The El Camino Effect in Anti-Phishing Training
Too often in anti-phishing training, or phishing defense in general, companies look for the wrong threats. That’s understandable to a degree, given that attackers constantly shift their tactics. But it’s a still a problem if, to use a bank heist metaphor, you’re looking for robbers who drive a Camaro vs. an El Camino.
Without training based on the latest and most relevant threats, you’ll increase the odds the bad guys get away. Sometimes when that happens, users unfairly get blamed. Not cool. As anti-phishing program administrators, it’s our responsibility to empower folks to succeed.
Understanding the El Camino Effect
To better frame a wholistic (strategic) approach to stopping phishing attacks, we need to understand the basic model outlined below. It shows why technology—normally, the first line of phishing defense—will continue to be challenged and subverted by criminal actors.
The model shows how companies typically approach cyber-security with technology, along with the workaround attackers use. Imagine for a moment that several banks, the stand-in for users in this model, have been robbed by a gang of thieves driving a red Camaro.
The immediate response by security professionals (the police): be on the lookout for that red Camaro. Intelligence will be updated; firewalls and email gateways will be set to identify and stop further Camaro attacks in progress.
This is a good thing and exactly how technology should be utilized, but a significant gap in coverage remains. We must ask ourselves: what happens when the gang dumps the red Camaro and begins driving the blue El Camino instead?
An even more challenging question: are we really going to blame the banks (our users and victims) for being robbed because our security systems were looking for the Camaro instead of the El Camino? The same question applies to anti-phishing programs. Does it make sense to point fingers at users whose training isn’t as relevant as it needs to be?
Don’t Blame the Victims!
The answer, of course, is no. While I personally believe that improved anti-phishing requires appropriate use of the carrot and stick, it’s critical that any reinforcement achieves the results you want.
In anti-phishing, the focus needs to be on user reporting, not susceptibility. Understand that users are your last line of defense prior to a breach in the phishing kill chain. Rewarding them for reporting rather than falling victim is key to maintaining positive engagement and increased reporting of suspicious emails.
Too often, I see organizations go too far in the other direction, being too aggressively punitive. Again, it’s fine to use the stick as well as the carrot, but not if it places blame on people who were trained to look for a Camaro and missed the El Camino. Let’s be clear about who’s to blame: first and foremost, the criminal hackers. And the responsibility for stopping them starts with us, the phishing awareness professionals, not our users.
A better solution begins when we understand (and admit to ourselves) that attacks will make it past perimeter defenses. Any assumption that technology alone will stop an attack is, quite frankly, irresponsible.
As the El Camino model demonstrates, any bank would (and by the way, most do) implement a response strategy for those times the criminals bypass the early warning and mitigation capabilities. Banks utilize silent alarms, activated and monitored by people, to protect against and respond to robberies in progress.
Anti-phishing programs need to do the same.
Collaboration is Key
At conferences over the last few years, security vendors have pushed a new silver bullet— machine learning and artificial intelligence. Honestly though, we should be learning a key lesson from decades of security breaches and the history of change in associated technology.
That lesson is simple: no single technology investment will stop all attacks on our networks and users.
Further, we need to recognize the leading security issue of our time: human interactions with and management of available technology. Put simply, we can no longer ignore the fact that criminal actors, security professionals, and victims are all people doing their best either to subvert or harden the protection of personal (private) and corporate (confidential) data and communications.
It is at this intersection of technology and people where we can achieve the most gains in cyber-security.
The first step is to implement solutions that empower not just awareness but the user’s capability to recognize, report, and mitigate threats. Working with your security teams, you need to base awareness training on active threats, whether they’re Camaros, El Caminos, or Ram trucks.
I have seen this collaborative, user-integrated model achieve stunning results, over and over and over. If we really want to stem the rising tide of breaches, we can’t make criminals of victims. Instead, let’s combine our security technology with well-trained humans. Let’s empower everyone to succeed—except the guys in the El Camino.
To learn more about phishing awareness effectiveness, view the 2017 Cofense™ Phishing Resiliency and Defense Report.
All third-party trademarks referenced by Cofense, whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.