[00:00:27] It's out.

[00:03:08] All right, microphone checking. Yeah, that'll work. Yeah, check, mic one two, one two. Good, stop. All right, I think it's time to start. So thank you for coming and also being here today. This talk is called Behavioral Security and Offensive Psychology. If you're expecting Wim's talk, you're in the wrong spot; he very nicely gave up the slot for us today. How's the audio out there, can you hear us? So, yeah, in the back? Back's a little... fine, okay. Wait, is that a bad thing? Okay.

[00:03:58] So even though it's not that kind of con, we have... not a drinking game for you; you probably don't have drinks in your hand, but we wanted to have something interactive, and we don't want to promote the crippling alcoholism that affects us all in our daily lives because of the jobs that we have to do. Darkest timeline, a little bit. So what we're gonna do is, we have a number of words we're likely to say a whole bunch during this. One is "security engagement"; you're gonna hear that a lot, and there's a noise you're gonna make, and don't worry if this doesn't make sense, we have an educational video for you. But the noise is gonna expand if you hear "red team". Yeah, you want to practice that? Yeah, y'all got that. You hear it: red team, the noises. If you hear "phishing", I want to hear, like, that airhorn: "ah!" And then there's one word so secret, so impactful to our industry, that when we say it I want to see you go crazy, just go ham, slob kabob. And if you don't know what going slob kabob is, don't worry, we got an educational video for you, but I just want to hear, like, massive here. So let us show you this video. Let's... oh man, we're gonna have to do a... This is an instructional video; it's required for maximum learning. It's probably not gonna play here because I don't have any Wi-Fi, but don't worry, I know how to come with a backup.

[00:05:33] [video plays] "...yeah, you, yeah, yourself there, love kebab, she like looks like a slob kabob, kebabs, love kebab, she like looks like a slob kabob..."

[00:06:07] "...a year, a year, what, everything you're having, I..." This is what we call micro-learning, so pay attention. And thanks for being... thank you, hearted B. Where did that name come from? You want to know something? You want to know something? "...she like looks like a slob..."

[00:07:17] So did everyone learn something? Good. Well, that's the end of the talk, so thank you. So if you want to play along, make it a little interactive, that'd be fine. It will probably mess up, and that might be funny for you; it'll probably mess us up, but those are the rules: security engagement, red team, phishing, synergy will help you along the way.

[00:07:39] So my name is Josh Schwartz. I am the director of offensive security at Verizon Media, where we call our security team the Paranoids, and with me we have the fabulous birthday princess. It is, it is actually her birthday today. I mean, thank you for throwing a conference to celebrate my birthday; it is very nice of them. And thank you, Wim, for swapping spots with us because it's my birthday. I also lead the security engagement and red team at Lyft.

[00:08:22] So I know you're all here for us to perhaps give you some information, but maybe you're just here because you thought it was Wim's talk, or maybe you're here because you came to just heckle, or maybe you're here because you feel obligated because you work with me or something like that. Front row, yeah. But because this is an opportunity for us to share and exchange information, we'd like to do a little bit of a poll, and I'd like to know, we'd like to know, who we're talking to today. So folks in the room, who here is on an internal security team? Wow, okay. So who's not on an internal security team, you're like a vendor or a consultant? Wow, internal security growing, it's good, good stuff. So who here is on a security engagement, security awareness team? Okay, a couple people. How many of your companies have a security engagement, security awareness team? Okay, more hands, and another one, nice. So let's think about it for red team. Yeah, he's on it, I don't know, I think so. Folks who call themselves red team in the house? We are, we are the red team. We've got a few. How many folks have a red team inside their company? Yeah, wow. Secured, even meeting, being written, all that. How many folks, front row notwithstanding, have this dreamy thing where you have both of them, you have security engagement and red team, and not only that, but they work together and they're part of the same thing? Would you say that they have synergy? Let's hear it for synergy, because that is what this talk is about. It's about synergy, it's about how these two things can perhaps be better together, and by combining them you can get a lot more. And what we would like you to leave here today with is perhaps a few tips, maybe some ammunition if you're ever looking to build a program like this, or if you ever find yourself where you want to be able to make the argument to have these types of things in your organization, and you want to know how to figure out building them and maybe not get clobbered by it, because it's a dangerous world out there. So if you ever find yourself needing these, hopefully you can get it done.

[00:11:05] However, it's hard, because it's a lot easier said than done, much like a 2020 Kanye presidency, and there's a number of reasons for that. First of which, both of these things are very much a luxury item. It's expensive, A, to pay us to do this kind of stuff, especially when it's not just directly going out there and fixing bugs. It's expensive to hire people to just go around and point out flaws, and we all work in security, so we already know how many flaws there are everywhere. Everything's broken, and why would we want someone to come tell us about things being more broken? Like, we already know; we just need more people to help us fix it. And it's also pretty bad for our friends in security engagement, right? Why would you want someone just to focus on making people care about security more, just to focus on trying to change behavior, trying to focus on that human element, when there's so many technical vulnerabilities around us?

