Choosing the Right Phishing Platform

Andrew Long
4 min read, Mar 15, 2020


It’s always difficult to tell an imaginary person (in this case, you) what is best for them. There are too many choices and too many factors to give a one-size-fits-all recommendation. So instead, let’s talk about what you might try to accomplish, and which questions you should be asking yourself in order to find the best tooling for you.

Let’s illustrate what’s possible by providing a few scenarios.

Scenario 1: The Dev Team

Richard owns a small software development firm in the Bay Area. Though his company has fewer than 50 employees in total, they are a diverse mixture of on-site and remote workers who don’t always communicate very well. In fact, many of his employees never have contact with each other. This leads to a situation where anyone who has done their homework on Richard’s company could easily phish his employees by simply pretending to be a coworker.

Luckily, Richard’s CTO is a smart guy. He can see a high-risk situation unfolding and has started to look for ways to mitigate their risk while educating their workforce. He begins to assess their situation and deduces the following:

1. They have a small number of employees.
2. They cannot afford an enterprise solution.
3. They have a small Security team that will have to orchestrate this.

After careful consideration, Richard and his CTO decide to go with an open-source offering called Speed Phishing Framework (SPF). The allure of SPF came from its ease of use and the ability to orchestrate it entirely from the terminal, which was a huge plus for his Security Engineers. It doesn’t have a GUI, but it can be automated relatively easily. And hey, it’s free.

Scenario 2: The Mid-Sized Paper Company

Mike is the regional manager of a moderately successful paper company in New England. Recently, a successful hacking attempt led to the defacement of a load of stationery, and cost the company a lot of money in damages. The head of IT at his branch has tracked the attack back to a malicious email sent to the accounting team. Not wanting to risk another situation like this in the future, Mike begins looking for a solution to educate his employees about the dangers of phishing, and to provide some insight into who in the company is at risk. After painstakingly researching products, he decides to forward his research to the company’s CISO, Dwight. After reading Mike’s list and supplementing it with his own knowledge, Dwight settles on these factors:

1. They have a decently large number of employees, ~300.
2. They have multiple branches, and would need to manage user groups.
3. They would like to have regular reports, and to maintain statistics.
4. They’re still trying to save money after the loss, so open-source is preferred.

Mike and Dwight come to an agreement: they’ll use GoPhish. GoPhish is a free and open-source platform featuring campaign scheduling, user group management, RBAC, event collection, and a webhook feature that would allow them to feed data into their already-established Splunk instance to help with report generation. All the Security Team had to do was put up a VM with GoPhish on their corporate server, and away they rolled. The UI isn’t too bad, either.
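As an added example (not code from the article or from the GoPhish project), here is the receiving side of the webhook-to-Splunk pipeline described above: a small handler that rejects any post whose HMAC-SHA256 signature doesn’t match the shared webhook secret, then rolls accepted events up per campaign in the shape a report would use. The signature scheme (a `sha256=<hex>` value in the `X-Gophish-Signature` header) and the event message strings such as "Email Sent" and "Clicked Link" are taken from GoPhish’s webhook behaviour as I know it, not from this page; the secret and the sample posts are constructed.

```python
import hashlib
import hmac
import json
from collections import Counter, defaultdict

# Assumed from GoPhish's webhook implementation (not stated in the article):
# the raw JSON body is signed with HMAC-SHA256 under the configured secret and
# the hex digest is delivered as "sha256=<hex>" in this header.
SIGNATURE_HEADER = "X-Gophish-Signature"


def verify_signature(secret: str, body: bytes, header_value: str) -> bool:
    """True only if header_value equals "sha256=" + HMAC-SHA256(secret, body)."""
    expected = "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the receiver can't be probed byte by byte.
    return hmac.compare_digest(expected, header_value or "")


def accept_event(secret: str, body: bytes, headers: dict):
    """Return the parsed event for a correctly signed post, or None to drop it."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER, "")):
        return None
    return json.loads(body)


def summarize(events: list) -> dict:
    """Per-campaign counts of each event type (e.g. how many clicked vs. were sent)."""
    per_campaign = defaultdict(Counter)
    for event in events:
        per_campaign[event["campaign_id"]][event["message"]] += 1
    return {cid: dict(counts) for cid, counts in per_campaign.items()}


# Constructed sample data: a webhook secret, three properly signed posts, and one
# forged post carrying a bogus signature that the receiver must refuse.
SECRET = "example-webhook-secret"


def _signed(payload: dict):
    body = json.dumps(payload).encode()
    sig = "sha256=" + hmac.new(SECRET.encode(), body, hashlib.sha256).hexdigest()
    return body, {SIGNATURE_HEADER: sig}


SAMPLE_POSTS = [
    _signed({"campaign_id": 1, "email": "a@example.com", "message": "Email Sent"}),
    _signed({"campaign_id": 1, "email": "a@example.com", "message": "Clicked Link"}),
    _signed({"campaign_id": 2, "email": "b@example.com", "message": "Email Sent"}),
    (b'{"campaign_id": 1, "email": "x@example.com", "message": "Submitted Data"}',
     {SIGNATURE_HEADER: "sha256=" + "0" * 64}),
]


def process(posts=SAMPLE_POSTS, secret=SECRET) -> dict:
    """Run every post through the signature check and summarize what survives."""
    accepted = []
    for body, headers in posts:
        event = accept_event(secret, body, headers)
        if event is not None:
            accepted.append(event)
    return {"accepted": len(accepted), "rejected": len(posts) - len(accepted),
            "summary": summarize(accepted)}


if __name__ == "__main__":
    print(json.dumps(process(), indent=2))
```

In a real deployment the handler sits behind an HTTPS endpoint and forwards each accepted event to Splunk; the forged post above is exactly what the signature check exists to keep out of the reports.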

Scenario 3: The Uber-Conglomerate

Bob’s father built this company 40 years ago from the ground up, and now Bob is sitting on top of an international corporation with thousands of employees. Being at the heart of American industry means always being in the crosshairs of bad actors, both foreign and domestic. Recent developments in foreign affairs have put Bob’s CISO, CTO, and CIO all on edge. They are sure the company will see a tremendous surge in phishing attacks in the coming months. After a two-week-long binge of sprints, standups, and other laborious meetings, the higher-ups have noted a few important points about their company:

1. They have too many employees to manage with a smaller platform.
2. They need complete transparency with operations.
3. Product support is a must; things always break eventually.
4. There is a lot at risk.

After a vote of 6:3, the newly formed Phishing Committee has decided to adopt Sophos as their enterprise phishing simulation platform. Sophos features hundreds of prebuilt templates, comprehensive reporting, and data collection, and it automatically provides Security Awareness Training to those who fail a phishing attempt. It’s a bit pricey, but Bob figures it’s an investment in their future.

So What’s the Gist?

Basically, it all comes down to budget, number of employees, need for reporting, and how you’d like to handle education. GoPhish is a popular choice for small to mid-range companies with a skilled IT department; larger clients tend to opt for paid platforms. Look around and get acquainted with the landscape; the reality is that, as a Security Engineer, you’ll probably have to use a few. As a manager or C-level exec, knowing what is possible and what is available will allow you to pick the best fit for your company.


Andrew Long

Principal Product Security Engineer @ Flock Safety. Avid security researcher, dedicated father, and nerdy analog electronics collector.