
Building a Phishing Program

Phishing is a significant compromise vector for all companies in all industries.  At the Mining and Metals ISAC annual conference in November, we discussed phishing, and with input from our members and some great feedback from Chris Roberts and Cherie Burgett, we have prepared some guidelines for developing a strong phishing response program.

Executed well, a phishing program will not only educate and prepare users to recognize and respond to a phishing email, vishing call or other social engineering attack, but will provide an effective vehicle to build trust and connection with the company.  A good phishing program will also enable a fast, ideally automated response when a user does make a mistake, because it starts from a simple truth: humans make mistakes, users are human, and users will click on things.

What a phishing program should never do is peddle fear.  Users should not be led to believe that one mistake on their part will bring down the entire company, cost millions of dollars and thousands of jobs.  It should also never attempt to trick, fool, or otherwise try to "catch" users.  Trusted relationships are never formed on fear, or by making a person feel foolish or tricked.  As an aside, if the reality of your environment is that one click could be the end of your company, that is not a problem with your users.  The lack of resilience is a security issue, not a user issue.

So, what does good look like?  I will break it down into two phases: the education/awareness side and the phishing response side.

User Education

Users should receive recurring training on recognizing and responding to the various forms of phishing: what to do when they receive one, and, more critically, what to do if they fall for a scam.

Ideally, the training should be:

  • Short – aim to consume 3-5 minutes of your users' time rather than a 30- to 60-minute online training module.  Layer short, engaging chunks of content.
  • Focused on reporting – users should be encouraged to report phishing emails through an easy-to-use mechanism, such as a report button in the mail client.
  • Positive – no fear-mongering, no threats; keep the tone light and positive.
  • Transparent about simulations – tell your users that you are running phishing simulations, how you are doing it and when.  The goal is to reinforce the training, not to "catch" your users.  The measure of success is not a lower click rate; it is a higher report rate.
  • Rewarding – when users report, especially after they click, the response should be positive.  A hearty thank-you, points in a gamified contest, challenge coins, coffee: whatever you do, reward the reporter.

Phishing Response

When your detection technology or a user report triggers the response, time is of the essence; focus now needs to be on containment at both the computer and identity levels, and on getting the user back to work.  Ideally, much of this work can and should be automated, under the assumption of a compromise.  What actions should your automated playbook take?

1. Contain the device – use your endpoint software to isolate the device in question from the network.

2. Contain and reset impacted identities – reset credentials and/or lower the trust level on every account active on the affected device so that stricter conditional access policies are triggered (for example, revoking active sessions and requiring fresh MFA).

3. Reset the device to a known good state – with centralized document storage and folder redirection, combined with tooling for a rapid reset of the affected endpoint, you should aim to have the user running in a known good state within 10-15 minutes.

4. Identify other users who received the same email (where your mail platform makes this available) and remove it from their inboxes.

All of these steps can be automated, will deal with most phishing incidents, and do not require the use of AI.  The further actions below may be automated or AI-assisted, depending on your capabilities.

5. Review the forensic packages available from the endpoint for any evidence of malware execution or lateral movement.

6. Review the activity of in-scope identities for anything unusual (new sign-in locations, mailbox rules, consent grants, token reuse).

7. Keep impacted identities under increased scrutiny for a period after the incident.

8. Most importantly, share the email and any investigative findings with your ISAC to help protect your sector.  You are unlikely to be the only one to receive this campaign.
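Steps 4 and 8 above both start from the same artifact, the reported message, so here is one added example (not MM-ISAC's code or any vendor's tooling) that triages a reported .eml with the Python standard library: it extracts the campaign indicators (sender, reply-to, Message-ID, URLs, attachment hashes), matches them against a mail-gateway delivery log to build the list of other recipients whose inboxes need the message pulled, and defangs the URLs for the ISAC share-out. The sample message and the delivery-log records are constructed for this example, and the log's field names are an assumption; a real playbook would feed the resulting recipient list to the mail platform's purge API.

```python
"""Triage a reported phishing e-mail and find everyone else who received it.

Added example for the response playbook (not the author's or a vendor's code).
The sample message and delivery-log records below are constructed; the log
field names (recipient, sender, subject, message_id) are an assumption.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: the message a user reported via the report button.
REPORTED_EML = b"""\
From: "Payroll Team" <payroll@example-payro11.com>
Reply-To: hr-desk@mailer.example.net
To: a.user@example.com
Subject: Action required: confirm your direct deposit
Message-ID: <20240301.8821@mailer.example.net>
Date: Fri, 01 Mar 2024 08:12:44 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your deposit is on hold. Confirm at
<a href="https://example-payro11.com/confirm?u=a.user">the payroll portal</a>
before 5pm.</body></html>
--b1
Content-Type: application/pdf; name="Deposit_Form.pdf"
Content-Disposition: attachment; filename="Deposit_Form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJWZha2U=
--b1--
"""

# Constructed sample: mail-gateway delivery log, one record per delivered message.
LURE = "Action required: confirm your direct deposit"
DELIVERY_LOG = [
    {"recipient": "a.user@example.com", "sender": "payroll@example-payro11.com",
     "subject": LURE, "message_id": "<20240301.8821@mailer.example.net>"},
    {"recipient": "b.user@example.com", "sender": "payroll@example-payro11.com",
     "subject": LURE, "message_id": "<20240301.8822@mailer.example.net>"},
    {"recipient": "c.user@example.com", "sender": "payroll@example-payro11.com",
     "subject": LURE, "message_id": "<20240301.8823@mailer.example.net>"},
    # Legitimate internal mail that must NOT be swept up in the purge.
    {"recipient": "d.user@example.com", "sender": "payroll@example.com",
     "subject": "March payslips available", "message_id": "<real-1@example.com>"},
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_indicators(raw: bytes) -> dict:
    """Pull campaign indicators out of a reported message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reply_to = str(msg["Reply-To"]) if msg["Reply-To"] else None
    indicators = {
        "message_id": str(msg["Message-ID"]),
        "from": parseaddr(str(msg["From"]))[1].lower(),
        "reply_to": parseaddr(reply_to)[1].lower() if reply_to else None,
        "subject": str(msg["Subject"]),
        "urls": set(),
        "attachments": {},  # filename -> sha256 of the decoded bytes
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; the leaves carry the content
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            indicators["attachments"][part.get_filename()] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            indicators["urls"].update(URL_RE.findall(part.get_content()))
    return indicators


def find_campaign_recipients(indicators: dict, log: list) -> set:
    """Return every recipient of the same campaign.

    Message-ID alone is not enough: bulk senders mint a fresh ID per
    recipient, so also match on sender address plus subject line.
    """
    hits = set()
    for entry in log:
        same_id = entry["message_id"] == indicators["message_id"]
        same_lure = (entry["sender"].lower() == indicators["from"]
                     and entry["subject"] == indicators["subject"])
        if same_id or same_lure:
            hits.add(entry["recipient"])
    return hits


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket or an ISAC share."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def build_purge_list(raw: bytes, log: list) -> dict:
    """Step 4 output (who to purge) plus step 8 output (what to share)."""
    ind = extract_indicators(raw)
    return {
        "purge_from": sorted(find_campaign_recipients(ind, log)),
        "share": {"from": ind["from"], "reply_to": ind["reply_to"],
                  "urls": sorted(defang(u) for u in ind["urls"]),
                  "attachments": ind["attachments"]},
    }


if __name__ == "__main__":
    result = build_purge_list(REPORTED_EML, DELIVERY_LOG)
    print("Purge from:", ", ".join(result["purge_from"]))
    print("Share with ISAC:", result["share"])
```

The lookalike sender domain (example-payro11.com) and the mismatched Reply-To are exactly the kind of details worth including in the ISAC share; the internal payroll message in the constructed log shows why matching on sender plus subject, rather than subject alone, keeps legitimate mail out of the purge.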

Tying it all together

Wrapping up, you can’t educate your way out of this problem.  The quality of social engineering is only getting better, so we need to build a culture of trust with users across the company, as well as systems that assume a user will click on something that we all wish they would not have.

Good phishing programs take a positive approach with users, eliminating the fear-based training of old, meet users where they are, and focus as much or more on users reporting (particularly when they make a mistake).  From there, assume compromise and act quickly: contain the computer in question, return it and the affected identities to known good states, and get your users back to work.  Forensics can follow out of band, and potentially in aggregate, to look for trends or indicators of more extensive compromise.