[00:12:07] But if we get lucky enough where someone decides they want to buy that luxury item and they sign up to have one of these things, nobody knows where to put us, and what often happens is we end up in this place where you're just kind of at the whim of whoever decided they needed you. For red team, sometimes it's the legal team. Yeah. Sometimes the legal team, sometimes it's product security, and then if you're a red team on product security, what do you do? You do prodsec. So I've even seen it where red teams exist and they're a function of the blue team. That's the worst, because then they call themselves purple team and they think they're really forward-thinking, but really they're just doing a fraction of the job that they could be doing. Sorry. And we've got the same problem over on security engagement; I think we have it a little bit worse. Have you, as a red team, ever ended up in compliance? Well, no, I had self-respect. Due to PCI, HIPAA, Sarbanes-Oxley, compliance is a popular place for a security engagement, security awareness, or an SE team to land, but when this happens you end up doing run-of-the-mill check-the-box security awareness videos. Or sometimes you get a bit luckier, you end up in engineering, which is not a bad place to land, but because of human nature and people wanting to just focus on their own kind, you end up really just focusing on the security development lifecycle in the absence of looking at the rest of the organization, even though we all know that risks exist in all areas of the business. Or you end up with the opposite problem: you're allowed to educate everyone except engineers, because you're not technical enough to speak to an engineer.

[00:13:59] Next, you have above-average social skills and high EQ, which makes everyone think that you are the team event planner. Or just because you can write everything from company-wide emails to blog posts to course material doesn't mean that this team is your tech writer. Everyone wants this mythical creature with all of these skillsets, but no one wants to pay for it or consider the incredible rarity of a unicorn.

[00:14:28] Enter the cycle of security culture doom. Often, despite a career focused deep in tech or engineering, there's this misconception... I'm sorry, oh, here I am talking about speaking skills... misconception of the resources required to build this program. Videos don't grow on trees. Gamification sounds cool, innovative in fact, but the platform required to track all these actions and the points costs money. The rewards also associated with these programs cost money, even more so if your program is successful, because then you have a lot of rewards to give out. Expectations for this role then border on unrealistic: you have to be good at presenting, writing, have arguably the widest breadth of security and privacy knowledge in the field, data science to track the efficacy of your program, learning theory to get these knowledge bits to stick, behavioral science because, you know, you're trying to actually change some behavior, design, video and photo editing skills to make your content look good, and event planning to get people excited about the stuff that you're doing. And on top of all of this, you have to be able to think like an attacker to simulate attacks. Looking at you, phishing. At this stage of the program, either with inadequate funding (these unicorn stables cost a lot of money) or you were never able to find your unicorn to begin with, your program fails to be the prancing success that you once envisioned it to be. And then, because these programs are often set up for failure, our industry views them as run by soft, soft incompetence and not a success.

[00:16:16] I'm gonna let you finish here, but there's a bigger problem than this. It goes deeper; it's part of all of us, the things that we do, and that's the fact that we disagree constantly. The first time that I had the responsibility of the phishing program, I talked to Sam about it and I'm like, I think we could do this, like, could make a good improvement. She was like, why would you strive for mediocrity? I said, do you even know why? Indeed. And because we're constantly disagreeing about it, and I know I'm the biggest hypocrite ever because here we are disagreeing about what it should be like, but because we constantly do this, we constantly argue about what is a good red team, what is a good security engagement program, what we end up with is a lack of definition. And because we can't define ourselves, because we can't communicate to other people what our value is, nobody understands our value, and we sit there like a sad little Kanye.

[00:17:19] So I present to you this new and innovative thing: the conjoined squares of holistic success. Synergy. I know, right? I'm excited too, because these two things, we have a lot in common, right? We both have this lack of definition; we both fail to define ourselves really well, and we both exist in this state where we've got a lot of vendors who think they can do it too, and the marketplace is saturated, and because of that there's a lot of external people selling the bare minimum that is supposed to do what we're trying to build. But we know we could probably do it better internally, because we can customize things to our internal needs, the internal culture of our companies, and we actually care and we don't just drop in a product and walk away. And sorry for all the vendors who think they're really great.

