
Social Engineering: Training The Human Firewall

BSides Knoxville · 2023 · 40:44 · 171 views · Published 2023-05 · Watch on YouTube ↗
About this talk
A psychological study of why users click phishing emails despite security awareness training. This talk examines three progressively sophisticated phishing campaigns targeting different attack vectors and explores the behavioral drivers behind user decisions—from curiosity to habit to urgency. Presents research-backed strategies for building realistic phishing programs, setting achievable metrics, and evolving security education to match the threat landscape.
Phishing is one of the leading cyber-attacks across the world, which results in numerous social engineering training exercises to train average users to defend against these attacks. This discussion focuses on research that exposed a pool of users to three different phishing campaigns. Each campaign's phish should be progressively harder to spot than the phish presented before it. This research shows the psychological reasoning as to why a user will interact with a phish, regardless of educational awareness. Attendees will learn why having a 0% click rate and a 100% report rate is unrealistic, and how to use security education metrics to understand the risk of improving a phishing pool in an organization. Attendees should leave with an overarching takeaway of how to improve or start security education for their business.
Transcript [en]

I'd like to introduce Brianna Schultz. She's going to be presenting Social Engineering: Training the Human Firewall. Please welcome Mercy. [Applause]

Well, good morning. Some of you guys have had your coffee, so thank you. Before we begin, I personally want to thank each and every one of you in this room, not only for coming to my speaking session today but for coming to BSides Knoxville 2023. We're going to be discussing social engineering: training the human firewall. As a quick introduction, my name is Rina Schultz. I am from Kansas City, Missouri. In fact, I started my cyber security journey attending the University of Central Missouri. I graduated in 2018 with my Bachelor of Science in cyber security and secure software development, and then later again in 2020 with my Master of Science in information assurance. I have a very technical background in endpoint security engineering and network security engineering, and as of today I work as a team leader out of a security operations center at Garmin. I'm very involved with my community; I work very closely with the Girl Scouts of America as a STEM mentor. Besides my love and passion for this field, I really enjoy 1980s science fiction books. If you do want to connect with me on LinkedIn, I highly encourage you to scan the QR code located at the top of the slide.

So before I deep dive into this presentation, I want you all to have a few takeaways. One of the things I am going to request of each and every one of you is to keep an open mind. One of the most amazing things about working in cyber security is the diverse background our community has. Some of you in this audience might be students, maybe sales vendors, maybe you have five to ten years of experience. I want you all to really learn about a concept called user architecture. User architecture is built on two concepts: how our users think towards security threats and risk, and how our users act towards security threats and risk. Because we're going to understand user architecture, we're going to be learning how to identify risk in our business through our security education program. I want you all to learn how to start your own security education program if you do not have one, and if you do have one, awesome, I want to hear what you're doing in your business. I'm also going to provide some insights on how you can mature your phishing program, how to set ideal, realistic goals, and also what you can do to improve your phishing pool by incorporating mature phish.

So, some historical knowledge about the topics I want to present to you. In fact, when I was attending UCM and getting my master's, I conducted my own research. This was psychological research as to why our users are clicking on phishing emails regardless of whether security education is already present. For me to understand this, I took a participant group of 100-plus users. These users had backgrounds in computer science, software engineering, and cyber security. These participants were not novices with computers; in fact, they were not novices at understanding what a phishing email was. This is really important, because unlike our business, where we have a wide range of users, I had a controlled environment with regard to the backgrounds of my participants. For me to understand why they are clicking on emails, I phished them with three different phishing campaigns. Each campaign consisted of two phish that progressively got more mature. In fact, these three campaigns each focused on a specific threat: I focused on phishing in a barrel, spear phishing, and spoofing. To measure the difficulty of these phish, I created my own algorithm. This algorithm highlighted that the more phishing characteristics a phish had, the higher the likelihood a user should be able to spot it as a phish, because not only am I wanting to see why they are clicking, but can my users learn and adapt and grow through this different type of threat landscape?

