[HN Gopher] Launch HN: Riot (YC W20) - Phishing training for your team
___________________________________________________________________
Launch HN: Riot (YC W20) - Phishing training for your team

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

Author : BenjaminN
Score : 73 points
Date : 2020-03-24 17:25 UTC (5 hours ago)

equidistant wrote:
| That's an unfortunate business name
|
| BenjaminN wrote:
| | Definitely bad timing. My experience with names: they are never good enough.
| |
| | What I look for in a name:
| |
| | 1. If I say it out loud, you know how to write it.
| |
| | 2. If I say it out loud today, you remember it tomorrow.
| |
| | On those 2 criteria, Riot works quite well I think.
| | equidistant wrote:
| | | It's bad in that there's already a very popular game company named Riot (Games) which everyone refers to as 'Riot'.
| | |
| | | thenewnewguy wrote:
| | | | Disagree, I have serious doubts you could confuse the two. I can see almost no context where 'Riot (Games)' and 'Riot (Anti-Phish Company)' could be meaningfully confused.
| | | |
| | | | BenjaminN wrote:
| | | | | Some people know League of Legends, most don't know Riot Games. And I double checked: Riot Games don't own a trademark for anything related to cybersecurity.
| | | | |
| | | | | Arathorn wrote:
| | | | | | Unfortunately that doesn't seem to stop them going after companies with Riot in their name (even though Riot is also a dictionary word) :(

mc32 wrote:
| What are the steps necessary to get this up and running?
|
| Step 1, 2, 3... Besides signing up. Esp. if you have O365 or GApps for mail.
|
| BenjaminN wrote:
| | 1. Import the list of your employees.
| |
| | 2. Whitelist the IP address we use to send the emails.
| |
| | 3. Activate the "phishing simulation" module.
| |
| | 4. Wait and see.
| |
| | Takes 5 minutes.

cones688 wrote:
| > "I was pissed"
|
| How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?
|
| There is some interesting research from the UK Government in this space - https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3
|
| The relevant bit:
|
| "If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers...but phishing your own users isn't your only option.
|
| Try being more creative; some companies have had a lot of success with training that gets the participants to craft their own phishing email, giving them a much richer view of the influence techniques used. Others are experimenting with gamification, making a friendly competition between peers, rather than an 'us vs them' situation with security."
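The NCSC point cones688 quotes (one report is a head start; reporting should count for something) and cones688's later complaint that typical simulation tooling only records sent/opened/clicked/submitted and cannot tell whether the non-clickers ignored the mail or spotted it, can be turned into a small metrics routine. The following is an added example and is not code from Riot, Gophish or any commenter in this thread; the event names and the sample log are constructed for illustration, and the precedence rule (worst interaction wins, with "reported" tracked separately so a reporter who never clicked counts as a positive outcome) is this example's own choice.

```python
"""Campaign outcome summary that treats 'reported' as a first-class result.

Added example, not code from Riot, Gophish or any commenter. It assumes a
flat per-recipient event log; the event names mirror the sent/opened/
clicked/submitted levels discussed in the thread, plus 'reported'.
"""
from collections import Counter
from datetime import datetime

# Interaction precedence: the worst thing a recipient did is their outcome.
OUTCOME_RANK = {"no_interaction": 0, "opened": 1, "clicked": 2, "submitted": 3}

# Constructed sample log: (recipient, event, ISO-8601 timestamp).
SAMPLE_EVENTS = [
    ("alice@example.test", "sent", "2020-03-24T09:00:00"),
    ("bob@example.test", "sent", "2020-03-24T09:00:00"),
    ("carol@example.test", "sent", "2020-03-24T09:00:00"),
    ("dave@example.test", "sent", "2020-03-24T09:00:00"),
    ("erin@example.test", "sent", "2020-03-24T09:00:00"),
    ("alice@example.test", "opened", "2020-03-24T09:03:00"),
    ("alice@example.test", "reported", "2020-03-24T09:04:00"),   # spotted it
    ("bob@example.test", "opened", "2020-03-24T09:10:00"),
    ("bob@example.test", "clicked", "2020-03-24T09:11:00"),
    ("bob@example.test", "submitted", "2020-03-24T09:12:00"),    # gave creds
    ("carol@example.test", "opened", "2020-03-24T09:30:00"),
    ("carol@example.test", "clicked", "2020-03-24T09:31:00"),
    ("carol@example.test", "reported", "2020-03-24T09:33:00"),   # clicked, then reported
    ("dave@example.test", "opened", "2020-03-24T10:00:00"),
    # erin never interacted at all: silent, not "safe"
]


def summarize_campaign(events):
    """Return campaign-level metrics from a list of (recipient, event, ts)."""
    outcomes = {}          # recipient -> worst interaction level seen
    reported = set()       # recipients who reported, regardless of outcome
    first_sent = None
    first_report = None
    for recipient, event, ts in events:
        when = datetime.fromisoformat(ts)
        if event == "sent":
            outcomes.setdefault(recipient, "no_interaction")
            first_sent = when if first_sent is None else min(first_sent, when)
        elif event == "reported":
            reported.add(recipient)
            first_report = when if first_report is None else min(first_report, when)
        elif event in OUTCOME_RANK:
            current = outcomes.get(recipient, "no_interaction")
            if OUTCOME_RANK[event] > OUTCOME_RANK[current]:
                outcomes[recipient] = event

    total = len(outcomes)
    counts = Counter(outcomes.values())
    # The positive signal the NCSC quote is after: reported without ever clicking.
    spotted = sum(
        1 for r in reported
        if OUTCOME_RANK[outcomes.get(r, "no_interaction")] < OUTCOME_RANK["clicked"]
    )
    # Recipients who neither interacted nor reported: unknown, not a pass.
    silent = sum(1 for r, o in outcomes.items() if o == "no_interaction" and r not in reported)
    head_start = None
    if first_sent is not None and first_report is not None:
        head_start = (first_report - first_sent).total_seconds() / 60
    return {
        "total": total,
        "outcomes": dict(counts),
        "reported": len(reported),
        "reported_without_clicking": spotted,
        "report_rate": len(reported) / total if total else 0.0,
        "compromise_rate": counts["submitted"] / total if total else 0.0,
        "silent_non_interaction": silent,
        "minutes_to_first_report": head_start,
    }


if __name__ == "__main__":
    for key, value in summarize_campaign(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Reporting is kept separate from the interaction ladder on purpose: a recipient who clicked and then reported still shows up as "clicked" for risk purposes, but also adds to the report count and to the time-to-first-report figure, which is the number a responder actually needs.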
| BenjaminN wrote:
| | 1. There's an option to hide the names of the employees. It would replace all the names with a random animal name + a color. It's great if you don't want to know which employees are falling for attacks.
| |
| | 2. I love the idea to actually make the employees create their own attacks, but it seems a bit hard to do and pretty time-consuming for a company.
| |
| | cones688 wrote:
| | | It's not the actual individuals - it's the culture it creates, "HA! We caught you, you dumbass, here's 2hrs of training". This means people are afraid to report or take ownership over looking out for phishing as it creates no benefit for them, it's just there to make the security team smug.
| | |
| | | Having been part of and designed these campaigns before (with open source options like https://getgophish.com/), there is no way to report as phishing or reward users who detected but therefore didn't interact with it. This means in your example - did the other 81% just not open it, ignore it, or actively think it was phishing? These are key metrics a company needs to know their potential attack surface.

Nuzzerino wrote:
| So we have Riot Games, Riot.im, and now this. As if two wasn't enough confusion.

Kkoala wrote:
| Seems to be a hot topic recently. I first discovered https://www.hoxhunt.com/, there are probably some other competitors as well, what makes you different?
|
| tomashertus wrote:
| | I would be interested in this answer as well. There is actually quite heavy competition in this space: PhishMe, PhishLabs, IronScales, MediaPro, KnowBe4, Wombat (acquired by ProofPoint).
| |
| | What convinced YC to invest in your company?

elkos wrote:
| Honestly I mixed this up with riot.im
|
| BenjaminN wrote:
| | That's because you're not a LoL player ;-)

bearcobra wrote:
| My company uses Knowbe4, and I'm constantly frustrated how it considers it a fail if I only click a link vs entering in credentials. Sometimes it's tough to tell if something is phishing when you're checking email on your phone. Does Riot work the same way? Or do you test to see if users notice issues once they've actually opened something in the browser?
|
| jiveturkey wrote:
| | That's not a knowbe4 thing, that's your company's choice.
| |
| | opened/clicked/creds and so forth are various levels. Your company has decided that a mere click is a fail. also, in gmail, if you 'report phishing' (without clicking), gmail will "click" it for you as part of their back-end analysis. this will show up in the click report. this type of click is distinguishable from a user click, but it's not obvious and knowbe4 has zero docs on it.
| |
| | Keep in mind, a mere click can in fact be a fail. There are still drive-by attacks that work simply by clicking.

Arathorn wrote:
| Hi Ben - cool product! Speaking as the lead for Riot.im, I would recommend picking another name asap, if nothing else because Riot Games has an awful lot of lawyers (as we know first hand, unfortunately).
|
| BenjaminN wrote:
| | Damn!
| |
| | Arathorn wrote:
| | | that was our thought too :/ On the plus side, you can come join our secret treehouse alongside the nice people at https://riot.js.org/ and https://www.riot-os.org/ who have RG hanging over their heads...

skocznymroczny wrote:
| At the company I work at they send phishing training emails every now and then. Luckily, the email headers have special fields, so that the IT firewall lets the "spam" through. I managed to set up a rule in my outlook to catch these headers and move all the emails to a special "Phish" folder.

codegeek wrote:
| Pricing feedback. I would love this type of training for our small team of 12 people BUT at this time, I cannot spend $199/month even though one could argue that there is no cost high enough for security. Perhaps add another smaller tier for companies with 20 or fewer employees in the 2 digit range?
| BenjaminN wrote:
| | Sure! Pricing is actually very hard to set up.

jaredwiener wrote:
| Curious how you differ from Cofense Phishme? https://cofense.com/

igammarays wrote:
| Everyone's vulnerable to phishing, no matter how technically literate. It's too easy to click through an email during a moment of inattention. I've often thought that the only way to reliably prevent phishing is to enforce the use of a password manager browser extension, which will refuse to enter a saved password except on the original domain. Nobody should ever be manually typing passwords, or even copy-pasting passwords (in the rare case copying becomes necessary, it should be done with a big bold warning).
|
| A safer, phish-proof enterprise password manager may be your killer product here.

bt3 wrote:
| I work at a large professional services firm (think Big 4), so the risk of any single breach in our network is taken pretty seriously. Our IT department added an Outlook plugin years ago that you can use to immediately report phishing attempts to them. As a bonus, they'll sometimes send these "tests" and if you select "Report Phishing", you'll get an atta-boy type notification. I would assume at a macro level, they have stats on everyone and know who the "riskier" employees are. I have no idea if this is done in-house at other large companies.
|
| Sidenote/question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?
|
| Cool idea overall and wish you guys the best.
|
| BenjaminN wrote:
| | 1. I've talked with a lot of companies (Stripe for example) who do that internally and it takes a tremendous amount of time to set up.
| |
| | 2. For now attacks are very generic, but will soon be sector-based and department-based.
| |
| | 3. Yes for sure it's probably worth adapting the pace of the attacks depending on the level of the employees.
| |
| | Thanks for the kind words!

mbs348 wrote:
| It's been honestly pretty fun to run this at BackerKit. Sad to say it caught my COO, but actually more inspiring seeing my team banding together and fighting back and letting folks know in Slack. Also, as a bonus, a really cool lean use of Drift which inspired us to use that tool better.
|
| BenjaminN wrote:
| | Great to have BackerKit on board!

the-pigeon wrote:
| Love the idea! Unfortunately the IT group in my company is swamped with COVID-19 related work at the moment. But will be sure to bring it up with them once things calm down a little.
|
| My company recently had a user fall for a very poor phishing attack (entered password into a Google Sheets request) so something like this could save IT and the company a lot of money.
|
| BenjaminN wrote:
| | Since everyone is moving to remote right now, hackers are enjoying the overall disorganization of companies. I've seen a growing number of phishing attacks for the past few weeks.
| |
| | I wouldn't be surprised if we get a major data leak caused by COVID-19 in the coming days.
| |
| | PS: great username by the way.

brian_herman__ wrote:
| How do you differentiate yourself from places like https://www.knowbe4.com/ which offer free services against phishing?
|
| BenjaminN wrote:
| | I tried Knowbe4, I think it's a horrible product.
| |
| | I heard once you try the "free service" they call you daily to sign you up for the paid plan.
| |
| | jiveturkey wrote:
| | | like sibling, i found knowbe4 to be pretty good. easy to setup, easy to use, great support, pretty comprehensive.
| | |
| | | not perfect, mind you, but still pretty good.
| | |
| | | they do bug the hell out of you but who cares? it's just one of dozens of calls i have to ignore on the daily. i told them to back off and they did.
| | |
| | | i'll tell you what product is actually horrible, and perhaps ironically so. SANS security training (phishing part relevant here, but the entire suite is horrid). just stay away, don't waste a minute evaluating it.
| |
| | thrownaway954 wrote:
| | | i used knowbe4 before and I found their product to be very good and easy to use. also i like that they had training videos and assessment tests as part of their packages. i didn't see anything on your site pertaining to this.

rsync wrote:
| I wonder if you can comment on the weirdly pro-phishing behavior of _many_ US banks who, if I didn't know better, appear to be _trying hard_ to make their customers vulnerable to phishing attacks ...
|
| - TIAA Bank redirects customers, after login, to "cibng.ibanking-services.com".
|
| - US Bank, depending on which account you log into, will redirect you to "loansphereservicingdigital.bkiconnect.com".
|
| - Union Bank will redirect you to "unionbank.customercarenet.com" if you look at a mortgage account.
|
| These are big, serious US Banks and these domain jumpings (to domains that almost look like _parodies_ of an actual bank domain) occur to every online banking customer.
|
| They are training their customers to be phished.
|
| FWIW, I have never seen Wells Fargo do this ...
|
| dmurray wrote:
| | My bank in Ireland (Ulster Bank) has a notice on the login page: "You will NEVER need your card reader [their 2FA] to log in". Last year they changed their login flow so you are asked to use your card reader to log in. I complained about it on Twitter but got a meaningless response about customer safety/new regulations.
| |
| | If they wanted to train their customers to be phished, I can't think how they could do a better job.

thedrake wrote:
| One that is happening in nearly every parish is that scammers are using church bulletins to get the personal info and then sending a "message" from the priest to those people. So while not CEO fraud it is very similar. A great setup and one that you could find a way that you charge when teams are doing the right thing... have the test be free and the training have a cost

ph0rque wrote:
| True story (except for the last two lines):
|
| Boss: install this antivirus and run it: [link].
|
| Me: I dunno, that seems like a phishing attempt... is that really you, boss? What's the code word?
|
| Boss: DO IT OR YOU ARE FIRED!
|
| Me: oh yeah, definitely you; installing it right now.

meter wrote:
| How do you avoid spam filters when sending your fake phishing emails?
|
| BenjaminN wrote:
| | Depending on your email provider (most of the time it's Google), you need to whitelist the IP address I use to send the emails. It takes probably no more than 4 minutes to do.

MalachiC0nstant wrote:
| Why is this any better than product offerings from PhishMe, Wombat, or KnowBe4?
|
| BenjaminN wrote:
| | Most of them target big companies. It makes a very different product.
| |
| | I have a fun story with Wombat: I tried to use the product in my previous company (100 employees), had 4 different calls, with 4 different sales persons, during 2 months. At the end they just forgot about me.
| |
| | jiveturkey wrote:
| | | don't know about wombat and the other, but how can you say knowbe4 targets big companies? Their SCORM integration is horrible.
| |
| | jiveturkey wrote:
| | | You are double the price of knowbe4. How do you expect to possibly compete?
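igammarays' suggestion above (a password manager that refuses to release a saved password anywhere but the origin it was saved on) and rsync's bank examples (legitimate logins that bounce customers to unrelated servicing domains) describe the same decision from two sides: fill only on an exact origin match, and make any other host an explicit, user-approved exception rather than a silent guess. The following is an added example, not code from any password manager, from Riot or from a commenter; the `SavedLogin` record, the `approved_hosts` pairing list and the "never fill over plain http" rule are this example's own assumptions, and the hostnames in it are constructed.

```python
"""Origin-bound autofill decision.

Added example (not code from any password manager or commenter). A saved
credential is released only to the exact origin it was saved on, or to a
host the user has explicitly paired with it (modelling a bank's separate
servicing domain). Everything else, including lookalikes and subdomain
tricks, is refused with a reason the UI can show.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class SavedLogin:
    origin: str                                   # URL the password was saved on
    approved_hosts: set = field(default_factory=set)  # hosts the user explicitly paired (assumed feature)


def _origin(url):
    """Return a normalized (scheme, host, port) tuple, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Default ports so "https://h" and "https://h:443" compare equal.
    port = port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower().rstrip("."), port


def autofill_decision(saved, page_url):
    """Return (allowed, reason) for filling `saved` into the page at `page_url`."""
    page = _origin(page_url)
    stored = _origin(saved.origin)
    if page is None or stored is None:
        return False, "unparseable or non-http(s) URL"
    if page[0] != "https":
        # Policy choice of this example: never hand a password to a plain-http page.
        return False, "refuse to fill over plain http"
    if page == stored:
        return True, "exact origin match"
    if page[1] in saved.approved_hosts:
        return True, "host explicitly approved by user for this login"
    # Note: no suffix/substring matching here. "bank.test.evil.test" and
    # "bank.test" share a suffix and still get refused.
    return False, f"origin {page[1]} does not match saved {stored[1]}"


# Constructed sample: a login saved on a bank, plus one paired servicing host.
BANK_LOGIN = SavedLogin("https://www.examplebank.test/login",
                        approved_hosts={"servicing.third-party.test"})

if __name__ == "__main__":
    for url in ("https://www.examplebank.test/account",
                "https://www.examplebank.test.attacker.test/login",
                "https://www.exarnplebank.test/login",
                "https://servicing.third-party.test/mortgage",
                "http://www.examplebank.test/login"):
        print(url, "->", autofill_decision(BANK_LOGIN, url))
```

The pairing list is what makes the bank case workable without weakening the rule: the first redirect to a servicing domain is a refusal plus a prompt, and only a deliberate "yes, this host belongs to my bank" adds it, so a lookalike that nobody approved never gets a password.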
eggbrain wrote:
| How do you work with the service providers you use to host your platform and send out emails (e.g. Heroku / Mailgun) to let them know you are not a malicious phishing company, but an anti-phishing company?
|
| I say this because I ended up reporting the phishing email I received from you guys to Mailgun, and I believe accidentally got your account disabled. Sorry about that.
|
| BenjaminN wrote:
| | YES you did!
| |
| | I called them right after that, and I have to say they've been great so far. We agreed I would pay for a dedicated IP, and they now fully support Riot. And having a dedicated IP is actually better, because you can now remove the unexpected warning on Gmail.

jedberg wrote:
| > Would love to hear your war stories on phishing scams, and how you train your teams!
|
| I was working on anti-phishing in 2003, before it had the name phishing. We were trying to teach our users not to fall for the scams.
|
| It didn't work. People will fall for the same scam over and over.
|
| The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.
|
| I wish you luck, but don't get discouraged if it doesn't work. We've been trying to educate people about phishing for 17+ years. :)
|
| We shifted our focus to tracking the phishing sites and then tying that back to which user accounts were hacked, and disabling the hacked accounts and notifying the users before damage could be done.
|
| PayPal actually holds the patent on what we built, along with a ton of other anti-phishing and phishing site tracking patents.
| swamifin wrote:
| | If you wouldn't mind I'd really like to get your opinion on this proposed hardware solution I posted a while back:
| |
| | https://news.ycombinator.com/item?id=22343786
|
| derision wrote:
| | According to Wikipedia, the term phishing (or fishing) originated in the mid-1990s
| |
| | jedberg wrote:
| | | The term was coined in the 90s, but didn't get widespread usage until the mid-2000s. So yes, technically it had that name already, but no one used it then.
|
| BenjaminN wrote:
| | I actually started coding in 2000 trying to hack my brother, so I can relate: phishing has been a never-ending story.
| |
| | It's still worth trying though!
| |
| | jedberg wrote:
| | | Definitely worth trying! Just want to help you set expectations. :)
| | |
| | | BenjaminN wrote:
| | | | Thanks!
|
| johnwheeler wrote:
| | Did you try punitive disincentives?
| |
| | brobinson wrote:
| | | A better approach is to turn it into a game: reward those who report suspected phishing emails, security breaches, tailgating into secure areas, USB devices left around, etc. and have red teams doing this stuff periodically. Punitive measures don't really work. Friendly competition with rewards does work, though.
| | |
| | | johnwheeler wrote:
| | | | that's a good point :D
| |
| | rwmurrayVT wrote:
| | | The company sends out fake phishing emails. The same people keep falling for it... I suppose the outlined punishments are not strictly enforced.
|
| nothrabannosir wrote:
| | _> The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage._
| |
| | A friend works for a company that fires employees after failing three phishing tests.
| |
| | It doesn't solve the problem for those people, but it does work for that company. What has priority depends on your management style :)
| |
| | closeparen wrote:
| | | The only way to pass the phishing tests at my employer is to _never click links in email_. But then we also have a number of official systems sending emails with links in them (bug tracking, code review, Zoom invites, HR portal, etc).
| | |
| | | The only way this kind of policy makes sense is if you have to actually give the phishing site some kind of credential in order to fail, vs. merely opening it.
| | |
| | | If someone has a Chrome zero-day, we're done anyway. Just post it on HN.

ttul wrote:
| This is a hot area, but there are already huge competitors. How do you differentiate?
|
| BenjaminN wrote:
| | Great question!
| |
| | 1. From Gophish: you need to be technical and you need at least a week off to prepare the attacks. With Riot, you can be sending attacks in a matter of minutes.
| |
| | 2. From Knowbe4, ...: those are products made for enterprise companies, that are trying somehow to adapt to smaller companies. Riot is doing the opposite: it was built with smaller companies in mind.
| |
| | Overall, I think there's a huge need today for product-centric cybersecurity companies, where most of the big players are sales-centric companies.
| |
| | bfrit wrote:
| | | > Overall, I think there's a huge need today for product-centric cybersecurity companies, where most of the big players are sales-centric companies.
| | |
| | | Totally agreed, and I love this. High five from a Techstars 2020 company doing a similar product-first approach to cyber security program planning and implementation for small businesses. We use Webroot as a vendor to supply phishing right now but would love to talk. brian@havocshield.com
___________________________________________________________________
(page generated 2020-03-24 23:00 UTC)