[00:18:12] But there's more to that, though. I mean, we have some failures that are very complementary. Like, sorry, security engagement, but yeah, suck it: real phishing, making it realistic, because you've probably never been behind the keyboard typing that email, actually trying to get a shell. Right, but red team is really good at one-and-done phishing engagements; have you ever done it for a large group of people consistently? Okay, yeah, you're right. You know, normally we just kind of get shell once and we don't really test the entire population, but it works, right? I guess we don't really care about making change, or I guess we really don't care about working with partners, because let's face it, red team, we're really not people people. It's a lot easier to whisper to those ones and zeros and make the door open up than it is to have a meeting with some other people to actually make something useful. I guess. But then, because security engagement often doesn't come from a heavy engineering or technology background, your SE team is just not quite leet enough to get a seat at the table. There's usually an annual poll post on Twitter by someone who I will not mention at this time asking if you can really be in security if you're not really good at coding. Yeah, so on behalf of red team, sorry for that, sorry for all that leet, leet shaming, as it were. So I present to you an obvious alliance of these two things, if you didn't see this coming, right? Security engagement and red team can work together and try and address some of the real problems and make a bigger impact, right? Because red team can lend that credibility, right, that leetness that we already have, that we care about so much, and security engagement can focus on actually changing behavior, focusing on actually getting that message out in an impactful way.

[00:20:20] So at Verizon Media, that's how we organized our program. We call it propaganda machine, except no one would actually let me call it that, so I only named our Slack channel that, but we call it proactive engagements. The idea is that all of these programs come together under one umbrella to kind of feed each other, and it's like that at a formal level in the organization structure, and it's a core pillar of our security program. We've got the red team, we've got phishing, we've got security engagement, got security education, all aligned behind this one goal of changing behaviors, actually making a difference, right?

[00:21:06] Yeah, but aren't you trying to change behaviors? Yeah. Are you trying to engineer behaviors? Nice. So why wouldn't you just call it behavioral engineering? If I didn't think of that... yeah. I think security engagement, security awareness, propaganda machine, wait, propaganda machine, proactive engagement: out. Behavioral engineering: in.

[00:21:31] But you know, hacking a computer is easy; programming a human is hard. You need some good foundations with your behavioral engineering. First is design. The hardest thing is just reducing choice and ability to make bad decisions, but that will make your program the most impactful. You know, if you make simple changes, like in your email client notifying users when emails come in from someone outside of your organization, or making a password manager really easy to implement. It's this design concept that someone in Japan, his name's Shigeo Shingo, something like that, worked for Toyota at one point, he came up with this thing called poka-yoke, which sounds like the newest Pokemon, but it's not. It's the idea that if you design things in a way that makes it hard to make the mistake, or impossible, it is a better design. Think about when you go to plug something in the outlet: one side is different in America, because we didn't really, didn't like try very hard at this, but in other countries, like, it can only be plugged in one way. It prevents you from making the bad choice. So rather than, like, all the plug manufacturers saying hey, please plug the plugs in the right way, we say okay, you're gonna make mistakes, let's make it impossible for you to make that mistake. Or even better, like, a better explanation of this, or a better example of this, is USB-C. Right now it's impossible to plug it in the wrong way; it's just fine no matter how you do it. Sorry, I got really excited about poka-yoke. It actually used to be called baka-yoke, which was, which was idiot-proof or fool-proof, but then I think they wanted to market it a little bit better, so they made it a little lighter. Clip. So perhaps we in security, you can do some baka-yoke. Don't you mean poka-yoke?

[00:23:29] Next, one of your greatest threat actors is the customer, the user that simply doesn't know the security- or privacy-minded thing to do, and the simple tool for that is educating them, giving them the content and knowledge that they need to make the better choice. The harder adversary that you have is the user that knows better but doesn't care about doing the right thing, and for them you need to build a positive sentiment with your security and privacy teams, give them the motivation to do the right thing, generally through gamification or some other motivation techniques, and then practicing good bedside manner within your team. And then, lastly, measurability, to ensure that you can prove efficacy over time.

[00:24:13] So behavioral change campaigns is kind of the idea that we're presenting here, and like any campaign you need to have a clear goal. You have to clearly define what behavior it is that you want to change before you start, then you have to measure if something changed, and then you actually have to follow up and communicate it out. You can't just do something in a little bubble and expect other people to understand that you've done something.

[00:24:41] Now, we're not kind of like the first people to ever think of this. There's actually a group of people who really care about changing human behavior, and they do so so all of us dum-dums don't kill ourselves with disease and such, and they are called the World Health Organization. And they already document what a behavioral change campaign can be, and they have this definition: a health campaign is something that follows a specific sequence that moves the target audience from awareness of an issue towards a behavior resulting in a specific health outcome. What if we replace health with security here, and we thought about behavioral change campaigns in the context of security? And we think a security behavioral change campaign follows a specific sequence that moves our target audience from awareness of an issue, kind of knowing that security is important, towards the behavior, and it results in a specific security outcome. Okay, they do the thing we want them to do.

