Phishing is a significant threat to organisations and remains a common vector that threat actors use to compromise them. Whilst traditional email defences will block most malicious emails from reaching your employees, a portion will always get through. This is where the security capability of your employees is key to the detection and reporting of phishing-based threats.
In this article I’m focusing on how to gain visibility of people-related phishing vulnerabilities, to support increasing the security capability of your own employees. Whilst technical controls remain important, the people-related aspects are often overlooked and under-resourced. This is not surprising, with many referring to people as the weakest link in company security. A paradigm shift to seeing them as a significant asset in your defence-in-depth approach to security will deliver significant value and increase the effectiveness of both your technical and process-related controls.
What do you want to achieve?
Your goal is to reduce the risk phishing poses to your organisation. Whilst you will never eliminate the risk, you can take significant steps towards that goal by delivering the objectives below:
- Building visibility of people-related vulnerabilities;
- Increasing the capability of staff to spot phishing scams;
- Increasing the willingness of staff to report phishing.
The following sections look at each of these objectives and describe what actions you can take to achieve them.
Building visibility of people-related vulnerabilities
Undertake phishing testing against all staff, or targeted individuals and groups, at regular intervals. Whilst the programme needs a set cadence, make sure tests aren’t run too frequently against the same individual (no more than once every 6 weeks, for example) and that the timings aren’t predictable to recipients.
You will need to vary the lures, difficulty and types of phishing (link, attachment, credential harvesting) to identify which employees are susceptible to which types of threat. Prioritise testing according to the genuine threats employees are proving vulnerable to.
Increasing the capability of staff to spot phishing scams
As you identify people-related vulnerabilities, you will need to deliver bespoke, targeted training and awareness to increase staff capability. Whilst bulk training may improve general capability against basic phishing threats, it will not help your staff identify the more sophisticated threats that are specifically targeted at individuals in your organisation.
Everyone is susceptible to phishing, but at different levels of difficulty and to different lures. You need to identify these and focus specifically on addressing the needs of individuals.
Increasing the willingness of staff to report phishing
Build a culture of security in which employees know the importance of their role in keeping the organisation safe. You want employees to report phishing emails quickly, to give the security team the opportunity to mitigate the threat before a wider audience has the opportunity to be compromised by it.
Building visibility
Visibility of people-related phishing vulnerabilities can be achieved through a combination of phishing testing and the analysis of genuine threats. This will provide great insight into the types of emails individual employees are vulnerable to.
When running phishing tests against your employees you will find it challenging to understand individual vulnerabilities when the main measures you have to work with are:
- Click rate – based on links clicked;
- Compromise rate – based on staff giving away sensitive information (credential or data harvesting) or opening suspicious attachments;
- Average Failure Rate – benchmarked failure rate across different organisations.
Whilst these are useful indicators in trending progress at an aggregated (high) level, they are not particularly suited to explaining vulnerabilities at a granular level.
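The gap between the aggregate measures and the per-person view is easy to see with a few lines of analysis. The example below is added here and is not part of the original article or any vendor tool; the campaign results it works on are constructed sample data, and the way it classes outcomes as clicks or compromises (submitting credentials counts as both) is an assumption about how a platform would report them.

```python
from collections import Counter, defaultdict

# Constructed sample results (not real data): one row per recipient per simulated
# phishing email. 'kind' is the phishing type the article lists (link, attachment,
# credential), 'lure' is the theme used to tempt the recipient, 'outcome' is what
# the recipient did.
RESULTS = [
    {"user": "alice", "kind": "link",       "lure": "parcel delivery", "outcome": "reported"},
    {"user": "alice", "kind": "credential", "lure": "password expiry", "outcome": "submitted"},
    {"user": "alice", "kind": "attachment", "lure": "invoice",         "outcome": "ignored"},
    {"user": "bob",   "kind": "link",       "lure": "parcel delivery", "outcome": "clicked"},
    {"user": "bob",   "kind": "credential", "lure": "password expiry", "outcome": "reported"},
    {"user": "bob",   "kind": "attachment", "lure": "invoice",         "outcome": "opened"},
    {"user": "carol", "kind": "link",       "lure": "parcel delivery", "outcome": "ignored"},
    {"user": "carol", "kind": "credential", "lure": "password expiry", "outcome": "submitted"},
    {"user": "carol", "kind": "attachment", "lure": "invoice",         "outcome": "reported"},
]

# Assumed outcome classes: a 'click' means the link was followed (submitting
# credentials implies it was), a 'compromise' means data was handed over or an
# attachment was opened. These mirror the two campaign-level measures above.
CLICK_OUTCOMES = {"clicked", "submitted"}
COMPROMISE_OUTCOMES = {"submitted", "opened"}
FAIL_OUTCOMES = CLICK_OUTCOMES | COMPROMISE_OUTCOMES


def campaign_rates(results):
    """Aggregate click, compromise and report rates: the trend indicators."""
    n = len(results)
    return {
        "click_rate": sum(r["outcome"] in CLICK_OUTCOMES for r in results) / n,
        "compromise_rate": sum(r["outcome"] in COMPROMISE_OUTCOMES for r in results) / n,
        "report_rate": sum(r["outcome"] == "reported" for r in results) / n,
    }


def individual_profiles(results):
    """Per-person breakdown: which phishing type and lure each person fails on,
    and how often they report. This is what the aggregate rates hide."""
    profiles = defaultdict(lambda: {"sent": 0, "reported": 0, "failed": Counter()})
    for r in results:
        p = profiles[r["user"]]
        p["sent"] += 1
        if r["outcome"] in FAIL_OUTCOMES:
            p["failed"][(r["kind"], r["lure"])] += 1
        elif r["outcome"] == "reported":
            p["reported"] += 1
    return dict(profiles)


def training_priorities(results):
    """(type, lure) pairs ranked by how many people failed on them, most first:
    the themes targeted training should address."""
    failed = Counter((r["kind"], r["lure"]) for r in results if r["outcome"] in FAIL_OUTCOMES)
    return failed.most_common()


if __name__ == "__main__":
    print(campaign_rates(RESULTS))
    for user, profile in individual_profiles(RESULTS).items():
        print(user, dict(profile["failed"]), "reported:", profile["reported"], "/", profile["sent"])
    print(training_priorities(RESULTS))
```

Every person in the sample fails exactly one third of the time, so the campaign-level click and compromise rates say nothing about who needs what; the per-person profiles show that two of the three failed the same credential-harvesting lure, which is where targeted training should go first.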
NIST Phish Scale
In 2020 NIST published a research article (Steves, Greene and Theofanos, “Categorizing human phishing difficulty: a Phish Scale”, Digital Threats: Research and Practice) introducing a means of categorising human phishing difficulty, the Phish Scale. The method scores difficulty according to the number of cues visible in the email, combined with the premise alignment (applicability, alignment or relevancy) of the email to the organisation. Premise considers the threat within the context both inside and outside the organisation.
One of the key failings of using a benchmark figure to compare organisations is that the premise (context) rating of the same phishing threat will vary between organisations. For instance, a phishing email themed on a technology has a far greater likelihood of being effective if the organisation actually uses that technology. So what is a difficult threat in one organisation may lack relevance, and be perceived as easy, in another.
As with any research paper, the challenge is to take it from an academic concept and apply it to deliver beneficial outcomes in a real-world scenario. The method (unlike many others) can be fairly easily translated into a workable assessment tool, even if this is just via a spreadsheet.
Whilst the fundamentals behind the method are sound, there are still opportunities for refinement.
Phish Scale - potential improvements
I have personally supplemented the existing cues with unfamiliar tone, overly vague and unusual request, as well as updating cue names, descriptions and criteria to make them easier to understand and apply.
The common tactics section of cues suffers from being very specific. In this form, for the list to remain effective it would need to be actively developed and maintained to keep pace with changing tactics.
The list can be more effectively represented using the six types of social power (French and Raven’s bases of power: reward, coercive, legitimate, referent, expert and informational). Each of the existing tactics can be matched to at least one social power. I recommend reading the linked article to understand more about these. They are useful in building an understanding of the techniques threat actors use to persuade people to undertake their desired actions.
The premise calculation provides a good articulation of context, but it is also valuable to record the lure or lures (something that tempts, or is used to tempt) used in the email, as these are important factors in understanding why certain individuals are proving susceptible to it.
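The following is an added example of the “workable assessment tool” mentioned above, with the refinements from this section (extra cues, lures recorded alongside the premise, tactics tagged with a social power) built in. It is my code, not the article’s spreadsheet and not NIST’s. The cue names are paraphrased from my reading of the NIST paper; the cue-count bands, the 0/2/4 element ratings with their band thresholds, the reverse scoring of the “prior training/exposure” element and the difficulty matrix are my recollection of NIST’s tables and should be checked against the publication before use. The tactic-to-social-power mapping is illustrative and my own; the example email is constructed.

```python
from dataclasses import dataclass, field

# --- Phish Scale parameters, from my reading of the NIST paper (verify before use) ---
FEW_CUES_MAX, SOME_CUES_MAX = 8, 14           # 1-8 few, 9-14 some, 15+ many
PREMISE_ELEMENTS = ("mimics workplace process", "workplace relevance",
                    "aligns with events", "concern over consequences",
                    "prior training/exposure")
VALID_RATINGS = (0, 2, 4)                     # not at all / somewhat / very applicable
PREMISE_LOW_MAX, PREMISE_MEDIUM_MAX = 10, 17  # 0-10 low, 11-17 medium, 18-20 high
# Assumed reverse-scored: prior targeted training on the premise makes the email
# easier to spot, so a high rating here lowers alignment.
REVERSE_SCORED = {"prior training/exposure"}
DIFFICULTY = {  # (cue band, premise band) -> detection difficulty
    ("few", "low"): "moderately difficult", ("few", "medium"): "very difficult",
    ("few", "high"): "very difficult",
    ("some", "low"): "moderately difficult", ("some", "medium"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("many", "low"): "least difficult", ("many", "medium"): "moderately difficult",
    ("many", "high"): "moderately difficult",
}

# Cues the article proposes adding to the "language and content" category.
ADDED_CUES = {"unfamiliar tone", "overly vague", "unusual request"}

# Article's refinement: tag persuasion tactics with one of French & Raven's six bases
# of social power. Illustrative mapping, my own rather than the article's.
SOCIAL_POWER = {
    "poses as authority figure": "legitimate", "mimics work process": "legitimate",
    "poses as colleague": "referent", "humanitarian appeal": "referent",
    "too good to be true": "reward", "limited time offer": "coercive",
    "threatening language": "coercive", "technical jargon": "expert",
    "shares insider detail": "informational",
}


@dataclass
class PhishAssessment:
    subject: str
    cues: list                 # cues visible in the email (names as free text)
    premise: dict              # premise element -> rating in VALID_RATINGS
    lures: list = field(default_factory=list)  # what tempts the reader (article's addition)

    def cue_band(self):
        n = len(self.cues)
        return "few" if n <= FEW_CUES_MAX else "some" if n <= SOME_CUES_MAX else "many"

    def premise_score(self):
        unknown = set(self.premise) - set(PREMISE_ELEMENTS)
        if unknown:
            raise ValueError(f"unknown premise element(s): {sorted(unknown)}")
        total = 0
        for element in PREMISE_ELEMENTS:
            rating = self.premise.get(element, 0)
            if rating not in VALID_RATINGS:
                raise ValueError(f"{element}: rating must be one of {VALID_RATINGS}")
            total += (4 - rating) if element in REVERSE_SCORED else rating
        return total

    def premise_band(self):
        s = self.premise_score()
        return "low" if s <= PREMISE_LOW_MAX else "medium" if s <= PREMISE_MEDIUM_MAX else "high"

    def difficulty(self):
        return DIFFICULTY[(self.cue_band(), self.premise_band())]

    def social_powers(self):
        return sorted({SOCIAL_POWER[c] for c in self.cues if c in SOCIAL_POWER})

    def report(self):
        """One spreadsheet-style row per assessed email."""
        return {"subject": self.subject, "cues": len(self.cues), "cue_band": self.cue_band(),
                "premise_score": self.premise_score(), "premise_band": self.premise_band(),
                "difficulty": self.difficulty(), "lures": list(self.lures),
                "social_power": self.social_powers(),
                "added_cues": sorted(ADDED_CUES & set(self.cues))}


# Constructed example: a simulated password-expiry email sent to an organisation that
# really uses the named SSO product. Few cues, strong premise alignment, no prior training.
EXAMPLE = PhishAssessment(
    subject="Action required: your SSO password expires today",
    cues=["generic greeting", "sense of urgency", "poses as authority figure",
          "sender display name/address mismatch", "unusual request"],
    premise={"mimics workplace process": 4, "workplace relevance": 4, "aligns with events": 2,
             "concern over consequences": 4, "prior training/exposure": 0},
    lures=["password expiry", "loss of account access"],
)

if __name__ == "__main__":
    print(EXAMPLE.report())
```

Because the premise ratings are organisation-specific, the same email scored by two organisations can land in different difficulty bands, which is exactly the benchmarking problem described above; keeping the lures and social-power tags in the same row lets you later join the score to per-person outcomes and see which lures a given individual fails on at which difficulty.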
Summary
The NIST Phish Scale method has helped me to fill a gap in understanding people-related vulnerabilities. It can be applied both to test phishing campaign emails and to genuine phishing emails. By combining your existing indicators with those from the Phish Scale method, you can build actionable intelligence that enhances the security capability of staff in your organisation.