As we have continued to improve anti-phishing capabilities for clients over the past few years, we have seen a myriad of changes in phishing email composition, style, and approach. Throughout all those changes however, one thing has remained the same.
For the past few years we have discussed the power of emotion in phishing emails. This is never more valuable to understand than during the upcoming Valentine’s season. The traditions of gift giving to current partners and the romanticized notions of hearing from a secret admirer are so firmly ingrained in our minds that we become easy targets for scam artists.
In our 2017 Enterprise Phishing Resiliency and Defense Report, PhishMe® discusses the importance of moving past susceptibility as a key indicator of anti-phishing program success. We want to shift the conversation from vulnerability (susceptibility) to capability (resiliency).
That is, what are an organization’s current anti-phishing capabilities—and how is positive behavior increasing them over time to build resiliency?
The chart below tracks user behavior during phishing simulations across our clients. In it, resiliency is the number of users that “reported only” divided by the number that fell susceptible, where the susceptible group includes users that reported after falling for the simulated phish.
Figure 1 – Three-year Resiliency Trend across PhishMe Clients
As you can see, PhishMe clients using PhishMe Reporter® show consistent gains in the capability to recognize and report phishing simulations. In other words, they are becoming more resilient to attack.
Using our formula…
Resilience = Users that Reported Only/All Susceptible
…we can determine the current level of resilience, to any specific phishing simulation or known active threat model. It’s a snapshot of the capability to recognize and report.
To see how this capability changes over time, let’s look at a chart that measures all the ways users behave in simulations.
Figure 2 – Behavior Analysis Chart
While the ideal outcome would be for all tested users to report only, that’s unlikely to happen. But we can track two other key percentages shown above:
- Responded to Simulated Phish – Did Not Report
- Responded to Simulated Phish – Reported
Because the change you want to see is more reporting of suspicious emails, you expect a steady increase in “reported only” and in “responded and reported.” So if you ran the simulation above again against the same user base, you would want the 43.63% “reported only” and the 2.25% “responded and reported” to rise, and the 14.23% that responded but did not report to fall.
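The arithmetic behind Figure 2 is easy to get subtly wrong: “all susceptible” has to include the users who responded and then reported, and an aggregate score across many simulations should be computed from pooled counts rather than by averaging each simulation’s ratio. The following is an added worked example written for this post, not PhishMe’s own code. It buckets per-user simulation events into the four behaviors shown in the Behavior Analysis Chart, applies the resiliency formula from the post, and checks the result against the Figure 2 percentages. The event names, user names and simulation counts are constructed for illustration.

```python
"""Resiliency scoring for phishing simulations (added example, not PhishMe code).

Implements the post's formula:

    Resilience = Users that Reported Only / All Susceptible

"All Susceptible" = users who responded, whether or not they later reported.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed event vocabulary for the example; a real platform has its own.
RESPONSE_EVENTS = {"clicked", "submitted_credentials", "opened_attachment"}
REPORT_EVENT = "reported"


@dataclass(frozen=True)
class Event:
    user: str
    action: str


def classify_users(events: Iterable[Event], recipients: Iterable[str]) -> Counter:
    """Bucket every recipient into one of the four chart behaviours.

    Order of events does not matter: a user who clicked and reported (in
    either order) is "responded_reported" and counts as susceptible.
    """
    responded, reported = set(), set()
    for ev in events:
        if ev.action in RESPONSE_EVENTS:
            responded.add(ev.user)
        elif ev.action == REPORT_EVENT:
            reported.add(ev.user)
    buckets: Counter = Counter()
    for user in recipients:
        r, p = user in responded, user in reported
        if r and p:
            buckets["responded_reported"] += 1
        elif r:
            buckets["responded_not_reported"] += 1
        elif p:
            buckets["reported_only"] += 1
        else:
            buckets["no_action"] += 1
    return buckets


def resiliency(buckets: Counter) -> Optional[float]:
    """Reported-only users over all susceptible users.

    Returns None when nobody was susceptible: the ratio is undefined, not
    "infinitely good", so it should not be plotted as a score.
    """
    susceptible = buckets["responded_reported"] + buckets["responded_not_reported"]
    if susceptible == 0:
        return None
    return buckets["reported_only"] / susceptible


def aggregate_resiliency(per_simulation: Iterable[Counter]) -> Optional[float]:
    """Pool raw counts across simulations, then take the ratio.

    Averaging per-simulation ratios instead would let a tiny simulation with
    one susceptible user and a huge ratio dominate the programme-wide score.
    """
    total: Counter = Counter()
    for b in per_simulation:
        total.update(b)
    return resiliency(total)


# Constructed sample: eight recipients of one simulation.
SAMPLE_RECIPIENTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_EVENTS = [
    Event("alice", "reported"),
    Event("bob", "clicked"), Event("bob", "reported"),
    Event("carol", "clicked"),
    Event("erin", "reported"),
    Event("frank", "submitted_credentials"),
    Event("grace", "reported"),
    Event("heidi", "reported"), Event("heidi", "opened_attachment"),
]


def sample_buckets() -> Counter:
    return classify_users(SAMPLE_EVENTS, SAMPLE_RECIPIENTS)


# Percentages read off Figure 2 in the post; percentages work as well as
# counts because the formula is a ratio within one population.
FIGURE_2_PERCENTAGES = Counter(
    {"reported_only": 43.63, "responded_reported": 2.25, "responded_not_reported": 14.23}
)

# Constructed per-simulation counts showing why pooling matters.
SIM_A = Counter({"reported_only": 10, "responded_not_reported": 1})    # ratio 10.0
SIM_B = Counter({"reported_only": 100, "responded_not_reported": 100})  # ratio 1.0

if __name__ == "__main__":
    print(sample_buckets(), resiliency(sample_buckets()))
    print("Figure 2 resiliency:", round(resiliency(FIGURE_2_PERCENTAGES), 2))
    print("Pooled:", aggregate_resiliency([SIM_A, SIM_B]),
          "Mean of ratios:", (resiliency(SIM_A) + resiliency(SIM_B)) / 2)
```

On the Figure 2 numbers the score is 43.63 / (2.25 + 14.23), roughly 2.65, which is the same kind of figure as the 2.63 aggregate quoted later in the post. The pooled versus averaged comparison is the check to run before publishing a programme-wide number: the two constructed simulations above average to 5.5 but pool to about 1.09.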
This shows how the real goal of anti-phishing programs goes beyond finding vulnerabilities. The longer-term goal is to fortify capability—to build resiliency. Simply put, you want every user that interacts with a simulation to report it.
To learn more about successful anti-phishing programs, be sure to download the 2017 Enterprise Phishing Resiliency and Defense Report.
With the steady rise in ransomware attacks and success, it’s highly likely that related phishing variants will continue to permeate the landscape in 2018.
While this is not a new threat, it’s one that you want to be truly prepared to face. With that in mind, we looked back into our 2017 data and what we found is good news for those clients running active threat ransomware simulations in their environment.
Across 246 simulations and more than 712k emails, the aggregate resiliency score was 2.63. That is, for every user that fell susceptible in our simulations, more than two users reported the simulated threat without falling for it.
What this ultimately shows us is that clients can develop recognition and reporting capabilities for these types of attacks when active threat templates are used in immersive simulations. Further, it indicates that these organizations are better prepared to mitigate this threat should it materialize in their environments.
As we have discussed in past blogs, these results highlight the importance of understanding what your organization is seeing in terms of real attacks and that anti-phishing programs should focus on those threats to mitigate the risk of breach.
This represents a fundamental shift in how we think about getting ahead of hackers, APTs and other malicious actors. In the past, the conversation has always been about how fast we identify a breach after the fact.
Now, it’s about utilizing “crowd sourcing” as a strategy to catch hackers in the act.
At PhishMe®, we do this by ensuring our anti-phishing programs include spear-phishing simulations that target high value, at-risk users with scenarios that mimic real world attacks. Each immersive simulation includes reporting instructions for those that fall susceptible and conditions users to do their part for organizational security.
How to Pay It Forward
Utilize multiple intelligence sources to identify exactly who is being targeted by what type of phish and mimic those attacks on a broader scale to drive recognition and reporting of specific threats.
- Work with your intel and incident response teams to identify active phishing attacks against your organization.
- Model simulations based on those identified threats.
- Stress the importance of reporting for all users that recognize a phish (even in the event of susceptibility).
- Repeat low resiliency simulations to improve performance and increase organizational capabilities.
As the data in this blog shows, we can prepare an organization’s users to resist active threats.
The key is developing the ability to act on what is being reported. In other words, until we analyze reports of suspected phishing attacks we are only collecting intelligence data.
It’s time to take that data and make it actionable.
Current PhishMe Triage™ Managed Services data shows that 10% of reported (suspected) phish are in fact malicious. In other words, 10 of every 100 suspected phish that made it past your perimeter defenses have the potential to cause a breach, and the other 90 still have to be triaged to find those 10.
It’s through analysis of those reports and mitigation of validated threats that we pay ourselves (by reducing value at risk) and avoid paying ransoms to malicious actors. The companies in our data set above are prepared to do just that.
To learn more about becoming more resilient to phishing, download the 2017 Enterprise Phishing Resiliency and Defense Report.
Do we really need another Halloween-themed security blog?
Yep. We do. Not because our edgiest holiday triggers more cyber threats. No, Halloween season is scary because it’s been absorbed by the winter holidays—the spendiest, cyber-riskiest time on the retail calendar, beginning in mid-September and lasting until…it ends, right?
When considering your organization’s response to a simulated phish, it is critical to understand that we are emulating, and practicing for, real-life events, with the purpose of conditioning appropriate response patterns in our user base.