Spear Train to Fight Spear Phishing

by Roger A. Grimes

As KnowBe4’s data-driven defense evangelist and author of A Data-Driven Computer Security Defense, I’m all about a company using its own computer security data and experiences to drive specific, targeted mitigations. The ultimate goal is to put the right defenses in the right places in the right amounts against the right threats. It’s about filtering out the forest of noise to focus on the most likely threats.

For instance, instead of worrying about patching all 5,000 to 6,000 new vulnerabilities announced each year, year after year (that’s about 15/day), you should concentrate on the ones most likely to be exploited in your company. When you realize that less than 1% of publicly announced vulnerabilities ever get exploited “in the wild,” that your environment usually doesn’t even contain most of those, and that most of what you do have is never attacked, you can probably patch just a few software programs and eliminate the majority of vulnerability risk in your environment. Patching fewer programs is easier to accomplish than trying to patch all programs, and it makes it more likely that you’ll patch the smaller number of riskier programs well.

This sort of data-targeted thinking also applies to security awareness training. If I were looking for a catchy buzzword to encapsulate my thinking, I might call it “spear training,” just to be a little snarky about it. Here’s how you go about it.

How to Spear Train
Spear training is security awareness training with a little more focus on the needs of particular groups and other relevant user attributes.

Get a Starting Baseline
First, as with any security awareness training program, KnowBe4 recommends conducting a simulated phishing test against all users to find out which users, and how many, can currently be tricked into opening a simulated phishing email. We call this the “Phish-Prone Percentage™.” This starting baseline can be compared against future tests to see how successful your security awareness training program has been at educating users. It’s one of the few, and one of the easiest, ways to empirically measure the outcome of your IT security dollars and efforts.

Next, you need to get a good understanding of the types of social engineering and spear phishing that are currently being sent against your environment, especially the successful ones. You can do that by reviewing related help desk tickets, incident response databases, or by reviewing any phishing-specific databases you may have. You should be collecting these metrics anyway, and the longer period of time you have been collecting, the more accurate your spear training can be. Plus, you’ll be able to better see new phishing trends as they develop and grow.

KnowBe4 offers a free tool, Phish Alert Button, which works with Microsoft Outlook and Google Chrome G Suite Gmail. Once installed, when users are faced with a suspect phishing email, they can click on the phish report button, delete the email, and report the phish to a predefined email address. This allows administrators to be aware of the amount and types of phishing attacks that are being sent against their environment; plus, it helps to develop an employee culture that looks for suspicious emails. Pay particular attention to the different types of phishing attacks sent against different groups of people or over different times of the year.

Spear phishing isn’t going to be very successful if it isn’t communicated in the receiver’s default or expected language(s). Phishing emails usually have to be appropriate for the receiver’s language, dialect, and culture. I frequently travel to foreign places around the world, and after hooking up to different WiFi connection points, it’s not unusual for me to start getting spam and phishing attempts directed toward me in the foreign country’s native language. As a native English-speaker, I’ve quickly learned to ignore emails sent to me in Mandarin and Arabic.

Spear phishers know this, and they always make sure to send their rogue emails in the correct language(s) for their victim’s home location or expectation. It’s important to understand that not all recipients require or expect only their native language to be used. If an employee works for a foreign company or with a customer in a foreign country, it may be normal and expected for another language to be used. For that reason, many non-native English-speakers would not be turned off by getting a pure English-written email. In other countries, it might be suspicious, especially if the recipient doesn’t normally get emails in a non-native language.

KnowBe4 supports dozens of different languages and dialects. And simulated phishing tests can easily be configured to send in the recipient’s home language. Spear training must start with getting the expected language correct.

Next, be aware that phishers love to send group-specific spear phishing emails, which appear more realistic because of their relevancy to a particular group. For example, they might send requests for money transfers (what is known as CEO fraud phishing) to departments and groups normally involved in money transfers. They might send phishing emails about legal matters to your legal department. And it is a common ploy to send very specific, project-related phishing emails to members of a particular project team. The more specific the focus, the more likely the receivers are going to open and click on documents and links without questioning their legitimacy. It is the tradecraft of the spear phisher. When collecting data about your company’s real phishing, pay particular attention to the spear phishing emails that appear to “correctly” focus on a particular group with details relevant to that group.

KnowBe4’s services allow you to quickly import existing groups, manually create new groups, or even add new members to an existing group based upon how they performed in response to previous simulated phishing tests or training. One of our most commonly used automation methods is to automatically add users to the “Phish-Prone” group if they fail one or more phishing simulations. You can even add them to different groups, with target-specific or adaptive training based upon past actions. If you can think of a way to target training to a particular group or based upon a particular action to previous training, KnowBe4 can probably provide it.

If you see group-focused spear phishing emails, you definitely want to simulate those same types of emails to those same groups in your simulated phishing tests. Even if you don’t see group-focused spear phishing happening in real phishes, it’s good to test the group’s susceptibility to focused spear phishing and use spear training to beat the attacker before he/she can be successful. This is not to say that you should not send general, less group-focused simulated phishing tests to all groups. Everyone is more susceptible to some form of phishing that makes them put down their normal defenses. You won’t learn what those triggers are unless you try a broad range of simulated phishing tactics. Spear training just tells you to send some group-specific simulated spear phishes as well.

Times of the year may also play a part. For example, we know for sure that phishers will send more employee-related tax and payroll phishing emails in the few months just before taxes are due. Phishers love to send topic-related phishing emails pertaining to national holidays, national or company news, and during global disaster events.

If you are watching your identified spear phishing email subjects closely enough, you’ll quickly see trends for particular times of the year and current events. Conversely, you might see a new, more general phishing trend, for example, “Your payment was declined for Netflix,” simply because the spear phishing criminals have figured out that nearly everyone has a Netflix account, and abusing that pervasive relationship makes good financial sense for them.
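The data-driven steps above (a baseline Phish-Prone Percentage, automatically enrolling users who failed one or more simulations into a “Phish-Prone” group, and tallying reported phishes by group and by month to spot group-specific and seasonal themes) are easy to script against your own records. The following is an added illustration, not KnowBe4 code; the simulation results and reported-phish records are constructed sample data, and the field names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: one row per user per simulated phishing test.
# "clicked" is True when the user fell for the simulation.
SIM_RESULTS = [
    {"user": "ana", "group": "finance", "test": "2023-01-wire", "clicked": True},
    {"user": "ana", "group": "finance", "test": "2023-02-w2", "clicked": False},
    {"user": "bo", "group": "finance", "test": "2023-01-wire", "clicked": False},
    {"user": "bo", "group": "finance", "test": "2023-02-w2", "clicked": False},
    {"user": "cy", "group": "legal", "test": "2023-01-wire", "clicked": False},
    {"user": "cy", "group": "legal", "test": "2023-02-w2", "clicked": True},
    {"user": "di", "group": "legal", "test": "2023-01-wire", "clicked": False},
    {"user": "di", "group": "legal", "test": "2023-02-w2", "clicked": False},
]

# Constructed reported-phish records (e.g. from a phish-report mailbox or
# help desk tickets): (month, recipient group, theme as triaged by staff).
REPORTED = [
    ("2023-01", "finance", "wire transfer"),
    ("2023-01", "finance", "wire transfer"),
    ("2023-02", "finance", "payroll/tax"),
    ("2023-02", "finance", "payroll/tax"),
    ("2023-02", "legal", "subpoena"),
    ("2023-03", "finance", "payroll/tax"),
    ("2023-03", "legal", "subpoena"),
    ("2023-03", "legal", "streaming renewal"),
    ("2023-03", "finance", "streaming renewal"),
]

def phish_prone_percentage(results, group=None):
    """Share of distinct users (optionally within one group) who clicked
    in at least one simulation: the baseline to compare later tests against."""
    rows = [r for r in results if group is None or r["group"] == group]
    users = {r["user"] for r in rows}
    failed = {r["user"] for r in rows if r["clicked"]}
    return 100.0 * len(failed) / len(users) if users else 0.0

def phish_prone_group(results, min_failures=1):
    """Users to auto-enrol in the Phish-Prone training group."""
    fails = Counter(r["user"] for r in results if r["clicked"])
    return sorted(u for u, n in fails.items() if n >= min_failures)

def top_themes(reported, by="group"):
    """Most-reported phishing theme per group (by="group") or per month
    (by="month"); use it to pick group-specific and seasonal training."""
    idx = 1 if by == "group" else 0
    tally = defaultdict(Counter)
    for rec in reported:
        tally[rec[idx]][rec[2]] += 1
    return {key: c.most_common(1)[0][0] for key, c in tally.items()}
```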

KnowBe4’s services can certainly help you track the top phishing emails that are being sent against your company, whether group-focused or not. We also keep track of the top global weekly, monthly, and yearly phishing campaigns, and create an easy way for you to include them into your regular security awareness training offerings.

Focused training should be a part of any security awareness training. Start by finding out how many of your users are Phish-Prone. Then send general, group-specific, and time-specific education relevant for the time of year and groups involved. Send periodic simulated phishing tests against your users, making sure that at least part of the phishing tests are customized for the types of groups you are targeting, including their language, and for the time of year. Keep pushing the training and phishing simulation tests until your biggest social engineering problems are no longer your biggest social engineering problems. Then start with the next most popular types of social engineering and phishing in your environment. Using focused, targeted training and testing will lead to a more successful security awareness training program and more quickly reduce overall risk.

A data-driven computer defender is keen to look at his/her company’s own experiences to generate a more focused, specific defense. KnowBe4 provides tools, services, and reports to help make focused security awareness training not only easy to do, but easy to automate. If you’re interested, contact us at sales@knowbe4.com to learn more about how you can make your security awareness training more accurate. Become a spear trainer.

Fight the good fight!