WEBVTT

00:00:00.000 --> 00:00:06.710 align:middle line:90%


00:00:06.710 --> 00:00:09.910 align:middle line:84%
Now, there are two ways
to essentially run this.

00:00:09.910 --> 00:00:14.270 align:middle line:84%
You could either run it in-house
or you could outsource it.

00:00:14.270 --> 00:00:20.540 align:middle line:84%
Now, if you do it in-house, what
type of resources do you have?

00:00:20.540 --> 00:00:22.250 align:middle line:90%
Do you need to buy the software?

00:00:22.250 --> 00:00:24.360 align:middle line:84%
Do you have the
infrastructure for it?

00:00:24.360 --> 00:00:28.790 align:middle line:84%
Do you have the staff that's
ready and trained to do this?

00:00:28.790 --> 00:00:30.750 align:middle line:84%
Would you create
your own training?

00:00:30.750 --> 00:00:32.570 align:middle line:84%
Are you going to
outsource the training?

00:00:32.570 --> 00:00:36.290 align:middle line:84%
Are you able to dedicate
the time to do this?

00:00:36.290 --> 00:00:40.400 align:middle line:90%
Or are you going to outsource?

00:00:40.400 --> 00:00:42.420 align:middle line:84%
Do you not have the
resources to do this?

00:00:42.420 --> 00:00:45.260 align:middle line:84%
So are you going to have
an outside company do this,

00:00:45.260 --> 00:00:46.250 align:middle line:90%
outside vendor?

00:00:46.250 --> 00:00:49.460 align:middle line:84%
What type of references
does the company have?

00:00:49.460 --> 00:00:51.860 align:middle line:84%
Does their vision align
with your particular vision

00:00:51.860 --> 00:00:53.840 align:middle line:90%
of how you want this to go?

00:00:53.840 --> 00:00:55.280 align:middle line:90%
What are their deliverables?

00:00:55.280 --> 00:01:00.845 align:middle line:84%
And do they offer any
sort of staff trainings?

00:01:00.845 --> 00:01:06.450 align:middle line:84%
And how do they actually give
the training out to your staff?

00:01:06.450 --> 00:01:08.900 align:middle line:84%
Well, if you do your
own phishing campaign,

00:01:08.900 --> 00:01:10.640 align:middle line:84%
there's a lot of
options out there.

00:01:10.640 --> 00:01:12.860 align:middle line:84%
There's a lot of
open-source ones.

00:01:12.860 --> 00:01:16.700 align:middle line:84%
And there's some paid sets
that you can actually use.

00:01:16.700 --> 00:01:19.910 align:middle line:84%
Social-Engineer Toolkit is
a pretty easy one to use.

00:01:19.910 --> 00:01:21.240 align:middle line:90%
It's preloaded in Kali Linux.

00:01:21.240 --> 00:01:23.240 align:middle line:84%
Or you could actually
download it and install it

00:01:23.240 --> 00:01:26.190 align:middle line:84%
on a lot of different
operating systems.

00:01:26.190 --> 00:01:30.140 align:middle line:84%
There's Lucy, which is
another open-source solution.

00:01:30.140 --> 00:01:32.120 align:middle line:84%
And Gophish is
another popular one,

00:01:32.120 --> 00:01:36.070 align:middle line:84%
another open-source
phishing tool kit.

00:01:36.070 --> 00:01:42.160 align:middle line:84%
Now, the nice thing about these
open-source ones like Gophish,

00:01:42.160 --> 00:01:44.080 align:middle line:90%
it's, again, open source.

00:01:44.080 --> 00:01:45.820 align:middle line:90%
So it's free for the most part.

00:01:45.820 --> 00:01:49.390 align:middle line:84%
You could actually pay money to
actually get better templates,

00:01:49.390 --> 00:01:50.200 align:middle line:90%
better insight.

00:01:50.200 --> 00:01:52.930 align:middle line:84%
But essentially, they're
pretty easy to run.

00:01:52.930 --> 00:01:56.260 align:middle line:84%
So they give you
templates and targets.

00:01:56.260 --> 00:01:58.000 align:middle line:90%
You could import it.

00:01:58.000 --> 00:02:00.640 align:middle line:84%
You could add a
nice web UI for you

00:02:00.640 --> 00:02:03.610 align:middle line:84%
to get into a full HTML
editor so you can easily

00:02:03.610 --> 00:02:06.790 align:middle line:84%
kind of modify these templates
that you're building customised

00:02:06.790 --> 00:02:10.449 align:middle line:90%
for your particular campaign.

