[BreachExchange] Why Ethical Phishing Campaigns are Ineffective

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:13:27 EDT 2021


https://www.techopedia.com/why-ethical-phishing-campaigns-are-ineffective/2/34464

It has been posited that targeted long term ethical phishing campaigns are
no more effective than using your finger to plug a dam.

That is largely true, unless the campaigns are combined with a solid, well
thought out mitigating security architecture built on the Layered Defence
method.

Targeted ethical phishing campaigns are usually performed by an external
cybersecurity agency or internally by a business to gauge potential
security holes. These campaigns consist of carefully crafted emails that
are created and sent out to the organization to simulate methods used by
real-world attackers. The campaigns are conducted over a period of time to
thoroughly assess the ability of personnel within a business to correctly
identify a phishing email. Once identified by the recipient, the campaigns
aim to verify if the recipient knows how to act or respond in an
appropriate way. Targeted campaigns can be tailored to suit an
organization, for example targeting a Finance or Sales department.

Ethical phishing has an important role to play in protecting against cyber
attacks. Plus, any cybersecurity training given to staff becomes a
transferable and worthwhile skill. People who have undergone this kind of
training also become more security-aware away from work, for example, while
surfing the web or reading emails on their own devices. On their own,
however, ethical phishing campaigns are not enough.

Ethical Phishing Campaigns

Ponder this: Your Ethical Phishing Team has just posted their latest
campaign report on the Intranet, the stats look promising, and only five
members of staff have clicked on the carefully worded ethical phishing
emails this month. But hey, no worries, those single points of failure will
each receive a communication from their managers stating that they can
expect enrollment for additional 'Phishing Awareness Training'. They'll get
the hang of it, eventually, won't they?

Training users to be vigilant by keeping a watchful eye on their inboxes
for emails containing malicious links is a sure way to foster an
appreciation and an awareness of the threats posed by Cyber-criminals and
does provide some intermittent protection.

Data Breaches Still Occur

However, ethical phishing campaigns alone are not a guarantee that your
business won't fall victim to a data breach. All it takes is a single user
out of a few thousand, to click on an email containing a malicious link; a
link that allows a Command and Control (C2C) scenario, or a piece of
ransomware to infiltrate your perimeter network and jeopardize your entire
business. The risks are significant: as a blow to the company's reputation
and via regulatory sanctions or fines. If you contravene General Data
Protection Regulations (GDPR), that can amount to a maximum of €20 million
(about $24.3 million) or 4% of annual global turnover, whichever is greater.

And that's not accounting for the costs of incident response in hours lost,
specialist services, loss of revenue, and detrimental effects of the
potential loss of data. This is when we find out how realistic and accurate
those Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
were.

Eventually, and it could be sooner than you think, you or a member of your
team are going to let a phishing email slip through that gap in your
network security, and make no mistake, it is a serious gap that could see a
twenty-year-old reputation of good standing, ruined in a day. In 2020, 96%
of phishing attacks arrived by email and every minute, companies lose
$17,700 due to a phishing attack. Organizations that have fallen victim to
phishing include Facebook, Google, Pathé, and Mattel; at a combined loss of
$124 million. (Read: 7 Sneaky Ways Hackers Can Get Your Facebook Password.)

Why Breaches Happen

But my staff aren't stupid! I hear you say.

No, they aren't, and neither am I, but we are only human and therefore
prone to make mistakes. Busy schedules, email overload, or just plain
fatigue can all result in that one tiny mistake. It could happen today,
tomorrow, or it might have happened last week - would you even know? Has
anyone alerted the IT or security team to a potential incident?

According to Security Boulevard:

22% of all data breaches in 2020 involved phishing attacks.

97% of users cannot recognize a sophisticated phishing email.

Employees in departments handling large-scale data have problems in
identifying phishing emails.

Recipients open 30% of phishing emails, and 12% of these targeted users
click on the malicious link or attachment.

78% of users claim to be familiar with the risks of unsolicited links in
emails. And yet, they click on the links, anyway.

What's the problem?

It's easy to see why criminals use phishing. It is an effective technique.
We may spot one or two if we are lucky and alert, but phishing emails are
constantly adapting, designed to trick us, persuade us into clicking on a
familiar-looking email from the CEO or CFO instructing us to act.
Clicking on a link within a malicious email carries the potential to
connect with a server on the Internet. Unfortunately, it could be a server
belonging to a Command & Control (C2C) Threat Actor. You won't even realize
what has happened - you've been phished. (Read: How to Avoid Getting
Phished.)

There are several kinds of phishing attacks users must be aware of:

Spear Phishing: Whereas phishing casts a wide net, hoping to catch any
valuable information, spear phishing is highly targeted and designed to
access specific information.

Whaling: Phishing that is crafted to capture information from the "whales,"
like CEOs, CFOs and other C-suite executives.

Smishing and Vishing: Although email is the most common form phishers use
for bait, they also can reach out via text or SMS (smishing) or voice
messaging (vishing).

The idea behind ethical phishing campaigns seems sound. Emulate the
methodology of the cybercriminals to identify where there has been a lapse
in training and what sort of emails your employees are more likely to fall
for. However, concerns about just how ethical it is to wage a "gotcha"
campaign on your employees have been raised. Does the ethical phishing
campaign change behaviour, or does it breed resentment? Do employees feel
grateful for the learning opportunity or do they feel like they have been
tricked?

These concerns, along with the fact that on their own, ethical phishing
campaigns are ineffective, lead one to wonder what should be done.

Layered Security Defense

So what's the answer, what else should be in place, how do you close the
security gap?

As previously mentioned, to protect an organization from a data breach or
cyber attack via the attack vector of a phishing email, a well-defended
enterprise network must have layered security in place to counter and
protect against such an attack.

The National Cyber Security Centre (NCSC) recommends four layers of defense
to protect against phishing attacks.

Layer 1: Make It Difficult for Attackers

The first layer is making it difficult for malicious emails to even reach
the users in your organization.

This is where DMARC comes in handy as a configurable technical defense.
Ensure your business has correctly configured anti-spoofing safeguards such
as DMARC, DKIM, and SPF in Microsoft Exchange or a similar back-end
system, and encourage your suppliers, partners, and customers to do the same.

Reduce information freely available to potential attackers by reducing your
digital footprint (social media and information published on your website),
and ensure incoming emails are being filtered for malicious links and
quarantined where required.
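As an added illustration of what "correctly configured" means for the SPF and DMARC records in this layer (example code written for this post, not from the article, the NCSC or any vendor; the domains and records are constructed), the following Python checks a published record for the settings that leave spoofing unblocked:

```python
# Constructed records, as a DNS resolver would return them (not real domains).
SAMPLE_RECORDS = {
    "good.example": {"spf": "v=spf1 mx include:_spf.mailprovider.example -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"},
    "weak.example": {"spf": "v=spf1 mx +all",
                     "dmarc": "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@weak.example"},
}

def check_spf(record):
    """Findings for one SPF record string (None means none is published)."""
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()   # the 'all' mechanism decides unmatched senders
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last in ("~all", "?all"):
        findings.append(f"'{last}' is not a hard fail; spoofed mail may still be delivered")
    elif last != "-all":
        findings.append("record has no terminating 'all' mechanism")
    return findings

def check_dmarc(record):
    """Findings for one DMARC record string (None means none is published)."""
    if not record:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = {}
    for part in record.split(";"):          # tag=value pairs separated by ';'
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings
```

Run the two functions over the TXT records your resolver returns for your own domain; an empty list for both is the state the text is asking for.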

Layer 2: Identify and Report

The second layer is to make sure each user is equipped to identify and
report suspected phishing emails. This is where ethical phishing campaigns
and Red Flag training become a dynamic skill.

Layer 3: Limit Damage Potential

The third layer involves protecting your organization from the effects of
undetected phishing emails.

Configure devices securely, disable macros, and install anti-malware and
anti-virus software. Block users from installing software; use whitelisting,
blacklisting, and DNS sinkholes; and don't forget to implement two-factor
authentication (2FA).

Layer 4: Respond Quickly

Alert your IT or Security team if you suspect that you have inadvertently
clicked on a suspicious email. Put processes in place for everyone to
follow in the event they have caused a breach and ensure your team knows
who to contact and what to do. Establish an environment where people are
not embarrassed to admit they "fell for it." Knowing about an incident
early on can limit the harm caused.

Ethical Phishing Alternatives and Additions

This isn't to say there is no place for ethical phishing campaigns. As part
of a multi-pronged defense against bad actors, they can be implemented well
and derive valuable information about security in your organization. Only
you know how they will be received by your employees or if the risks
outweigh the benefits. You may want to introduce these measures instead of,
or in addition to, ethical phishing.

Look to implement email Gateways and apply policies, such as a visual stamp
within the body of the email showing: **Warning this email is from an
external source – Beware**
This will prompt your users to apply extra vigilance, causing them to pause
and think twice - do I trust this email, was I expecting it?

Use conditional formatting in your email client to identify external
emails; for example, you could add a rule that displays any incoming email
from senders outside of your business in bold red.
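The external-source stamp and the bold-red rule above both rest on one decision: is the From address inside the organisation? The following is an added example (not code from the article or from any vendor named here; the organisation domain and the sample message are constructed) that applies that decision to a raw message the way a gateway policy would, and separately flags the case where the display name mimics an internal address while the real address is external:

```python
"""Tag inbound mail from outside the organisation, as an email gateway
policy or transport rule would, and flag display names that mimic an
internal address. Constructed example; INTERNAL_DOMAINS is assumed."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}   # assumed organisation domain(s)
BANNER = "Warning this email is from an external source - Beware"

def classify(msg):
    """'internal', 'external', or 'external-lookalike' (display name cites an
    internal domain while the real address is external: CEO-fraud pattern)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if any(d in name.lower() for d in INTERNAL_DOMAINS):
        return "external-lookalike"
    return "external"

def tag_external(raw):
    """Parse raw RFC 5322 bytes; for non-internal senders prepend [EXTERNAL]
    to the subject and the banner to the text body. Returns (kind, msg)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    kind = classify(msg)
    if kind != "internal":
        subject = msg.get("Subject", "")
        del msg["Subject"]                 # headers are single-valued here
        msg["Subject"] = "[EXTERNAL] " + subject
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            body.set_content(BANNER + "\n\n" + body.get_content())
    return kind, msg

# Constructed sample: the display name mimics the CEO's internal address,
# but the actual sending address is on a lookalike domain.
SAMPLE = (b"From: \"ceo@corp.example\" <ceo@mail-corp.example>\r\n"
          b"To: finance@corp.example\r\n"
          b"Subject: Urgent wire transfer\r\n"
          b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
          b"Please pay the attached invoice today.\r\n")

if __name__ == "__main__":
    kind, tagged = tag_external(SAMPLE)
    print(kind, "|", tagged["Subject"])
```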

Next-Generation Firewalls, Web Application Firewalls, and NetFlow Alerting.

Network Intrusion Protection Systems, Endpoint Protection, Email Data
Encryption, and email content filtering, email authentication, and threat
intelligence.

Off-the-shelf platforms such as Symantec, Mimecast, Sophos, and virtual
link protection such as that provided by Menlo Security. Most of these
solutions include AI & Machine Learning and provide some form of 'Human
Layer Security' in the guise of Behavioral analytics.

Implement an email security platform such as Egress Prevent & Protect with
built-in AI & ML, designed to protect your outbound emails.

Conclusion

Not all businesses can afford to resource an IT or Security department, or
to spend valuable budget on equipment and system redundancies. However,
businesses must wake up to the fact that the human aspect of their security
defence is where the threat of single points of failure (SPOFs) is greatest.
(Read: The 5 Greatest Security Threats from 2020.)

Ethical Phishing Campaigns are definitely a positive contribution to the
fight against cybercriminals and go some way to protect businesses.
However, without being part of a dynamic Layered Defence, the gap and the
risk of a breach is ever-present and should never be left to chance.

Yes, staff should understand their role in keeping your organization safe,
but should not be left out in the cold, exposed to the possibility of
compromise.

Cybercriminals aren't 9 to 5; they will work tirelessly around the clock,
leaving no stone unturned. They see your staff as collateral damage, an
inroad to your data, and will stop at nothing until they reach your crown
jewels.