[HN Gopher] Launch HN: Riot (YC W20) - Phishing training for you...
       ___________________________________________________________________
        
       Launch HN: Riot (YC W20) - Phishing training for your team
        
       Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a
       tool that sends phishing emails to your team to get them ready for
       real attacks. It's like a fire drill, but for cybersecurity.  Prior
       to Riot, I was the co-founder and CTO of a fintech company
        operating hundreds of millions of euros of transactions every year.
       We were under attack continuously. I was doing an hour-long
       security training once a year, but was always curious if my team
       was really ready for an attack. In fact, it kept me up at night
       thinking we were spending a lot of money on protecting our app, but
       none on preparing the employees for social engineering.  So I
       started a side project at that previous company to test this out.
       On the first run, 9% of all the employees got scammed. I was
       pissed, but it convinced me we needed a better way to train
       employees for cybersecurity attacks. This is what grew into Riot.
       For now we are only training for phishing, but our intention is to
       grow this into a tool that will continuously prepare your team for
       good practices (don't reuse passwords for example) and upcoming
       attacks (CEO fraud is next), in a smart way.  Your questions,
       feedback, and ideas are most welcome. Would love to hear your war
       stories on phishing scams, and how you train your teams!
        
       Author : BenjaminN
       Score  : 73 points
       Date   : 2020-03-24 17:25 UTC (5 hours ago)
        
       | equidistant wrote:
       | That's an unfortunate business name
        
         | BenjaminN wrote:
         | Definitely bad timing. My experience with names: they are never
         | good enough.
         | 
         | What I look for in a name:
         | 
         | 1. If I say it out loud, you know how to write it.
         | 
         | 2. If I say it out loud today, you remember it tomorrow.
         | 
          | On those 2 criteria, Riot works quite well I think.
        
           | equidistant wrote:
           | It's bad in that there's already a very popular game company
           | named Riot (Games) which everyone refers to as 'Riot'.
        
             | thenewnewguy wrote:
             | Disagree, I have serious doubts you could confuse the two.
             | I can see almost no context where 'Riot (Games)' and 'Riot
             | (Anti-Phish Company)' could be meaningfully confused.
        
             | BenjaminN wrote:
             | Some people know League of Legends, most don't know Riot
             | Games. And I double checked: Riot Games don't own a
             | trademark for anything related to cybersecurity.
        
               | Arathorn wrote:
               | Unfortunately that doesn't seem to stop them going after
               | companies with Riot in their name (even though Riot is
               | also a dictionary word) :(
        
       | mc32 wrote:
       | What are the steps necessary to get this up and running?
       | 
       | Step 1, 2, 3... Besides signing up. ESP if you have O365 or GApps
       | for mail.
        
         | BenjaminN wrote:
         | 1. Import the list of your employees.
         | 
         | 2. Whitelist the IP address we use to send the emails.
         | 
         | 3. Activate the "phishing simulation" module.
         | 
         | 4. Wait and see.
         | 
         | Takes 5 minutes.
        
       | cones688 wrote:
       | > "I was pissed"
       | 
       | How do you balance/deal with "security shaming", which is proven
       | to put you further at risk as an organization?
       | 
       | There is some interesting research from the UK Government in this
        | space - https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3
       | 
       | The relevant bit:
       | 
       | "If just one user reports a phish, you can get a head start on
       | defending your company against that phishing campaign and every
       | spotted email is one less opportunity for attackers...but
       | phishing your own users isn't your only option.
       | 
       | Try being more creative; some companies have had a lot of success
       | with training that gets the participants to craft their own
       | phishing email, giving them a much richer view of the influence
       | techniques used. Others are experimenting with gamification,
       | making a friendly competition between peers, rather than an 'us
       | vs them' situation with security."
        
         | BenjaminN wrote:
         | 1. There's an option to hide the names of the employees. It
         | would replace all the names with random animal name + a color.
         | It's great if you don't want to know which employees are
         | falling for attacks.
         | 
         | 2. I love the idea to actually make the employees create their
         | own attacks, but seems a bit hard to do and pretty much time
         | consuming for a company.
        
           | cones688 wrote:
            | It's not the actual individuals - it's the culture it creates,
            | "HA! We caught you, you dumbass, here's 2hrs of training".
            | This means people are afraid to report or take ownership over
            | looking out for phishing as it creates no benefit for them,
            | it's just there to make the security team smug.
           | 
           | Having been part of and designed these campaigns before (with
           | open source options like https://getgophish.com/), there is
           | no way to report as phishing or reward users who detected but
           | therefore didn't interact with it. This means in your example
           | - did the other 81% just not open it, ignored it, or actively
           | thought it was phishing? These are key metrics a company
           | needs to know their potential attack surface.
        
       | Nuzzerino wrote:
       | So we have Riot Games, Riot.im, and now this. As if two wasn't
       | enough confusion.
        
       | Kkoala wrote:
       | Seems to be a hot topic recently. I first discovered
       | https://www.hoxhunt.com/, there are probably some other
       | competitors as well, what makes you different?
        
         | tomashertus wrote:
          | I would be interested in this answer as well. There is
          | actually quite heavy competition in this space: PhishMe,
         | PhishLabs, IronScales, MediaPro, KnowBe4, Wombat (acquired by
         | ProofPoint).
         | 
         | What convinced YC to invest in your company?
        
       | elkos wrote:
       | Honestly I mixed this with riot.im
        
         | BenjaminN wrote:
         | That's because you're not a LoL player ;-)
        
       | bearcobra wrote:
       | My company uses Knowbe4, and I'm constantly frustrated how it
       | considers it a fail if I only click a link vs entering in
       | credentials. Sometimes it's tough to tell if something is
        | phishing when you're checking email on your phone. Does Riot work
       | the same way? Or do you test to see if users notice issues once
       | they've actually opened something in the browser?
        
         | jiveturkey wrote:
         | That's not a knowbe4 thing, that's your company's choice.
         | 
         | opened/clicked/creds and so forth are various levels. Your
         | company has decided that a mere click is a fail. also, in
         | gmail, if you 'report phishing' (without clicking), gmail will
         | "click" it for you as part of their back-end analysis. this
         | will show up in the click report. this type of click is
         | distinguishable from a user click, but it's not obvious and
         | knowbe4 has zero docs on it.
         | 
         | Keep in mind, a mere click can in fact be a fail. There are
         | still drive-by attacks that work simply by clicking.
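
The levels jiveturkey lists (opened, clicked, credentials entered) and the
open question in cones688's comment (did the rest not open it, ignore it, or
actively report it?) both come down to how a campaign's event log is scored.
The following is an added example and is not code from Riot, KnowBe4 or
Gophish: it parses a constructed event log, keeps one worst human level per
user, counts "report" events separately, and does not hold a click against a
user when the user agent looks like an automated link fetcher (the
mail-client back-end click jiveturkey describes). The log format, the user
names and the user-agent markers are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample log, not real data. Fields: timestamp, user, event,
# user agent ("-" when there is none). "reported" is the user pressing
# "report phishing" in the mail client; the click that follows from a
# scanner-looking user agent is the client's back-end fetching the link.
SAMPLE_LOG = """\
2020-03-24T17:30:00Z alice delivered -
2020-03-24T17:30:00Z bob delivered -
2020-03-24T17:30:00Z carol delivered -
2020-03-24T17:30:00Z dave delivered -
2020-03-24T17:31:10Z alice opened Mozilla/5.0 (iPhone)
2020-03-24T17:31:40Z alice clicked Mozilla/5.0 (iPhone)
2020-03-24T17:32:05Z alice submitted Mozilla/5.0 (iPhone)
2020-03-24T17:33:00Z bob opened Mozilla/5.0 (Windows NT 10.0)
2020-03-24T17:33:30Z bob clicked Mozilla/5.0 (Windows NT 10.0)
2020-03-24T17:35:00Z carol reported -
2020-03-24T17:35:02Z carol clicked Google-Safety-Scanner/1.0 (hypothetical)
"""

# Ascending severity of what a person did with the mail.
LEVELS = ("delivered", "opened", "clicked", "submitted")

# Assumption: substrings that mark automated link fetchers. A real deployment
# would build this list from observed traffic, not guess it.
SCANNER_UA_MARKERS = ("scanner", "proxy", "bot")


def parse_log(text):
    """Parse the whitespace-separated log into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ua = line.split(maxsplit=3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ua": ua,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_scanner_click(ev):
    """A click is attributed to a scanner when its user agent carries a marker."""
    ua = ev["ua"].lower()
    return ev["event"] == "clicked" and any(m in ua for m in SCANNER_UA_MARKERS)


def score_users(events):
    """Per user: worst human level, whether they reported, and scanner clicks seen."""
    users = {}
    for ev in events:
        u = users.setdefault(ev["user"], {"level": "delivered",
                                          "reported": False,
                                          "scanner_clicks": 0})
        if ev["event"] == "reported":
            u["reported"] = True
        elif is_scanner_click(ev):
            u["scanner_clicks"] += 1       # not the person's action
        elif ev["event"] in LEVELS and \
                LEVELS.index(ev["event"]) > LEVELS.index(u["level"]):
            u["level"] = ev["event"]
    return users


def summarize(users, fail_at="submitted"):
    """Campaign counts. fail_at is the policy choice: 'clicked' or 'submitted'."""
    counts = {"total": len(users), "not_opened": 0, "opened_only": 0,
              "clicked": 0, "submitted": 0, "reported": 0, "failed": 0}
    for u in users.values():
        if u["level"] == "delivered":
            counts["not_opened"] += 1
        elif u["level"] == "opened":
            counts["opened_only"] += 1
        else:
            counts[u["level"]] += 1
        if u["reported"]:
            counts["reported"] += 1
        if LEVELS.index(u["level"]) >= LEVELS.index(fail_at):
            counts["failed"] += 1
    return counts


if __name__ == "__main__":
    scored = score_users(parse_log(SAMPLE_LOG))
    for name, u in sorted(scored.items()):
        print(name, u)
    print("fail on submit:", summarize(scored, "submitted"))
    print("fail on click: ", summarize(scored, "clicked"))
```

With the sample log, carol is scored as "delivered" plus "reported" even though
a click was logged for her, because that click came from the scanner user
agent; the two summaries differ only in whether bob's click counts as a fail,
which is the policy decision jiveturkey attributes to the company rather than
the vendor.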
        
       | Arathorn wrote:
       | Hi Ben - cool product! Speaking as the lead for Riot.im, I would
       | recommend picking another name asap, if nothing else because Riot
       | Games has an awful lot of lawyers (as we know first hand,
       | unfortunately).
        
         | BenjaminN wrote:
         | Damn!
        
           | Arathorn wrote:
           | that was our thought too :/ On the plus side, you can come
           | join our secret treehouse alongside the nice people at
           | https://riot.js.org/ and https://www.riot-os.org/ who have RG
           | hanging over their heads...
        
       | skocznymroczny wrote:
       | At the company I work at they send phishing training emails every
       | now and then. Luckily, the email headers have special fields, so
       | that the IT firewall lets the "spam" through. I managed to set up
       | a rule in my outlook to catch these headers and move all the
       | emails to a special "Phish" folder.
        
       | codegeek wrote:
       | Pricing feedback. I would love this type of training for our
       | small team of 12 people BUT at this time, I cannot spend
       | $199/Month even though one could argue that there is no cost high
       | enough for security. Perhaps add another smaller tier for
       | companies with 20 or less employees in the 2 digit range ?
        
         | BenjaminN wrote:
         | Sure! Pricing is actually very hard to set up.
        
       | jaredwiener wrote:
       | Curious how you differ from Cofense Phishme? https://cofense.com/
        
       | igammarays wrote:
       | Everyone's vulnerable to phishing, no matter how technically
       | literate. It's too easy to click through an email during a moment
       | of inattention. I've often thought that the only way to reliably
       | prevent phishing is to enforce the use of a password manager
       | browser extension, which will refuse to enter a saved password
       | except on the original domain. Nobody should ever be manually
       | typing passwords, or even copy-pasting passwords (in the rare
       | case copying becomes necessary, it should be done with a big bold
       | warning).
       | 
       | A safer, phish-proof enterprise password manager may be your
       | killer product here.
        
       | bt3 wrote:
       | I work at a large professional services firm (think Big 4), so
       | the risk of any single breach in our network is taken pretty
       | seriously. Our IT department added an Outlook plugin years ago
        | that you can use to immediately report phishing attempts to
        | them. As a bonus, they'll sometimes send these "tests" and if you
        | select to "Report Phishing", you'll get an atta-boy type
       | notification. I would assume at a macro level, they have stats on
       | everyone and know who the "riskier" employees are. I have no idea
       | if this is done inhouse at other large companies.
       | 
       | Sidenote/ question for you: some of the "test" attacks my company
       | sends are very specific to the work we're doing and can sometimes
       | sound very convincing. Do you have a catalogue of "attacks" based
       | on industry or department (procurement might fall for something
       | completely different than sales or marketing)? I'm sure with
       | enough tests, you could measure the effectiveness of attacks (or
       | maybe the difficulty of detection)... then you can start rating
       | organizations not just based on what percentage of folks fell for
       | it, but what specifically they fell for, or what was more likely
       | to get them to bite. Almost like targeted training?
       | 
       | Cool idea overall and wish you guys the best.
        
         | BenjaminN wrote:
         | 1. I've talked with a lot of companies (Stripe for example) who
         | do that internally and it takes a tremendous amount of time to
         | set up.
         | 
          | 2. For now attacks are very generic, but will soon be
          | sector-based and department-based.
         | 
         | 3. Yes for sure it's probably worth adapting the pace of the
         | attacks depending on the level of the employees.
         | 
         | Thanks for the kind words!
        
       | mbs348 wrote:
       | It's been honestly pretty fun to run this at BackerKit. Sad to
       | say it caught my COO, but actually more inspiring seeing my team
       | banding together and fighting back and letting folks know in
       | Slack. Also, a bonus, a really cool lean use of Drift which
       | inspired us to use that tool better.
        
         | BenjaminN wrote:
         | Great to have BackerKit on board!
        
       | the-pigeon wrote:
       | Love the idea! Unfortunately the IT group in my company is
       | swamped with COVID-19 related work at the moment. But will be
       | sure to bring it up with them once things calm down a little.
       | 
       | My company recently had a user fall for a very poor phishing
       | attack (entered password into a Google Sheets request) so
       | something like this could save IT and the company a lot of money.
        
         | BenjaminN wrote:
         | Since everyone is moving to remote right now, hackers are
         | enjoying the overall disorganization of companies. I've seen a
         | growing number of phishing attacks for the past few weeks.
         | 
         | I wouldn't be surprised if we get a major data leak caused by
         | COVID-19 in the coming days.
         | 
         | PS: great username by the way.
        
       | brian_herman__ wrote:
       | How do you differentiate yourself with places like
       | https://www.knowbe4.com/ which offer free services against
       | phishing.
        
         | BenjaminN wrote:
         | I tried Knowbe4, I think it's a horrible product.
         | 
         | I heard once you try the "free service" they call you daily to
         | sign you up for the paid plan.
        
           | jiveturkey wrote:
           | like sibling, i found knowbe4 to be pretty good. easy to
           | setup, easy to use, great support, pretty comprehensive.
           | 
           | not perfect, mind you, but still pretty good.
           | 
           | they do bug the hell out of you but who cares? it's just one
           | of dozens of calls i have to ignore on the daily. i told them
           | to back off and they did.
           | 
           | i'll tell you what product is actually horrible, and perhaps
           | ironically so. SANS security training (phishing part relevant
           | here, but the entire suite is horrid). just stay away, don't
           | waste a minnit evaluating it.
        
           | thrownaway954 wrote:
           | i used knowbe4 before and I found their product to be very
           | good and easy to use. also i like that they had training
           | videos and assessment tests as part of their packages. i
           | didn't see anything on your site pertaining to this.
        
       | rsync wrote:
       | I wonder if you can comment on the weirdly pro-phishing behavior
        | of _many_ US banks who, if I didn't know better, appear to be
       | _trying hard_ to make their customers vulnerable to phishing
       | attacks ...
       | 
        | - TIAA Bank redirects customers, after login, to
        | "cibng.ibanking-services.com".
       | 
       | - US Bank, depending on which account you log into will redirect
       | you to "loansphereservicingdigital.bkiconnect.com".
       | 
       | - Union Bank will redirect you to "unionbank.customercarenet.com"
       | if you look at a mortgage account.
       | 
       | These are big, serious US Banks and these domain jumpings (to
       | domains that almost look like _parodies_ of an actual bank
       | domain) occur to every online banking customer.
       | 
       | They are training their customers to be phished.
       | 
       | FWIW, I have never seen Wells Fargo do this ...
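
igammarays' point earlier in the thread (a password manager extension should
refuse to fill a saved password anywhere but the original domain) and rsync's
list of banks that bounce customers to unrelated domains after login are two
sides of the same check. The function below is an added example and is not
code from the thread or from any real password manager: it decides whether a
saved credential may be offered on the current page by comparing exact
origins, with an optional per-site opt-in for subdomains of the same
registrable domain. The hostnames are constructed, and the small suffix set is
a stand-in assumption for the real Public Suffix List an extension would ship.

```javascript
// Assumption: a tiny stand-in for the Public Suffix List. The registrable
// domain is the label immediately before a known suffix.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "ie"]);

// "login.bank.example.com" -> "example.com"; "bank.co.uk" -> "bank.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return host.toLowerCase();
}

// saved: { origin: "https://bank.example.com", allowSubdomains: false }
// Returns { fill: boolean, reason: string } so the UI can explain a refusal.
function autofillDecision(saved, currentUrl) {
  let cur;
  try {
    cur = new URL(currentUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable-url" };
  }
  const savedUrl = new URL(saved.origin);

  // Never fill over plain HTTP, even on the right host: the page could have
  // been rewritten in transit.
  if (cur.protocol !== "https:") return { fill: false, reason: "not-https" };

  // The default rule: scheme, host and port must all match what was saved.
  if (cur.origin === savedUrl.origin) return { fill: true, reason: "exact-origin" };

  // Optional relaxation, per site, for subdomains of the same registrable
  // domain. A lookalike such as bank.example.com.login-secure.net never
  // qualifies because its registrable domain is login-secure.net.
  const sameSite =
    registrableDomain(cur.hostname) === registrableDomain(savedUrl.hostname);
  if (sameSite && saved.allowSubdomains) return { fill: true, reason: "same-site-opt-in" };
  if (sameSite) return { fill: false, reason: "subdomain-not-enabled" };
  return { fill: false, reason: "different-site" };
}

// Constructed walk-through: a bank that saves at one origin and then sends
// its customers to a third-party portal host.
const saved = { origin: "https://bank.example.com", allowSubdomains: false };
for (const url of [
  "https://bank.example.com/login",
  "https://login.bank.example.com/",
  "https://bank-example.customer-portal.net/mortgage",
  "https://bank.example.com.login-secure.net/",
  "http://bank.example.com/",
]) {
  console.log(url, autofillDecision(saved, url));
}
```

The third constructed URL is the thread's bank-redirect pattern: the
credential saved for bank.example.com is simply never offered on
bank-example.customer-portal.net, so a customer who relies on the manager is
forced to type the password by hand there, which is exactly the habit the
manager was supposed to remove.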
        
         | dmurray wrote:
         | My bank in Ireland (Ulster Bank) has a notice on the login
         | page: "You will NEVER need your card reader [their 2FA] to log
         | in". Last year they changed their login flow so you are asked
         | to use your card reader to log in. I complained about it on
         | Twitter but got a meaningless response about customer
         | safety/new regulations.
         | 
         | If they wanted to train their customers to be phished, I can't
         | think how they could do a better job.
        
       | thedrake wrote:
       | One that is happening in nearly every parish is that scammers are
       | using church bulletins to get the personal info and then sending
       | a "message" from the priest to those people. So while not CEO
       | fraud it is very similar. A great setup and one that you could
       | find a way that you charge when teams are doing the right
       | thing... have the test be free and the training have a cost
        
       | ph0rque wrote:
       | True story (except for the last two lines):
       | 
       | Boss: install this antivirus and run it: [link].
       | 
       | Me: I dunno, that seems like a phishing attempt... is that really
       | you, boss? What's the code word?
       | 
       | Boss: DO IT OR YOU ARE FIRED!
       | 
       | Me: oh yeah, definitely you; installing it right now.
        
       | meter wrote:
        | How do you avoid spam filters when sending your fake phishing emails?
        
         | BenjaminN wrote:
         | Depending on your email provider (most of the time it's
         | Google), you need to whitelist the IP address I use to send the
         | emails. It takes probably no more than 4 minutes to do.
        
       | MalachiC0nstant wrote:
       | Why is this any better than product offerings from PhishMe,
       | Wombat, or KnowBe4?
        
         | BenjaminN wrote:
         | Most of them target big companies. It makes a very different
         | product.
         | 
         | I have a fun story with Wombat: I tried to use the product in
         | my previous company (100 employees), had 4 different calls,
         | with 4 different sales persons, during 2 months. At the end
         | they just forgot about me.
        
           | jiveturkey wrote:
           | don't know about wombat and the other, but how can you say
           | knowbe4 targets big companies? Their SCORM integration is
           | horrible.
        
       | jiveturkey wrote:
       | You are double the price of knowbe4. How do you expect to
       | possibly compete?
        
       | eggbrain wrote:
       | How do you work with the service providers you use to host your
       | platform and send out emails (e.g. Heroku / Mailgun) to let them
        | know you are not a malicious phishing company, but an
        | anti-phishing company?
       | 
       | I say this because I ended up reporting the phishing email I
       | received from you guys to Mailgun, and I believe accidentally got
       | your account disabled. Sorry about that.
        
         | BenjaminN wrote:
         | YES you did!
         | 
         | I called them just right after that, and I have to say they've
         | been great so far. We agreed I would pay for a dedicated IP,
         | and they now fully support Riot. And having a dedicated IP is
         | actually better, because you can now remove the unexpected
         | warning on Gmail.
        
       | jedberg wrote:
       | > Would love to hear your war stories on phishing scams, and how
       | you train your teams!
       | 
       | I was working on anti-phishing in 2003, before it had the name
       | phishing. We were trying to teach our users not to fall for the
       | scams.
       | 
       | It didn't work. People will fall for the same scam over and over.
       | 
       | The conclusion we came to was that the only solution to phishing
       | was education, and education was also nearly impossible to get
       | 100% coverage.
       | 
       | I wish you luck, but don't get discouraged if it doesn't work.
       | We've been trying to educate people about phishing for 17+ years.
       | :)
       | 
       | We shifted our focus to tracking the phishing sites and then
       | tying that back to which user accounts were hacked, and disabling
       | the hacked accounts and notifying the users before damage could
       | be done.
       | 
       | PayPal actually holds the patent on what we built, along with a
       | ton of other anti-phishing and phishing site tracking patents.
        
         | swamifin wrote:
         | If you wouldn't mind I'd really like to get your opinion on
         | this proposed hardware solution I posted a while back:
         | 
         | https://news.ycombinator.com/item?id=22343786
        
         | derision wrote:
         | According to Wikipedia, the term phishing (or fishing)
         | originated in the mid-1990s
        
           | jedberg wrote:
           | The term was coined in the 90s, but didn't get widespread
           | usage until the mid-2000s. So yes, technically it had that
           | name already, but no one used it then.
        
         | BenjaminN wrote:
         | I actually started coding in 2000 trying to hack my brother, so
         | I can relate: phishing has been a never-ending story.
         | 
         | It's still worth trying though!
        
           | jedberg wrote:
           | Definitely worth trying! Just want to help you set
           | expectations. :)
        
             | BenjaminN wrote:
             | Thanks!
        
             | johnwheeler wrote:
             | Did you try punitive disincentives?
        
               | brobinson wrote:
               | A better approach is to turn it into a game: reward those
               | who report suspected phishing emails, security breaches,
               | tailgating into secure areas, USB devices left around,
               | etc. and have red teams doing this stuff periodically.
               | Punitive measures don't really work. Friendly competition
               | with rewards does work, though.
        
               | johnwheeler wrote:
               | that's a good point :D
        
               | rwmurrayVT wrote:
               | The company sends out fake phishing emails. The same
               | people keep falling for it... I suppose the outlined
               | punishments are not strictly enforced.
        
         | nothrabannosir wrote:
         | _> The conclusion we came to was that the only solution to
         | phishing was education, and education was also nearly
         | impossible to get 100% coverage._
         | 
         | A friend works for a company that fires employees after failing
         | three phishing tests.
         | 
         | It doesn't solve the problem for those people, but it does work
         | for that company. What has priority depends on your management
         | style :)
        
           | closeparen wrote:
           | The only way to pass the phishing tests at my employer is to
           | _never click links in email_. But then we also have a number
           | of official systems sending emails with links in them (bug
           | tracking, code review, Zoom invites, HR portal, etc).
           | 
           | The only way this kind of policy makes sense is if you have
           | to actually give the phishing site some kind of credential in
           | order to fail, vs. merely opening on it.
           | 
           | If someone has a Chrome zero-day, we're done anyway. Just
           | post it on HN.
        
       | ttul wrote:
       | This is a hot area, but there are already huge competitors. How
       | do you differentiate?
        
         | BenjaminN wrote:
         | Great question!
         | 
         | 1. From Gophish: you need to be technical and you need at least
         | a week off to prepare the attacks. With Riot, you can be
         | sending attacks in a matter of minutes.
         | 
         | 2. From Knowbe4, ...: those are products made for enterprise
         | companies, that are trying somehow to adapt to smaller
         | companies. Riot is doing the opposite: it was built with
         | smaller companies in mind.
         | 
         | Overall, I think there's a huge need today for product-centric
         | cybersecurity companies, where most of the big players are
         | sales-centric companies.
        
           | bfrit wrote:
            | > Overall, I think there's a huge need today for
            | product-centric cybersecurity companies, where most of the big
            | players are sales-centric companies.
           | 
           | Totally agreed, and I love this. High five from a Techstars
           | 2020 company doing a similar product-first approach to cyber
           | security program planning and implementation for small
           | businesses. We use Webroot as a vendor to supply phishing
           | right now but would love to talk. brian@havocshield.com
        
       ___________________________________________________________________
       (page generated 2020-03-24 23:00 UTC)