So, like I said, user architecture. This was a really important concept for my research to understand why my users are clicking, and in fact, if we take this back to our business, this can assist us in identifying risks and gaps in our education program. User architecture is built on two concepts, the first one being how our users think. How do our users think towards security threats? Where do they get their mindset from? Well, from the influence of us as security professionals: how we project and how we train, and hopefully that leaves a positive impact on our users. I like to use two examples to highlight this, the first one being: leadership wants a small click percentage because it shows our awareness is improving. When you first conducted your phishing program in your environment, I guarantee it probably wasn't uncommon for you to see a 50 to 75 percent click rate, because this was new; this was a new type of training for your users. As you continue to incorporate phishing in that form of security education, those metrics start declining, and now we went from 50 to 75 percent to maybe two to three percent. Leadership goes, yeah, this is working, our users aren't clicking.

Now if we take this mindset and go back to our user: this user works for a company. This company sends phishing emails the second week of the month. In fact, this company might also have incentives for when you report a phishing email: if you've reported four times in a row, they're going to give you a swag item or maybe recognition in a team meeting. I had one person in the audience one time tell me that they give out gift cards if you report phishing six times in a row. I would love to work for a company that gave me gift cards for reporting phishing emails. But in this situation, this user shows up to work, they open up their email, and they notice something that's not normal in their inbox. The user goes over to their co-worker: hey, did you by chance see this email? Are you on this? The co-worker goes, yep, in fact I reported it to security; it's our phishing awareness for the month. The user goes, ah, cool, it is the second week in the month, and in fact I'm one phish report away from getting my cool swag item. So the user reports it to security and gets that confirmation saying, hey, thanks for participating in our phishing assessment. This user, who was a great user and is an ideal team player, what are they going to do? They're going to set the rest of their team up for success. They're going to screenshot this email and post it in Slack, Teams, Discord, whatever the communication platform is for their environment, and now everyone else knows what the phishing email is for the month. But you know what, leadership sees that two to three percent click rate, because obviously our users are not clicking phishing emails. So what was the mindset that we trained our users in? Not how to read emails, not how to hover and go through, hey, is this suspicious, is this a shortened URL when I hover over this link, is there bad spelling? No. We trained our users to adapt to our environment: to think about what is happening in the business, the second week of the month, those incentives, what I can do to share this with the rest of my team.

Then I have a second mindset: annual education refreshers are important and must be mandated. Absolutely. If you have cyber insurance, or even if you do compliance and auditing, annual refreshers are important, because we can't force our users to interact with our phishing emails and our phishing assessments, but we can for sure check a box on our compliance checklist that they watched a video. Now, I don't know about you, but I personally do not love my annual HR training videos. I know they're important, but especially this time of the year, we are almost six months into our calendar year, which means the holidays are around the corner. A lot of companies are already doing their sprints; they're finishing up their projects, their deadlines, and then of course the last-minute "oh, we need to add this on for this calendar year, we need to get this project going." So if I'm this user who is juggling 15 different things and I show up to work, open my email, and see, hey, you have required training due by the end of the week, I'm not going to be a happy camper. So what do our users typically do? They're not going to sit there and watch a video as to why plugging a USB into a computer is bad. No, they're going to pull this video up and run it in the background. In fact, we always have that one person we work with that goes to the vending machine and gets all their snacks, and then they come back and the video's done, and they take their two to three questions and pass. So again, our security mindset is: yes, we're checking a box off for compliance, for our insurance. Our users' mindset is: yes, I'm checking a box just to get this over with. So again, what are we training our users? We're not training them how to think like security professionals, not showing and displaying the importance of security threats and providing that passion back to our business. Our users are learning how to adapt to security mechanics.