[00:25:40] They have some other advice too that is really useful for us. Involve partners early in the campaign; the campaign can benefit if we find the people who are already caring about that stuff. And using trusted messengers: this idea is quite devious, actually. Find people who are trusted, right, perhaps people who are already prolific in your organization, they have power to speak out, and get them to deliver the message of security or health or whatever it might be. And then this last thing they said is something we often ignore: ensure the availability of community resources. Health change campaigns, they don't try and make people, like, all use condoms, or not inject themselves with needles, or do any of these bad behaviors, if they don't have an available alternative, if you don't have the resources to actually do that other thing. You can't tell everybody to use a condom if there's no condoms available. And therefore in security we can take a good lesson from this: we shouldn't try and make people do the secure thing if we don't make that available to them.

[00:26:47] So what do we do if we've got nothing? You've got no resources, no one's behind you on this idea. Well, you be the change you want to see in the world. Most red teams, most engagement programs, they start with this very simple idea: go do something, go demonstrate, go hack something. That will create momentum for you, and then once you have that momentum you can build a program from it. But the idea there is, don't fuck it up too bad, and in order to not bug it up too bad you need something called executive buy-in. I know this seems boring, but I bet we all say this all the time, but we don't realize
what it really means most 543 00:27:27,360 --> 00:27:32,100 people may think that executive buy-in 544 00:27:29,460 --> 00:27:36,060 is this idea that someone who has power 545 00:27:32,100 --> 00:27:38,490 may be an executive has said yes you can 546 00:27:36,060 --> 00:27:39,960 do this but that's not executive I 547 00:27:38,490 --> 00:27:43,170 that's permission from somebody 548 00:27:39,960 --> 00:27:45,000 executive buy-in the real executive buy 549 00:27:43,170 --> 00:27:47,790 it is that anybody who might have an 550 00:27:45,000 --> 00:27:50,400 interest in D railing or anyone whose 551 00:27:47,790 --> 00:27:52,200 toes you might step on they all already 552 00:27:50,400 --> 00:27:53,940 agree with you that means you can go 553 00:27:52,200 --> 00:27:56,280 accomplish the thing you want because 554 00:27:53,940 --> 00:27:57,660 everybody's already on your side there's 555 00:27:56,280 --> 00:28:00,270 a lot of people you might need to make 556 00:27:57,660 --> 00:28:05,010 friends with to accomplish anything in 557 00:28:00,270 --> 00:28:07,379 security starting with your target 558 00:28:05,010 --> 00:28:09,300 especially for a red team yeah go get 559 00:28:07,380 --> 00:28:11,820 cozy with them no one likes to be told 560 00:28:09,300 --> 00:28:13,110 that their baby is ugly so you gotta do 561 00:28:11,820 --> 00:28:14,399 a lot of pre-work to make them feel 562 00:28:13,110 --> 00:28:16,909 comfortable with the fact that you're 563 00:28:14,400 --> 00:28:19,340 about to go poke them pretty badly 564 00:28:16,910 --> 00:28:22,759 that's what she said 565 00:28:19,340 --> 00:28:25,249 yeah and you also need to probably if 566 00:28:22,759 --> 00:28:26,629 you wanna like message out something you 567 00:28:25,249 --> 00:28:27,830 probably want to go talk to the people 568 00:28:26,629 --> 00:28:31,399 and there's gonna be a recurring theme 569 00:28:27,830 --> 00:28:34,039 here whose job it already is to do that 570 00:28:31,399 --> 00:28:35,779 thing 
there's someone's it's their job 571 00:28:34,039 --> 00:28:37,249 to communicate to the company don't 572 00:28:35,779 --> 00:28:38,950 start communicating to the whole company 573 00:28:37,249 --> 00:28:42,080 without talking to them first 574 00:28:38,950 --> 00:28:44,149 if they even let you it's often a a 575 00:28:42,080 --> 00:28:46,158 gating function where someone can't 576 00:28:44,149 --> 00:28:47,989 email the whole thing if they're good at 577 00:28:46,159 --> 00:28:49,610 their job you actually can't do that but 578 00:28:47,990 --> 00:28:50,840 you know sometimes we have the access we 579 00:28:49,610 --> 00:28:52,908 need to do things like that 580 00:28:50,840 --> 