Anything you do can become a work of art if you put passion, creativity and persistence into it. The world's most impressive paintings, compositions or the most majestic buildings, were achieved with experimentation, planning, and learning from mistakes. Click rate, report rate, repeat offenders, emotional motivators, target group, scenario, are just some of the elements combined into a complex frame called phishing programs. Most times the process of mixing and matching to create a successful program becomes to the owner somewhat a work of art.
Often overlooked, the people side of security gives exciting insight on human behaviour that frequently remains the "last line of defence" against cyber-attacks. While the constant development of technology builds more reliable tools for real-time visualisation of attacks and methods to stop and reduce the impact, some areas still rely on human judgement. In this fast-paced industry, the human element remains the one that cannot simply be patched or upgraded with a line of code. The lack of an easy fix for such a complex situation drives the widespread presence of phishing exercises in security awareness programs.
Image Source: 'https://www.freepik.com/free-photos-vectors/technology
For those unfamiliar with the term, "phishing" is a way for cyber attackers to manipulate people into giving out information or doing what they want the victim to do. These malicious actors use email, SMS, or calls to launch these attacks and forge stories that rely on emotional response. While we won't get into details about the anatomy of phishing, what we need to understand is that this type of attack is widely used because it usually requires lower effort in the preparations phase, but if successful gives a high return on investment.
Employees own credentials and overall knowledge critical to breach a company's security successfully. Malicious actors will use phishing as a way to obtain this sensitive information and progress with their attack. With phishing being one of the leading causes of the increasing number of data breaches, companies turn to internal testing for strengthening the resilience against this type of cyberattack. If there is not enough buy-in for the program, have leadership, look at the following:
Industry stats on the state of phishing. According to the 2020 Data breach investigation report issued yearly by Verizon, phishing accounts for over 20% of the top threat action varieties in breaches, occupying thus number one before use of stolen credentials (due to hacking). In the 2019 "The Cost of Cybercrime" study Accenture states that in "phishing and social engineering attacks are now experienced by 85 per cent of organizations, an increase of 16 per cent over one year".This data becomes more relevant for future action plans once a company assesses how strong its security posture is and what future investments it is willing to make.
Cost of a breach. IBM´s study shows that in 2018 the average cost of a data breach was $3.9 million, 150 $ per stolen record. With GDPR protecting the rights of EU citizens, we need to also account for fines of 20mil euros or 4% of the annual global turnover and, this does not even quantify reputational damage. The risk assessment process can drive these decisions and support for investing in security.
When requesting a budget for a phishing program, organisational data is the key to get leaderships attention. Analysing incidents is a starting point to track if and where problem areas appear. Looking into the frequency of attacks, time (money) spent by operations teams on investigating incidents can be compared with the investment in a phishing tool. We need to collate with this data any published results by organisations with active phishing campaigns to show the feasibility of testing. The evolution of our metrics across time, that hopefully represents the change in people´s behaviour, will advocate for the tool´s return on investment.
If the organisation has decided that phishing is a priority risk and needs focus, a phishing tool will go a long way. When it comes to developing skills, adults learn best by doing. Phishing campaigns are a practical way of exercising how to look out for this type of cyber threat, thus helping retain the information for longer periods of time.
When it comes to arts, culinary is one of my favourites as it requires quality ingredients, preparation, measurement, following a sequence as well as experimenting and curiosity. As an amateur cook I find the process of preparing a fine meal to that of preparing a phishing campaign for launch is not dissimilar.
Just like how baking grandma´s cake recipe requires a different experience to what is needed to prepare a French pastry, there are also differences between launching a new phishing program to managing one that has been ongoing for one or two years.
Let us see some success recipes for each of these cases.
Picking a platform is the initial step when all requirements for the tool must be listed. A phishing tool needs to be simple to use, allow easy data upload, have diverse scenarios and customizable templates. Some platforms have a user-friendly interface for updating scenarios while most will require some coding skills to do more detailed changes to the scenario´s design elements. When assessing a tool, ask the provider to explain what source they use for creating the scenarios and how often they update them.