Then the second part of user architecture is understanding how our users act, and this is important because user architecture is something we cannot control. This is why it's a risk in our business. For us to understand how our users act, we have to know our users in our business, and I'm not talking about a personal level. I do not care about people's favorite colors or what they had for lunch, unless it's a really good recommended restaurant. But know thy audience, meaning what type of users make up your business. I like to use two types of audiences. We have Dave in finance; I feel like we always work with the Dave in finance. Dave in finance works from Monday to Friday. He is an ideal team player, really supports the mission and vision and culture of the business. If we think about Dave in finance, what does his email traffic look like? He probably works very closely with payroll, benefits, and 401(k) services. If he works with those accounts, where does the money go for these packages? Maybe customer accounts. Then we have the opposite spectrum: we have Steve in sales. Steve is also a great employee, but what could we think Steve's email traffic looks like? Steve probably works very closely with customers, business relations, maybe communication and marketing, because he is building that reputation for his company and selling products and making revenue. Hypothetically, Dave and Steve worked for the same company. This company got targeted with a phishing attack. This phishing attack is very sophisticated; it's a new type of threat, and so a lot of email and network security appliances might not have seen enough of these threats in the wild to update their scanners, to update their signatures, to stop it. This email made it to the end user, where both Dave and Steve got it. In fact, the contents of this phishing email state: hey, there was an error in our system, you have been unenrolled from benefits; if this is a mistake and you are a benefit provider, please click the link below within the next 24 hours so you can be re-enrolled and have benefits. Dave, who works in finance, who works very closely with benefits and 401(k) services, sees this email and goes, this is not an authorized benefit provider. Dave submits this to security. Now what is the likelihood that Steve is going to have this exact same reaction? That is a gap and that is a risk, because Steve might be one of those users who doesn't really do the research on the benefits and gets the annual reminder once a year that says, hey, you need to re-enroll in benefits, and they just click the link, and then boom, they have health insurance. So Steve is probably going to have a different reaction than Dave based off their job and what they do for the business.

So, security education software can be very expensive. There are a lot of good, reputable brands out there that do provide decent security education, Proofpoint being one; they do pay-by-user. But again, if security education is new to your business, the reality is cyber security does not make a company money. We do not make them revenue; in fact, we cost them money, and it's always hard when you get a budget and have to justify and fight for where that budget should go. Should it go into our EDR? Should it go into more of our network? Maybe we need more resources. What about security education? Now this is also a factor. So a tool that I used for my research is called Gophish. Gophish is a free, open source platform, and sometimes I get questions like, is this great? Open source can be kind of skeptical, and I agree, I am personally skeptical of open source, because you get those developers that make their project and then they'll post it and forget about it, and then you're like, well, that was great while it lasted. The Gophish developers are a little different. They're very involved with their community; they post frequent updates, new features; in fact, if there are even bugs or patches, they post it immediately. Also, what was great about this is that it integrated very well with reputable SMTP services such as Microsoft, Google, Yahoo, and by no means am I a software engineer or an application developer. I stood my phishing environment up in less than two hours with 100-plus users and my three phishing campaigns. This was great. I will not be surprised if this tool is not free in the next two to three years, honestly, but again, I'm not trying to sell you guys a product. I'm providing you a resource, because if you do not have security education in your business, this is a risk. You are saying, hey, I'm approving the risk that my email security, that my network security, that my EDR is going to stop threats. Threats evolve so fast, and it's almost near impossible for us to continuously have our security appliances updated. If you do believe this, awesome; this is why it's important for you to keep an open mind in this presentation; this is why we grow as a community.

