The Phishing Kill Chain – Reporting
Part 5 in a series on being “Left of Breach” in the Phishing Kill Chain.
In part 4 we looked at Simulation Delivery, and stressed the importance of utilizing methods that model malicious actors and advanced persistent threats. We will now take a closer look at developing reporters in your company environment.
This point in The Phishing Kill Chain is where we break from the standard model. It is where we switch from defensive mode to proactive threat management. All our earlier steps are designed to reach this point, so it is important that we consider some best practices and pitfalls to avoid when implementing a reporting process.
- Set up your users for success by being transparent about the purpose of your program and by providing them simulations that show them how to report. Be sure to stress reporting even in the event of failure and the importance of their part in the phishing kill chain.
- Develop a reporting response plan based on your current processes. If your associates report suspicious phish to a help desk or an IR team, be sure those teams are prepared for increases in reporting (especially during simulations) and that they know how to handle responses to your users.
- Ensure all phishing awareness activities, including simulation education pieces, stress reporting.
- From a technical perspective:
  - Send all reports to one email address for analysis and verification. This can be a distribution list, but in that case, ensure you define the analysis and review process and who is responsible for following up.
  - Automate acknowledgement of user submissions and thank users for staying vigilant. Let them know that you will be following up if necessary.
  - Ensure your reporting process includes all the required data in your reports: header information, etc.
- From a program perspective:
  - Ensure you are tracking both simulation and suspicious email reports.
  - Measure success at the simulation and program levels as outlined below.
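The technical and tracking points in the list above can be checked at the reporting mailbox itself. The following is an added example, not PhishMe's code: it tests whether a submission carries the original message with its headers intact, tags it as a simulation or a suspicious report, and builds the acknowledgement. The mailbox address, the `X-Phish-Simulation-ID` header and the required-header set are assumptions, and the sample report is constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage

REQUIRED_HEADERS = ("From", "Received", "Message-ID", "Date", "Subject")  # assumed minimum set
SIM_HEADER = "X-Phish-Simulation-ID"   # hypothetical marker added by the simulation platform
MAILBOX = "phish-reports@example.com"  # hypothetical single reporting address

# Constructed sample: a user report with the original attached as message/rfc822.
SAMPLE_REPORT = """\
From: user@example.com
Subject: Suspicious invoice email
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This looks suspicious.
--b1
Content-Type: message/rfc822

Received: from mx.vendor.example by mail.example.com; Mon, 01 Jan 2024 09:00:01 +0000
From: billing@vendor.example
Subject: Invoice overdue
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <orig-1@vendor.example>

Please see the attached invoice.
--b1--
"""

def triage(raw_report):
    """Classify one submission, list missing header data, build the acknowledgement."""
    report = message_from_string(raw_report, policy=policy.default)
    # The original's headers survive only when it is attached as message/rfc822;
    # an inline forward rewrites or drops them.
    original = next((p.get_content() for p in report.iter_attachments()
                     if p.get_content_type() == "message/rfc822"), None)
    missing = [h for h in REQUIRED_HEADERS
               if original is None or not original.get_all(h)]
    is_sim = original is not None and original[SIM_HEADER] is not None
    ack = EmailMessage()
    ack["From"], ack["To"] = MAILBOX, str(report["From"])
    ack["Subject"] = "Re: " + str(report["Subject"] or "phishing report")
    ack["Auto-Submitted"] = "auto-replied"  # RFC 3834: suppresses auto-reply loops
    ack.set_content("Thank you for staying vigilant. We have received your "
                    "report and will follow up with you if necessary.\n")
    return {"kind": "simulation" if is_sim else "suspicious",
            "missing_headers": missing, "ack": ack}
```

A submission that comes back with a non-empty `missing_headers` list was forwarded inline rather than attached, which is the case the reporting process needs to prevent.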
Behavioral Analysis – Simulation Level (Attachment Type)
The chart above outlines how PhishMe® Professional Services analyzes the behavioral characteristics at the simulation level. Note that the framework for the analysis is based on reporting, not susceptibility. The reason for this is that we want to align any analysis with the primary purpose of our larger program, i.e. recognize, report and resolve phishing threats before a breach occurs. The lynchpin of that process is reporting.
Note the highlighted section in the graphic above. Users that fall susceptible / respond and report are classified as exhibiting desirable behaviors. This is because this action is exactly what we would want from our users in a real-world situation. See something, Say something.
When looking at a program level, we want to shift our view to the one presented in the Program Trending Analysis chart below.
In this view, we are showing the resilience (number reported over number susceptible) of each simulation run and from this data can further develop an ongoing reporting and resiliency trend over time.
Program Trending Analysis
Both charts present leading indicators of success, but not the final measure of success, which we will discuss in our next blog post on Triage and Mitigation.
Remember the following points when it comes to developing reporters in your user base:
- Be transparent about the purpose
- Stress reporting in all awareness and simulation activities
- Make it simple for your users to report
- Prepare your response teams ahead of time
Key Reporting Takeaway – Stress reporting even in the event a user falls susceptible. This key behavior is what will drive success in getting left of breach.
In the next part of this series, we will take a closer look at key factors in the Triage, Analysis and Mitigation of reported threats.