00:02:10.449 --> 00:02:12.700 align:middle line:84%
And when you launch
the campaign,

00:02:12.700 --> 00:02:14.230 align:middle line:84%
emails are sent
in the background.

00:02:14.230 --> 00:02:15.760 align:middle line:84%
You could also
schedule a campaign

00:02:15.760 --> 00:02:17.330 align:middle line:90%
to launch whenever you want.

00:02:17.330 --> 00:02:22.090 align:middle line:84%
So this is handy for the start
and stop time that you have.

00:02:22.090 --> 00:02:24.430 align:middle line:84%
And especially, if it's going
to be a repeated campaign,

00:02:24.430 --> 00:02:26.650 align:middle line:84%
you could just schedule
it out and just

00:02:26.650 --> 00:02:28.870 align:middle line:90%
let Gophish do its thing.

00:02:28.870 --> 00:02:31.720 align:middle line:84%
And this particular program
will track the results.

00:02:31.720 --> 00:02:34.810 align:middle line:84%
Detailed results are
delivered in near real time

00:02:34.810 --> 00:02:37.630 align:middle line:90%
and can be exported in reports.

00:02:37.630 --> 00:02:40.810 align:middle line:84%
The export is going to be
important because whoever

00:02:40.810 --> 00:02:44.980 align:middle line:84%
you are doing this phishing
attack for - it's your IT

00:02:44.980 --> 00:02:49.060 align:middle line:84%
manager, CTO, whatnot
- they're going

00:02:49.060 --> 00:02:53.470 align:middle line:84%
to want to see what the
actual deliverables are.

00:02:53.470 --> 00:02:54.850 align:middle line:90%
What are the statistics?

00:02:54.850 --> 00:02:56.080 align:middle line:90%
Who clicked on it?

00:02:56.080 --> 00:02:57.550 align:middle line:90%
Who submitted information?

00:02:57.550 --> 00:03:00.310 align:middle line:90%
Who didn't open it?

00:03:00.310 --> 00:03:00.980 align:middle line:90%
Et cetera.

00:03:00.980 --> 00:03:04.300 align:middle line:84%
So again, going to
be very important.

00:03:04.300 --> 00:03:08.020 align:middle line:84%
And this particular program, you
can install for Windows, Linux,

00:03:08.020 --> 00:03:10.880 align:middle line:90%
or OS X.

00:03:10.880 --> 00:03:12.380 align:middle line:84%
Now, if you
outsource it, there's

00:03:12.380 --> 00:03:14.360 align:middle line:90%
a lot of different options also.

00:03:14.360 --> 00:03:16.700 align:middle line:84%
And again, I do recommend
that you do your research

00:03:16.700 --> 00:03:19.910 align:middle line:84%
and make sure that these
particular companies are going

00:03:19.910 --> 00:03:25.337 align:middle line:84%
to be able to work out for
you, that they are going

00:03:25.337 --> 00:03:27.170 align:middle line:84%
to fit within your price
range, that they're

00:03:27.170 --> 00:03:29.510 align:middle line:84%
able to deliver what you
want them to deliver,

00:03:29.510 --> 00:03:32.720 align:middle line:84%
and that they are
reputable companies.

00:03:32.720 --> 00:03:37.190 align:middle line:84%
So the real big one out
there is Social-Engineer.

00:03:37.190 --> 00:03:40.250 align:middle line:84%
The person who runs
this is Chris Hadnagy.

00:03:40.250 --> 00:03:44.240 align:middle line:84%
And this particular one
is pretty interesting.

00:03:44.240 --> 00:03:45.800 align:middle line:90%
They give talks at Black Hat.

00:03:45.800 --> 00:03:49.250 align:middle line:84%
They have books on
social engineering.

00:03:49.250 --> 00:03:52.310 align:middle line:84%
And they have a
website that gives

00:03:52.310 --> 00:03:55.370 align:middle line:84%
a lot of information on
phishing and social engineering.

00:03:55.370 --> 00:03:57.410 align:middle line:90%
There's also KnowBe4.

00:03:57.410 --> 00:03:59.240 align:middle line:90%
KnowBe4 is another company.

00:03:59.240 --> 00:04:01.370 align:middle line:84%
And they also offer
some free tools.

00:04:01.370 --> 00:04:05.470 align:middle line:84%
And they'll run phishing
campaigns for you also.

00:04:05.470 --> 00:04:11.440 align:middle line:84%
Or there's PhishingBox, which
you could get a demo with.

00:04:11.440 --> 00:04:15.430 align:middle line:84%
And they're also a pretty
interesting company that

00:04:15.430 --> 00:04:16.570 align:middle line:90%
can run phishing campaigns.