So, my research environment. I hosted a Linux virtual machine on my own desktop, and this is where I hosted that Gophish service. In fact, I hand-developed all of my phishing campaign emails through HTML, CSS, and some fancy Bootstrap here and there. I will show the emails that I used for my campaign; you are more than welcome to steal the ideas of some of these. I know when I've done this historically, I've had a lot of positive feedback from people in their business falling for emails, so it's kind of a good cat-and-mouse game. I did not want to send 100-plus emails six different times from my personal email account, so what I did is I created a few other email accounts through Microsoft, Gmail, Yahoo, and I even had a couple of AOL ones. I used a webhook from the SMTP service back to my Gophish environment as a form of authentication. When I sent those emails out, in fact, I sent them dynamically, meaning no user received the same email at the same time, because I didn't know if they lived together; I didn't know if my participants worked together or had class together. It brought another level of sophistication to my campaign. So when those emails got sent out through those email accounts to my users, my users had two options: to click an email or to not click an email. If they did click an email, they went to a SurveyMonkey website. Why did I use SurveyMonkey? Because it's free, but also it provided me a way to track click metrics; SurveyMonkey does this for you. When a user clicked on it, it prompted them with: hey, you fell for a phishing campaign; here are some steps for you to recognize phishing in the future, and here's a survey. You had the option to take the survey or not as to why you clicked on this. So like I said, I'm trying to find out why my users are clicking on phishing emails regardless of whether security education is present, and also, can my users grow their mindset and how they interact with phishing threats?

Three phishing campaigns. The first campaign I focused on phishing in a barrel, and if you do not know anything about phishing in a barrel, it comes from a very Western term where a fisherman would go out fishing, and every fish he caught he threw in a wooden barrel. At the end of the day he would stick his hand in the barrel, pull out a fish, and that's what he was having for dinner. Today's phishing is a little different, so it's a similar concept, but we put this in a threat actor mindset. These emails sometimes might look like marketing ads or just junk. There's not really a specific audience or type that they're really aiming for, so they're looking for that one click, that one interaction, because that's all they need.

I talked about my algorithm. This campaign had a high-scoring algorithm, meaning there are a large number of phishing characteristics in these emails; thus the user should have a high likelihood to spot this as a phish. In fact, if we look at my very first phish I have here, it says: hello, please see the given information, so please review now, sincerely, your professor. It's a pretty bad email, right? There are a lot of grammatical errors; there's a period and a comma and a bunch of space and just bad spelling. There are a lot of red flags here. There were clicks on this email. Why? Especially when we remember my participant background being software engineering, computer science, cyber security: why are you clicking this email? You should know better. The users responded with: I was curious.

I believed my antivirus protects me from all types of security threats (in fact, if you're curious, they were running Norton on their computer), followed by not paying attention. That's when I say, good grief, okay, let's try this again. Phish number two: the contents basically highlight, hey, I know you're a student; students typically don't have a lot of money, blah blah blah, take the survey link and you'll get a gift card for your time. Unlike the first phish, there were significantly fewer clicks on the second one, but again I had a user saying that they weren't paying attention, and they still had a habit of clicking on emails. Habits are hard to break.

So, all right, through the second campaign, what's going to happen now? Spear phishing. I wanted to target them specifically as students, and in fact, not only did I want to target them as students, I wanted to have a psychological relationship with my participants. We go back to the phishing algorithm: it had a medium score, meaning that there was more of a risk that maybe these users probably aren't going to spot that this is a phish, but there's still a decent number of phishing characteristics to show that, hey, there's something weird here, there's something wrong. Now the first phish I sent, and I'm not going to lie, I was kind of mean about this and I had a lot of fun. The content said: hey, you were using the university network; in fact, you were looking up inappropriate content on the network; you violated a policy; you need to take training; click the link. There were a lot of clicks on this. In fact, that other column was an apology letter. I don't know if you know any college students; I personally do not want to look at their browser history or proxy data. So what was the main reason? There was a sense of urgency that influenced their thinking. But again, there's also a pretty decent, high-level column over there that says they weren't paying attention, they had a habit of clicking on emails, and I also had another user state they were still curious. Oh boy. So I said, okay, cool, I scared them, that was cool, that was fun. Let's do the second phish, but instead of me focusing on scaring them, I wanted to have a sense of trust. I wanted them to trust me, trust that I was a student, and so I said: hey, we have a homework assignment; a lot of us are working on it in the Google Doc link below, if you want to collaborate with us. If you're not familiar with university environments, it's not uncommon that students are hybrid: some of them are remote, some of them are in class, maybe the class itself is hybrid where it's one in-person class and then online, or fully remote, and then you also tie in international students. So having these sharing platforms is not uncommon in a university. Just like my first campaign, the first phish had a high number of clicks, but then that second phish had a significantly low number. But again, I'm still seeing a pattern as to why they're clicking: curious, not paying attention, they just have a habit of clicking emails. So now I'm thinking, well, are my users learning? Are they being trained on these types of threats if I'm exposing them, especially with a different level of difficulty? This is why I had three campaigns, because that third campaign is going to either break that pattern or prove that the pattern is going to exist.