00:28:55,970 and there's other right the learning 581 00:28:52,909 --> 00:28:57,440 team the people who teach people you 582 00:28:55,970 --> 00:28:58,759 can't run around saying you want to 583 00:28:57,440 --> 00:29:03,070 teach people something if you don't talk 584 00:28:58,759 --> 00:29:05,360 to the people whose job it already is or 585 00:29:03,070 --> 00:29:07,879 onboarding making sure that you can 586 00:29:05,360 --> 00:29:10,100 drive home this message that security is 587 00:29:07,879 --> 00:29:12,918 part of your company culture because 588 00:29:10,100 --> 00:29:14,570 like any good campaign in this world 589 00:29:12,919 --> 00:29:17,539 it's good to get them when they're young 590 00:29:14,570 --> 00:29:19,399 right yeah and that includes at the 591 00:29:17,539 --> 00:29:20,570 company that first day man it's powerful 592 00:29:19,399 --> 00:29:23,119 it's not something that we should ignore 593 00:29:20,570 --> 00:29:24,980 and of course you also need to go talk 594 00:29:23,119 --> 00:29:27,139 to designs to make things pretty talk to 595 00:29:24,980 --> 00:29:29,350 the event planners talk to procurement 596 00:29:27,139 --> 00:29:33,709 you need a lot of friends to succeed 597 00:29:29,350 --> 00:29:37,100 executive buy-in is largely a social 598 00:29:33,710 --> 
00:29:39,289 engineering operation you have to figure 599 00:29:37,100 --> 00:29:43,580 out and enumerate all of these different 600 00:29:39,289 --> 00:29:45,740 people so that you can then go exploit 601 00:29:43,580 --> 00:29:47,240 them and it might not sound sexy but 602 00:29:45,740 --> 00:29:48,919 going and having a meeting with the 603 00:29:47,240 --> 00:29:52,399 right people and getting them to buy 604 00:29:48,919 --> 00:29:54,499 into your idea is a real exploit and 605 00:29:52,399 --> 00:29:56,178 it's a powerful one because you might 606 00:29:54,499 --> 00:29:59,809 actually accomplish something if you do 607 00:29:56,179 --> 00:30:01,700 this enough and then of course there's 608 00:29:59,809 --> 00:30:03,740 that last part escalation right popping 609 00:30:01,700 --> 00:30:06,169 one box isn't enough you need everybody 610 00:30:03,740 --> 00:30:07,789 so you take one person buying into your 611 00:30:06,169 --> 00:30:09,289 idea and you pivot off of it and you go 612 00:30:07,789 --> 00:30:11,860 to other people and you get more people 613 00:30:09,289 --> 00:30:11,860 to buy into it 614 00:30:13,580 --> 00:30:18,659 so what does this actually look like in 615 00:30:16,200 --> 00:30:21,720 practice what if you wanted security 616 00:30:18,660 --> 00:30:25,710 integrated directly into your core 617 00:30:21,720 --> 00:30:27,810 central employee content platform this 618 00:30:25,710 --> 00:30:30,120 was the experience that I had the first 619 00:30:27,810 --> 00:30:33,780 time combining Red Team and security 620 00:30:30,120 --> 00:30:38,399 engagement efforts I think thank you 621 00:30:33,780 --> 00:30:42,720 David MVP up in the front row here thank 622 00:30:38,400 --> 00:30:47,640 you uh sorry sorry got so distracted by 623 00:30:42,720 --> 00:30:50,340 dual core need to compose myself so our 624 00:30:47,640 --> 00:30:54,720 red team at the time had a goal of 625 00:30:50,340 --> 00:30:56,879 writing this engagement using certain 626 
00:30:54,720 --> 00:30:59,510 exploit that they had found out I also 627 00:30:56,880 --> 00:31:03,980 had a different operation at the time 628 00:30:59,510 --> 00:31:06,300 trying to gain access to a core central 629 00:31:03,980 --> 00:31:08,700 communications platform for the company 630 00:31:06,300 --> 00:31:11,310 that I worked at but we didn't want to 631 00:31:08,700 --> 00:31:13,860 just you know do any old red team 632 00:31:11,310 --> 00:31:16,139 campaign and I needed evidence to prove 633 00:31:13,860 --> 00:31:17,939 that I needed access to this tool so we 634 00:31:16,140 --> 00:31:20,970 sat down to make this phishing risk 635 00:31:17,940 --> 00:31:24,120 model so we looked at all the assets 636 00:31:20,970 --> 00:31:25,980 this is not a you know all-inclusive 637 00:31:24,120 --> 00:31:28,340 list of any assets that a company might 638 00:31:25,980 --> 00:31:31,230 care about but mere just some examples 639 00:31:28,340 --> 00:31:32,970 and we picked the one that we knew would 640 00:31:31,230 --> 00:31:36,120 be most impactful for our organization 641 00:31:32,970 --> 00:31:38,250 next we looked at all the tools within 642 00:31:36,120 --> 00:31:40,590 our environment and which tools would 643 00:31:38,250 --> 00:31:43,220 give us access to that asset and whether 644 00:31:40,590 --> 00:31:45,480 or not they were protected by MFA or 2fa 645 00:31:43,220 --> 00:31:47,790 next when crafting our social 646 00:31:45,480 --> 00:31:50,010 engineering and phishing campaign we 647 00:31:47,790 --> 00:31:51,990 looked at the you know exact action that 648 00:31:50,010 --> 00:31:54,240 would give us access to that tool and 649 00:31:51,990 --> 00:31:56,880 made sure that it was matched up really 650 00:31:54,240 --> 00:32:00,120 well and then last made sure that our 651 00:31:56,880 --> 00:32:03,090 target was you know the user group that 652 00:32:00,120 --> 00:32:05,370 would use that tool and grant us access 653 00:32:03,090 --> 00:32:07,379 and 
there's you know general 654 00:32:05,370 --> 00:32:10,919 susceptibility to phishing and social 655 00:32:07,380 --> 00:32:13,230 engineering another way of looking at 656 00:32:10,920 --> 00:32:15,210 this let's say I wanted details of a 657 00:32:13,230 --> 00:32:18,590 pending acquisition for my company I 658 00:32:15,210 --> 00:32:21,360 might send a targeted phishing campaign 659 00:32:18,590 --> 00:32:24,730 to get chrome plug-in permissions to 660 00:32:21,360 --> 00:32:26,918 grant desktop capture to the legal teams 661 00:32:24,730 --> 00:32:28,809 browser probably have a light high 662 00:32:26,919 --> 00:32:31,660 likelihood of success with this campaign 663 00:32:28,809 --> 00:32:35,440 what I don't do is fish to capture 664 00:32:31,660 --> 00:32:37,450 credentials why because their gmail is 665 00:32:35,440 --> 00:32:39,640 protected by two-factor authentication I 666 00:32:37,450 --> 00:32:43,510 have a low likelihood of success running 667 00:32:39,640 --> 00:32:45,400 that campaign so what did we end up 668 00:32:43,510 --> 00:32:47,890 doing a little bit of oauth fishing 669 00:32:45,400 --> 00:32:50,890 before it was cool at that time we had 670 00:32:47,890 --> 00:32:52,419 the ability to customize our roth page 671 00:32:50,890 --> 00:32:54,280 to make it look like it was coming from 672 00:32:52,419 --> 00:32:56,140 within our organization we did the 673 00:32:54,280 --> 00:32:59,620 responsible thing over recording into 674 00:32:56,140 --> 00:33:04,510 Google after this time but we got some 675 00:32:59,620 --> 00:33:06,639 pretty gnarly permissions in addition to 676 00:33:04,510 --> 00:33:09,010 the Red Team campaign that we had going 677 00:33:06,640 --> 00:33:12,940 at this time I had my own operation in 678 00:33:09,010 --> 00:33:15,100 play for entire six months when I joined 679 00:33:12,940 --> 00:33:17,260 the company and learned that it wasn't 680 00:33:15,100 --> 00:33:19,719 going to be so easy to gain access this 681 
00:33:17,260 --> 00:33:28,929 tool that I viewed as critical for 682 00:33:19,720 --> 00:33:35,500 security engagement even David it's okay 683 00:33:28,929 --> 00:33:38,919 it's okay I started my own executive 684 00:33:35,500 --> 00:33:41,169 buying campaign starting with the 685 00:33:38,919 --> 00:33:43,809 highest ranking member of the company 686 00:33:41,169 --> 00:33:46,270 that I had access to selling them on my 687 00:33:43,809 --> 00:33:47,950 vision and getting the meeting with the 688 00:33:46,270 --> 00:33:51,340 next biggest person within the company 689 00:33:47,950 --> 00:33:53,380 so on and so forth and so until I got 690 00:33:51,340 --> 00:33:54,520 blocked and then I did a little bit of 691 00:33:53,380 --> 00:33:56,500 digging a little bit of reconnaissance 692 00:33:54,520 --> 00:33:58,059 and learned that one of the executives 693 00:33:56,500 --> 00:33:59,950 who had a hard time getting on their 694 00:33:58,059 --> 00:34:03,129 calendar usually had their morning 695 00:33:59,950 --> 00:34:06,040 meetings available and a penchant for a 696 00:34:03,130 --> 00:34:07,660 specific breakfast sandwich entered the 697 00:34:06,040 --> 00:34:11,440 best social engineering - of all time 698 00:34:07,660 --> 00:34:13,629 the Egg McMuffin got that meeting with 699 00:34:11,440 --> 00:34:14,560 them got their buy-in and then made some 700 00:34:13,629 --> 00:34:18,100 other friends along the way 701 00:34:14,560 --> 00:34:20,469 the design team procurement internal 702 00:34:18,100 --> 00:34:22,239 comms because I learned they were also 703 00:34:20,469 --> 00:34:24,009 blocked from using this tool so my 704 00:34:22,239 --> 00:34:26,350 success was going to be their success 705 00:34:24,010 --> 00:34:28,330 until I felt like I had met with every 706 00:34:26,350 --> 00:34:31,659 single person in the company except for 707 00:34:28,330 --> 00:34:33,489 the CEO and I leveraged the results from 708 00:34:31,659 --> 00:34:36,159 the red team campaign to 
