2. Training of users in the basics of information security. Phishman


We continue to introduce you to the world of those who fight phishing, study the basics of social engineering and do not forget to train their staff. Today our guest is the Phishman product. Phishman is one of TS Solution's partners and provides an automated system for testing and training employees. Briefly, its concept:

  • Identification of training needs of specific employees.

  • Practical and theoretical courses for employees through the learning portal.

  • Flexible automation of the system's operation.

Product Introduction


Phishman has been developing software since 2016 for testing and training the employees of large companies in cybersecurity. Its customers include representatives of various industries: finance, insurance, retail, raw materials and industrial giants, from M.Video to Rosatom.

Suggested Solutions

Phishman works with companies of all sizes (from small businesses to large corporations); a company needs as few as 10 employees to start. Let's look at the pricing and licensing policy:

  1. For small businesses:

    A) Phishman Lite: a version of the product for 10 to 249 employees, with a license starting at 875 rubles. It contains the main modules: information collection (test phishing mailings), training (3 basic information security courses) and automation (setting up a general testing mode).

    B) Phishman Standard: a version of the product for 10 to 999 employees, with a license starting at 1120 rubles. Unlike Lite, it can synchronize with your corporate AD server, and the training module contains 5 courses.

  2. For big business:

    A) Phishman Enterprise: in this solution the number of employees is unlimited. It provides a comprehensive process for raising staff awareness of information security in companies of any size, with the ability to adapt courses to the needs of the customer and the business. Synchronization with AD, SIEM and DLP systems is available to collect information about employees and identify users who need training. Integration with an existing learning management system (LMS) is supported; the subscription itself includes 7 basic information security courses, 4 advanced ones and 3 game-based ones. It also supports an interesting option: a training attack using USB drives (flash drives).

    B) Phishman Enterprise+: the enhanced version includes all Enterprise options and adds the ability to develop your own connectors and reports (with the help of Phishman engineers).

    Thus, the product can be flexibly configured for the tasks of a particular business and integrated into existing information security training systems.

Introduction to the system

To write this article, we deployed a test bench with the following characteristics:

  1. Ubuntu Server 16.04 or later.

  2. 4 GB RAM, 50 GB hard disk space, 1 GHz or faster processor.

  3. Windows Server with the DNS, AD and mail roles.

In general, the set is standard and does not require many resources, especially since you usually already have an AD server. During deployment a Docker container is installed, which automatically configures access to the management and training portals.

Below is a typical network diagram with Phishman:

Figure: Typical network diagram

Next, we will get acquainted with the system interface, administration options and, of course, functions.

Login to the management portal

The Phishman administration portal is used to manage the list of the company's departments and employees. From it, attacks (training phishing mailings) are launched, and the results are compiled into reports. It is reached by the IP address or domain name that you specify when deploying the system.

Figure: Authorization on the Phishman portal

Convenient widgets with statistics on your employees are available on the main page:

Figure: Phishman main page

Adding Employees for Interactions

From the main menu, you can go to the "Employees" section, which lists all company personnel broken down by department (entered manually or imported from AD). It contains tools for managing their data and lets you build a structure that matches the company's staffing table.

Figure: User control panel

Figure: Employee creation card

Optional: AD integration is available, which conveniently automates enrolling new employees in training and keeps overall statistics.

Launch of employee training

Once information about the company's employees has been added, they can be sent to training courses. When this might be useful:

  • new employee;

  • planned training;

  • urgent course (an incident or news item that employees must be warned about).

Enrollment is available both for an individual employee and for an entire department.

Figure: Formation of the training course

Options:

  • form a study group (combine users);

  • choice of training course (number depending on the license);

  • access (permanent or temporary with dates).

Important!

The first time an employee is enrolled in a course, they receive an email with login details for the learning portal. The invitation is a template and can be changed at the customer's discretion.

Figure: Sample letter for invitation to study

When the employee clicks the link, they are taken to the learning portal, where their progress is automatically recorded and shown in the Phishman administrator's statistics.

Figure: Example of a course launched by a user

Working with attack patterns

The templates allow you to send targeted training phishing emails with a focus on social engineering.

Figure: Section "Templates"

Templates are grouped into categories, for example:

Figure: Search tab for built-in templates from various categories

Each ready-made template has a description, including its effectiveness.

Figure: An example of a "Twitter Newsletter" template

It is also worth noting the convenient option of creating your own templates: just paste the text of a letter and it is automatically converted into HTML.


Note:

In the first article of this series we had to select and prepare a phishing template manually. Phishman's Enterprise solution comes with a large number of built-in templates and convenient tools for creating your own. In addition, the vendor actively supports customers and can help add unique templates, which we believe is many times more efficient.

General setup and help

In the "Settings" section, Phishman's system parameters can be changed depending on the access level of the current user (due to the limitations of our test bench, not all of them were available to us).

Figure: Interface of the "Settings" section

Let's briefly list the options for customization:

  • network parameters (mail server address, port, encryption, authentication);

  • choice of training system (integration with other LMS is supported);

  • editing sending and training templates;

  • black list of mail addresses (an important opportunity to exclude participation in phishing mailings, for example, for company executives);

  • user management (creation, editing of access accounts);

  • update (status view and scheduling).

Administrators will find the "Help" section useful: it gives access to the user manual with a detailed walkthrough of Phishman, the support service address and information about the state of the system.

Figure: Help section interface

Figure: Information about the state of the system

Attack and training

Having reviewed the basic options and system settings, let's conduct a training attack. For this we open the "Attacks" section.

Figure: Control panel interface "Attacks"

In it, we can see the results of already launched attacks, create new ones, and so on. Let's describe the steps to launch a campaign.

Attack launch

1) Let's name the new attack "data leakage".


Define the following settings:


Where:

Sender → the mailing domain (by default, one provided by the vendor).

Phishing forms → used in templates to try to obtain data from users; only the fact of entry is recorded, the data itself is not saved.

Forwarding → the page the user is redirected to after clicking the link.

2) At the distribution stage, the sending mode of the attack is specified:


Where:

Attack type → defines how and over what period the mailing is carried out (options include a non-uniform sending mode, etc.).

Sending start time → specify the start time for sending messages.

3) At the "Targets" stage, employees are selected by department or individually:


4) After that, we pick the phishing email templates for the attack, which we reviewed above:


So, to launch the attack, we needed:

a) create the attack and define its basic settings;

b) specify the distribution mode;

c) choose targets;

d) determine the phishing email template.

Checking the results of an attack

Initially we have:


On the user's side, a new mail message appears:


When it is opened:


Clicking the link brings up a prompt to enter the user's mail credentials:


In parallel, we look at the attack statistics:


Important!

Phishman's policy is to strictly follow regulatory and ethical standards: the data entered by the user is not stored anywhere, only the fact of the leak is recorded.
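How the "record the fact, not the data" behaviour of a phishing form can be implemented, as an added Python example written for this article. It is not Phishman's code; this page does not describe the product's internals. It assumes that each recipient's link carries a per-recipient token in the query string (`?t=...`) and that the redirect target comes from the attack's settings; both are assumptions, as are the sample credentials posted in the demo, which are constructed.

```python
"""Training-phishing landing handler that records only the fact of a form
submission, never the submitted values.

Added example for this article, not Phishman's code. Assumed (not from the
article): the per-recipient token `?t=...` ties an event to an employee, and
the redirect target is fixed in the attack's configuration.
"""
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults


@dataclass(frozen=True)
class SubmissionEvent:
    token: str          # resolved to an employee on the admin side, not here
    field_names: tuple  # which fields were filled in; values are never kept
    when: str           # ISO-8601 UTC timestamp


class EventStore:
    """In-memory stand-in for the statistics backend."""

    def __init__(self):
        self.events = []

    def record(self, event):
        self.events.append(event)


def make_landing_app(store, known_tokens, redirect_url):
    """WSGI app: a POST carrying a known token is logged as an event, the body is
    discarded, and every request ends in a redirect to `redirect_url`."""

    def app(environ, start_response):
        token = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
        if environ["REQUEST_METHOD"] == "POST" and token in known_tokens:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
            # Keep the field names only; login/password values are dropped here.
            store.record(SubmissionEvent(
                token=token,
                field_names=tuple(sorted(form)),
                when=datetime.now(timezone.utc).isoformat(),
            ))
        # Unknown tokens and plain GETs get the same redirect, so the landing
        # page reveals nothing about which tokens are valid.
        start_response("302 Found", [("Location", redirect_url), ("Content-Length", "0")])
        return [b""]

    return app


def simulate_post(app, query, body):
    """Drive the WSGI app in-process with a constructed request.
    Returns (status, headers) as the browser would see them."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({
        "REQUEST_METHOD": "POST",
        "QUERY_STRING": query,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    })
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    store = EventStore()
    app = make_landing_app(store, {"a1b2"}, "https://training.example/awareness")
    # Constructed sample submission; the values must not survive in the store.
    status, headers = simulate_post(app, "t=a1b2", b"login=ivanov&password=hunter2")
    print(status, headers["Location"])
    print(store.events)
```

The form values are parsed only to learn which fields were filled in and then go out of scope; the event store never sees them, which is the property the "Important!" note above promises. The redirect target comes from the attack configuration, never from the request, so the landing page cannot be turned into an open redirect, and an unknown token produces the same response as a valid one.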

Reports

Everything done above should be backed by statistics and summary information about the employees' level of preparedness. There is a separate "Reports" section for this.


It includes:

  • A training report that reflects information about the results of completing the course within the reporting period.

  • Attack report showing the result of phishing attacks (number of incidents, timing, etc.).

  • A learning progress report that displays the performance of your employees.

  • Report on the dynamics of phishing vulnerabilities (summary information on incidents).

  • Analytical report (reaction of employees to events before/after).

Working with a report

1) Click "Create a report".


2) Specify the departments/employees for the report.


3) Choose a period.


4) Specify the courses of interest.


5) Generate the final report.


Thus, reports present statistics in a convenient form and let you monitor both the results of the learning portal and the behavior of employees.

Learning Automation

Separately, it is worth mentioning the ability to create automatic rules that help administrators customize Phishman's logic.

Writing an automation rule

To configure, go to the “Rules” section. We are offered:

1) Specify a name and set the time for checking the condition.


2) Create an event from one of the sources (Phishing, Training, Users); if there are several, they can be combined with a logical operator (AND / OR).


In our example, we created the following rule: "If a user clicks a malicious link from one of our phishing attacks, he is automatically enrolled in a training course; accordingly, he receives an invitation by email and his progress is tracked."

Optional:

Rules can also be created from other sources (DLP, SIEM, antivirus, HR systems, etc.).

Scenario: "If a user sends out sensitive information, the DLP system captures the event and passes it to Phishman, where a rule fires: assign the employee a course on handling confidential information."

Thus, the administrator can reduce some of the routine processes (sending employees for training, conducting planned attacks, etc.).

Instead of a conclusion

Today we got acquainted with a Russian solution for automating the testing and training of employees. It helps prepare the company for compliance with Russian Federal Law 187-FZ, PCI DSS and ISO 27001. The benefits of training through Phishman include:

  • Customization of courses - the ability to change the content of courses;

  • Branding - creating a digital platform according to your corporate standards;

  • On-premises operation - installation on your own server;

  • Automation - creating rules (scripts) for employees;

  • Reporting - statistics on events of interest;

  • Licensing flexibility - support from 10 users. 

If you are interested in this solution, you can always contact us: we will help organize a pilot and consult you together with Phishman representatives. That's all for today; learn yourself and train your employees, see you soon!

Source: habr.com