Spoofing was my third phishing campaign, and spoofing can be a very scary, serious threat. If you do not have DMARC or DKIM signing in your business, I highly, highly, highly encourage you to add this to your roadmap for this year, if not 2024, because this will help you against spoofing emails. Now, unlike my first two campaigns, where they had a high level and a medium level, this one had a very low-score algorithm, meaning there were little to no phishing characteristics present in this email, and if you think about spoofing, it's not uncommon that spoofing emails are this sophisticated. So the first email I sent, I spoofed my own university address and I said: hey, I just personally want to thank each and every one of you for participating in this; as a form of gratitude, here's a gift card for your time. There were a lot of clicks, because the number one reason was that it seemed legit, and of course we also have a user not paying attention. But I said, okay, we'll see if this pattern continues. Let's send another spoofing email. This email I actually carved from a legit technology office email; I scraped the contents and kind of modified it to seem, you know, a little more precedence, then: reset your password. To make it even more mature, I went on the university website and looked up their office hours to include in the email signature block. I took it a step further: I went to Google, looked up the logo of the university, and added that to the signature block. It looks like a legit email. The contents say: hey, your credentials were part of a breach; you need to reset your password so that the university can stay secure; please follow the instructions below; if you want to learn more about cyber threats, please see the link below as additional. The number one reason: it seemed legit, and then of course there's a user in the other column that was curious about this as well. So again, unlike my first two campaigns (high number of clicks, then significantly less), this third campaign was the outlier. It broke that pattern.

Now if I had conducted this exact same experiment in my corporate environment and my leadership comes back and goes, what just happened to our metrics, what is going on, do our users not know how to spot phishing emails, are we failing at security? I would say, just stop, just stop for a second, pause. Our users are growing and becoming educated. Why? Because they're being challenged; they're being exposed to different types of threats. User architecture is important here because those second phishing emails of campaigns one and two show how they're thinking and reacting differently. User architecture here has identified a risk in our business. So I'm going to say back to my leadership: not only are they growing, but we have identified a gap, because if we get spoofed, these are actual metrics to show that our users have a high likelihood that they might fall for a spoofing email. Let's continue to add this to our phishing pool. Let's get them exposed. We are training our users.

So what can you do to improve your security education mindset? I said before, as security professionals we're an influence on our users and our user base; they learn from us because we are their source of truth, and for us to improve our mindset, what can we do? Well, the easy one is to evaluate your goals. Why do you have phishing education? Okay, so maybe it's a compliance checkbox. Okay, nice. This is real data that you can use to improve the security in your business. If you are averaging that two to three percent click rate, this is proof that your users are plateauing. They understand where they're at; they're not feeling challenged; they're not growing. So what you can do is look at your phishing pool. Maybe you have a high number of scoring phish that have a lot of phishing characteristics in them that make it easy for users to spot. Maybe you have a lot of the same, similar emails in your phishing pool. I feel like everyone has a UPS or Amazon notification email in their phishing pool. How many of those are you sending a year? Hopefully not 12 months of the year. So throw in a different phish that's not really seen in your pool, maybe something a little more sophisticated; you're more than welcome to steal any of my spoofing ones. What happens to your users? Okay, well, maybe your two to three percent click rate went to a 10 to 12. So now you see that there might potentially be an education gap; you know where your users are being challenged. So aim for that middle spot, aim for maybe that five to seven percent, because that's going to be the metric that shows your users are growing and being challenged. You don't want your click rate being too high, because then your users are going to be frustrated; they're not going to want to participate in security, because maybe they keep falling for emails and now they're not getting those incentives. So we have to have a growth medium that's both usable and allows us to have security in our business.

