"That's off Limits," Said No Attacker Ever…

Written by Gary DeMercurio of Caliber Security Partners, reposted from LinkedIn

Out of 1,000 employees, statistically, 162 of them will allow an attacker into your company.

About a week ago, someone suggested that certain things should be off-limits in phishing: that if your company "lies" in a phishing exercise and promises things to your employees (such as a gift card if they sign up and enter their credentials here), that is unethical. The consultant continued that this behavior would eventually erode the trust between the employees and the company, as an employee who fell for the phish was essentially being punished by having to take computer-based training again (see positive punishment below). I commented on the subject, but wanted to take some time and take a deeper dive here in an article that isn't limited in space, as, believe it or not, there is a lot to unpack.

"Said no attacker ever" is a phrase many of you will have heard at some point in your career. It is typically preached by red teamers or offensive security when constraints are placed on them for what is supposed to be a "realistic attack". If you haven't heard this term, give it some time; you will. The idea here is this: the entire point of having an offensive security team is to mimic a real external threat. It is offensive security's job to protect an entity by attacking that entity the way a real-life malicious attacker would. Offensive security thinks differently; they are malicious, and they have an on/off switch that allows them to turn into an utterly remorseless "evil" person and come up with vile ways to trick, break, hack, ruin, and/or insert anything else you can come up with here. After they find the attack vectors that work, that switch turns off, and the offensive security team works with the blue team to help implement whatever changes will ultimately help said entity mitigate those attacks. This is literally the job of your offensive security team. Yes, many times there is going to be a scope, and many times they will be limited in what they should, can, and will test due to a specific requirement. However, when it comes to "real world threats", your offensive security team should not be constrained, as a real-world attacker is, guess what? You got it, not constrained.

The constraints placed on your offensive security team don't allow them to pivot, and they don't give you or your company, government, etc. a realistic idea of 1. your security posture, and 2. what an actual attacker could possibly do or succeed in doing.

Sidebar about TTPs (Tactics, Techniques, and Procedures) and the MITRE ATT&CK framework. Certain governments in the world require companies to use OSINT to determine the most likely TTPs of whoever someone believes is the company's most likely attacker, and then constrain the offensive security team to ONLY that attack surface as outlined in the MITRE ATT&CK framework. I can and will write an entire article on why this is probably one of the WORST methods I have ever seen implemented in my life, not to mention that the MITRE ATT&CK framework is tied to a company that sells services. Yes, many people contribute to it, but think about this for a minute. As an attacker, if your company uses a framework that is posted online, why would I not look for attacks that aren't present in it and simply do those? Before you retort, please show me where plugging into your drop inside your company through physical compromise is located under "initial access". It's not, nor will it be, as I have reached out to them and suggested physical be included, and was simply told that's not what this is for. So we have a framework that is missing a foundational piece of security (among many other things), and that is what some governments use for an attack framework? Because, as an attacker, I will make sure I stick to your framework when attacking your company, right?

And now, back to phishing! Once again, social engineering is the #1 WAY an attacker compromises a company (or a company gets compromised, however you want to look at it). By not allowing the teams sending the phish to use an actual attacker's methods, you are doing, or not doing, a plethora of things:

  1. Staying Ahead of Attackers - Hamstringing the team doing the phish makes their job more difficult, as they are more worried about what is "allowed" than about what is in the "wild".

  2. Realistic Simulations - Not allowing your employees to see what is common, or what is currently being used by real threats.

  3. Measuring True Preparedness - Not actively testing your company's defensive posture. A phish should test the people, policies, and procedures. Many companies miss out on this great opportunity every time they send a phish and only worry about whether someone clicks; those are missed opportunities to be better.

  4. Legal and Compliance Readiness - In the event of actual phishing attacks, companies might face legal and compliance issues. Imagine if "HR" phishing was deemed off-limits, and during the investigation it shows your employees clicked on an HR phishing email from a real-world attacker. How good will that look, knowing that your company didn't "allow" that type of phishing, when in reality it was the exact thing you should have been training for?

How do we fix it all? Well, if I knew a 100% cure-all, I'd sell it and retire a wealthy person! I can, however, share what I have seen work countless times, reducing the click through rates of your company significantly.

  1. Get an offensive security team - Allow your offensive security team to perform phishing; if you don't have one, hire someone to do this for you. Your blue team is great at blue teaming, but they won't have thousands of phish against hundreds of different companies globally under their belt.

  2. Allow that offensive security team to use what is current - There is some excellent data available about what types of attacks are being used, what malware is being used, and what the most likely attack is for your size and type of business. Ultimately, however, that red team should be able to decide what they think is the best attack vector; they are professionals. Allow them to do their job.

  3. Test People, Policies, and Procedures - Defense against social engineering and corporate espionage is as much about having solid policies and procedures as it is about ensuring your employees stick to them. What do your employees do when they see or suspect a phish? What is the reporting rate? If an employee doesn't report a phish, is it because they chose not to follow protocol? Is it because they didn't know it was a phish, or simply didn't click on it? Did it not hit the inbox? Was your defense successful in keeping it away from them? Unless you take the threat seriously and ask yourself these and many more questions, your company will stagnate and never improve.

  4. Train local SMEs and make them accountable - If your director has 20 direct reports, with two managers under them, then those managers, along with the director, should be VERY well versed in spotting a phish. If someone who reports to them fails, those SMEs should sit down, figure out why, and take time with that person to explain why it's important, what they did wrong, and how to fix it. At the end of the phishing campaign, those managers and that director, all the way up, should be held accountable for anything their employees did or failed to do. This accountability and personal touch works FAR, FAR better than any other training I have seen. It also makes your employees keenly aware of how seriously the company views security, while investing in that employee on a personal level with in-person training, feedback, and support.

  5. Computer-based training (CBT) after someone clicks is garbage; get rid of it - Please show me one employee who clicked on a phishing link, was met with "This was a phish, you failed," took the training, and thought, "WOW, I better take this seriously and really buckle down!" That employee is busy, that employee is now aggravated, and that employee is now clicking through that CBT as fast as possible to get back to work.

  6. Try positive reinforcement; it works - Reward people for doing well. That gift card we talked about in the beginning? Offer it to your employees if they report every phish they see for the quarter. Give them a reason other than the fear of doing CBT if they don't. One of the most successful turnarounds I have ever seen in a company's security posture was when they implemented a "game". We suggested they have family and friends walk throughout the facility and wait until someone approached them. If an employee approached them and went through the proper policy and procedure with that person, that employee won the "golden ticket" on the spot. The ticket was a $100 gift card, a day off, or whatever the company decided to give out. The instant reward was fantastic, but the story is what makes this so powerful. "Did you see Sharon won the golden ticket yesterday?" "Oh really? Let's go ask her what happened!" Pretty soon, the story becomes the training that EVERYONE suddenly learns without having to take a CBT. They learn what happened and how Sharon handled it, and see a reward at the end for a job well done. This works in a very similar way for phishing.
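As an added example (not part of the original article), here is a small Python script that turns the questions in point 3 above into numbers: for a constructed set of campaign results it computes how many emails were blocked before the inbox, how many were opened, clicked, and reported, how many reports came from people who did not click, and how many "silent" footholds (clicked, never reported) remain, and it carries through the headcount arithmetic behind the 162-of-1,000 figure. All names and sample values are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipient:
    """One person's outcome in a simulated phishing campaign (constructed)."""
    delivered: bool  # reached the inbox, or was it stopped by the mail defenses?
    opened: bool
    clicked: bool    # clicked the link or downloaded the attachment
    reported: bool   # followed the phish-reporting procedure


def campaign_metrics(recipients):
    """Funnel and reporting metrics for one campaign, as ratios and counts."""
    def rate(part, whole):
        return len(part) / len(whole) if whole else 0.0
    blocked = [r for r in recipients if not r.delivered]
    delivered = [r for r in recipients if r.delivered]
    opened = [r for r in delivered if r.opened]
    clicked = [r for r in opened if r.clicked]
    reported = [r for r in delivered if r.reported]
    return {
        "blocked_rate": rate(blocked, recipients),   # was the defense successful?
        "open_rate": rate(opened, delivered),
        "click_rate_if_opened": rate(clicked, opened),
        "report_rate": rate(reported, delivered),    # the reporting rate
        "reported_without_clicking": rate([r for r in reported if not r.clicked], reported),
        "footholds": len(clicked),                   # the attacker now has a way in
        "silent_footholds": len([r for r in clicked if not r.reported]),  # and nobody knows
    }


def expected_footholds(employees, p_open, p_click_given_open):
    """The article's arithmetic: headcount x P(open) x P(click | opened), whole people."""
    return int(employees * p_open * p_click_given_open)


def constructed_campaign():
    """Constructed outcomes for a 20-person test; not real campaign data."""
    R = Recipient
    return (
        [R(False, False, False, False)] * 4   # stopped before the inbox
        + [R(True, False, False, True)] * 2   # reported from the preview, never opened
        + [R(True, False, False, False)] * 6  # ignored it
        + [R(True, True, False, True)]        # opened, spotted it, reported
        + [R(True, True, False, False)] * 2   # opened, did nothing
        + [R(True, True, True, True)]         # clicked, then reported: recoverable
        + [R(True, True, True, False)] * 4    # clicked and said nothing
    )


if __name__ == "__main__":
    for name, value in campaign_metrics(constructed_campaign()).items():
        print(f"{name}: {value}")
    print("expected footholds in a 1000-person company:", expected_footholds(1000, 0.25, 0.65))
```

The "silent_footholds" count is the number the article's point 3 is really about: a click that is also reported can be contained, while a click nobody mentions is the one that becomes an incident.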

The industry relies on negative reinforcement and what is called "positive punishment" (adding something unpleasant to decrease a behavior; in this case, CBT to reduce click-through) for phishing: if you fail, something unfavorable happens to you; if you succeed, there is simply an absence of the unfavorable thing (negative reinforcement). In the examples above, you are using both: positive reinforcement (a reward for reporting all of your phish for the quarter), and, if you fail, replacing the negative reinforcement with an actual person who is invested in you doing well, who remediates you, and who has "skin in the game" for you to succeed.

I have seen implementing the strategy above do wonders for companies. I have also yet to see a company implement this and regress. From a mom-and-pop shop to Fortune 500 companies, this works.

This isn't a fix-all; you still need to ensure you remove the ability to put clickable links in your emails. You still need to ensure you have anti-phishing measures in place via hardware or software for your company. In the end, an attacker WILL eventually get through, and you need to ensure your employees are properly trained and that you have given them the best chance to succeed. Most of the time when an employee fails, it's due to poor training, even poorer testing, and a lack of accountability in the company.

I'll leave you with statistics my company has collected over the last ten years. Your employee has roughly a 25% chance of opening an email an attacker sends if it lands in their inbox. If that email is opened, there is a 65% chance they will click on or download something malicious. In a company of 1000, that is 162 people who have just given an attacker a foothold into your company. Defense against social engineering and corporate espionage is, and should be, your company's most significant concern.

Why Caliber Security Partners?

Caliber Security is a twelve-year-old security services firm; we hire only senior-level and experienced consultants. Our services include web and mobile application security testing, as well as network penetration testing, wireless security testing, social engineering, staff augmentation, and contract-to-hire services.

Please reach out to us if you have any questions or if we can be of any service to you. You can contact us through the web form or by email at info@calibersecurity.com.
