Here's how you can catch phish like Twitter

At Twitter, fighting phishing is a biological business. Its program draws inspiration from the human body's immune system in that the best way to fight infection is with antibodies.

In the Twitter analogy, the body's virus-eating neutrophils were the company's anti-virus and intrusion detection systems while the antibody-producing T lymphocytes were its infection signatures. 

To build such a system, Twitter's project lead Dan Tentler said, you need to inject the organisation with "vaccines". 

"The idea for boosting a company's immune system is very simple: the intention is for people to know not to click on shit, essentially," Tentler said at the Toorcon Seattle security conference.

"Eventually your employees will become white blood cells who will mark things for destruction ... everything they mark becomes a new, learned antigen and will help the system develop an immunity [so it] rarely gets sick."

In a presentation to be delivered at the upcoming Breakpoint security conference in Melbourne, Tentler will state that phishing awareness programs were ineffective beyond check box compliance, and that Twitter's interactive model could be customised to fit different organisations.

He said an effective anti-phishing program must incorporate the particular pretext that phishers use when targeting a given organisation. It could be based on the data or products an organisation offers, for example.

Twitter modelled its program in part by targeting every new employee with uniform spear phishing campaigns. Each subsequent phish increased the sophistication of the pretext beginning on a obvious scam, followed by an enticing email and finishing with a "ridiculously red-team-evil" malware-laden email.

"We see who click on things and who entered data and we can augment and tweak the program as it moves -- every phishing campaign is like a new booster shot."

These feedback loops, which also included an internal mailing list used to help staff report phishing scams, set the program apart from simple awareness training.

"Without the feedback loop, you can't build immunity because you don't know what the system is missing," Tentler said. 

The Twitter program was so successful that enterprising staff had designed Chrome extensions to detect the phishing scams. These staff, Tentler said, were tantamount to naturally-occurring antibodies.

Human trials

Twitter wants others to deploy its program. For others to do so, they must start with compiling about half a dozen phishing scenarios each with custom pretext designed specifically to target the information contained in the business that attackers would seek.

These phishing attacks must mimic real attacks as much as legally possible.

The scenarios then needed to be repeated many times to gain adequate metrics. Twitter targeted new employees with a mind that they would be more "chatty" with fellow staff, but organisations can vary who they target.

Staff who clicked through would-be phishing links should be served an immediate landing page that warned them of phishing and offered clear, technically-absent and friendly training materials and contacts for the internal security team. "You can serve them malware, or pop Java applets, it doesn't matter: you just need uniform, repetitive motions," Tentler said.

Measuring employee clicks and their subsequent interactions over time granted insight to whether staff were improving in their security awareness. Repeat offenders should be reached out in person.

Continuing the analogy, Tentler said security staff should act as doctors by responding to all staff who reported phishing scams in order to encourage employees to continue doing so. "They will pass the feedback around and it will become a security culture."

"If you've made it this far, you've basically conducted a social vulnerability assessment, and identified points of entry and attack surfaces, so now you have to remeditate vulnerabilities".

Twitter planed to include prizes for security-savvy staff and a "traffic school" to help train repeat offenders.

"Imagine never ever having to do incident response for phishing ever again; that's the prize at the end of the rope."