Ethics and Social Engineering Exercises

Published 2022-04-19 at https://zed.inguardians.com/blog/ethics-and-social-engineering-exercises/
Security professionals often find themselves tasked with performing different social engineering exercises. Whether overseeing these projects for our organization or executing them for another, many considerations go into every exercise. What is the goal? Who will be targeted? What are our tactics? However, the most critical question is how to perform these exercises ethically, causing the least harm while creating the most value for everyone involved.
We often see effective phishing attacks performed by real threat actors that make significant, empty promises: charitable donation requests, the promise of money or benefits, and even promotions. We also often see outright threats, such as blackmail or the threat of employment termination.
As security professionals, our goal is to help our organization or clients measure their security posture and provide actionable improvements. Social engineering is certainly a very real, very effective threat constantly leveled at organizations and individuals. Many experts consider social engineering to be an area that requires testing and education, and rightly so. Far too often, however, we strive for an absurd level of realism that overrides, and sometimes outright undermines, the end goal: making the organization more secure.
"Attackers send these sorts of emails, so why can't we?"
When we conduct phishing exercises that make dangerous promises we cannot or will not make good on, we do more harm than good. We create a gap between the security team and the staff who will be targeted, fostering distrust or even outright hostility between users and security staff. Our goal is to improve the security posture, educate users, and identify and fill the gaps in defenses. Promising staff additional money, free COVID tests, or work-at-home opportunities may be realistic. It shows whether employees are susceptible to these lures and may identify training needs. However, it also signals to the targeted staff that security does not care about their well-being.
We're far better off using tamer scenarios that illustrate the technical and procedural "tells" of a realistic phishing attack without using emotional tools that can cause unnecessary damage. For example, consider the following general pretexts.
Users will want to click these links (or feel they need to) but will not feel particularly betrayed should they click on them and discover it's a phishing exercise. Furthermore, if the training material points out all the tells in that phishing email immediately (or as soon as is feasible for the exercise), they'll feel better equipped for future attacks.
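As an added example, not part of the original post: the following Python script illustrates the technical tells a debrief can point out in an exercise email, run over two constructed messages (one exercise phish, one legitimate notice). It assumes the organization's domain is example.com and uses its own invented tell names; the crude registrable-domain logic and the urgency keyword list are stand-ins for proper tooling, not anything the post describes.

```python
"""Flag the technical "tells" in a phishing exercise email.

Added example, not code from the original post. It parses a constructed
RFC 5322 message and reports the indicators a post-exercise debrief would
point out. Assumptions (this example's own): the defended organization
owns example.com; tell names and the urgency keyword list are invented.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed legitimate domain of the organization
URGENCY = ("immediately", "within 24 hours", "suspended", "final notice")


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels). Fine for a demo; real
    tooling should use the Public Suffix List (co.uk etc. break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme ('www.x.com/y')."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return urlparse(url).hostname or ""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_tells(raw_message: str) -> list:
    """Return the tell names found in the message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    tells = []

    def add(tell):
        if tell not in tells:
            tells.append(tell)

    # Header tells: sender domain, display-name impersonation, Reply-To, auth.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    if from_dom != ORG_DOMAIN:
        add("from-domain-external")
        if ORG_DOMAIN.split(".")[0] in name.lower():
            add("display-name-impersonation")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if "@" in reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != from_dom:
        add("reply-to-mismatch")
    auth = msg.get("Authentication-Results")
    if auth is None:
        add("no-authentication-results")
    elif re.search(r"\b(spf|dkim|dmarc)=fail\b", str(auth), re.I):
        add("auth-fail")

    # Body tells: link text vs. real target, lookalike domains, urgency.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    parser = _Links()
    parser.feed(content)
    for href, text in parser.links:
        host = _host_of(href)
        if re.match(r"^(https?://|www\.)\S+$", text, re.I):
            if registrable(_host_of(text)) != registrable(host):
                add("link-text-mismatch")
        if ORG_DOMAIN in host and registrable(host) != ORG_DOMAIN:
            add("lookalike-domain")
    plain = re.sub(r"<[^>]+>", " ", content).lower()
    if any(k in plain for k in URGENCY):
        add("urgency-language")
    return tells


# Constructed exercise phish: every tell is technical, no emotional lure.
SAMPLE_PHISH = """\
From: "Example Corp IT Helpdesk" <helpdesk@example-corp-support.net>
Reply-To: tickets@mail-relay.biz
To: jdoe@example.com
Subject: Password expiry: action required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-corp-support.net; dkim=none
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it immediately to avoid being suspended:</p>
<p><a href="https://example.com.password-reset.net/login">https://example.com/reset</a></p></body></html>
"""

# Constructed legitimate notice for comparison.
SAMPLE_LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
To: jdoe@example.com
Subject: Monthly maintenance window
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are on the <a href="https://intranet.example.com/maint">intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    print("phish:", find_tells(SAMPLE_PHISH))
    print("legit:", find_tells(SAMPLE_LEGIT))
```

Running it reports seven tells for the constructed phish and none for the legitimate notice. The point for exercise design is that every one of those indicators, the external sender domain, the mismatched Reply-To, the failed SPF check, the link whose visible text does not match its target, and the lookalike domain, is present without any emotional lure; those are what the debrief should teach, not the bait.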
Better Security

When a phishing attack bypasses email-focused security systems, such as filters or sandboxes, and lands in an employee's inbox, the window for alerting is short. The target either recognizes it as a phish and raises an alert, or they click the link, open the attachment, or send a response. Maybe another system flags those actions and generates an alert, or maybe not. The only remaining chance for a quick response is for that employee, that person, to warn the organization.

The most successful response to a well-crafted, well-executed phishing attack stems from an employee noticing the problem and manually raising a red flag. If employees do not trust the security department, or if there is no strong working relationship, there is no motivation to sound the alarm. Things are further complicated when employees fall for the phish: fear of punishment or employer retaliation may lead them to stay silent and continue with their work as if nothing had happened. Without the support of employees, reliance shifts to another system further down the line.

As security professionals, it is imperative that we foster that trust and working relationship. Users are not the enemy of a security team; they are one of its greatest assets. They know the work they must do and what they need to do it efficiently; they will notice things that IDS systems and SOC staff may overlook. They know about "shadow IT" and the workarounds staff use to do their jobs despite security measures. They may have suggestions on how to balance efficiency and security effectively.

As a CISO, security department staff member, or manager, your primary responsibility is typically to ensure the security of your organization, its systems, its data, and its people. When performing these phishing exercises, internally or with a third-party consultant or service, make sure you are reading in the appropriate members of your team. Consider bringing in legal and HR teams to review potential scenarios, and always review scenarios before letting your team or third-party vendor begin the exercise. If your organization has an internal "security council" made up of staff members, consider reading them in as well; they may point out issues and concerns that other parties would have missed.

Furthermore, consider the current shifts and needs of your organization. If it is the annual time for employees to sign updated policies, and the proposed scenario involves tricking employees into clicking a link to "sign the updated employee handbook," it may make users wary of following through on the actual, necessary signing of documents. Reviewing scenarios against the business calendar has the additional benefit of revealing legitimate business processes that resemble phishing attacks, providing an opportunity to change those processes and make social engineering attacks more difficult.

Finally, remember that it is the job of the security team and the systems in place to prevent successful attacks from reaching users. Staff education on identifying social engineering attacks and responding appropriately should continue, but design systems on the assumption that some social engineering attacks will succeed. When users fall victim to a social engineering attack, provide education in place of punishment. That user now has hard-won experience and can be an invaluable asset in the future.

Better Consulting

As a security consultant, fortifying the client is my top priority. I work with some clients annually or even quarterly. I take time to learn their systems, their concerns, and their business; obtaining that crucial information helps me be a better consultant to them, leveraging my expertise and their knowledge of their organization to have the most positive impact possible. The more I work with the client, the more valuable I become to them. I'd rather have a simple social engineering engagement every year for five years than one engagement where I "win" with a realistic but unethical phishing email that ends with the client not wanting to work with me again.

When designing phishing scenarios, consider the potential consequences. Have another member of your team review the scenario and provide feedback, have the client sign off on the scenario, and have them bring in an executive, HR, and perhaps even legal to give their sign-off. If they have an internal "security council" of end users, have them share their opinions. Avoiding a potential disaster is worth reading three or four more people into the exercise.

Will the target of the phishing scenario feel betrayed? Will they feel that you have broken a promise? Will they be inclined to share the phish on social media? Will your phish have long-term negative impacts on the organization's operational effectiveness? Consider all of these factors when designing and executing a phishing scenario.

Since the beginning of the COVID-19 pandemic, reports of organizations conducting tone-deaf or outright unethical pandemic-related phishing exercises have been regular. The results are severe negative publicity, potentially lost profits, and more. Targeted staff may seek "greener pastures" at organizations that will not play with their emotions. Those who stay will not trust the security team or the organization the way they did before, and that may cost crucial time in responding to genuine social engineering attacks.

I have had clients tell me that the choices made by previous phishing organizations led them to drop that vendor. Once the damage is done, it is rather hard to undo.

TL;DR

When designing social engineering scenarios for a phishing exercise, consider the long-term impact; remember that a more secure organization is the goal, not realism.

Written by Ray Ancel, Senior Security Consultant