GitLab goes Phishing

People often attempt to promote themselves or bolster their credibility by claiming they do good deeds. I am always amused by people who do this by claiming to do things that we are all expected to do anyway. “Why would I steal that, I pay all my bills?” or “I’m just out working hard trying to make it, I take care of all my kids”. In some social settings, such acts do set the claimant apart from their neighbors and peers, but in reality, it is what they should be doing anyway. Every member of society is expected to fulfill these basic social responsibilities. You should pay ALL of your bills and you should take care of ALL of your children.

The Git repository and DevOps platform GitLab received some very positive press this week for conducting a phishing simulation on their employees. The GitLab Red Team used the open-source phishing campaign software GoPhish to target a sample of fifty employees with an email offering a laptop computer upgrade. Not surprisingly, a significant portion of the test subjects failed. Thirty-four percent of the tested subjects clicked the link, and fifty-nine percent of those employees provided their credentials. That works out to ten employees who provided their GitLab corporate credentials to the “bad guys”.

Good job, GitLab, you did what you are supposed to do. Why the press? Well, to be honest, it seems that some of the reporters took the testing out of context and don’t understand how GitLab operates as a company. The reporters keyed in on the fact that the employees targeted were “work from home”. The press seemed to associate the testing of remote employees with the current Covid-19 epidemic. There was a subtle theme that GitLab was breaking barriers by subjecting their pandemic-affected workforce to testing that would normally be reserved for employees co-located in an office. The reporters seemed to be unaware, or at least just didn’t care (as it would lessen the theme of the story), that GitLab is, and always has been, a remote-first company. GitLab employees were working from home before Covid-19 was ever known, let alone before it caused any business to disperse its workforce.

What GitLab should be receiving credit for is the transparency and openness with which they shared the test procedures and results. Imagine a security manager calling up the CISO with the request, “We ran a security test and one-third of our employees failed. Can we publish that?” In what Fortune 500 entity does that occur?

GitLab publicly shared not only the results but also the detailed procedures used, including the language of the phishing email. All of the information was published to this GitLab Red Team Git repository.

The technical writing and documentation are also fantastic. It is a step-by-step explanation of the process, including charts and images. They even provide educational support detailing how the subjects could have identified the email as fraudulent.

Good job, GitLab. While you do not get credit for paying all your bills and supporting all of your children, you do get kudos for being so open with the results of this test. There was no requirement for you to release this information, but you did, and the entire community is better because of it!

#phishing #cybersecurity