The next thing you can look at is having a different mindset. For us as security professionals, it is engraved in our brain to participate in Patch Tuesday, to forever update our blacklisting, our IOCs, to do scanning in our environment, to update our firewalls and other security appliances. Why do we not have the same mindset with our users, to evolve and grow our users? Because security threats are constantly evolving; that's why we do updates, that's why we do patches. We need to update our user mindset, because they too need to be set up for success when they get phished. So another question I frequently get is: I don't know how to improve my phishing pool. In fact, if you don't have phishing, you know, you get to start fresh, and I always tell people you do not have to be the Bob Ross of creating a phish. As much as we would all strive to be that, it's okay. So, good news for you, there are resources. In fact, the news is a great place to start, and if you're like, I don't know what news to read, start simple: bleepingcomputer.com, thehackernews.com, two great resources to start. Then even go on LinkedIn, go on Twitter; follow influencers or even threat researchers that are seeing stuff that's in the wild. In fact, Microsoft, about eight or nine months ago, posted an advisory about an O365 credential harvesting phish. This phish was scary because of how the email presented itself: it was bypassing all of those security mechanics, and when it made it to the end user, the end user would click the link to log into O365 to access their document. The phish scraped the O365 login of a company; sometimes companies have different fonts or logos on their O365 login, and it scraped it and made it look legit. So it was another layer of maturity to that attack chain. Now apparently a lot of companies had issues with this phish and were personally reaching out to Microsoft or even submitting stuff to threat researchers on social media, and Microsoft said, oh my gosh, we need to post something about this. In fact, not only did they post IOCs about this phish, they posted screenshots of what the email contents of this phish looked like. This is where we as security professionals should be looking at these examples that are having, you know, a huge impact in our community. Why are we not training our users on real threats that are happening in the world? These are things you could put back in your phishing pool; you're preparing your users for battle against these threats.

Now another way you can look at it is, not only do you have the option to see things in the wild, what about internally? I think it's important that people have communication, a great relationship, with not only their tier one help desk but their security operations center. These people are your first eyes and ears, the first responders for your business towards security threats. What is being sent to them? Maybe if we go back to the Dave and Steve scenario, maybe your SOC is seeing a lot of emails from Dave's department regarding benefits. This is a metric: how many people in sales submitted this email? What about your IT department, people that have admin accounts, people that have access to very sensitive information in the business? If they get compromised, that's a whole other level that we need to protect against. But again, take things that your users are submitting and incorporate that into your phishing campaigns. What about the things that are getting blocked, the things that your business is actually being targeted with? If your email security appliance or even your firewall went down and there's no protection for maybe five minutes, you have to have trust in your users to spot the threats that your business is being attacked by.

So again, I personally want to thank each and every one of you for coming to my speaking session, and I really hope that maybe you can take something back to your business, whether it's a refueled passion for security education and wanting to fight that cyber fight that we do every day, or ideas so that you can mature your own phishing pool as well. If you missed any of the QR codes that I presented throughout my presentation, you're more than welcome to scan these at this time. I will be taking any comments or questions that you might have for me. Yes?

Okay, there we go. So you mentioned, effectively, the threat of having someone with an admin account being compromised. Would it be a good idea to have them have, like, a specific account for the sensitive things, such as the benefits and stuff, that isn't connected to their admin credentials? Would that be a feasible and reasonable expectation?

