
Why Zero Tolerance should be the future of phishing

A few years ago I wrote an article entitled "Why Zero Tolerance should be the future of phishing".



We had gathered over three years of phishing test data from multiple phishing campaigns launched against organizations ranging from some of the top Fortune 500 companies all the way down to sole proprietorships. From that data, one metric stood above all the others: a 62.5% compromise rate.



Now that doesn't mean 62% of the people interact with or click on what we send them (that number is 26.2%). What it does mean is that when I send out my evil phishing campaign, 26% of the people I reach click, and of those who click, 62% are hooked.



That means if someone says, "oh, what is this?", there is a 62.5% chance on average that person is either going to download a payload that will give the malicious actor control of the host, or share working credentials to their account. While there are security measures that can help to a degree, the metrics are clear: even if the threat actor doesn't compromise your host, over half the time an active username and password is now in the hands of a malicious actor.



These results SHOULD have been a wake-up call for every organization. I can't tell you how many companies I have tested that use an "acceptable" click-through rate of 10%. As an attacker I'm dancing in the streets, because that still leaves a 6% compromise rate. But alas, these numbers haven't gone down even with the advent of filters and services. Why? Because you can't rely on a filter or service to make up for poor training. We ALWAYS get through; it may take some time, but there is always a way.



Let's look at what that might look like for a large enterprise with, say, 50,000 employees. A 26.2% click rate equals 13,100 clicks. If this company were to fall into the "average" compromise rate, that would be 8,187 compromises! Even the "acceptable" 10% click rate would yield 3,125 compromises. Not so acceptable now, is it?



Go ahead, do the math for your company. Have 100 employees? That's at least 11 credentials, downloads, or compromised hosts that I'm getting.



Phishing and social engineering defense training, REAL training and not the common computer-based classes that only tell you what to look for, should be one of a company's main priorities. Phishing has been and still is the #1 WAY a company gets compromised.



Teaching people HOW and WHY social engineering works, showing them the attacker's point of view and how we manipulate them, and creating an environment of both accountability AND gamification of the entire process: these work. We've seen companies fall from over 10% to the 2% to 4% range simply by introducing these techniques. And, oddly enough, people enjoy this much more than that boring "training" they get after they've clicked on the wrong thing.


