Winter Garden - 5th Floor BRIEFING
May 08, 2018 01:15 PM - 01:45 PM(America/New_York)
Spear Phishing: A behind the scenes look

Winter Garden - 5th Floor HACK NYC 2018 events@magegroupe.com

Phishing is the most prevalent variety of social attacks according to the 2017 Verizon DBIR. This session is focused on teaching attendees how to create a successful enterprise phishing program as it relates to security awareness training. I'll talk about planning and setup, implementation with technical details and results with process improvement. The planning portion will discuss getting approvals from management and buy-in on the program, template creation, target (recipient/employee) considerations, campaign type (link or attachment), ticketing process and escalation procedure. The implementation phase will discuss domain registration, web development tips for spear phishing campaigns, SSL certificate options, dealing with SPF records, troubleshooting SPAM undeliverable emails and other SMTP problems, VPS hosting and automation with Python. The final portion of the talk will discuss tracking, alerting and reporting of user interactions, handling recipient complaints, adding value to the organization/ROI with cost breakdown and final thoughts on the program. At every stage in the discussion I'll discuss ways to identify malicious activity, empower users to take action and help protect the organization with the added bonus of a live demo. Behind the scenes topics of discussion include:

•    Technical approach to link and attachment based campaigns

•    Web Development and Certificate integration for spear phishing campaigns

•    Dealing with SPF records and troubleshooting SMTP issues

•    Automation of sending, tracking, alerting and reporting

•    Handling complaints and users

•    Identifying goals, getting buy-in and handling backdoors/shells

•    Adding value and ROI

•    Tips and tricks for easier campaign creation and successful rollout

Planning, implementation and execution will be focal points, however detecting and thwarting are also key areas that will be addressed...

After completing this session audience attendees will... 

* Be able to implement an in-house enterprise phishing program to enhance security awareness training

* Avoid common pitfalls and troubleshoot technical issues

* Understand the costs and time commitments of a phishing program

* Be able to detect phishing campaigns with ease

* Learn how to better protect their organization

 

Why attend this talk?

Because in October North Korean hackers targeted multiple U.S. electric power companies with spearphishing emails: http://www.newsweek.com/north-korea-targets-us-companies-using-spearphishing-emails-682025

Because phishing attacks are constantly evolving and becoming more sophisticated: https://krebsonsecurity.com/2017/12/phishers-are-upping-their-game-so-should-you/

Because as security professionals we care... join this talk and have fun learning all about what goes into making an effective phishing campaign and how to help protect your organization and users from being compromised.

 

Principal Consultant, SpyderSec

Mr. Arnold Felberbaum, Advisory Board, NYU

The Critical Infrastructure Association of America, Inc. is a 501(c)6 Not for Profit. The mission of Critical Infrastructure Association of America is to create a membership-based, trade association of like-minded cybersecurity and closely related industry professionals that work in the field of cybersecurity. The goal is to share best practices, establish and maintain high operational standards and to educate and interact with those in the cybersecurity community within public, private and governmental sectors.