Rethinking Security Awareness? Fine-Tune Your Simulations

Part 2 of 2

In part 1 of this short series, we gave tips on re-energizing a mature security awareness program. We noted the importance of reassessing your organization’s risk profile and communicating with users as you educate them on phishing. For part 2, let’s look at anti-phishing through the lens of simulated threats.

How to Refocus Your Phishing Simulations

If you manage a security awareness program, you need to educate users on phishing emails that land in their inboxes—active threats like malware, business email compromise (BEC), or sextortion. This means talking to your SOC to understand the threats your business faces, then running simulations of those same threats. The objective isn’t just to educate users to spot phishing but to condition them to report threats, so the SOC can respond faster.

If you’ve been running simulations for some time, here are proven ways to reinvigorate your program.

Give Users an Easy Way to Report

To repeat, reporting is what you’re after. Make it easy for ALL users to report a suspicious message by giving them an EZ button. Cofense PhishMe™ customers can (and should) deploy Cofense Reporter™, our email toolbar button that lets you report with one click.

If users don’t report threats, the SOC is blind while the danger spreads. Well-conditioned users become human sensors that send valuable threat intelligence to your security teams.

Send Targeted Simulations

As you build resiliency across your organization, send different simulations to different kinds of users: high-value targets in human resources or finance, repeat clickers, and new hires/new users. You’ll also want to continue sending campaigns to your full population.

Simulate Emerging and Active Threats

The phishing scenarios in Cofense PhishMe are based on real threats, thanks to constant input from our threat intelligence teams. For example, we see a lot of emerging threats, those observed in the wild, using phony invoices and purchase orders. Threat actors have a good understanding of how organizations process payments and emulate those methods to disarm users.

If something seems familiar, users are more likely to open an attachment or click links to file-sharing sites like SharePoint. Another example: users often feel safe using sites that display the HTTPS prefix and padlock symbol. They look for these on e-commerce sites asking them to enter personal information. There’s been an uptick in threat actors leveraging HTTPS in phishing emails, so you might use this tactic in your simulations.

Also be sure to send simulations that mirror active threats—phishing emails that get past your organization’s secure email gateway (SEG). Again, communicate with your SOC to learn the latest examples. If your organization is a Cofense Triage™ and Cofense Vision™ customer, these incident response solutions can give you deeper insight.

As your phishing awareness program matures, it needs to stay current with your phishing risk. Teach users to report more nuanced attacks should they breach the perimeter. To counter today’s threats, your organization, all of it, needs to keep up with the times.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Is It Time to Rethink Your Phishing Awareness Program?

Part 1 of 2

As seen in Cofense™’s 2019 Phishing Threat & Malware Review, threat actors innovate relentlessly. Technologies like secure email gateways (SEGs) can’t keep up. In fact, the vast majority of phishing emails verified by the Cofense Phishing Defense Center™ are found in environments using SEGs.

With so many malicious emails making it past security controls, the human factor becomes decisive. This means your phishing awareness program needs to stay in fighting trim. In particular, it’s important to educate users on attacks that breach your perimeter, working with your SOC to focus on the most frequent threats.

If your program has been up and running for a few years, it may be time to rethink what you’re doing. Let’s start by looking at your threat profile and your program’s approach to communications.

Rethinking Your Threat Profile

If you conducted a risk profile in the past, consider revisiting your findings to see if they reflect both your internal environment and external threats. If your business has never done a risk profile, you should probably set a cadence to review your company’s risks.

Threat actors look at a lot of factors before targeting an attack, so your phishing awareness program should do the same. Privileged access users and high-risk business functions, geography, technical environment, adherence to compliance standards, and corporate communications and email style can all be used to launch a phishing attack.

One smart way to identify risks: review all Software as a Service (SaaS) applications. Because these applications use email to send, receive, and log communications, threat actors can easily leverage them to design attacks. Cofense CloudSeeker™ is a free tool that can help. It allows you to report on SaaS applications configured in your environment, including any provisioned without IT’s knowledge. CloudSeeker starts with a catalog of popular SaaS applications and checks each to see if a domain has been configured for use.

