When you look at attacks like that, you look at the operational impact. So generally, in most organizations, finance, HR, payroll, those are pretty much your high-value organizations, and of course you have your executive levels and things of that nature. So when we target those groups, we want to communicate with someone that's in there, in that area. You want to have someone in there that champions you and understands what's going on. So when you do send that off, you want to communicate, basically.
So there's not mass panic when one of those types of scenarios goes off. So how do you address someone that doesn't care? That's a good question, because that came up last week in a conversation that I had. How do you know that someone doesn't care? How do you know, if someone fails 12 times a year and they just consistently fail, that that's egregious? So one of the thoughts that I had was, if you want people to do the right thing, no matter if they fail or not, you want them to report. Is this person doing the right thing, or are they just failing on purpose? And I think that's probably the only thing that I can really think of. Are they following the proper process for a fail within the organization? So if they're in power and they continue to fail, the cameras still aren't right. There is another group that's responsible for training executives at my organization. I told you I might be unemployed after this. There were three tools I had listed. One was SET, the Social-Engineer Toolkit. The other was King Phisher. And the last one was the Smartphone Pentest Framework by Georgia Weidman. I've got two minutes. What do we do to stop vishing calls, because the Do Not Call list does not work? That's a good one. FTC. Let it go to voicemail. One of the problems is that a lot of times these guys are using VoIP. You block that number, and it's going to pop up like whack-a-mole. So I think the most important thing is to try to document where those numbers are coming from. Communicate to people on what actions to take. At this point, with all of the options out there to spoof phone numbers, it's really hard to say that I'm going to block numbers from this certain range. But FTC, that's the start. That's it. Thank you. One more question. We're going to try to sum this up. Users who have elevated access who don't care, right? Well, actually, users who have elevated access in our organization, we do treat them a little differently. I shouldn't be saying that.
But when you have someone that has elevated privilege, they should be treated differently as far as training and awareness, and also they should be held to a higher standard. If you have admin access and you fail continuously, you're putting the organization at risk a little bit more than someone that's in customer service on a box with less access. Again, that's my opinion, not the organization's. I'm getting pushed out of here. Thanks a lot. I really appreciate it.
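Editor's added example, not part of the talk or the speaker's program: the data-analysis step the speaker describes (results broken down by department and channel, "did they report it" as the success factor rather than click rate, repeat failers who never report, patch information from the landing page handed to vulnerability management, and cross-referencing real incidents from the IR team with simulation history), written as a small Python module over constructed sample records. The `Result` schema, the sample campaign names, user agents and the minimum browser versions are all assumptions made for the example; a real simulation platform would export its own fields.

```python
"""Aggregate simulated-phishing / smishing results the way the talk suggests.

Added example: every record below is constructed sample data, not results
from any real campaign or organization.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One user's outcome in one simulated campaign (assumed schema)."""
    user: str
    department: str
    channel: str      # "phishing" (email) or "smishing" (SMS)
    campaign: str
    clicked: bool     # followed the link / opened the attachment
    reported: bool    # used the reporting process (report button, help desk)
    user_agent: str   # browser UA captured by the landing page, "" if never landed


# Constructed sample data for the example only.
SAMPLE = [
    Result("alice", "Finance", "phishing", "inv-01", True, False, "Mozilla/5.0 (Windows NT 6.1) Chrome/58.0.3029.110"),
    Result("alice", "Finance", "phishing", "inv-02", True, False, "Mozilla/5.0 (Windows NT 6.1) Chrome/58.0.3029.110"),
    Result("alice", "Finance", "smishing", "sms-01", True, False, "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3) Safari/603.1"),
    Result("bob", "Finance", "phishing", "inv-01", False, True, ""),
    Result("bob", "Finance", "phishing", "inv-02", False, True, ""),
    Result("carol", "HR", "phishing", "inv-01", True, True, "Mozilla/5.0 (Windows NT 10.0) Chrome/60.0.3112.78"),
    Result("carol", "HR", "smishing", "sms-01", False, False, ""),
    Result("dave", "HR", "phishing", "inv-02", False, False, ""),
    Result("erin", "Support", "smishing", "sms-01", True, False, "Mozilla/5.0 (Linux; Android 5.1) Chrome/55.0.2883.91"),
    Result("erin", "Support", "phishing", "inv-02", True, True, "Mozilla/5.0 (Windows NT 10.0) Firefox/54.0"),
]


def rates_by_department(results, channel=None):
    """Click rate and report rate per department, optionally for one channel.

    Report rate (share of deliveries that were reported) is the "did they do
    the right thing" number; click rate is kept only for comparison.
    """
    buckets = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for r in results:
        if channel and r.channel != channel:
            continue
        b = buckets[r.department]
        b["delivered"] += 1
        b["clicked"] += int(r.clicked)
        b["reported"] += int(r.reported)
    return {
        dept: {
            "delivered": b["delivered"],
            "click_rate": round(b["clicked"] / b["delivered"], 3),
            "report_rate": round(b["reported"] / b["delivered"], 3),
        }
        for dept, b in sorted(buckets.items())
    }


def repeat_failers(results, min_clicks=2):
    """Users who clicked at least min_clicks times and never reported anything.

    A user who clicks but still reports is following the process; this list is
    the population to hand to targeted training, not a disciplinary list.
    """
    clicks, reports = defaultdict(int), defaultdict(int)
    for r in results:
        clicks[r.user] += int(r.clicked)
        reports[r.user] += int(r.reported)
    return sorted(u for u, n in clicks.items() if n >= min_clicks and reports[u] == 0)


_UA_PRODUCT = re.compile(r"\b(Chrome|Firefox)/(\d+)")


def outdated_clients(results, minimum_major):
    """Browser major versions seen on the landing page that fall below the
    minimum the vulnerability management team treats as patched (assumed
    thresholds). Returns {user: [(product, major), ...]}."""
    flagged = defaultdict(set)
    for r in results:
        m = _UA_PRODUCT.search(r.user_agent)
        if m and int(m.group(2)) < minimum_major.get(m.group(1), 0):
            flagged[r.user].add((m.group(1), int(m.group(2))))
    return {u: sorted(v) for u, v in sorted(flagged.items())}


def simulation_history_for_incidents(results, incident_users):
    """For users the IR team saw receiving a real phish, pull their simulation
    history so the follow-up can cite both the real attack and the test record."""
    hist = defaultdict(list)
    for r in results:
        if r.user in incident_users:
            hist[r.user].append((r.campaign, r.clicked, r.reported))
    return {u: hist.get(u, []) for u in sorted(incident_users)}


if __name__ == "__main__":
    print(rates_by_department(SAMPLE))
    print(rates_by_department(SAMPLE, channel="smishing"))
    print(repeat_failers(SAMPLE))
    print(outdated_clients(SAMPLE, {"Chrome": 60, "Firefox": 54}))
    print(simulation_history_for_incidents(SAMPLE, {"alice", "dave"}))
```

On the sample data, Finance has the highest click rate but also a real report rate (bob reports every time), which is the distinction the talk draws; alice is the only repeat failer who has never reported, and the landing-page user agents give vulnerability management two out-of-date Chrome installs without anyone having to scan a workstation.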