So you're asking, I'm making sure I understand this right, you're asking about separate account credentials for your benefits, right? Yeah, yeah. In fact, a lot of companies don't really use their same network passwords for their benefits page, because, you know, they might go through a third party for benefits and stuff like that, so that helps bring that layer, you know, separation from the business. Thank you. You're welcome.

Thank you for the talk. Yeah, did you see any correlation between people who have clicked on phishing campaigns and the number of emails they've got?

Did you see any correlation in that? So, from me personally, in my industry experience, right, this goes back to knowing your users, and not only security education, which is very important, right? Your email is a digital footprint to the internet, and so people that might receive a lot of emails and stuff like that, that is, to me, a possibility as to why they have a habit of clicking, right? They just have so much. And then also, something to think about in a business is: is there a policy enforcing what you can use your corporate email for, right? Do we have people using their corporate email to sign up for Bed Bath and Beyond coupons or even Chipotle discounts, right? So now you're creating more exposure for your email to possibly getting those threats if those parties get breached. Did that answer your question? Yeah, for the most part. Yes, it's all types of knowing your audience. Yes, again, because obviously, finance, I say obviously, finance may not get as many emails, yeah, or the type of emails, maybe a lot less, versus sales, who get bombarded by, uh, he's trying everything, yeah, technical account managers. I would not want to go through an inbox. Any other questions? Anyone down here, all the way at the side? Okay, oh, I see, hold on, I know this guy.

Okay, this is gonna be a good question, a bit... oh boy.

I'm gonna be honest, um, are you talking about, like, from when they interacted with the email? Yeah. I'm gonna be honest, I did not track that metric, but that would be an awesome metric to see what happens, so that's a good idea. Yeah, any other questions for our speaker? Put your hand up real high so I can see you across the room.

I had one question, actually. Did you have to, for this research, since your subjects were humans, did you have to go through, like, an institutional review board? Can you elaborate on that process?

Yeah, it was kind of, uh, so if you guys don't do university research, especially if you do side studies, you have to go through an institutional review board, and it's ethics, saying what you're going to do and how you're going to conduct your research so it's not going to cause harm to the participants. And yes, I did have to go through an IRB, and it was a little different than your standard IRB, because I didn't want to tell my users they were part of a study, because, you know, that's the whole point of phishing, right? It's for the unexpected, and to see the reaction. So how I talked to my users was like, hey, you guys are going to be part of a social engineering study. I'm gonna go ahead and assume that you're gonna be automatically enrolled in the study; if you do not want to be a participant, let me know and I'll drop you as, you know, someone that wants to participate in this. And actually, my original email, I think, had like 500 students on it, so a good 40 of them said, no, no, no, no, no, I don't want nothing to do with cyber security social engineering this semester, and I was like, I totally get it. So, um, yes, I had to go through an IRB for it. Okay, oh, one more question.

Oh yeah, this has to deal with your research, but with GoPhish, could you see some metrics on if it was limited to junk, if it wasn't delivered?

Um, yes, it was very, uh, the UI for it actually showed it to you. So when I sent my emails, I had a timeline of when the emails were sent, and then if an email failed, that's where it would display the error as to what happened. And in fact, the logs for the application were very usable, so it tells you, like, hey, maybe the user was undelivered because recipient not found, you know, stuff like that.

And then their email protections, I guess it was the university mail, did it block any of this stuff? It absolutely did. Um, my spoofing campaign, I actually got blocked at both. I think I used Gmail; Gmail stopped my campaigns, so I had to create, like, another Gmail account real quick. And in fact, my husband, he's sitting in the back corner, when you create Gmail accounts you have to use phone numbers; my phone number got blacklisted for a couple of weeks, so I had to use his. So, just letting you know. [Laughter] Yeah, any other questions? Hands up... anybody, you know, in the gallery? No? Okay, okay. Uh, with that, I say, uh, let's thank our speaker. That was an excellent talk.

Thank you, thank you, thank you.