If your organization uses any well-known hosted services, remind your staff of the dangers of credential phishing and spoofed websites. Credential simulations are a good idea. You might also use newsletters or announcements to spread the good word. Speaking of which…

Rethinking Your Communications Approach

One of the keys to a successful phishing awareness program is a communications plan. You need to communicate regularly, including before and after each simulation.

Cofense PhishMe™ offers content to help you communicate better. You can use it to remind employees why they’re receiving email training in the first place, plus arm them with the information they need to be successful.

You can use a newsletter, for example, to educate employees on phishing emails that spoof brands like LinkedIn. For legal reasons, you shouldn’t spoof a brand in a simulation, but a newsletter post can warn users that some branded emails are fakes.

Also, embrace the power of “Thank you!” When users report an email and get an immediate response with a thanks, they’re more likely to report again. Users want to know what happens after they act. They also want to know what next steps, if any, they should take. Should they process that invoice? Can they post that purchase order or send it on for signature? Don’t keep them in the dark—communicate and pass out kudos.

In part 2 of this blog, we’ll look at rethinking your simulations. How can you make sure they’re helping to guard against real threats? Stay tuned.


This Company Turned a Phishing Attack into a Teachable Moment

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization.

Following is a real example of one Cofense™ customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect.

First, the company leveraged information from a real credential phishing attack.

This company trains its employees to recognize and report phishing. The team responsible for the anti-phishing program took advantage of a monthly report from the Cofense Phishing Defense Center (PDC), which analyzes and escalates user-reported emails to alert customers immediately to verified phishing threats.

The monthly report described a phishing email, one seen in a different industry, that asked users to perform an urgent network upgrade. “Action required”—just click a link. Upon clicking, users would be taken to a site where they would enter their network credentials.

The Cofense PDC sees hundreds of thousands of similar emails targeting customers each year. Here’s a sample:

Next, they simulated the attack to educate employees.

Credential phishing is an epidemic. To help their employees spot a credential phishing attack, the company decided to use this real attack to craft a simulation. Here’s what the simulated email looked like:

As you can see, the simulated phishing email used a header very similar to the email seen in the wild.

Armed with other details from the real phish, including the full body of the message, the company sent this simulation to high-value targets—employees with elevated credentials, the “keys to the kingdom.” It’s smart to focus on these employees, just like attackers do.

The results were encouraging. The ratio of employees reporting the simulated phish versus those who fell susceptible was greater than 1:1. It was a good start. With continued simulations, the rate should increase and show better resiliency to credential phishing.

To repeat, it’s good to condition employees to report phishing emails. It’s even better to have them practice against the real deal, so they can help stop it before real damage is done.

To learn more about the growth of credential phishing, view the Cofense State of Phishing Defense 2018 report.


Who’s Got Access? “Value at Risk” Anti-Phishing

Part 3 of 3

So far, we have looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. We’ve seen how this model can guide your anti-phishing program by focusing on the value of assets you protect. We’ve also examined ways to translate your organization’s data to dollars, which is useful if you’re responsible for data oversight and governance—in other words, it helps to know where data might live and the (estimated) value of digital assets should a breach occur.

Data to Dollars: “Value at Risk” Anti-Phishing Strategies

Part 2 of 3

Last week, we looked at the concept of “value at risk” (VAR) and how it applies to anti-phishing. This week let’s do a deep-dive into the “value” aspect of VAR. We’ll ask: do you know where your crown-jewel data is stored and how much it might be worth? Even if the answer is “Not exactly,” an educated guess can help set anti-phishing priorities.

Managed Service Gives SMBs More Security without the Headcount

If you do a Google search on “SMBs and cyber-security,” one best practice is hard to miss. The experts say it’s smart to give employees security training. All employees, not just the cyber-warriors in IT.

Another good idea: outsource your training. Let specialists spare you the cost of creating a security awareness program. Better security without more headcount—it’s why so many SMBs trust Cofense PhishMe™ Managed Service.