TSM - The Art of Phishing

Anett Stoica - Security Training & Awareness Lead @ Paddy Power Betfair

Anything you do can become a work of art if you put passion, creativity and persistence into it. The world's most impressive paintings, compositions and most majestic buildings were achieved through experimentation, planning, and learning from mistakes. Click rate, report rate, repeat offenders, emotional motivators, target group and scenario are just some of the elements combined into the complex frame called a phishing program. Most times, the process of mixing and matching to create a successful program becomes something of a work of art to its owner.

Often overlooked, the people side of security gives exciting insight on human behaviour that frequently remains the "last line of defence" against cyber-attacks. While the constant development of technology builds more reliable tools for real-time visualisation of attacks and methods to stop and reduce the impact, some areas still rely on human judgement. In this fast-paced industry, the human element remains the one that cannot simply be patched or upgraded with a line of code. The lack of an easy fix for such a complex situation drives the widespread presence of phishing exercises in security awareness programs.


For those unfamiliar with the term, "phishing" is a way for cyber attackers to manipulate people into giving out information or doing what they want the victim to do. These malicious actors use email, SMS, or calls to launch these attacks and forge stories that rely on emotional response. While we won't get into details about the anatomy of phishing, what we need to understand is that this type of attack is widely used because it usually requires lower effort in the preparation phase but, if successful, gives a high return on investment.

Why invest in a phishing program?

Employees hold credentials and overall knowledge that are critical to successfully breaching a company's security. Malicious actors will use phishing as a way to obtain this sensitive information and progress with their attack. With phishing being one of the leading causes of the increasing number of data breaches, companies turn to internal testing to strengthen their resilience against this type of cyberattack. If there is not enough buy-in for the program, have leadership look at the following:

When requesting a budget for a phishing program, organisational data is the key to getting leadership's attention. Analysing incidents is a starting point to track if and where problem areas appear. The frequency of attacks and the time (money) spent by operations teams on investigating incidents can be compared with the investment in a phishing tool. Alongside this data, we should collate any results published by organisations with active phishing campaigns to show the feasibility of testing. The evolution of our metrics over time, which hopefully represents the change in people's behaviour, will advocate for the tool's return on investment.

If the organisation has decided that phishing is a priority risk and needs focus, a phishing tool will go a long way. When it comes to developing skills, adults learn best by doing. Phishing campaigns are a practical way of exercising how to look out for this type of cyber threat, thus helping retain the information for longer periods of time.

Cookbook for phishing

When it comes to the arts, the culinary one is among my favourites, as it requires quality ingredients, preparation, measurement and following a sequence, as well as experimenting and curiosity. As an amateur cook, I find that the process of preparing a fine meal is not dissimilar to that of preparing a phishing campaign for launch.

Just as baking grandma's cake recipe requires a different experience from what is needed to prepare a French pastry, there are also differences between launching a new phishing program and managing one that has been ongoing for one or two years.

Let us see some success recipes for each of these cases.

Phishing recipe #1 - Beginners

Picking a platform is the initial step, when all requirements for the tool must be listed. A phishing tool needs to be simple to use, allow easy data upload, and have diverse scenarios and customizable templates. Some platforms have a user-friendly interface for updating scenarios, while most will require some coding skills to make more detailed changes to the scenario's design elements. When assessing a tool, ask the provider to explain what source they use for creating the scenarios and how often they update them.

A sound reporting system is essential to reduce manual work when providing stats to leadership.

Your first campaigns. If the program is just about to be launched, include all employees in the exercises and use a very simple scenario. Quarterly launches are a good way to get people used to the exercise and to gather data for baselining the company's overall click rate. This result will drive the program in year two, including the awareness activities. Before launching the first exercise, it is advisable to run some awareness sessions, so people have the basic knowledge of how to spot phishing emails.

Teachable moments. The practicality of the phishing exercise creates memorable opportunities to spread awareness messages. Use the post-click landing page to give information about the program and where to report suspicious events. At the end of each campaign, send employees a follow-up message with a brief about the result and the signs they could have looked for, and reiterate where to report suspicious emails.

SOC is your best friend. Phishing exercises largely impact the Security Operations team. Before launching any campaigns, agree the exercise date with the team and provide a sample of the scenario.

Metrics. Measuring results is key to showing executive leadership the value of the program and how exposed the organisation might be. The susceptibility rate or, put more simply, the click rate is measured against the size of the targeted population. Reporting will be more valuable if it includes numbers on the report rate registered by SOC as well as stats on repeat clickers.

You won't always have a linear progression of the results as these will change depending on the difficulty of the scenario. Include in the reporting insights about the difficulty level and observations that help in accurately understanding the results.
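An added example (not from the original article or from any phishing platform) of computing the metrics described above from campaign results: click rate and report rate against the targeted population, repeat clickers, and click rates grouped by scenario difficulty so that easy and hard campaigns are not compared directly. The record layout, field names and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (employee_id, clicked, reported) per targeted employee.
CAMPAIGNS = [
    {"name": "Q1", "difficulty": "easy", "results": [
        ("u01", True, False), ("u02", False, True), ("u03", False, False),
        ("u04", True, False), ("u05", False, True)]},
    {"name": "Q2", "difficulty": "hard", "results": [
        ("u01", True, False), ("u02", True, False), ("u03", True, True),
        ("u04", True, False), ("u05", False, True)]},
    {"name": "Q3", "difficulty": "easy", "results": [
        ("u01", True, False), ("u02", False, True), ("u03", False, True),
        ("u04", False, True), ("u05", False, False)]},
]

def campaign_metrics(campaign):
    """Click rate and report rate, both measured against the targeted population."""
    results = campaign["results"]
    targeted = len(results)
    if targeted == 0:
        raise ValueError(f"campaign {campaign['name']} has no targeted employees")
    clicked = sum(1 for _, did_click, _ in results if did_click)
    reported = sum(1 for _, _, did_report in results if did_report)
    return {"name": campaign["name"], "difficulty": campaign["difficulty"],
            "targeted": targeted,
            "click_rate": clicked / targeted,
            "report_rate": reported / targeted}

def repeat_clickers(campaigns, threshold=2):
    """Employees who clicked in at least `threshold` campaigns, with their counts."""
    clicks = Counter(emp for c in campaigns
                     for emp, did_click, _ in c["results"] if did_click)
    return {emp: n for emp, n in clicks.items() if n >= threshold}

def click_rates_by_difficulty(campaigns):
    """Group click rates by difficulty so trends compare like with like."""
    grouped = defaultdict(list)
    for c in campaigns:
        grouped[c["difficulty"]].append(campaign_metrics(c)["click_rate"])
    return dict(grouped)

if __name__ == "__main__":
    for c in CAMPAIGNS:
        m = campaign_metrics(c)
        print(f"{m['name']} ({m['difficulty']}, n={m['targeted']}): "
              f"click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
    print("click rate by difficulty:", click_rates_by_difficulty(CAMPAIGNS))
```

In the sample data the overall click rate rises in the hard Q2 campaign and falls again in Q3, while the easy-only series shows the underlying improvement.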

On the safe side of the law. Intellectual property and copyright must not be overlooked. We cannot just impersonate another brand, even if it is for educational purposes. Where there is no written approval from the company whose name we want to use, the legal team can give guidance on how we should proceed. Well-known providers will not allow scenarios to be built that might conflict with the law.

Phishing recipe #1 - Advanced

Three or four campaigns with different types of scenarios give a good idea of the organisation's posture. Data interpretation supplies the list of opportunities for improvement and drives next year's plan.

Let us see what recipe we can apply as advanced phishers.

Reassess your platform. Whether the product is due for renewal, or if you are unhappy with it, a periodic assessment of the platform is a must. New releases improve the experience and effectiveness of using these tools. Two such features are integration with Active Directory for automating data upload and the use of AI to schedule future scenarios based on the individual result obtained by each employee. There is also an increased focus on offering diverse training material which is an excellent option if we do not have much budget to work with. 

Automation of reporting. Excel sheets will become harder to manage in time. Senior leadership wants visibility and easy access to data; thus, a reporting dashboard can really highlight the value of our work. Existing security dashboards built in-house can easily connect to the phishing platform using an API. Configuration of a proper reporting view can be developed by the more technical colleagues. Often just asking for ideas and planning the work ahead of time will give excellent results and a sense of teamwork. 

Spicing up the scenarios. Without variation, people will quickly get used to the way you build your campaigns, making them somewhat unresponsive. Gradually increasing the difficulty level will keep them on edge as well as more prepared for the real threats that are out there. 

Reassess the approach. Once done with baselining, you need to reassess the program and build on the lessons learned. While targeting the entire organisation makes data comparison easy, sending out mass emails to all employees will tip them off, impacting the accuracy of results. As a solution, the random sampling-based approach provides a more accurate picture of how well people recognise phishing emails when no one else around gets them. A targeted approach creates realistic scenarios based on a person's role in the company and is the closest we get to preparing people for real phishing attempts. In terms of percentage, a 30% random sample of the user base should give representative results.

In an advanced phase of the program, you can start combining the two approaches and decide to increase or decrease the frequency of your exercise. This moment in time is also when you can start using real-life scenarios recorded by your SOC team in the program.

What to do with repeat clickers. Often called repeat offenders, these people can pose a risk to the organisation. Some companies use a process where the first "offence" will be followed up by an email, the second by a classroom training, and the third will include reporting managers in the conversation. The organisational culture will be the best compass to define what the right approach looks like. Regardless of the decision, being assertive in our communication and understanding why they keep falling for these exercises is essential to a good collaboration.

Awareness approach. The way we do awareness activities or training between phishing campaigns should change along with the program to increase engagement. Traditional phishing classroom sessions can be replaced with a workshop in which people learn to build their own phishing campaign. While some might argue how ethical this is, unless we have techies in the audience and give them a runbook, they will not know how to launch their own attacks. Another engagement approach is to involve people in giving ideas for future campaigns. A competition and a prize might incentivise participation while creating a sense of teamwork.

Make it easy to report. Measuring the report rate tells us how much we can rely on people to call out suspicious events. To increase this number and motivate people to take action, we have to give them the proper tools. Rolling out a phishing report button in Outlook makes escalation accessible to everyone. After installation the number of reported emails will spike, so have all involved teams ready.

Lessons learned and advice from an old Chef

Whether we have just started or we are a couple of years into the program, phishing tests can always bring surprises. Since they rely solely on human behaviour, with each campaign there is something to discover, or at least this was my experience.

After three years of phishing, here is what I learned and what I would advise:

Closing: As a security awareness professional, I advocate for the importance of the human element. My experience has taught me so far that there is no perfect or one-tool-fixes-all solution. It is always a mix of means adapted to the organisation's needs that will drive your efforts and ultimately the result. Technology will give a fast-paced response, but people are sitting behind those technologies. Good and transparent communication is key to keeping staff engaged and feeling like we are all building something together. I strongly disagree with the much-repeated expression that people are the weakest link, and even if that is true, basing our program on this assumption will eventually create a more significant gap. Security is the employees' responsibility too, and there needs to be a consequence for risky actions, but security awareness professionals have a significant role to play. We need to remember our responsibility is to equip people with the knowledge they need to recognise phishing attacks, and the tools we choose to do that become a work of art.