The Double Barrel: PhishMe trains users to avoid conversational phishing

double-barrel“It’s legit,” an APT1 hacker wrote in response to a recipient who questioned the validity of a spear phishing email sent by the now notorious Chinese hacking group. This recipient had the awareness to initially question the authenticity of the phishing email, but when APT1 responded, it added an element of trustworthiness to its communication, one that could trip up even a savvy employee.

This is one of the tactics Mandiant® described in its report about APT1, and is something we at PhishMe® have observed as well from both our customers and our contacts in the industry. To address this issue, we rolled out the Double Barrel, a new scenario type that will simulate the conversational phishing techniques used by advanced adversaries like APT1. This has been in development for months, and it was a happy coincidence that we rolled this out the same week that Mandiant provided the world with a concrete example.

How PhishMe addresses the top attack method cited in Mandiant’s APT1 report

There’s no shortage of interesting points to take away from the Mandiant® report about the Chinese hacking group APT1 released Tuesday, with many of Mandiant’s findings confirming the threat organized attacker teams pose to enterprises.

First and foremost, the report states, “the most commonly observed method of initial compromise is spear phishing.” This backs up our main message for organizations – to remain focused on the core problem of people being the main vulnerability. Organizations need to proactively address this by developing a user base that is resilient to spear phishing attacks. This doesn’t discount the importance of technology (see our blog post about the NY Times breach), but security behavior management can’t be ignored.

PhishMe’s 2013 RSA Conference Preview

PhishMe (along with our giant bowl of Swedish Fish) will be attending the RSA conference this month for the second time, and we’re pretty excited to be returning to the City by the Bay. We’ve grown a lot since last year’s conference, and this year provides us with a chance to show off how PhishMe has evolved – both as a product and company.

Who better to help us preview our first big event of the year than our founders, CEO Rohyt Belani and CTO Aaron Higbee? I conducted short interviews with each outlining what they are looking forward to, not only about returning to the conference but also about visiting San Fran itself.

PhishMe; then and now

Q: When did it start?

A: We started building early prototypes of PhishMe in 2007, had beta customers in the first part of 2008 and paying customers later that year.

Q: What is it?

A: PhishMe is a subscription to use the PhishMe infrastructure to facilitate the most effective and memorable spear phishing awareness training around.

Organizations pay for a one year license based on the number of people to be trained, to send as many spear phishing training campaigns as they see fit.  It replicates Click-Only, Data Entry, and Attachment based spear phishing attacks.  We provide stories and themes to get people started, but subscribers are welcome to craft their own.  Subscribers manage recipient groups, pick their phishing themes, and customize the education message that is presented to anybody that falls for the phish. It also helps them keep track of who reported the spear phishing email and reward staff for reporting suspicious emails. Detailed reports show how effective the training is. Subscribers can then select multiple campaigns to build trend reports.   Using PhishMe allows organizations to see real measurable results in awareness improving, using the trend reporting that is provided.

Spear phishing awareness training isn’t a one-and-done event. There are different types of spear phishing attacks and humans need reminders that it doesn’t matter what position they hold in the organization, everyone is a valuable target for a spear phisher.

Q: Who buys PhishMe subscriptions?

A: Organizations that have been Phished multiple times.

It’s extremely frustrating for organizations that own every type of end-point-security product and appliance and have rigorous proactive patching and anti-virus to still get compromised via a spear phishing email.  Their vendors tell them if you buy magic heuristic -cloud-malware appliance X, it will solve their phishing problem.  How does one write a signature for an email that sends a user to a website that simply asks the victim for their username and password?  The truth that the security product vendors don’t want to admit: they can’t. When an organization has an 8 person IR team onsite billing $300hr, looking over at that rack of failed security products is demoralizing. Faced with these circumstances, sending spear phishing emails to the workforce as a means to deliver awareness education about spear phishing stops sounding like a crazy idea.

Q: Who else buys PhishMe?

A: Organizations replacing their own homegrown solution.

Organizations who know they need to do this and have made attempts to build their own solution, but have learned through experience conducting these exercises in a safe controlled manner isn’t as simple as it sounds. What if the recipient is on IE6? Will your page render? What if they open it from a BlackBerry or iPhone? Will their scripts still be able to record the results? What if the end user forwards the training exercise on to digg, slasldot, redditt? You don’t want to be headline news like the Air Force was with their uncontrolled attempt: Many PhishMe customers transition from their own solution to PhishMe because it’s easier, safer, and has better reporting.

Q: Anybody else?

A: Consulting organizations buy professional services licenses to conduct training exercises on behalf of their clients.

Q: Any changes over time?

A: In 2009 and 2010 we saw a shift in our inbound sales.

The word “Phishing” often conjures thoughts about consumer related phishing scams aimed at getting financial information or information that could facilitate identity theft.  In the past two years, the differentiation between spear phishing targeting specific actors in an organization vs. consumer phishing is more well-known.  We began getting inbounds by customers who were aware they needed to proactively address spear phishing, if not from their own experience, from reading about it in trade publications or talking with industry colleagues who were combating the problem.  Still, to this day, the majority of inbound sales leads come from companies who have been compromised via spear phishing. Stories like the RSA breach just help make it more acceptable to disclose “yes, we were compromised by hilarious pictures of cats”.

Organizations don’t need to sit around and wonder if they have a spear phishing problem.  They can find out how bad the problem is and do something about it.

Aaron Higbee

Phishing joins the SANS Top 20

Phishing is now recognized as a 2007 SANS Top 20 risk, and rightly so. What I was even more excited to see is SANS calling out the countermeasure correctly. They didn’t recommend deploying millions of dollars worth of technology to “catch” phishing attacks, but said “user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness”.  As I said in a previous blog post , we are in total agreement with SANS on the efficacy of this countermeasure. In fact we are so in agreement that we have developed a solution ( to do exactly that – run mock phishing attacks to test and measure employee awareness.

Now for the gimmicksmen. Qualys just made an interesting announcement – “Free security scan available for the new SANS Top 20“. I wonder how they are going to scan for phishing vulnerabilities.

– Rohyt

Phishme Update

The development of our phishing attack emulation service, to be hosted at, is on target for a February 2008 release. We are in the midst of alpha testing at this time and hope to be ready for beta in January 2008. At that time, we will be opening up the service for free evaluation. If you are interested in being notified (via email) when the evaluation accounts become available please sign up at signup (we will not phish you 🙂 ).

– The Phisherman

Rohyt Cited in Industry Week Article

Brad Kenney interviewed me about the unique information security challenges faced by manufacturing companies. Excerpts from that interview can be found in his IndustryWeek story –  From ID to IP Theft.

Moral of the story: Large employee bases whose skill set is not in technology, coupled with fragmented operations make the job of an information security officer in the manufacturing sector very challenging.