by bluedino 1245 days ago
This describes the security industry as a whole.

We had a user click an email and get phished.

We tried training the users with tools like KnowBe4, banners above the emails that say things like THIS IS AN OUTSIDE EMAIL BE VERY CAREFUL WHEN CLICKING LINKS. Didn't help.

The email was a very generic looking "Kindly view the attached invoice"

The attached invoice was a PDF file

The link went to some suspicious looking domain

The page the link brought up was a shoddy impersonation of a OneDrive login

In just minutes, the user's machine was infected, it emailed itself to all of their Outlook contacts...

So this means nothing in this list detected a goddamn thing:

    Next-generation firewall
    AI-powered security
    'MACHINE LEARNING'
    'Prevent lateral spread'
    enterprise defense suite with threat protection and threat detection capabilities designed to identify and stop attacks
    AV software that was advertised to 'Flag malicious phishing emails and scam websites'
    'Defend against ransomware and other online dangers'
    'Block dangerous websites that can steal personal data'
    the cloud-based filtering service that protects your organization against spam, malware, and other email threats
And the company that we pay a huge sum of money to 'delivers threat detection, incident response, and compliance management in one unified platform' didn't make a peep.

But, we are up to the standards of quite a few acronyms.

It's all a useless shitshow. And plenty of productivity-hurting false flags happen all the time.


Have you tried threats and public humiliation?

"ATTN ALL employees: Dave Smith ignored security training and was phished into installing malware. He is now fired because he was an idiot."

I think there are a number of departments that will help you join Dave in his new-found freedom from employment if you send that.

Hmmm. Not if the firing notice was triggered by Dave from a suspicious executable in his email.

Although the idea of tightening up security practices by having some sociopathic employee tricking colleagues into publicly firing themselves by malware does make me feel a little ill.

> Have you tried threats and public humiliation?

Looks like we've found a seventh.

I think this still falls under the user education section. Just as a rather frowned upon form of education.

Several years ago, I worked on an incident response for an incident that was detected and stopped.

Tl;dr, a targeted phishing email was the catalyst for the whole thing. The various systems that detect these things effectively blocked it ~97/100 times. One click was all it took. The user who clicked had a bad feeling and used a blame-free and convenient reporting mechanism to report it.

That doesn’t mean that tools and training are useless. As a defender in any context, defense has to be multilayered and flexible as circumstances change. In IT, sports or warfare, it’s the same process or funnel.

The scenario you described likely would have been detected by an EDR tool, or by log analysis if there was a process to do that. Declaring “shitshow” is accepting a bad outcome. Unfortunately as the value of compromising a company has gone up, the opponents have leveled up, and defenders need to as well.
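
One concrete form of the log analysis mentioned above, as an added example that is not from any commenter in this thread: a small Python check over constructed mail-gateway log lines (the line format is made up for the example) that flags a single mailbox fanning the same attachment out to many distinct recipients within minutes, which is the self-propagation step in the story above.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample (not any product's real format): dave's mailbox blasts the
# same attachment to six contacts within four minutes, amid normal traffic.
SAMPLE_LOG = """\
2023-03-01T09:02:11 from=alice@corp.example to=bob@corp.example subject="lunch?" attach=-
2023-03-01T09:14:03 from=dave@corp.example to=c1@partner.example subject="Invoice" attach=invoice.pdf
2023-03-01T09:14:05 from=dave@corp.example to=c2@partner.example subject="Invoice" attach=invoice.pdf
2023-03-01T09:14:06 from=dave@corp.example to=c3@corp.example subject="Invoice" attach=invoice.pdf
2023-03-01T09:15:31 from=bob@corp.example to=alice@corp.example subject="re: lunch?" attach=-
2023-03-01T09:16:40 from=dave@corp.example to=c4@corp.example subject="Invoice" attach=invoice.pdf
2023-03-01T09:17:02 from=dave@corp.example to=c5@partner.example subject="Invoice" attach=invoice.pdf
2023-03-01T09:17:50 from=dave@corp.example to=c6@corp.example subject="Invoice" attach=invoice.pdf
2023-03-01T11:40:00 from=alice@corp.example to=c1@partner.example subject="report" attach=q1.xlsx
"""

LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) subject="[^"]*" attach=(\S+)$')

def parse(log_text):
    """Yield (timestamp, sender, recipient, attachment) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_mass_mailers(log_text, window_minutes=10, min_recipients=5):
    """Return {sender: (distinct_recipients, most_common_attachment)} for senders
    that reach >= min_recipients distinct recipients inside one sliding window
    of window_minutes: worm-like fan-out rather than ordinary mail volume."""
    window = timedelta(minutes=window_minutes)
    by_sender = defaultdict(list)
    for ts, sender, rcpt, attach in parse(log_text):
        by_sender[sender].append((ts, rcpt, attach))
    hits = {}
    for sender, events in by_sender.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            rcpts = {e[1] for e in in_win}
            if len(rcpts) >= min_recipients and len(rcpts) > hits.get(sender, (0,))[0]:
                attach = Counter(e[2] for e in in_win).most_common(1)[0][0]
                hits[sender] = (len(rcpts), attach)
    return hits

if __name__ == "__main__":
    for sender, (n, attach) in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT {sender}: {n} distinct recipients in 10 min, attachment {attach}")
```

The thresholds are deliberately parameters: a legitimate newsletter sender needs a higher one, and a burst of identical attachments from a personal mailbox is the signal worth alerting on, not raw volume.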

"The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; (...) If he sends reinforcements everywhere, he will everywhere be weak."

Sun Tzu, Art of War. I know, cheesy to compare network security with warfare. But, I've learned that a big shiny stack of tools is a red flag. If there is no threat model and focused hardening, you're not doing security, you're doing compliance.