Security awareness training is all about preparing your organization's employees to withstand potential security threats and helping them understand security best practices. One of the best ways to do this is through simulated attack campaigns, more commonly known as simulated phishing attacks. These are artificial campaigns that help security staff test and measure their company's ability to withstand a cyberattack. In this article we'll discuss the important principles and concepts to consider when developing a phishing attack campaign for your organization.
The first type of employee security training you should focus on is academic training. This is typically in the format of online courses or quizzes that employees take; in many companies employees are required to complete these courses as part of their onboarding process. Taking these courses helps teach employees the basics of security as well as the considerations they need to make when performing their day-to-day job responsibilities.
Applied security campaigns are practical evaluations of an employee's ability to detect potential security risks and respond appropriately. These types of assessments are great for measuring how effective your employee security programs are and for getting quantifiable proof of your employees' ability to respond appropriately. The most common form of this is the simulated phishing campaign, which lets you test and measure your employees' responses by sending fake messages and recording how they react. Those responses are then compared against the company's security policies to determine whether the employee requires further training.
In security operations, the human element of your organization will be the biggest obstacle in creating a secure organization. Many businesses spend thousands or millions of dollars securing their systems, but this is fruitless if you fail to invest in building strong security awareness in your employees. One careless mistake by an employee can easily undermine all of the security controls you have put in place in your organization. As proof of this, there are statistics that assert that as much as 70-90% of all data breaches are the result of social engineering, which is the psychological manipulation of employees to get them to perform an action that is harmful to the business. Your best way of preparing your employees for these scenarios is to use effective employee phishing campaigns. If phishing campaigns are practiced regularly, you can keep security awareness top of mind for your employees and frequently identify at-risk employees.
Standard employee security tests typically include online courses during onboarding, but these do not provide the same level of validation that a proper phishing simulation will. When you are building your first employee phishing campaign you want to put yourself in the position of the attacker and consider what type of phishing attack they would be looking to perform. This is commonly known as threat modeling. Anticipating the types of attacks your employees will face and creating campaigns that emulate this behavior makes it much more likely that employees will take away situation-specific lessons that protect against possible future attacks.
Here are some of the questions you want to ask during this process:
What information is publicly exposed on the internet?
Most phishing victims are people who have their email addresses or phone numbers publicly exposed on the internet. This allows attackers to gather that information and send phishing emails directly to them. Two-factor authentication adds an alternative authentication method alongside your traditional username and password to prevent attackers from compromising accounts; this is commonly done in the form of a software token generated by an app like Microsoft Authenticator, but it can also be done through a hardware device or biometrics. You should be mindful of how much of this information (usernames, passwords, which authentication apps are in use) is freely available, and focus on the employees who will be reading and responding to the emails sent to your company's public mailboxes.
Who are our third parties?
Another method attackers will commonly use is to pretend to be a third-party vendor that the company is used to working with. This is an attempt on the attacker's part to exploit the trust relationship you have with that vendor by impersonating them and getting you to perform an action like downloading an attachment. Be sure to look at your vendors, banks, software tools, integrations, etc. for compliance certifications, their latest security updates, and the team and resources they dedicate to security.
Who is the upper management of our company?
Another technique attackers will use is impersonating someone with high authority and requesting that someone in a lower position perform an action quickly. This is an attempt to pressure that person into acting without giving them time to consider whether the email may be fake. It's good to use this technique in your campaign to help employees prepare for this type of attack.
What does the standard phishing email look like?
Lastly, I would recommend understanding the different elements of a typical phishing email and mimicking them so that employees get practice spotting these features. Some of the things you want to include in your simulation are calls to action, a sense of urgency and vague language.
When determining the attack campaign metrics that you are going to capture during your campaign, your ultimate goal is to…
These three metrics will give you an idea of how many people are able to identify a suspicious email, how many people follow proper company protocol in reporting it, and how many people lack the proper security awareness training. You may also want to take it a step further and see how quickly the security team monitoring the reported emails was able to block that sender address across the company in order to prevent other employees from receiving the email. In a real-world scenario you want your security team to respond quickly in those situations. Measuring these metrics gives your team benchmarks of success as you continue to educate your employees and your security awareness program develops.
Next, you need to decide on the campaign mediums that you are going to use. Some common mediums include email, SMS and phone calls. This depends on how your company does business and the roles of your employees. If your company communicates primarily by email, then you may want to focus on that medium. But if your company has a call center or help line, then you may want to create a campaign specifically for those employees so that you can be sure they know how to respond in any given situation.
Next, when building out your employee security test (phishing campaign) you also need to think about the difficulty level of the attack campaign. Ideally, you want your campaign to include at least three levels of difficulty: easy, medium and hard. This will give you a good idea of how well prepared your organization is for different levels of threats, and it gives you the flexibility to send the more difficult tests to your higher-priority targets. For example, high-priority targets for an attacker would be people like your IT admins, C-level executives and other people within the organization who would be able to provide the attacker with valuable access or information. These employees need to be tested more rigorously than your everyday employee because they present a greater level of risk if compromised. There is a subclass of phishing attacks called whaling, which targets senior executives in a company with phishing emails. These emails are usually specifically crafted and much more difficult to detect than normal phishing emails, so it's important that you train your higher-ranking employees to be prepared for them with harder simulations than your normal employees receive.
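As an added example (not from the article), here is how the campaign metrics described above (who clicked, who reported, who took no action, and how quickly the security team blocked the sender) can be computed per difficulty tier from a constructed event log of a simulation; the user names, tiers and timestamps are made up for illustration.

```python
# Added example: scoring a simulated phishing campaign from constructed event records.
# Each record is (user, difficulty_tier, event, iso_timestamp). Events are "sent",
# "clicked", "reported" (employee reported the email) and "blocked" (security team
# blocked the sender address). All data below is constructed, not real campaign output.
from collections import defaultdict
from datetime import datetime

EVENTS = [
    ("alice",  "easy", "sent",     "2024-05-01T09:00:00"),
    ("alice",  "easy", "reported", "2024-05-01T09:04:00"),
    ("bob",    "easy", "sent",     "2024-05-01T09:00:00"),
    ("bob",    "easy", "clicked",  "2024-05-01T09:10:00"),
    ("carol",  "easy", "sent",     "2024-05-01T09:00:00"),
    ("dave",   "hard", "sent",     "2024-05-01T09:00:00"),
    ("dave",   "hard", "clicked",  "2024-05-01T09:02:00"),
    ("dave",   "hard", "reported", "2024-05-01T09:20:00"),  # clicked, then reported
    ("erin",   "hard", "sent",     "2024-05-01T09:00:00"),
    ("erin",   "hard", "reported", "2024-05-01T09:30:00"),
    ("secops", "-",    "blocked",  "2024-05-01T09:12:00"),  # sender blocked org-wide
]

def campaign_metrics(events):
    """Per difficulty tier: recipients, click rate, report rate and no-action rate.
    A user who clicks and later reports counts toward both click and report rates."""
    per_user = defaultdict(lambda: {"tier": None, "clicked": False, "reported": False})
    for user, tier, ev, _ in events:
        if ev == "sent":
            per_user[user]["tier"] = tier
        elif ev in ("clicked", "reported"):
            per_user[user][ev] = True
    tiers = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "no_action": 0})
    for u in per_user.values():
        t = tiers[u["tier"]]
        t["sent"] += 1
        t["clicked"] += u["clicked"]
        t["reported"] += u["reported"]
        t["no_action"] += (not u["clicked"] and not u["reported"])
    return {tier: {"sent": t["sent"],
                   "click_rate": round(t["clicked"] / t["sent"], 2),
                   "report_rate": round(t["reported"] / t["sent"], 2),
                   "no_action_rate": round(t["no_action"] / t["sent"], 2)}
            for tier, t in tiers.items()}

def time_to_block_minutes(events):
    """Minutes from the first employee report to the security team's block (None if never blocked)."""
    reports = [datetime.fromisoformat(t) for _, _, ev, t in events if ev == "reported"]
    blocks = [datetime.fromisoformat(t) for _, _, ev, t in events if ev == "blocked"]
    if not reports or not blocks:
        return None
    return (min(blocks) - min(reports)).total_seconds() / 60
```

Tracking these numbers per tier across repeated campaigns shows whether the hard-tier group (admins, executives) is improving relative to everyone else, and whether the security team's time to block is shrinking.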
Free Open Source Phishing Tools
If your company is going to be creating its own phishing campaign from scratch it’s important that you use quality templates as your first building blocks. Here are some templates you should consider using for building out your phishing campaign simulation:
If your company is planning to outsource this to a specialist company to launch and manage the campaign, then there are a few factors you want to consider. Firstly, you want to understand the types of phishing campaigns they can emulate. For example, do they create custom templates that mimic your specific third-party vendors and the common phishing scams you have seen in your environment, or do they just use standard templates? Secondly, understand the types of payloads they can create. A common example is being able to send employees fake attachments like PDFs, Word documents, Excel sheets and other attachments common in business, and to monitor whether they open or download them. Third, you want to understand how they will deliver and manage the campaign and over what timeframe. You need to ensure that you will get all of the metrics you need over a suitable time frame in order to verify how well trained your employees are.
Creating a good security culture is an ongoing process, and after the campaign is completed it's important that you use the results to generate long-lasting change and improvement. To do this it's a good idea to share the metrics and results with the end users. Notify people who fell victim to the fake email or message that they were tricked, and tell them which signs they should have picked up on to avoid being tricked in the future. You can also use the information you gather to identify where your training program may be weak and use that to improve the training you provide to your employees in the future.