How to prepare for an effective phishing attack simulation


Over the past year, SMEs have become much better at responding to vulnerabilities and zero-days. As a result, instead of attacking through the operating system, attackers have shifted their targets to remote management tools and outside consultants, and above all to the users themselves, through phishing attacks.

Companies have responded in turn by trying to 'patch the human' with phishing simulations. However, phishing simulations are often ineffective and, in many cases, unethical. Recently, GoDaddy sent a phishing simulation to more than 7,000 employees. The email asked employees to enter personal information to receive a $650 Christmas bonus from the company, and nearly 500 employees took the bait.

The simulation drew public criticism, and its content was also faulted for being insensitive to the economic hardship of the pandemic. In the end, GoDaddy apologized to its staff for a test process they had not understood.

Staff training helps keep systems safe, but phishing bait needs to take outside circumstances into account, and the design focus should be on training staff, not shaming them. If employees fail the test, it means the company has failed to train and protect them. Effective education is a continuous reinforcement technique, not a headline-grabbing event that triggers an incident.

Phishing simulation campaigns cannot work without properly preparing users. Before testing your staff, consider what you have to teach or provide.

Explain the attacker's techniques and motivation

Before running tests, educate users about how attackers target them using specific topics and behaviors. Attackers know what information people want. For example, from early 2020 attackers began using COVID-19-themed phishing bait, impersonating WHO information or offering personal protective equipment.

Afterward, attackers shifted their tactics to other major events, such as the Black Lives Matter (BLM) demonstrations. As the election approached, the phishing bait changed accordingly. Teach users to be aware of news that could be used as bait, and not to trust news in email links or visit sites that offer such news.

Strong password training

Explain how attackers use news like this to trick users into entering credentials, and what password policies are in place to deal with it.

Credential management is now close to a tipping point. The long-standing standard process for protecting credentials was to change them frequently. This leads to password fatigue and to the practice of making only slight changes, such as appending characters to the existing password. Today, passwordless technologies and two-factor authentication are used to further protect accounts. Make sure users understand the background of these changes.
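The "slight change" habit described above is easy to catch at password-change time. The following is an added example, not code from the original article: a check that compares a proposed new password against the old one and rejects trivial edits (same password in different case, a few edits apart, only the trailing digits or symbols changed, or one password contained in the other). The edit-distance threshold and the trailing-character set are assumptions you would tune to your own policy.

```python
# Added example (not from the original article): reject new passwords that are
# only a slight modification of the old one, the "password fatigue" pattern.
# The threshold MAX_EDITS and the TRAILING set are assumptions, not policy.

MAX_EDITS = 3
TRAILING = "0123456789!@#$%^&*.-_"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def trivial_change_reasons(old: str, new: str, max_edits: int = MAX_EDITS) -> list:
    """Return the reasons a change from old to new is too trivial (empty list = OK)."""
    reasons = []
    o, n = old.lower(), new.lower()
    if o == n:
        reasons.append("identical ignoring case")
    if levenshtein(o, n) <= max_edits:
        reasons.append(f"within {max_edits} edits of the old password")
    # Strip trailing digits/symbols: "Summer2020!" -> "Summer"
    core_old, core_new = o.rstrip(TRAILING), n.rstrip(TRAILING)
    if core_old and core_old == core_new:
        reasons.append("only trailing digits or symbols changed")
    if o in n or n in o:
        reasons.append("one password contains the other")
    return reasons


def check_password_change(old: str, new: str) -> bool:
    """True if the new password is an acceptable change from the old one."""
    return not trivial_change_reasons(old, new)


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials
    for old, new in [("Summer2020!", "Summer2021!"),
                     ("Password1", "Password12"),
                     ("Summer2020!", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {trivial_change_reasons(old, new) or 'OK'}")
```

A real policy would combine this with a minimum length and a breached-password list; the point here is only that "change it frequently" produces predictable edits that a policy check can see, which is part of why the text says the industry is moving to two-factor and passwordless authentication.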

Provide trusted links

Teach users to use a collection of trusted links rather than clicking links in emails. For example, a user who receives an email asking them to change their network password should know to use a trusted link, not the link in the email.

Likewise, administrators should have a trusted management workstation. As a network administrator who needs to open a number of Microsoft administration links, I currently bookmark the links to the various administration portals. On administrator workstations, these links should only be opened from trusted locations. The same is true for PowerShell and other scripting solutions: use a workstation that is hardened and dedicated to that function, or access it remotely.

Explain how to identify malicious links

Educate users to visit only links that start with HTTPS, not unprotected sites that start with HTTP. Checking whether a site's SSL certificate is appropriate and chains to an appropriate root certificate is difficult even for experts. The best you can do is educate users to check that the sites they visit have a site certificate and show the padlock symbol. Alternatively, you can enforce SSL with a browser tool.

Educate users to hover the mouse cursor over a link before clicking it. Even if link filtering is enabled in your email software or firewall, users still need to know how to check the links in an email. For example, users need to know the IT department's review process for suspicious email and know to forward such emails for review.
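The hover check above, the trusted-link collection from the previous section, and the HTTPS rule can all be turned into a review script for the IT team that receives forwarded emails. The following is an added example, not code from the original article: it extracts every anchor from an HTML email body, then flags links that use plain HTTP, links whose visible text shows one host while the `href` goes to another (what the user would see when hovering), and links whose host is not in the organisation's trusted link collection. The `TRUSTED_HOSTS` set and the sample email are constructed for the example; the `.invalid` domain is a reserved placeholder, not a real site.

```python
# Added example (not from the original article): triage links in a forwarded
# HTML email the way a user hovering over them would, plus an allowlist check.
# TRUSTED_HOSTS and SAMPLE_EMAIL_HTML are constructed assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the organisation's collection of trusted portal hosts
TRUSTED_HOSTS = {"portal.example.com", "sso.example.com"}

# Constructed sample: one lookalike link, one legitimate link
SAMPLE_EMAIL_HTML = """
<p>Your network password expires today.</p>
<a href="http://portal.example.com.reset-login.invalid/reset">https://portal.example.com/reset</a>
<a href="https://sso.example.com/change-password">Change password</a>
"""

LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; text without a scheme is treated as https://text."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def is_trusted(host: str, trusted=TRUSTED_HOSTS) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess_link(href: str, text: str, trusted=TRUSTED_HOSTS) -> list:
    """Return a list of findings for one link (empty list = nothing to flag)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        findings.append("plain HTTP link, not HTTPS")
    # The visible text looks like a URL but points somewhere else: hover mismatch
    if LOOKS_LIKE_URL.match(text) and host_of(text) != host:
        findings.append(f"text shows {host_of(text)} but link goes to {host}")
    if not is_trusted(host, trusted):
        findings.append(f"{host} is not in the trusted link collection")
    return findings


def analyze_email(html: str, trusted=TRUSTED_HOSTS) -> list:
    """Return [(href, text, findings), ...] for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in analyze_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for f in findings:
            print("   !", f)
```

Running it on the constructed sample flags the first link three times (HTTP, hover mismatch, untrusted host) and passes the second, which is the outcome the hover lesson is meant to produce in a user's head before they click.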

Run random simulated phishing attacks on a regular basis, but use them for education, not reprimands. If your business is licensed for Microsoft Defender for Office 365 Plan 2, you can run attack tests with the Attack Simulator in the Security & Compliance Center.