A sound reporting system is essential to reduce manual work when providing stats to leadership.
Your first campaigns. If the program is just about to be launched, include all employees in the exercises and use a very simple scenario. Quarterly launches are a good way to get people used to the exercise and to gather data for baselining the company's overall click rate. This result will drive the program in year two, including the awareness activities. Before launching the first exercise, it is advisable to run some awareness sessions, so people have the basic knowledge on how to spot them.
Teachable moments. The practicality of the phishing exercise creates memorable opportunities to spread awareness messages. Use the post click landing page to give info about the program and where to report suspicious events. At the end of each campaign, send a follow-up message and give them a brief about the result, signs they could have looked for, and reiterate where to report suspicious emails.
SOC is your best friend. Phishing exercises largely impact the Security Operations team. Before launching any campaigns, agree with the team the exercise date and provide a sample of the scenario.
Metrics. Measuring results is key to show executive leadership the value of the program and how exposed the organisation might be. Susceptibility rate or put simpler, the click rate is being measured against the number of targeted populations. Reporting will be more valuable if it includes numbers on report rate registered by SOC as well as stats on repeated clickers.
You won't always have a linear progression of the results as these will change depending on the difficulty of the scenario. Include in the reporting insights about the difficulty level and observations that help in accurately understanding the results.
On the safe side of the law. Intellectual property and copyright must not be overlooked. We cannot just impersonate another brand even if it is for educational purposes. Unless there is written approval from the company whose name we want to use, the legal team can give guidance on how we should proceed. Well known providers will not allow the build of scenarios that might pose an interference with the law.
Phishing recipe #1 - Advanced
Three or four campaigns with different type of scenarios give a good idea of the organisation´s posture. Data interpretation supplies the list of opportunities for improvement and drives next year's plan.
Let us see what recipe we can apply as advanced phishers.
Reassess your platform. Whether the product is due for renewal, or if you are unhappy with it, a periodic assessment of the platform is a must. New releases improve the experience and effectiveness of using these tools. Two such features are integration with Active Directory for automating data upload and the use of AI to schedule future scenarios based on the individual result obtained by each employee. There is also an increased focus on offering diverse training material which is an excellent option if we do not have much budget to work with.
Automation of reporting. Excel sheets will become harder to manage in time. Senior leadership wants visibility and easy access to data; thus, a reporting dashboard can really highlight the value of our work. Existing security dashboards built in-house can easily connect to the phishing platform using an API. Configuration of a proper reporting view can be developed by the more technical colleagues. Often just asking for ideas and planning the work ahead of time will give excellent results and a sense of teamwork.
Spicing up the scenarios. Without variation, people will quickly get used to the way you build your campaigns, making them somewhat unresponsive. Gradually increasing the difficulty level will keep them on edge as well as more prepared for the real threats that are out there.
Reassess the approach. Once done with baselining, you need to reassess the program and build on the lessons learned. While targeting the entire organisation makes data comparison easy, sending out mass emails to all employees will tip them off, impacting the accuracy of results. As a solution, the random sampling-based approach provides a more accurate picture of how well people recognise phishing emails when no one else around gets them. A targeted approach creates realistic scenarios based on a person's role in the company and is the closest we get to prepare people for real phishing attempts. In terms of percentage, a 30% random sample of the user base should give representative results.
In an advanced phase of the program, you can start combining the two approaches and decide to increase or decrease the frequency of your exercise. This moment in time is also when you can start using in the program real-life scenarios your SOC team records.
What to do with repeat clickers. Often called repeat offenders, these people can pose a risk to the organisation. Some companies use a process where the first "offence" will be followed up by an email, the second by a classroom training, and the third will include reporting managers in the conversation. The organisational culture will be the best compass to define what the right approach looks like. Regardless of the decision, being assertive in our communication and understanding why they keep falling these exercises is essential to a good collaboration.
