Use Responsibly: Recon Like an insider threat for Best User Training ROI

Abstract:

 Fellow Researcher Allie Page and I attempted the creation of effective Security Awareness Training with a measurable return on investment. We chose to perform a case study in creating training that might be effective against phishing, partly because an ROI formula was already in existence and partly because no one said we couldn’t ¯\_(ツ)_/¯

 Our Blue Team had a well-tuned top of the line Email gateway with Post Delivery Protection, integrated threat feeds and when adjusting for the implementation of DMARC, DKIM and SPF it was 99.9986% effective at blocking phishing campaigns just shy of perfection from a mathematical standpoint. Out of a total 14 million received emails sent to the organization just over half were spam and phishing. The stack setup was working well with just under 1000 malicious emails managing to find their way past all defenses and into the user’s inboxes (better known as the Danger Zone!). Unfortunately, out of that 1000 malicious emails received we had an 85% click rate from our user base. A click occurring afterhours or in the heat of an ongoing campaign could lead to a compromise of systems estimated by insurers at up to 7 million dollars in damages. With background information and the basic numbers needed for the ROI formula we began a case study that started with OSINT and ended with a 62% reduction in users falling for malicious emails within 5 months’ time.

 OSINT was useful for providing information useful for rating the skill level required for an attack as it revealed the tools and user information available to an attacker. However internal data brought much more to the picture when it came to how to rate the likelihood and impact of a risk. A lot of internal data was essentially wasted due to the sheer volume of it. As we zeroed in on internal data we began to use the term OSINT+. The idea of OSINT+ is that it takes advantage of the data a defender has been given access to due to establishing the right to monitor information in the network and on devices that belong to the enterprise. We set out to build a framework for defense recon. The framework was utilized to tune threat matrices to reflect the organization, to make security awareness training more effective, and to aid in the demonstration of security is a service.