get that 709 00:34:33,489 --> 00:34:38,049 meeting and when I did I you know 710 00:34:36,159 --> 00:34:40,270 presented the problem and then the 711 00:34:38,050 --> 00:34:42,429 immediate solution which was giving me 712 00:34:40,270 --> 00:34:47,530 access to that tool and they agreed 713 00:34:42,429 --> 00:34:51,300 immediately my bounty propagating and 714 00:34:47,530 --> 00:34:53,860 security content on our core platform I 715 00:34:51,300 --> 00:34:56,200 celebrated as one does with some 716 00:34:53,860 --> 00:34:58,870 champagne popping on the roof but then 717 00:34:56,199 --> 00:35:02,049 also got to do some really you know fun 718 00:34:58,870 --> 00:35:05,680 creative innovative micro learning on 719 00:35:02,050 --> 00:35:08,980 our core platform how does this all sum 720 00:35:05,680 --> 00:35:12,160 up you know keeping our hat back to the 721 00:35:08,980 --> 00:35:14,760 boat World Health Organization we have a 722 00:35:12,160 --> 00:35:16,960 behavioral change campaign a clear goal 723 00:35:14,760 --> 00:35:18,730 reducing employee susceptibility to 724 00:35:16,960 --> 00:35:21,520 OAuth phishing attacks 725 00:35:18,730 --> 00:35:24,850 gaining access to the best communication 726 00:35:21,520 --> 00:35:27,040 tool to change behaviors and having one 727 00:35:24,850 --> 00:35:29,370 to remeasure Ville simulation impact 728 00:35:27,040 --> 00:35:32,440 what we're doing measuring behavior 729 00:35:29,370 --> 00:35:35,080 looking at how many employees gave us a 730 00:35:32,440 --> 00:35:37,420 xoauth grants you know gaining access 731 00:35:35,080 --> 00:35:39,940 support and funding for using this 732 00:35:37,420 --> 00:35:42,550 internal tool and then reducing overall 733 00:35:39,940 --> 00:35:44,740 susceptibility to OAuth and other social 734 00:35:42,550 --> 00:35:46,540 engineering attacks and then for doing 735 00:35:44,740 --> 00:35:48,129 and communicating we had a really great 736 00:35:46,540 --> 00:35:50,920 Red Team read out 
targeted training 737 00:35:48,130 --> 00:35:53,140 company-wide marketing of our attack and 738 00:35:50,920 --> 00:35:55,000 our remediation efforts and then 739 00:35:53,140 --> 00:35:57,970 continuous retesting to measure our 740 00:35:55,000 --> 00:36:00,070 change and our end results when that 741 00:35:57,970 --> 00:36:01,330 really noisy OAuth attack went out 742 00:36:00,070 --> 00:36:03,760 around the world 743 00:36:01,330 --> 00:36:05,890 our employees caught it in ten seconds 744 00:36:03,760 --> 00:36:08,920 we were the first company to report it 745 00:36:05,890 --> 00:36:11,350 to Google 70% of our reported fishes end 746 00:36:08,920 --> 00:36:13,750 up being real fishes that means that our 747 00:36:11,350 --> 00:36:16,569 employees were so good at spotting real 748 00:36:13,750 --> 00:36:19,230 phishing attacks our company and when we 749 00:36:16,570 --> 00:36:21,310 did a campaign with a binary execution 750 00:36:19,230 --> 00:36:26,080 100% of the people that we targeted 751 00:36:21,310 --> 00:36:28,480 reported it to our team this is actually 752 00:36:26,080 --> 00:36:32,650 a pretty great success story and it 753 00:36:28,480 --> 00:36:38,380 comes down to a really core idea and the 754 00:36:32,650 --> 00:36:41,260 goal here was to use the V app and we're 755 00:36:38,380 --> 00:36:43,870 not naming the company but like it's the 756 00:36:41,260 --> 00:36:46,570 app that is the company if you can ever 757 00:36:43,870 --> 00:36:49,029 do that if you can ever figure out like 758 00:36:46,570 --> 00:36:51,430 how to place security how to place 759 00:36:49,030 --> 00:36:51,960 things that you want people to know 760 00:36:51,430 --> 00:36:54,359 about 761 00:36:51,960 --> 00:36:57,500 security education messaging whatever it 762 00:36:54,359 --> 00:37:00,000 is into the most central integrated 763 00:36:57,500 --> 00:37:01,800 thing that the company has right if 764 00:37:00,000 --> 00:37:03,480 you're Facebook you poke you get it 765 
