cR0w

@cR0w@infosec.exchange

Just another analyst chasing squirrels and pretending to know things.


jerry, to random

Someone needs to go stunt hack something so the media can move on from this toothbrush story

cR0w,

@jerry There are a lot of residential solar systems running bluetooth and it would be cool to see someone dig into them. 🤔​

jerry, to random

There is a noticeable decline in the number of active users on Infosec.exchange lately. Where are the cool kids hanging out these days?

cR0w,

@jerry With everything going on, probably Glassdoor. 🙁​

hacks4pancakes, to random

IDK y’all but my ten year old Honda batteries seem to be rocking it right now in Chicago. Seems like a them problem.

cR0w,

@hacks4pancakes Teslas are the Ubiquiti of cars.

cR0w, to random

For those that have been sleeping on , there have been some interesting things going on ITW, especially against orgs using certain email protection services that claim to not be vulnerable to it.

https://infosec.exchange/@login/111772494409507069

micahflee, to random

Thinking of buying my book Hacks, Leaks, and Revelations? You can get 25% off if you buy it from the publisher by tomorrow, January 15, with the discount code HLR25 https://nostarch.com/hacks-leaks-and-revelations

cR0w,

@micahflee I've been waiting for mine to arrive and checked on it this weekend. Turns out I accidentally got the ebook so this is convenient timing. 😆​

SecureOwl, to random

“Sometimes in life you gotta just embrace the change and let it take you where it takes you, you know?”

“Listen, we’ve told you this before - the change review board will not approve this without an actual roll-back plan.”

cR0w, to random

Where do people get refurbished laptops for personal use these days?

cR0w,

@0xabad1dea @jerry That's a good point. I wonder how long until that cycles around with all the RTO and in-person school.

jerry, to random

Watching the emergence of topical AI bots on mastodon is both fascinating and a bit alarming. The ones I am seeing are somewhat easy to detect, but it’s not hard to think those rough edges will get smoothed over soon.

cR0w,

@jerry :mind_blown:​

GossiTheDog, to random

⚠️ want a highly impactful, actively exploited border gateway zero days situation to wake you up?

Ivanti Pulse Secure aka Ivanti Connect Secure and Ivanti Policy Secure Gateway customers - prepare to deploy mitigations and await follow on patches.

In the wild exploitation, probable nation state - includes authentication (including MFA) bypass and code execution.

Looks like Ivanti have done a really good job identifying.

I call it ConnectAround. #threatintel #connectaround

cR0w,

@GossiTheDog @wdormann Pretty sure I've seen a recent thread from @reverseics about this whole ../.. thing.

cR0w,

@reverseics @wdormann @GossiTheDog @chort It is funny how many orgs are like "glad we use PAN or F5 instead of Cisco, Fortinet, Juniper, Ivanti, Sonicwall, etc." like their turn isn't coming.

cR0w, to random

I can't believe that this is still a thing, but if your risk model is noticeably impacted by the adversarial capability of writing an email in the English language then I'm pretty sure your threat model is already broken.

https://www.nbcnews.com/tech/security/nsa-hacker-ai-bot-chat-chatgpt-bard-english-google-openai-rcna133086

cR0w,

User discretion is not a security boundary.

cR0w,

To prove the point that users will continue to click links, regardless of how obvious it is that they shouldn't, I worked with the person in charge of the monthly phishing trainings at $dayjob last month. Historically, they have used the hated ruses like fake gift cards, and I wanted to try to get away from that, especially during the holidays. We ended up using something to the effect of the following:


Hello <first name>,

Happy Holidays. This is the monthly phishing test. Yes, really. It's not a trick. Use the <phishing reporting function> to report this as phishing. If you do not know how to use <phishing reporting function>, feel free to ask a colleague. If you still have questions, search for <phishing reporting function> on <internal docs site>.

Do not click the following link as it is there for metrics and will cause you to be assigned phishing awareness training: <phishing training 'malicious' link>

Sincerely,
IT Security Team

I don't know how well it was received by users, but I do know that we still had more clicks than two other months in 2023, despite being explicitly told not to click the link. Users will always click links with their link-clicking machines. Relying on their discretion is either ignorant, or I expect in some cases, malicious in that there will always be a scapegoat to blame for the inevitable breach.

#phishing #infosec

cR0w,

@ashar I disagree. Users are generally more productive than any of us in security. We should be there to protect and enable them, not fight them. Knowing that there will always be clicks is important knowledge and should be built into the various security strategies.

Another thing that is difficult to capture is how many of those clicks were intentional. Once you reach a certain number of users, it is inevitable for people to accidentally click on links. I would argue it's even more likely to happen accidentally with an errant tap on mobile, which leads into the BYOD discussion and why security should be working with IT to securely enable users, not getting in their way.

cR0w,

@shaknais I don't think either of those is bad. What was bad was how confident management was that there would be zero clicks because everyone has had training and "knows better."

cR0w,

@shaknais How many of those clicks were accidental though? Given enough users, it's bound to happen, especially on mobile.

This was a great exercise to be able to say that no matter what, we should expect that at least x% of links that make it to inboxes will be clicked. We need to architect and build for that reality.

cR0w,

@shaknais Yes. Also disgruntled or malicious employees and those who think that if they "download a virus" then they can get the new laptop they've been asking for.

cR0w,

This got more responses than I'm used to, which is brilliant, but I don't think I can respond to them all. And based on some of the responses, I don't think I was entirely clear, so here's a bit of a follow-up:

It's possible there is a baseline of clicks recorded by previews, scanners, and users attempting to be careful in how they approach the link (i.e. curl | less). However, this is an enterprise product that has been in use for a while, including by this org, and if it was assigning users training that didn't click, I would think it would have been addressed. I don't know for sure though since I don't run that software.

Several people mentioned potential reasons for users clicking: They're curious, they don't care about the org, they're trying to get a new laptop, the training makes for an easy workload for part of a day, etc. The thing is, I don't care. At all. My point in this was to prove that links will continue to get clicked, regardless of how well users are trained or informed. Intent and blame are meaningless here. What matters is that systems are built with that expectation in mind from the start. And while basic user training is beneficial, beyond checking a compliance checkbox, it provides no security benefit.

As far as metrics in relation to other months of "training" in 2023 go, the number of views was roughly the same as other months, the number of reported emails was above average, but not as high as some months with attempted ruses, and the number of clicks was higher than two of the other months. Read into that what you will, but my only takeaway from that is that links get clicked.

I also didn't mention that a big part of why I approached the phishing trainer when I did is because of the human element. End of year with the holidays and layoffs all over the place are a stressful time on their own. Creating a false hope for something like a bonus or gift in the name of security or training is an idea that needs to die. Users, otherwise known as the people who actually keep the org running, are already stressed. Don't make things worse.

cR0w,

If your org uses a third-party solution for phishing training, it is likely that all of the testing emails contain a specific header. Mail filtering is generally configured to allow them to bypass rules and make it to all inboxes as intended. It is also often used to prevent rewriting the URLs in links if your org has a system that does so (Proofpoint, Barracuda, etc.).

As an employee, if you don't want to bother with the regular phishing training, look at the message details and see if you can find the header used to bypass protections in your org. Some of the common ones are:
X-Phishtest
X-ThreatSim-Header
X-ThreatSim-ID
X-PhishMeTracking
X-PhishMe

Then in your mail client, set up a rule to take whatever action you wish. You can create an alert, move the message to a specific folder, or even execute a program or script if IT hasn't disabled that function.

I fully support those of you of a chaotic persuasion to take the URLs from your org's phishing messages and fully enumerate the unique identifier section. Just brute force it and see if everyone gets assigned phishing training.

It used to be that as an attacker, you could put all of those headers in and likely bypass filters due to the org setting a basic allow rule for one of them for phishing training. However, more orgs have finally either moved to a third-party mail service that usually does a better job at filtering, or they are getting around to properly configuring SPF, DKIM, and DMARC with strict rules that specify the sending domains that are allowed with the header mentioned above. YMMV, of course.

#phishing #infosec
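As an added example (not code from the thread), here is the header-only allow rule the post above warns about beside a stricter version that also requires a DMARC pass for an allowlisted simulation-vendor domain. The header names come from the post; the domains, header values and Authentication-Results lines are constructed.

```python
import re
from email import message_from_string, policy

# Header names the post lists as commonly used by phishing-simulation vendors.
PHISH_TEST_HEADERS = ("X-Phishtest", "X-ThreatSim-Header", "X-ThreatSim-ID",
                      "X-PhishMeTracking", "X-PhishMe")
# Constructed allowlist: the only domain contracted to send simulations.
ALLOWED_SIM_DOMAINS = {"sim.phishvendor.example"}
# Extracts the header.from domain from a dmarc=pass clause in Authentication-Results.
DMARC_PASS_RE = re.compile(r"dmarc=pass\b[^;]*?header\.from=([\w.-]+)", re.I)

def has_test_header(msg):
    return any(h in msg for h in PHISH_TEST_HEADERS)

def weak_allow(msg):
    """The basic rule the post warns about: the header alone skips filtering."""
    return has_test_header(msg)

def strict_allow(msg):
    """Header plus a DMARC pass for an allowlisted sending domain."""
    if not has_test_header(msg):
        return False
    match = DMARC_PASS_RE.search(msg.get("Authentication-Results", ""))
    return bool(match) and match.group(1).lower() in ALLOWED_SIM_DOMAINS

def evaluate(raw):
    """Return (weak_rule_allows, strict_rule_allows) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    return weak_allow(msg), strict_allow(msg)

# Constructed sample: the genuine monthly test from the contracted vendor.
SIM_MSG = """\
From: IT Security <training@sim.phishvendor.example>
X-PhishMe: campaign-id-placeholder
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=sim.phishvendor.example; dkim=pass header.d=sim.phishvendor.example; dmarc=pass header.from=sim.phishvendor.example

Report me with the phishing button.
"""

# Constructed sample: mail from an unrelated domain that authenticates for itself
# but carries a test header; only the weak rule lets it skip filtering.
UNRELATED_MSG = """\
From: Helpdesk <help@unrelated.example>
X-Phishtest: yes
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=unrelated.example; dkim=pass header.d=unrelated.example; dmarc=pass header.from=unrelated.example

Your password expires today.
"""
```

`evaluate(SIM_MSG)` returns `(True, True)` while `evaluate(UNRELATED_MSG)` returns `(True, False)`, which is the gap between the two rules.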

cR0w,

@juliank I would argue that all metrics related to phishing training are bad metrics. My goal was simply to show that people will click links, regardless of training or even what the email says. Yes, there may be some false positives on clicks, but if the org is already using those metrics to say "users suck and need more training," then why not use their same metrics to say that their training approach is worthless and we need another approach?

cR0w,

@kinetix @hypolite I disagree. People click links. It's up to security to ensure that the impact is mitigated. If users had to fear for their jobs if they happened to click a link that security allowed into their inbox, you would run out of productive employees.

There are entire workflows that require the users to click links sent to them from the general public. If security is so poor that it allows malicious links to the user, how can the user be expected to pick up what the specialists missed?

cR0w,

@kinetix @hypolite Holding people accountable is a job for HR and Legal, not INFOSEC. Expecting users who are already busy providing value for the org to catch everything is equally delusional and why phishing training does not belong anywhere near a risk register.

I don't expect security to stop everything, I expect IT systems to be properly architected and controlled to the point that it would take significantly more than a low-privilege user account clicking a link to cause an incident.

cR0w,

@hypolite @kinetix Exactly. If the multimillion dollar security systems can't tell it's malicious, how is a user supposed to tell, especially in a reasonable amount of time so it does not disrupt their workflow?

cR0w,

@kinetix @hypolite My point was that at scale, you will never see zero clicks, regardless of the amount of training thrown at users. I used the "don't click this link" as the most absurd way I could think of to show that the baseline of email security is "expect clicks" and build the rest around that. I am in security, not HR and not Legal. They can choose who stays and who goes. My job does not change.

cR0w,

Phishing testing should be testing your security systems, controls, and processes, not bypassing them to test and blame the users.

#phishing #infosec
