A fun red team event to reinforce security best practices
By: Olivia Brundage
October is Security Awareness Month in the United States. To raise awareness about security threats, we celebrated with a series of hacks against everyone in the company. This was a fun competition to see who could identify the most hacks before the security team “captured” them.
Scaling security is hard. As a security team, we can’t have eyes and full automation everywhere. Certain threats require team members across the entire company to make good security decisions; they are the first line of defense. Good training is time-consuming, and people may not always listen to presentations or read through guides and checklists. Even with the right training, if your environment is stifling or punishing, people won’t feel comfortable reporting a real security issue. We needed a creative way to show our team both the necessities of being secure and that it’s safe to report issues. To accomplish this, we built our Hacktober event around empathy and a code of ethics.
Hacktober, our month-long company-wide red teaming event, was our way to provide fun and practical training on basic security principles, show ways for staff to secure themselves, as well as to compete with the rest of Mapbox to see who could identify the most hacks. It was also our way to internally test how our security operations team receives, triages, and resolves security reports. Our main motivation was to make this security training memorable and enjoyable — and not a death by PowerPoint experience.
For example, we teach that plugging wandering, unknown USB sticks into your computer is bad. But for many, experiencing is believing. While a malicious USB stick may not be the most common threat in corporate America, the exercise of being hacked reinforces the larger issue of trusting unknown files, whether on a USB drive, in an attachment within your customer support software, or in an email attachment that appears to be from someone you work with.
Empathy & Blamelessness
To kick off Hacktober, the security team posted an internal blog post with all of the logistics and competition information. Even more importantly, we reiterated Mapbox’s core value of empathy and how it relates to reporting security issues. Bad news does not get better with time. As a security team, we strive to create a safe environment that allows people to report issues without feeling they will be blamed or victimized.
To foster this environment, we practice blameless post-mortems. If a team member falls victim to an attack, we look at ourselves first. Do we have documentation that teaches that particular security concept? Is that documentation easily accessible? Are people aware this documentation exists? These questions better position our team to teach people how to thwart future attacks.
When you are hacking the entire company, it’s important to have ground rules. People’s time and data are precious. We didn’t want to perform a hack that would cost someone’s entire day nor would we want to reveal private information. We didn’t delete or ransom any data or disrupt production. By knowing our valuable assets and threat model, we designed this red team exercise to teach people basic security concepts without sacrificing time, money, and mental health. This helped us teach valuable awareness and build trust with our team.
Hack. Learn. Repeat.
When we saw multiple people falling for the same hack, we would write up internal posts educating everyone about the warning signs and consequences of falling for it. We then repeated the hacks in slightly different formats in order to measure people’s ability to identify and report attacks after these education efforts.
Our red team commanders orchestrated the attacks each week. As a team, we aimed to launch 3–5 attacks per week across all our offices, spanning from DC to Bangalore, India, and including our remote employees. We also switched out our red team commanders weekly, which gave each new hack a fresh perspective. Since the red team commander had the most eyes on the ground, they were in the best position to evaluate how well the attack went and what our strengths and weaknesses were as a company. To make an effective hand-off, we held a weekly retrospective meeting that captured what happened that week, what would happen the next week, and what was and was not working.
If somebody fell victim to a Hacktober hack, we kept this information private and within the security team, just like we’d do in a real scenario. Mistakes turned into teaching moments that framed our posts. We told the story of the hack, how to identify it, and explained the trust the attacker was trying to exploit so that people would understand the mindset and strategy behind threats. Some of the most powerful moments of the event were when an individual fell victim to an attack and then immediately shared with neighbors what happened and how they were tricked. This spread the word about security and risk to people not even directly affected by an issue. In fact, the word Hacktober eventually became a verb — “I was Hacktobered!”