Awareness approach. The way we do awareness activities or training between phishing campaigns should change along with the program to increase engagement. Traditional phishing classroom sessions can be replaced with a workshop in which people learn to build their own phishing campaign. While some might argue how ethical this is, unless we have techies in the audience and give them a runbook, they will not know how to launch their own attacks. Another engagement approach is to involve people in giving ideas for future campaigns. A competition and a prize might incentivise participation while creating a sense of teamwork.
Make it easy to report. Measuring the report rate tells us how much we can rely on people to call out suspicious events. To increase this number and motivate people to take action we have to give them the proper tools. Rolling out a phishing report button in outlook makes escalation accessible to everyone. Post installation the number of emails will spike, so have all involved teams ready.
Whether we just started, or we are a couple of years in the program, phishing tests can always bring surprises. Since it is solely relying on human behaviour, with each campaign, there is something to discover, or at least this was my experience.
After three years of phishing, here is what I learned and what I would advise:
Do an official launch. Start your program by communicating to all staff what you will do. An initial comms before the program brings everybody onboard, sets expectations and reduces the perception of "shadow security activity". When speaking with new joiners, make sure they are aware of the phishing program and why it is being rolled out.
Buy your domains. Vendors offer a list of domains to use, but these might not be matching the scenarios, or become already known by users after a couple of exercises. A good practice is to buy all available domains that are similar to the company's original one. Acquiring these domains protects the organisation from typosquatting and helps with simulating more realistic phishing attacks.
Don't start with the mentality of catching people in your "net". Remember that your target group consists of adults who do not like to feel continuously tested or assessed to fail. A fundamental characteristic of adult learning is the need for respect. Treat them so and be constructive with the feedback and comms. While not falling for phishing is the ideal goal, we know that our click rate will never be 0. What we want is damage control as fast as possible, so encourage people to report to the SOC team.
Assertive comms goes a long way. With the increase in sophisticated attacks, it is becoming challenging to spot phishing. With filters and scans in place, only the truly good attempts will slide through the system, these being more difficult to recognise. Reinforce the idea that phishing can be hard to spot, that accidents can happen, and instead of feeling ashamed, staff members should raise a flag to the designated incident management team.
Make it relatable. Going back to adult learning, people need to understand why they are doing something before they do it. Be clear on why phishing is critical by sharing real-life cases. SOC is the best source that can help you with data. Sharing what other colleagues have been exposed to makes phishing real and relatable.
Don´t name and shame. There might be several reasons why people click on links, so try and understand first the reasons. Adapt training or awareness according to peoples learning needs, so they become equipped with the knowledge they need to spot phishing. Adults do not react well to being called out or generally to negative reinforcement, use assertive communication when pointing out repeated issues created by a person. Ultimately, have an agreed process to escalate any severe cases where staff members expose (intentionally or unintentionally) the company to risks.
Phishing is not an exact science, so experiment. Use a wide range of emotional motivators. Test them and see what is important to your people. Scenarios of similar difficulty can land different results depending on the emotional motivators used. Make assumptions before each exercise, assess the elements that differ from one campaign to another and connect the dots based on the results. Factors such as time of the year (Holliday season, significant events in the company) will impact your campaign. While many providers say that a data entry scenario is of high difficulty, what matters is how your scenario impacts the target´s interest.
Closing: As a security awareness professional, I advocate for the importance of the human element. My experience has taught me so far that there is no perfect or one tool-fix-all solution. It is always a mix of means adapted to the organisation's needs that will drive your efforts and ultimately the result. Technology will give a fast-paced response, but people are sitting behind those technologies. Good and transparent communication is key to keeping staff engaged and feeling like we are all building something together. I strongly disagree with the much-repeated expression that people are the weakest link, and even if that is true basing our program on this assumption will eventually create a more significant gap. Security is the employees' responsibility too, and there needs to be a consequence for risky actions, but security awareness professionals have a significant role to play. We need to remember our responsibility is to equip people with the knowledge they need to recognise phishing attacks, and the tools we choose to do that becomes a work of art.
by Joao Morais
by Ovidiu Mățan
by Vlad But