Why PhishMe makes Pentesters Uncomfortable

I read Aitel’s article right before leaving for BlackHat: “Why you shouldn’t train employees for security awareness”

Popcorn in hand, this should be a fun read. After all, we agree that traditional awareness methods don’t seem to be sticking.

Reading… a phishing mention, ok good …

hrm …

“It’s a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk”

Wait what?!@#

A hit piece about security awareness with a sole focus on spear phishing.

“You talkin’ to me? You talkin’ to me? Then who the hell else are you talking… Well I’m the only one here.”

I wasn’t convinced the article wasn’t an elaborate troll, but CSO prodded, and Aitel reiterated. Most recently he was on a panel for PaulDotCom’s episode 300 and stuck to his original script. In the Security Leadership » Security Awareness section of CSO Online, these two articles have 80+ comments. The past ten articles combined (excluding these) have a grand total of three comments. Over-the-top opinions get page views. So here we go.

A phishing pentest is a waste of money

That statement aims squarely at the profitable pentest service line and kneecaps the zing from the juicy report that’s needed to sell next year’s assessment. It also irritates the mercenary face punchers when they have to go back to traditional attack and report work. Pentesters pay good money for point-and-clicky exploit tools. Who am I to cripple a feature set and spoil their fun? A report about how you weren’t able to break in flounders, while one about how you were able to trick employee X into clicking Y leading to compromise reads like a slasher novel. A pentester needs to deliver a thriller in order to level up in the customer’s security budget. Phishing does that nicely.

Any organization who believes they need to spend money to find out if they are vulnerable to spear phishing needs a new CSO.

“I felt like destroying something beautiful.”

I’m the last person to rehash the “there is no value in pentesting / pentesting is dead” debate. Security needs testers who are motivated by the sole desire to destroy something beautiful. I employed a team of face punchers at Intrepidus Group who enjoy their job thoroughly. I’ll be the first to tell you this type of person is not who you want implementing and executing defensive security policy and strategy for your enterprise network. They punch faces and write reports.

It’s no wonder a number of passionate network defenders took issue with the article’s advice. Not only is a phishing pentest a complete waste of money, it squanders and taints a valuable teaching opportunity that could be used to improve security. Emotional beings don’t like to be penetrated for the sake of penetration. They’re fragile, very fragile! I have a list of organizations who can’t use the PhishMe method because an overzealous pentester went over-the-line!

TURF WARS

The original article hits, heart rates increase, copy-cat services moan. Commenters comment, the twittersphere tweets, bloggers blog, and the dust settles. The responses were what I was expecting. It was good to see PhishMe customers chime in with their true-to-life experiences completely dismissing the article. The most disappointing commentary (yet not surprising) was the twitter echo chamber of offensive testing curmudgeons piling on with no experience making a meaningful impact to the security defense of an organization to speak from. Donny you’re out of your element!

It’s a simple matter of turf. PhishMe forces the intersection and commingling of the offensive and the defensive.

There is something about the PhishMe method that rubs pentesters the wrong way and this won’t be the last time we have them reaching for Alka-Seltzer. In the hierarchy of security industry egotism, face punching and popping shells is the most visible. There are no high fives or pelvic desk thrusts for blocking-tha-shit-out-of-packets. Along comes PhishMe looking hotter than the bride on the wedding day. “Social Engineering!?!—that’s my job!” I don’t expect face punchers to give up selling phishing tests. I just want them to stop getting the practice banned by screwing up the delivery.

“I live my life one EIP register at a time…”

The article’s bulleted suggestions of what organizations should be doing instead of phishing awareness training just go to show how disconnected the offensive mind can be. **Breaking News:** Those suggestions? They are already doing them! If you define success or defeat in digital defense by code execution on a single internal host, then reducing your employees’ phishing susceptibility from 68% to 5% probably does seem like a #fail. Let’s gloss over an organization’s natural headcount churn. For the sake of discussion, let’s assume a significant reduction in phishing susceptibility isn’t reason enough to do the PhishMe method. Most can appreciate the following byproducts of a PhishMe program:

• Dramatic increase in incident reporting — Employees learn how to report suspicious emails and whom to report them to. Getting incident reports to the right people instead of the spam bucket does wonders.

• Employees learn the difference between phishing-fraud at home vs. targeted phishing at work.

• Inconsistent email messaging goes away — You cannot have terrible, unverifiable, non-standard corporate email communications alongside a PhishMe program. The presence of PhishMe will force an already needed email communication change.

• Situational Awareness — The time from initial phish to the first report will dramatically decrease. This is a huge advantage to the network defender.

• Email defenses get reexamined: Initiatives like S/MIME and rejecting inbound email spoofing the organization’s domains get prioritized.
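The last bullet names one control worth making concrete: an inbound gateway should not accept mail that claims one of the organization’s own domains in its From header unless it arrived from a relay the organization actually operates. The following is an added illustration of that policy, not PhishMe’s code or anything from the original post; the domains, relay networks and sample messages are constructed for the example.

```python
# Added example (not from the original post): minimal inbound-gateway policy that
# rejects mail claiming an organization domain in From when the connecting relay
# is not trusted. All domains, networks and messages below are constructed.
import ipaddress
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.org", "corp.example.org"}          # assumed org domains
TRUSTED_RELAYS = {ipaddress.ip_network("203.0.113.0/24")}  # assumed outbound relays
INTERNAL_NETS = {ipaddress.ip_network("10.0.0.0/8")}       # assumed internal space


def sender_domain(raw_message: str) -> str:
    """Lower-cased domain of the From header; empty string if absent/unparsable."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    _, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def relay_is_trusted(client_ip: str) -> bool:
    """True when the connecting host is an internal host or an authorized relay."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_RELAYS | INTERNAL_NETS)


def inbound_verdict(client_ip: str, raw_message: str) -> str:
    """Reject mail that spoofs an org domain from an untrusted relay; accept otherwise."""
    domain = sender_domain(raw_message)
    if domain in ORG_DOMAINS and not relay_is_trusted(client_ip):
        return "REJECT: org domain in From but relay is not trusted"
    return "ACCEPT"


# Constructed sample messages.
CLAIMS_ORG_DOMAIN = (
    "From: IT Helpdesk <helpdesk@example.org>\n"
    "Subject: Reminder\n\nPlease see the attached notice.\n"
)
EXTERNAL_PARTNER = (
    "From: Vendor <billing@partner.example.net>\n"
    "Subject: Invoice\n\nInvoice attached.\n"
)

if __name__ == "__main__":
    print(inbound_verdict("198.51.100.7", CLAIMS_ORG_DOMAIN))  # untrusted relay -> REJECT
    print(inbound_verdict("203.0.113.5", CLAIMS_ORG_DOMAIN))   # authorized relay -> ACCEPT
    print(inbound_verdict("198.51.100.7", EXTERNAL_PARTNER))   # external domain -> ACCEPT
```

In a real deployment this check sits behind SPF/DKIM/DMARC evaluation rather than replacing it; the point here is only that the gateway has a definite answer for mail that pretends to be internal.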

You would think with all these measurable benefits that it wouldn’t be too hard to convince someone to put down their hammers and refocus on improving the security posture of an organization. But I still encounter the resident assessment guy within an organization who is irritated by the fact that PhishMe isn’t an attack tool. I would say to their CSOs: Don’t buy PhishMe and force your pentest team to create awareness. More often than not they can’t get out from under their own attack-and-report mindset. Instead they are bitterly jealous they are stuck working on improving security, while their peers get to have fun punching faces. For now email remains broken. Putting all your eggs in the technology basket hasn’t been working. We don’t have a single customer who purchased PhishMe to fill a compliance need. PhishMe walks a different path. We change behavior.

Regards,

Aaron Higbee


p.s. “Is Pentesting Worth it?” A round table at PaulDotCom’s 300th episode begins at 5:15pm today. Care to wager on some panelist insisting that a pentest without a phishing component is the ‘wrong way’?
