You want to phish your company or your client. You’ve never done this for work before, you’ve got a week to do it, and you figure that’s plenty of time. Then someone objects to the pretext at the last minute. Or spam filters block everything. Or you decide to send slowly, to avoid detection, but the third recipient alerts the entire company. Or you can only find 5 target addresses. We’ve all been there on our first professional phishing exercise. What should be as easy as building a two-page web site and writing a clever e-mail turns into a massively frustrating exercise with a centi-scaled corpus of captured credentials. In this talk, we’ll tell you how to win at phishing, from start to finish, particularly in hacking Layer 8, the “Politics” layer of the OSI stack that’s part of any professional phishing engagement. We’ll share stories of many of our experiences, which recently included an investigation opened with the US Securities and Exchange Commission (SEC). Finally, we’ll tell you how we stopped feeling frustrated, learned to handle the politics, and produced successful phishing campaigns that hardened organizations at the human layer, and started to screw things up for the bad actors.
Jay Beale has created several security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker, program chair and trainer at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the ‘Stealing the Network’ series. Jay is a founder and the CTO of the information security consulting company InGuardians, where way too many clients’ staff have enthusiastically given him their passwords.
Larry Pesce, the Director of Research at InGuardians, has a long history with hacking that began with the family TV when he was a kid, rebuilding it after it caught on fire. Both times. Later, as a web developer for a university in the early days of the Internet, he managed some of the first layer 3-switched networks in the world. Larry holds a handful of SANS certs, wrote a book or two and co-founded the multiple international award-winning security podcast, “Paul’s Security Weekly”. Outside of these activities, his work-related passions have also included leveraging OSINT for attack surface development.