The recent DNC “false alarm” is a cautionary tale. While there can be value in performing phishing tests against your organization, they are not without potential pitfalls.
Real or simulated, what lessons can your business learn from this example?
Phishing tests are designed to help your users distinguish good email from bad. While there is still some debate on the long-term efficacy of this approach, one thing that is vital is that the entire security organization be aware of the test and respond accordingly. In the case of the DNC “false alarm”, it appears there was a distinct lack of communication with the affected groups, and that gap is what turned a simulation into a public incident. Not only will a phishing test challenge your users, it should also challenge your security organization and their response processes. Because it is a simulation, the security personnel must respond accordingly, including knowing when to “stop” the defined response processes.
We should absolutely give credit to the various DNC groups for responding as though this was an actual attack. But a little communication goes a long way and could have allayed a good amount of concern (let alone the media attention).
By some accounts, over 90% of breaches start with a phishing email. Why? Because phishing works.
While organizations have had email security solutions in place for 20 years, they have taken a back seat to sexier solutions like Endpoint Detection and Response or next-gen AV. Email security has achieved “good enough” status while security time and budget are spent searching for the latest holy grail. The cybercriminal underground knows this and continues finding ways to adapt phishing to bypass the latest email security defenses. It’s a game of one-upmanship where the bad guys have only one task – to bypass email security defenses – while the internal security team must defend on multiple fronts.
Phishing tests have become the defense du jour to help train users’ ability to identify malicious email. What phishing testing has also done is start organizations down the path of adopting defense-in-depth for email security. Defense-in-depth is a long-established security strategy designed to protect your organization across all potential attack fronts. Normally organizations have a single solution at each layer (web security, email security, endpoint security, etc.). But as attacks have become more advanced, security teams are learning the hard way that a single solution does not always mean a “layer” is adequately protected. Phishing tests were an understandable reaction to the “I can’t stop everything at my email security gateway” reality. Since the next step in this layered approach was the inbox (i.e. end users), it only made sense to involve the end users somehow.
And yet, phishing still works. Whether the goal is ransomware, crypto mining or business email compromise, there are no signs that phishing volume is declining. So, how does a small business respond in a world of seemingly never-ending attacks and a high likelihood of breach?
- Accept the high likelihood of being breached.
- Identify your valuable assets (aka cybercriminal targets).
- Enhance your phishing defenses to include post-delivery detection.
First, and foremost, accept the reality that you will very likely be breached.
Just because you are not a Fortune 50 organization does not mean you are not a target. The cybercriminal underground has a flourishing market that sells everything necessary to attack almost any organization. The world of opportunistic attacks, where a broad swath of entities is attacked at once, is now the world of targeted opportunistic attacks. Even the smallest amount of information collected from social media (much of it already for sale on the dark web) can be turned into targeted attacks generated using an opportunistic attack framework. In other words, thousands of organizations can be attacked at once (opportunistic) using very low-volume, targeted phishing email.
In this new reality, preparation is vital. Identify your most important assets, the value to your organization if they are “stolen”, and the cost to adequately protect them. I have talked with some organizations that determined the “value” as very low, so their risk tolerance was high, meaning their preparation was more closely aligned with “notification and clean-up” rather than rapid response. If, on the other hand, your assets have extremely high value (i.e. low risk tolerance), then you must prepare for rapid detection and response (with a healthy dose of data redundancy for good measure).
But what about phishing, you ask? Defense-in-depth is your key. As more organizations move to hosted email platforms like Microsoft Office 365 and Google G Suite, new levels of integration are available to apply email security post-delivery (after the email security gateway). If we revisit involving end users: phishing training asks them to decide for themselves what is good and what is bad. There are now post-delivery solutions that simply ask the end user to submit a suspicious message to experienced email security analysts and let them decide. That is defense-in-depth taken to a whole new level.