The Phishing Kill Chain – Simulation Delivery
Part 4 in a series on being “Left of Breach” in the Phishing Kill Chain.
In part 3 we looked at Simulation Design, where we discussed utilization of simulation results analysis and active threat intelligence in anti-phishing programs. We will now take a closer look at simulation delivery practices.
Once again, we want to model the real world as much as possible in our approach to simulations. Generally, malicious actors and advanced persistent threats use two approaches in their phishing campaigns.
- Traditional Phishing – utilizing mass emailing for both reconnaissance and exploitation
- Spear Phishing – targeted emails based on reconnaissance that exploit known or presumed weaknesses
Because of this, it’s important that we plan delivery of simulations in an analogous manner. Anti-phishing programs should include delivery of simulations to the general population and targeted spear phishing simulations based on the self-enumeration and analysis of previous simulation results.
A typical 1st year simulation delivery plan might look like the following:
| Month | Simulation | Audience | Objective |
|---|---|---|---|
| Month 1 | Program Announcement with Simulation Sample | All | Announce program and provide initial recognition / reporting guidance and practice for the entire user base. |
| Month 2 | eCard Click Only Simulation | All | Provide a straightforward example of risk that many overlook. Remember, simplicity of an email’s construction may not relate to difficulty in recognition. |
| Month 3 | Package Delivery Click Only Simulation | All | Identify the company’s potential exposure to an often-used delivery format. Stress technical identifiers and reporting in education. |
| Month 4 | Targeted Invoice Attachment | Finance | Begin to address known attack styles and develop increased resilience in those users likely to be phished in this manner. |
| Month 5 | Repeat lowest resiliency simulation from month 2 or 3 | All | Reinforce the initial lesson and measure for retention and increases in reporting. |
| Month 6 | Join Co-Workers on Social Media Data Entry | All | Expose users to the dangers of providing private / confidential information via social media platforms. Measure against initial data entry simulation results. |
| Month 7 | Targeted Security Report Simulation | IT | Ensure known phishing attacks that target IT and Security organizations gain wider recognition and stress reporting even in the event of susceptibility. |
| Month 8 | Unauthorized Access Data Entry Simulation | All | Re-emphasize the dangers of credential phishing and points of recognition across the user base. Highlight the dangers of credential re-use across accounts. |
| Month 9 | Repeat lowest resiliency simulation from month 2, 3, or 6 | All | Reinforce the initial lesson and measure for retention and increases in reporting. |
| Month 10 | Avoid Charges Attachment | All | Introduce the dangers of enabling macros in attachments sent via email. Measure for resiliency and current exposure. |
| Month 11 | BEC – Wire Fraud | Finance / Executives | Introduce executive compromise attacks to those most likely to receive them. Measure resilience of the organization’s financial processes and procedures. |
| Month 12 | Scanned File (Benchmark) | All | Measure performance against a common style of attack, compare to your industry peers and develop a resiliency trend across the first year of the program. |
As we can see in the simulation delivery plan above, we covered multiple types of phish (click only, data entry, and attachment across multiple themes) and incorporated mass emails and active threat spear-phishing. By doing so, we accomplish multiple goals:
- Increased the resiliency of our entire user base
  - Resiliency is equal to total number reported / total number susceptible
- Reinforced and hardened high value targets against known attacks
  - Note the spear-phishing against Finance, IT, and Executives
- Identified and mitigated specific exposures associated with phishing
  - Note the importance of reducing risk through repetition of low resiliency simulations
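The resiliency ratio and the "repeat lowest resiliency simulation" steps from the plan, worked through as an added example (not part of the original article or any vendor tooling). The result rows, department names and the treatment of a simulation with no susceptible users are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample data: one row per recipient per simulation.
# (month, department, susceptible, reported). A user can be both
# susceptible and a reporter (clicked, then reported the email).
RESULTS = [
    (2, "Finance", True,  False), (2, "Finance", True,  True),
    (2, "IT",      False, True),  (2, "Sales",   True,  False),
    (3, "Finance", True,  True),  (3, "IT",      False, True),
    (3, "Sales",   True,  True),  (3, "Sales",   False, True),
    (6, "Finance", False, True),  (6, "IT",      False, True),
    (6, "Sales",   False, False),
]

def resiliency(reported, susceptible):
    """Total number reported / total number susceptible."""
    # Assumption: with no susceptible users the ratio is undefined; treat it
    # as infinite so that simulation is never selected for a repeat.
    return math.inf if susceptible == 0 else reported / susceptible

def tally(results, key):
    """Resiliency per group, where key(row) names the group."""
    counts = defaultdict(lambda: [0, 0])  # group -> [reported, susceptible]
    for row in results:
        _, _, susceptible, reported = row
        counts[key(row)][0] += reported
        counts[key(row)][1] += susceptible
    return {k: resiliency(r, s) for k, (r, s) in counts.items()}

def simulation_to_repeat(results, candidate_months):
    """Month of the lowest-resiliency simulation among the candidates."""
    scores = tally([r for r in results if r[0] in candidate_months],
                   key=lambda r: r[0])
    return min(scores, key=scores.get)

def department_scores(results, month):
    """Per-department resiliency for one simulation, to guide targeting."""
    return tally([r for r in results if r[0] == month], key=lambda r: r[1])

if __name__ == "__main__":
    print("Repeat in month 5:", simulation_to_repeat(RESULTS, {2, 3}))
    print("Repeat in month 9:", simulation_to_repeat(RESULTS, {2, 3, 6}))
    print("Month 2 by department:", department_scores(RESULTS, 2))
```

Breaking the same ratio out by department shows which groups would benefit from a targeted follow-up simulation, as the plan does for Finance, IT, and Executives.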
Remember – The importance of providing simulations to your entire user base cannot be overstated. With ever changing attack profiles, shifts in job responsibilities and broad access to data, everyone in an organization needs to be prepared to recognize and report suspicious activity.
In the next part of this series, we will take a closer look at stressing the importance of reporting.