00:04:16.570 --> 00:04:18.737 align:middle line:84%
But again, there's a lot
of different ones out here.

00:04:18.737 --> 00:04:21.790 align:middle line:84%
These are some examples of
outsourcing your phishing

00:04:21.790 --> 00:04:24.630 align:middle line:90%
campaigns, however.

00:04:24.630 --> 00:04:27.090 align:middle line:84%
So in wrapping up,
phishing campaigns

00:04:27.090 --> 00:04:29.610 align:middle line:84%
can give you
important awareness.

00:04:29.610 --> 00:04:34.770 align:middle line:84%
And also, they can provide
an important training tool.

00:04:34.770 --> 00:04:37.020 align:middle line:84%
You want to consider - are
you going to do this in-house,

00:04:37.020 --> 00:04:38.395 align:middle line:84%
or are you going
to outsource it?

00:04:38.395 --> 00:04:41.250 align:middle line:84%
Well, depending on your
resources, skill sets,

00:04:41.250 --> 00:04:43.980 align:middle line:84%
requirements, you can
run a campaign in-house

00:04:43.980 --> 00:04:46.670 align:middle line:90%
or you might need to outsource.

00:04:46.670 --> 00:04:48.560 align:middle line:90%
Paid versus open source.

00:04:48.560 --> 00:04:50.900 align:middle line:84%
So there's an abundance
of tools out there -

00:04:50.900 --> 00:04:54.050 align:middle line:84%
open-source and paid tools
- for phishing campaigns.

00:04:54.050 --> 00:04:56.870 align:middle line:84%
Be sure to pick carefully
because you're really going

00:04:56.870 --> 00:05:00.050 align:middle line:84%
to need to figure out what
tool's going to fit your unique

00:05:00.050 --> 00:05:02.907 align:middle line:84%
needs, because everyone's needs
for a phishing campaign are

00:05:02.907 --> 00:05:05.240 align:middle line:84%
probably going to be a little
bit different than someone

00:05:05.240 --> 00:05:07.620 align:middle line:90%
else's.

00:05:07.620 --> 00:05:09.210 align:middle line:84%
Before you start,
always make sure

00:05:09.210 --> 00:05:11.670 align:middle line:84%
that you have written
permission from management

00:05:11.670 --> 00:05:13.590 align:middle line:84%
and the scope of
work and deliverables

00:05:13.590 --> 00:05:16.120 align:middle line:90%
before you even start.

00:05:16.120 --> 00:05:18.940 align:middle line:84%
Documentation -
documentation is important.

00:05:18.940 --> 00:05:22.850 align:middle line:84%
So you'll want documentation
of expectations, deliverables,

00:05:22.850 --> 00:05:28.370 align:middle line:84%
scope of work, the
results, et cetera.

00:05:28.370 --> 00:05:30.470 align:middle line:84%
Training - what type
of training are you

00:05:30.470 --> 00:05:32.000 align:middle line:90%
going to have for your staff?

00:05:32.000 --> 00:05:35.180 align:middle line:84%
And how is it going
to be made available?

00:05:35.180 --> 00:05:38.990 align:middle line:84%
Will the training be provided
after someone clicks the email

00:05:38.990 --> 00:05:40.020 align:middle line:90%
and opens it?

00:05:40.020 --> 00:05:43.610 align:middle line:84%
There's certain phishing
emails that as soon

00:05:43.610 --> 00:05:45.170 align:middle line:84%
as someone clicks
on the link it'll

00:05:45.170 --> 00:05:47.570 align:middle line:84%
actually pop and go, "Hey,
this was a phishing email.

00:05:47.570 --> 00:05:49.880 align:middle line:84%
Hey, here's a training
link for you."

00:05:49.880 --> 00:05:52.113 align:middle line:84%
Or you're going to offer
training afterwards.

00:05:52.113 --> 00:05:54.530 align:middle line:84%
These are all different options
that you need to consider.

00:05:54.530 --> 00:05:57.150 align:middle line:90%


00:05:57.150 --> 00:05:58.520 align:middle line:90%
So this was all about phishing.

00:05:58.520 --> 00:06:00.103 align:middle line:84%
In the next email,
we're going to talk

00:06:00.103 --> 00:06:01.352 align:middle line:90%
about what a red team is.

00:06:01.352 --> 00:06:02.310 align:middle line:90%
Thank you for watching.

00:06:02.310 --> 00:06:04.360 align:middle line:90%
I'll see you next video.

00:06:04.360 --> 00:06:06.000 align:middle line:90%