Points & Competition
Friendly competition keeps things fun, so we awarded points to those who reported a security event. We didn’t announce any of the Hacktober hacks; anything that seemed odd or suspicious was up for grabs! It was then up to the security operations engineer triaging security reports that week to determine whether the report was valid. If it was valid, both the reporter and Team Mapbox would be awarded a point. For any hacks that went unnoticed, or that people fell victim to, the red team would get a point. By having both an individual and a company-wide point system, we could track who found the most hacks and how many reports in total were received.
The prize for reports? Anyone’s first report would earn them a Hacktober sticker. The top 25 people would receive a special branded Mapbox Hacktober shirt.
This points system actually led to people reporting issues that wouldn’t normally have been reported but were real security issues we needed to address, for example a WiFi password left up on a whiteboard in a meeting room. Because no one knew what was a hack and what wasn’t, it raised situational awareness for everyone. Does that mysterious suitcase belong to someone, or are you being Hacktobered?
Testing Ourselves
We integrated Hacktober hacks into our existing on-call process so we could test our own Incident Response Framework. The security operations team at Mapbox maintains a 24/7/365, multi-tiered on-call schedule. The person currently on call would be the “blue team commander” for the week and would triage reports as they came in. Keeping the blue team out of the loop as much as possible allowed us to see where we needed improvements. For instance, we realized the way we handled phishing attacks was too time-intensive and noisy. We have since streamlined our process, reducing back-and-forth follow-up.
Before kicking off the event, we ensured our internal documentation was up to date. We have a help file that explains how to report a security issue, how to escalate a security issue, and an FAQ. Reinforcing the correct way to report a security issue minimizes the likelihood that an issue will be reported out-of-band, such as through a direct message in Slack or a passing mention in a channel that could go unnoticed. We put a lot of effort into training our team on how to communicate with us, so that they would know exactly where to find help or report issues after Hacktober.
Keeping up the momentum
A month is a long time to run a security event; we had to be creative to maintain enthusiasm and interest.
Our awesome spaces team created wonderfully designed security-themed “Fun Fact” posters every Friday. These posters included a recap of Hacktober and who was in the lead, fueling the competition.
After each week, we would also recap the hacks in an internal post. Because people saw that our red team was successful in hacking their fellow team members, the security message was more powerful. Finally, we celebrated anyone who uncovered a hack with a company-wide announcement to keep the event top-of-mind and also incentivize awareness.
Setting up your own event
Structuring a month-long security event depends on your organization’s structure and culture. What works best for us will be different for you. We found that combining situational learning and an empathetic approach was a great foundation that anyone can build on. If you need some easy and effective hack ideas, we felt that these worked well for us:
- Place “free” USB sticks around the office. You can test people’s situational awareness by leaving fake malicious USBs and seeing if they report these drives or start to use them.
- Leave computers out and about. Back in 2012, 52% of all corporate laptop thefts happened in the workplace. By leaving out spare laptops, we wanted to see if anyone would notice and try to find the owner. Now when there’s a laptop just lying around, people call it out.
- Put a “Lock Your Computer” message on unlocked computers. It’s easy to walk away from your desk and leave your computer unlocked, leaving sensitive work exposed for everyone to see. Any time we saw an unlocked, unattended computer, we would plug in a USB stick that ran a script to display a “lock your computer” message.
- Use fake social media accounts to phish. Security trainings typically overlook social media as a vector for phishing attacks. We created fake social media accounts, like on Twitter and LinkedIn, and posted or direct messaged spammy content.
- Send out phishing emails. After our first round of phishing, we sent out an internal post with techniques for spotting fake emails. We repeated the campaign several times with different iterations and supported each attempt with education and training materials.
Security training shouldn’t be time-boxed to one month. Smaller red team activities throughout the year can continuously educate everyone about security risks, defenses, and reporting practices. Practicing blameless post-mortems and empowering our fellow team members made this event worthwhile. For us, this exercise has made everyone more cognizant of security issues, even if it’s made us a little more paranoid.
Do you enjoy solving difficult security problems with empathy and creativity? Come join our team! We’re hiring.
Host your own Hacktober was originally published in Points of interest on Medium, where people are continuing the conversation by highlighting and responding to this story.