"That's off limits" Said no attacker ever ...
- Kaiju Security
- Jul 31, 2024
- 8 min read
Out of 1000 employees, statistically, 162 of them will allow an attacker into your company.
About a week ago someone suggested that there should be certain things that are off limits in phishing: that if your company "lies" in a phishing exercise and promises things to your employees (such as a gift card if they sign up and insert their credentials here), this is unethical. The consultant continued that this behavior would eventually erode the trust between the employees and the company, as an employee who fell for the phish was essentially being punished by having to take computer based training again (see positive punishment below). I commented on the subject, but wanted to take some time and take a bit of a deeper dive here in an article that isn't limited in space because, believe it or not, there is a lot to unpack here.
"Said no attacker ever" is a phrase many of you will have heard at some point in your career. It's typically preached by red teamers or offensive security when constraints are placed on them for what is supposed to be a "realistic attack". If you haven't heard this term, give it some time, you will. The idea here is this: the entire point of having an offensive security team is to mimic a real external threat. It is offensive security's job to protect an entity by attacking that entity the way a real life malicious attacker would. Offensive security thinks differently. They are malicious; they have an on/off switch that allows them to turn into an utterly remorseless "evil" person and come up with vile ways to trick, break, hack, ruin and/or insert any other thing you could come up with here. After they find the attack vectors that work, that switch turns off, and the offensive security team works with the blue team to help implement whatever changes will ultimately help said entity mitigate those attacks. This is literally the job of your offensive security team. Yes, many times there is going to be a scope, and many times they will be limited in what they should, can and will test due to a specific requirement. However, when it comes to "real world threats" your offensive security team should not be constrained, as a real world attacker is, guess what? You got it, not constrained.
The constraints placed on your offensive security team don't allow them to pivot, and they don't give you or your company, government, etc. a realistic idea of 1. your security posture, and 2. what a real attacker could possibly do or succeed in doing.
Side-bar about TTPs (Tactics, Techniques, and Procedures) and the MITRE ATT&CK framework. Certain governments in the world are requiring companies to use OSINT to work out the most likely TTPs of whoever is believed to be the company's most likely attacker, and then to constrain the offensive security team to ONLY that attack surface as it is outlined in the MITRE ATT&CK framework. I can and will write an entire article on why this is probably one of the WORST methods I have ever seen implemented in my life, not to mention that the MITRE ATT&CK framework is tied to a company that sells services. Yes, many people contribute to it, but think about this for a minute. As an attacker, if your company uses a framework that is posted online, why would I not look for attacks that aren't present in it and simply do those? Before you retort, please show me where plugging into a network drop inside your company, after a physical compromise, is listed under "initial access". It's not, nor will it be, as I have reached out to them and suggested physical be included, and was simply told that's not what this is for. So we have a framework that is missing a foundational piece of security (among many other things), and that is what some governments are using as an attack framework? Because as an attacker, I'm going to make sure I stick to your framework when attacking your company, right?
And now, back to phishing! Once again, social engineering is the #1 WAY an attacker compromises a company, or a company gets compromised, however you want to look at it. By not allowing the teams that are sending phish to use an actual attacker's methods, you are doing, or failing to do, a plethora of things:
Staying Ahead of Attackers - Hamstringing the team doing the phish, making their job more difficult as they are more worried about what is "allowed" rather than what is in the "wild"
Realistic Simulations - Not allowing your employees to see what is common, or what is currently being used by real threats.
Measuring True Preparedness - Not actively testing your company's defensive posture? A phish should test the people, policy and procedures. Many companies miss out on this great opportunity every time they send a phish, worrying only about whether someone clicked, and so miss the chance to get better.
Legal and Compliance Readiness - In the event of actual phishing attacks, companies might face legal and compliance issues. Imagine if "HR" phishing was deemed off limits, and during the investigation, it shows your employees clicked on an HR phishing email by a real world attacker? How good will that look knowing that your company didn't "allow" that type of phishing, when in reality, it was the exact thing you should have been training for?
How do we fix it all? Well if I knew a 100% cure all, I'd sell it and retire a wealthy person! I can however share what I have seen work countless times, reducing the click through rates of your company significantly.
Get an offensive security team - Allow your offensive security team to perform phishing; if you don't have one, hire someone to do this for you. Your blue team is great at blue teaming, but they won't have thousands of phish against hundreds of different companies globally under their belt.
Allow that offensive security team to use what is current - there is some great data available about what types of attacks are being used, what malware they are using, and what is the most likely attack for your size and type of business. Ultimately, however, that red team should be able to make the decision on what they think is the best attack vector. They are professionals; allow them to do their job.
Test People, Policies and Procedures - Defense against social engineering / corporate espionage is as much about having solid policies and procedures as it is about ensuring your employees stick to those solid policies and procedures. What do your employees do when they see a phish, or suspect a phish? What is the reporting rate? If your employee doesn't report a phish, is it because they chose not to follow protocol? Is it because they didn't know it was a phish and simply didn't click on it? Did it not hit the inbox, meaning your defense was successful in keeping it away from them? Unless you take the threat seriously, and ask yourself these and many more questions, your company will stagnate and never actually improve.
Train local SMEs and make them accountable - If your director has 20 direct reports, with 2 managers under them, then those managers along with the director should be VERY well versed in spotting a phish. If someone who reports to them fails, those SMEs should sit down, figure out why, and take time with that person to explain why it's important, what they did wrong and how to fix it. At the end of the phishing campaign, those managers and that director, all the way up, should be held accountable for anything their employees did, or failed to do. This accountability and personal touch works FAR, FAR better than any other training I have seen. It also makes your employees keenly aware of how important the company views security, while investing in that employee on a personal level with in-person training, feedback and support.
Computer based training (CBT) after someone clicks is garbage, get rid of it - Please show me one employee who clicked on a phishing link, only to be met with "This was a phish, you failed", then took the training and thought, "WOW, I better take this seriously and really buckle down!" That employee is busy, that employee is now aggravated, and that employee is now clicking through that CBT as fast as possible to get back to work.
Try positive reinforcement, it works - Reward people for doing well. That gift card we talked about in the beginning? Offer it to your employees if they report every phish they see for the quarter. Give them a reason other than the fear of doing CBT if they don't get it. One of the most successful turnarounds I have ever seen in a company's security posture was them implementing a "game". We suggested that they have family and friends walk throughout the facility and wait until someone approached them. If an employee approached them and went through the proper policy and procedure with that person, that employee won the "golden ticket" on the spot. The ticket was a $100 gift card, a day off, or whatever the company decided to give out. The instant reward was fantastic, but what makes this so powerful is the story. "Did you see Sharon won the golden ticket yesterday?" "Oh really? Let's go ask her what happened!" Pretty soon the story becomes the training, which EVERYONE suddenly learns without having to take a CBT. They learn what happened, how Sharon handled it, and saw a reward at the end for a job well done. This works in a very similar way for phishing.
The industry relies on negative reinforcement and what is called "positive punishment" (adding something unpleasant to decrease a behavior, in this case CBT to help decrease click-through) for phishing: if you fail, something unfavorable happens to you; if you succeed, there is simply an absence of the unfavorable thing (negative reinforcement). In the above examples, you are using positive reinforcement (a reward for reporting all of your phish for the quarter), and if you fail, you're replacing the negative reinforcement with an actual person who is invested in you doing well, who remediates you and has "skin in the game" for you to succeed.
I have seen implementing the strategy above do wonders for companies. I have also yet to see a company implement this and regress, ever. From a mom and pop shop to Fortune 500 companies, this works.
This isn't a fix-all; you still need to ensure you remove the ability to put clickable links in your emails. You still need to ensure you have anti-phishing measures in place via hardware or software for your company. In the end, an attacker WILL eventually get through, and you need to make sure your employees are properly trained and you have given them the best chance to succeed. Most of the time when an employee fails, it's due to poor training, even poorer testing, and a lack of accountability in the company.
I'll leave you with statistics that my companies have collected over the last 10 years. Your employee has roughly a 25% chance of opening an email an attacker sends if it lands in their inbox. IF that email is opened, there is a 65% chance they will click on, or download, something malicious. In a company of 1000, that is 162 people who have just given an attacker a foothold into your company. Defense against social engineering and corporate espionage is, and should be, your company's largest concern.
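The people/policy/procedure questions in "Test People, Policies and Procedures" above, and the 25%/65% arithmetic in the last paragraph, as an added example that is not the article's own code: it buckets each recipient of a campaign by what you actually want to know (blocked, clicked, reported, ignored, unopened) rather than by click count alone, and reproduces the foothold estimate. The campaign log is constructed sample data.

```python
from collections import Counter

# Constructed sample campaign log (not data from the article): one row per recipient.
# delivered = reached the inbox; opened/clicked/reported = what the recipient then did.
CAMPAIGN = [
    {"user": "u01", "delivered": True,  "opened": True,  "clicked": True,  "reported": False},
    {"user": "u02", "delivered": True,  "opened": True,  "clicked": True,  "reported": True},
    {"user": "u03", "delivered": True,  "opened": True,  "clicked": False, "reported": True},
    {"user": "u04", "delivered": True,  "opened": True,  "clicked": False, "reported": False},
    {"user": "u05", "delivered": True,  "opened": False, "clicked": False, "reported": False},
    {"user": "u06", "delivered": True,  "opened": False, "clicked": False, "reported": True},
    {"user": "u07", "delivered": False, "opened": False, "clicked": False, "reported": False},
]

def classify(r):
    """Bucket one recipient by the question the article says you should be asking."""
    if not r["delivered"]:
        return "blocked"    # mail defenses kept it out; the person was never tested
    if r["clicked"]:
        return "clicked"    # foothold, even if they reported it afterwards
    if r["reported"]:
        return "reported"   # followed policy and did not click
    if r["opened"]:
        return "ignored"    # saw it, did not click, did not report: a policy gap
    return "unopened"       # did not click, but also gave the SOC nothing to act on

def funnel(records):
    """Stage counts and rates; each rate uses the stage above it as denominator."""
    buckets = Counter(classify(r) for r in records)
    delivered = sum(1 for r in records if r["delivered"])
    opened = sum(1 for r in records if r["delivered"] and r["opened"])
    reported = sum(1 for r in records if r["delivered"] and r["reported"])
    clicked = buckets["clicked"]
    return {
        "buckets": dict(buckets),
        "open_rate": opened / delivered if delivered else 0.0,
        "click_rate_given_open": clicked / opened if opened else 0.0,
        "report_rate": reported / delivered if delivered else 0.0,
    }

def expected_footholds(headcount, open_rate, click_rate_given_open):
    """The article's arithmetic: headcount * open rate * click rate among openers."""
    return int(headcount * open_rate * click_rate_given_open)

if __name__ == "__main__":
    print(funnel(CAMPAIGN))
    print(expected_footholds(1000, 0.25, 0.65))  # 162, the figure the article cites
```

The "ignored" and "unopened" buckets are the ones a click-only metric hides: those people did not fail, but they also did not give the defenders anything to act on.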