“Danger, Will Robinson!”
As security professionals, it is our duty to minimize risk, which encompasses protecting many things. Among these things are users. We install Web proxies, URL filtering software, anti-virus software, DLP tools, and a wide array of technology to help users avoid or mitigate these risks. We create education programs teaching users how to avoid getting caught in the traps of threat actors. Sometimes these mitigations are effective (though seen as annoyances) and sometimes they are just not.
Trusteer’s study, Measuring the Effectiveness of In-the-Wild Phishing Attacks [PDF], estimates that just one half of one percent of online banking customers are successfully phished. However, those incidents still cause $2.4M to $9.4M in annual losses per one million clients. That’s a lot of money, and it comes mostly from home-user targets.
…teach a man to avoid a phish…
A lot of companies have developed security training programs that try to teach users how to avoid phishing schemes. These programs are your typical “don’t click on emails from people you don’t know,” or “don’t open attachments you didn’t ask for.” But is this really working? It may be helpful on the very obvious phish. “I did not buy American Airlines tickets, why are they emailing them to me?” The question is, are your users still at great risk from the medium-quality to very convincing spear phish?
There have been many stories in the last few years about how a phishing attack can lead to a decently sized breach. Whose fault is that really? Are we, as security professionals, failing users? If you are unsure of how large an issue a phishing attack may become, try searching for ‘breaches related to spear phishing’. Some really large companies are on that list, and that doesn’t even include companies who have not reported an issue. This is serious bad guy business. Why? Because we grab our end-users’ attention about phishing for exactly as long as it takes to complete the presentation about how to avoid the threat and get their completion certificate.
If you went to a Cisco CCNA class and viewed a bunch of slides about networking configurations and gear, and then were expected to go set up an enterprise network, what do you think your success rate would be? This is akin to what we’re doing and we expect it to work. Let’s take this activity to the next level!
It’s Time to Get Interactive
We need to give our users labs! What better way to teach people how to avoid phishing campaigns than to teach them with safe, real, live experiences? Send them phishing emails and see if they open them or click the links in them. If they do, teach them why they shouldn’t have! Take the phishing emails you are already getting and turn them into training tools.
Derek and Will, the creators of the Spear Phishing Toolkit, had the exact same idea and have built a great tool that can be used in exactly this fashion. Create campaigns, email your users, and track who is clicking links in emails and entering credentials. These are the people who need a little more help with identifying the emails that are going to get them, and the company, into trouble. From there, you can build extra training specifically designed for them that addresses the problems they may be seeing. You can also keep a closer eye on your risky users for indicators of compromise.
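To show what “track who is clicking and entering credentials” turns into once the campaign has run, here is an added example (not code from the Spear Phishing Toolkit or its authors) that aggregates a campaign event log into per-campaign click rates and a list of users who should get follow-up training. The log format (timestamp, campaign, user, event) and the sample events are constructed for this example and are not the toolkit’s export format; the severity ranking and the training thresholds are assumptions you would tune to your own program.

```python
"""Aggregate results of an internal phishing-awareness campaign.

Constructed example: the event log format below is hypothetical,
not the Spear Phishing Toolkit's own export. Each line is
  timestamp,campaign,user,event
where event is one of: sent, opened, clicked, submitted, reported.
"""
from collections import defaultdict
import csv
import io

# Constructed sample events for two campaigns (not real data).
SAMPLE_LOG = """\
2013-04-01T09:00:00,q1-invoice,alice,sent
2013-04-01T09:00:00,q1-invoice,bob,sent
2013-04-01T09:00:00,q1-invoice,carol,sent
2013-04-01T09:05:12,q1-invoice,alice,opened
2013-04-01T09:06:40,q1-invoice,alice,clicked
2013-04-01T09:07:03,q1-invoice,alice,submitted
2013-04-01T09:10:00,q1-invoice,bob,opened
2013-04-01T09:11:00,q1-invoice,bob,reported
2013-04-01T09:30:00,q1-invoice,carol,clicked
2013-05-01T09:00:00,q2-hr-policy,alice,sent
2013-05-01T09:00:00,q2-hr-policy,bob,sent
2013-05-01T09:00:00,q2-hr-policy,carol,sent
2013-05-01T09:04:00,q2-hr-policy,alice,clicked
2013-05-01T09:20:00,q2-hr-policy,carol,opened
"""

# Assumed severity order: a user's worst action in a campaign is what counts,
# so "clicked" then "submitted" is scored once, as a submission.
SEVERITY = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}


def parse_events(text):
    """Yield (campaign, user, event) tuples from the CSV-style log."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the report
        _ts, campaign, user, event = row
        yield campaign.strip(), user.strip(), event.strip().lower()


def summarize(text):
    """Return (campaigns, users).

    campaigns: {campaign: {"sent", "clicked", "submitted", "reported"} counts}
    users:     {user: number of campaigns in which they clicked / submitted / reported}
    Only users who clicked, submitted or reported appear in `users`.
    """
    campaigns = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    worst = defaultdict(dict)      # campaign -> user -> max severity seen
    reported = defaultdict(set)    # campaign -> users who reported the email
    for campaign, user, event in parse_events(text):
        if event == "sent":
            campaigns[campaign]["sent"] += 1
        elif event == "reported":
            reported[campaign].add(user)
        sev = SEVERITY.get(event, 0)
        worst[campaign][user] = max(worst[campaign].get(user, 0), sev)

    users = defaultdict(lambda: {"clicked": 0, "submitted": 0, "reported": 0})
    for campaign, per_user in worst.items():
        for user, sev in per_user.items():
            if sev >= SEVERITY["clicked"]:
                campaigns[campaign]["clicked"] += 1
                users[user]["clicked"] += 1
            if sev >= SEVERITY["submitted"]:
                campaigns[campaign]["submitted"] += 1
                users[user]["submitted"] += 1
    for campaign, who in reported.items():
        campaigns[campaign]["reported"] = len(who)
        for user in who:
            users[user]["reported"] += 1
    return dict(campaigns), dict(users)


def click_rate(campaigns, name):
    """Fraction of recipients in `name` who clicked (0.0 if nothing was sent)."""
    c = campaigns[name]
    return c["clicked"] / c["sent"] if c["sent"] else 0.0


def needs_training(users, min_clicks=2):
    """Users who entered credentials at least once, or clicked in `min_clicks`
    or more campaigns (assumed thresholds), sorted for a stable report."""
    return sorted(u for u, s in users.items()
                  if s["submitted"] >= 1 or s["clicked"] >= min_clicks)


if __name__ == "__main__":
    camps, people = summarize(SAMPLE_LOG)
    for name in sorted(camps):
        print(f"{name}: {camps[name]}  click rate {click_rate(camps, name):.0%}")
    print("follow-up training:", needs_training(people))
```

Counting a user at most once per campaign keeps a single click-then-submit from inflating the campaign's click rate, and the `reported` count gives you the positive signal (who spotted and reported the phish) that a click-only metric hides; the same per-user table is a natural watch list when you later review logs for indicators of compromise.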
We recently implemented this type of interactive education at Go Daddy to help educate our users about the dangers of phishing and how to spot a phish… unbeknownst to them, of course. This exercise is helping us target the users who aren’t successfully avoiding a phish with more education. It’s going to take some time to tell whether or not this program is truly successful. However, it’s better than letting the bad guys ramp up their tactics and hoping that our users will be successful at avoiding the attack on their own.