This document discusses phishing techniques and metrics for evaluating phishing campaigns. It begins by listing various topics to avoid that could cause offense and introduces the author, Chris Nickerson. The bulk of the document outlines phishing methods an attacker could use, such as shoulder surfing, smoking targets, and browser attacks. It also discusses metrics that matter for a phishing campaign, such as click ratios and the response times of defensive systems and the IR team. The document's thesis is that collecting real metrics allows real decisions: defenses are strengthened and phishing risk is reduced over time through improved training, technology, process, and follow-through.
Slide 48
“If it weren’t for the users we would be secure”
– Some idiot in infosec who should have taken a job as a used car salesperson
“Users are our BIGGEST vulnerability”
– Some Infosec “professional” who doesn’t know what vulnerability means
Slide 52
Mail Configuration
Pure vanilla spoof (forged internal from Internet)
Validate/verify addresses
Recipient and Sender
MX, SPF, RBL, Spam
Block known bad senders/Blacklists
Throttle after X in an hour
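The checks listed on this slide, worked through in code as an added example (this is not code from the deck or from the author): a "pure vanilla spoof" is a message whose header From claims the internal domain while it actually arrived from the Internet, so the gateway should verify that the From domain, the envelope sender (Return-Path) and the SPF/DKIM verdicts agree, and should throttle any sender that exceeds X messages in an hour. The internal domain `example.com`, the limit of 50 per hour, the presence of an RFC 8601 `Authentication-Results` header stamped by the gateway, and both sample messages are assumptions constructed for illustration.

```python
"""Detect a forged-internal From and throttle noisy senders (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"    # assumed internal domain
THROTTLE_LIMIT = 50                # assumed: max messages per sender per hour
THROTTLE_WINDOW = timedelta(hours=1)


def _domain(addr: str | None) -> str:
    """Lower-cased domain of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _auth_result(msg, method: str) -> str:
    """Verdict (pass/fail/none/...) for one method from Authentication-Results."""
    for part in msg.get("Authentication-Results", "").split(";"):
        part = part.strip()
        if part.startswith(method + "="):
            return part.split("=", 1)[1].split()[0].lower()
    return "none"


def spoof_findings(raw: str) -> list[str]:
    """Reasons the message looks like a forged-internal spoof (empty = clean)."""
    msg = message_from_string(raw)
    findings: list[str] = []
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    if from_dom == INTERNAL_DOMAIN:
        # Header From claims to be us: envelope sender must align and authenticate.
        if rp_dom and rp_dom != INTERNAL_DOMAIN:
            findings.append(f"internal From but Return-Path domain is {rp_dom}")
        if _auth_result(msg, "spf") != "pass":
            findings.append("SPF did not pass for an internal From")
        if _auth_result(msg, "dkim") != "pass":
            findings.append("DKIM did not pass for an internal From")
    return findings


class SenderThrottle:
    """Sliding one-hour window per sender; deny once the limit is reached."""

    def __init__(self, limit: int = THROTTLE_LIMIT, window: timedelta = THROTTLE_WINDOW):
        self.limit, self.window = limit, window
        self._seen: dict[str, deque] = defaultdict(deque)

    def allow(self, sender: str, now: datetime) -> bool:
        q = self._seen[sender.lower()]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def throttle_demo(limit: int = 3) -> list[bool]:
    """Drive the throttle through a burst and return the allow/deny decisions."""
    t = SenderThrottle(limit=limit)
    start = datetime(2024, 1, 1, 9, 0, 0)
    decisions = [t.allow("bulk@mailer-outside.test", start) for _ in range(limit + 1)]
    decisions.append(t.allow("bulk@mailer-outside.test", start + timedelta(hours=1)))
    return decisions   # [True, True, True, False, True] for limit=3


# Constructed sample: external relay forging an internal From, SPF failed.
SPOOFED = """Return-Path: <bounce@mailer-outside.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-outside.test; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Password expiry

Click here to keep your account.
"""

# Constructed sample: genuine internal message that authenticated cleanly.
LEGIT = """Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Maintenance window

Nothing to click.
"""

if __name__ == "__main__":
    print(spoof_findings(SPOOFED))
    print(spoof_findings(LEGIT))
    print(throttle_demo())
```

The alignment check only fires when the From domain is the internal one, which is the case the slide calls out; an unrelated external domain is left to the RBL and spam layers on the next slide. The throttle keys on the envelope sender rather than the header From, because the header is exactly what the attacker forges.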
Slide 53
Spam/Proxy Configuration
In line spam detection
Proxy in use
Content inspection
Content filtering
Exceptions
Inspect (Decrypt) SSL
Slide 58
On Device Vulnerability
Does the user have rights
Can you priv esc
Can you get to the “Mothership”
Is there IP I can take?
Can I pivot and “Go for the gold”
Slide 59
Post Phish Value
Did your IR team catch it?
How long did it take to kick in response
How effective was response
Are there skill gaps?
What do you need to do to close the gaps?
Slide 60
What other metrics do you need to be tracking to make informed decisions and ACTUALLY reduce the risk of phishing?
Slide 61
User data (Demographics)
User Role
Position
Paygrade
Education level
Etc.
Automated Defensive measurements
Technology effectiveness
REAL METRICS REAL DECISIONS
Slide 62
Response timing
Time for emails to get delivered
Time until first detection
Time until enterprise notification
Time required to create incident team
Time to identify threat vectors
Time required to identify/quarantine threat
Time to analyze indicators accurately
Mean time to incident eradication
REAL METRICS REAL DECISIONS
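An added example (not from the deck) that turns slides 61 and 62 into numbers: click ratio broken down by user role, the share of targets who reported, and the response checkpoints from slide 62 expressed as minutes after the campaign was sent, with mean time to eradication averaged across campaigns. The per-user records, the role names, the two campaign timelines and every timestamp are constructed for illustration; the only assumption about a real deployment is that the IR team logs each checkpoint with an ISO 8601 timestamp.

```python
"""Phishing campaign and response-timing metrics (added example)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed results: one row per targeted user in one campaign.
RESULTS = [
    {"user": "u1", "role": "Finance",     "clicked": True,  "reported_at": None},
    {"user": "u2", "role": "Finance",     "clicked": True,  "reported_at": None},
    {"user": "u3", "role": "Finance",     "clicked": False, "reported_at": "2024-03-04T09:12:00"},
    {"user": "u4", "role": "Engineering", "clicked": False, "reported_at": "2024-03-04T09:04:00"},
    {"user": "u5", "role": "Engineering", "clicked": True,  "reported_at": "2024-03-04T09:30:00"},
    {"user": "u6", "role": "Engineering", "clicked": False, "reported_at": None},
]

# Constructed defensive timelines, one per campaign, keyed by slide 62 checkpoints.
TIMELINES = [
    {
        "sent": "2024-03-04T09:00:00",
        "delivered": "2024-03-04T09:01:00",
        "enterprise_notified": "2024-03-04T09:40:00",
        "incident_team_formed": "2024-03-04T10:05:00",
        "threat_quarantined": "2024-03-04T10:50:00",
        "eradicated": "2024-03-04T12:00:00",
    },
    {
        "sent": "2024-04-01T14:00:00",
        "delivered": "2024-04-01T14:00:30",
        "enterprise_notified": "2024-04-01T14:20:00",
        "incident_team_formed": "2024-04-01T14:35:00",
        "threat_quarantined": "2024-04-01T15:10:00",
        "eradicated": "2024-04-01T16:00:00",
    },
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def click_ratio_by_role(results) -> dict[str, float]:
    """clicked / targeted per role, so the weak demographic is visible."""
    tally = defaultdict(lambda: [0, 0])          # role -> [clicked, targeted]
    for r in results:
        tally[r["role"]][0] += int(r["clicked"])
        tally[r["role"]][1] += 1
    return {role: c / n for role, (c, n) in tally.items()}


def report_ratio(results) -> float:
    """Share of targets who reported the message, clicked or not."""
    return sum(1 for r in results if r["reported_at"]) / len(results)


def response_timings_minutes(results, timeline) -> dict[str, float]:
    """Each slide 62 checkpoint as minutes after send; first detection is the
    earliest user report (a technology alert would be taken the same way)."""
    sent = _ts(timeline["sent"])
    reports = sorted(_ts(r["reported_at"]) for r in results if r["reported_at"])
    out = {"delivery": _minutes(_ts(timeline["delivered"]), sent)}
    if reports:
        out["first_detection"] = _minutes(reports[0], sent)
    for key in ("enterprise_notified", "incident_team_formed",
                "threat_quarantined", "eradicated"):
        out[key] = _minutes(_ts(timeline[key]), sent)
    return out


def mean_time_to_eradication_minutes(timelines) -> float:
    """Mean of (eradicated - sent) across campaigns."""
    return mean(_minutes(_ts(t["eradicated"]), _ts(t["sent"])) for t in timelines)


if __name__ == "__main__":
    print(click_ratio_by_role(RESULTS))
    print(report_ratio(RESULTS))
    print(response_timings_minutes(RESULTS, TIMELINES[0]))
    print(mean_time_to_eradication_minutes(TIMELINES))
```

Run against successive campaigns, the same functions show whether training moved the click ratio for a given role and whether the IR checkpoints are getting shorter, which is the decision the slide is asking for.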
Slide 63
After we analyze metrics we need to make a REAL plan to stop this from happening the SAME way again
Increased user training
Increased technology and automated defenses
Process improvement opportunities
Blue team Improvement
IR process review
War boarding advanced threat
Always asking, WHAT IF we didn’t get it ALL!
FOLLOW THROUGH