00:37:01,800 --> 00:37:05,250 integrated into the internal Facebook 766 00:37:03,480 --> 00:37:07,560 thing if you're snapchat you get it 767 00:37:05,250 --> 00:37:09,990 integrate it into snapchat itself if 768 00:37:07,560 --> 00:37:10,650 you're Pandora you play songs about 769 00:37:09,990 --> 00:37:14,279 security 770 00:37:10,650 --> 00:37:16,770 I don't know but using whatever that 771 00:37:14,280 --> 00:37:18,630 place that people already go to as your 772 00:37:16,770 --> 00:37:21,450 messaging platform is going to be the 773 00:37:18,630 --> 00:37:23,460 most powerful thing and we as security 774 00:37:21,450 --> 00:37:26,189 practitioners should maybe stop trying 775 00:37:23,460 --> 00:37:28,500 to reinvent the wheel everywhere this 776 00:37:26,190 --> 00:37:29,280 idea already exists and we talk about it 777 00:37:28,500 --> 00:37:31,109 all the time when we talk about 778 00:37:29,280 --> 00:37:33,960 offensive operations this idea of living 779 00:37:31,109 --> 00:37:36,779 off the land which if you're unfamiliar 780 00:37:33,960 --> 00:37:40,050 it means don't drop a bunch of exploit 781 00:37:36,780 --> 00:37:42,920 toolkit on a system when you get access 782 00:37:40,050 --> 00:37:45,780 to it because that's gonna get detected 783 00:37:42,920 --> 00:37:47,910 but instead use the things that are 784 00:37:45,780 --> 00:37:49,440 already existing in the environment to 785 00:37:47,910 --> 00:37:53,368 move laterally to move your privileges 786 00:37:49,440 --> 00:37:58,140 up it's important for us to think about 787 00:37:53,369 --> 00:38:01,320 how we approach putting security in 788 00:37:58,140 --> 00:38:03,509 other places and one idea that we might 789 00:38:01,320 --> 00:38:06,210 want to be aware of is the 790 00:38:03,510 --> 00:38:08,730 dunning-kruger effect and this is a 791 00:38:06,210 --> 00:38:12,720 psychological principle in which we're 792 00:38:08,730 --> 00:38:16,080 when we try something new we go from not 793 00:38:12,720 
--> 00:38:18,689 being skilled at all to being a little 794 00:38:16,080 --> 00:38:22,020 bit skilled and we suddenly think we're 795 00:38:18,690 --> 00:38:25,589 the freakin best at it but man I got all 796 00:38:22,020 --> 00:38:26,940 these new skills and actually over time 797 00:38:25,589 --> 00:38:29,099 maybe you experienced this in your 798 00:38:26,940 --> 00:38:30,720 career as a security professional but we 799 00:38:29,099 --> 00:38:33,089 definitely I know we're all really 800 00:38:30,720 --> 00:38:35,189 really smart right security people so 801 00:38:33,089 --> 00:38:37,320 smarmy not on computers but we're not 802 00:38:35,190 --> 00:38:39,150 that great at everything else and unless 803 00:38:37,320 --> 00:38:42,619 we really put that time into learning 804 00:38:39,150 --> 00:38:45,570 that we're probably not going to be and 805 00:38:42,619 --> 00:38:48,869 the thing that will give us the biggest 806 00:38:45,570 --> 00:38:50,990 advantage is diversifying the types of 807 00:38:48,869 --> 00:38:54,570 people we allow into security 808 00:38:50,990 --> 00:38:56,759 diversifying the skillsets that we use 809 00:38:54,570 --> 00:38:59,160 an approach rather than thinking that we 810 00:38:56,760 --> 00:39:03,770 as an industry can do everything all on 811 00:38:59,160 --> 00:39:06,420 our own leveraging design leveraging 812 00:39:03,770 --> 00:39:10,690 behavioral psychology 813 00:39:06,420 --> 00:39:12,400 leveraging marketing sales people who 814 00:39:10,690 --> 00:39:14,800 have skill sets that are different than 815 00:39:12,400 --> 00:39:16,510 ours because we will never get security 816 00:39:14,800 --> 00:39:18,640 into the places it needs to be and 817 00:39:16,510 --> 00:39:22,230 people will never care about it if we 818 00:39:18,640 --> 00:39:24,129 stay in this little camp that's just us 819 00:39:22,230 --> 00:39:25,720 and then that's the end of the 820 00:39:24,130 --> 00:39:28,420 presentation and if you have any 821 
00:39:25,720 --> 00:39:31,680 questions we'll try and answer them so 822 00:39:28,420 --> 00:39:31,680 ask them or don't 823 00:39:32,880 --> 00:39:40,670 then don't I guess alright that's the 824 00:39:37,630 --> 00:39:47,179 end pot thank you bye 825 00:39:40,670 --> 00:39:47,179 [Applause] 826 00:39:49,370 --> 00:39:51,400 Oh