Social engineering attacks can’t be stopped with technology alone; nor can they be stopped with training alone. I created the Social Engineering Defensive Framework (SEDF) to help organizations prevent social engineering attacks at the enterprise level. SEDF outlines basic phases for attack prevention.
– Determine Exposure
– Evaluate Defenses
– Educate the Workforce
– Streamline Existing Technology
– Implement an Incident Response Plan
The SEDF phases are independent from each other and can be performed in an order that suits the priorities of the organization. If you’ve just completed a large training campaign, then perhaps evaluating defenses is the next step for you.
In my previous post I discussed the first phase of the SEDF, Determine Exposure. Today I’ll move on to the second phase, Evaluate Defenses. This phase evaluates employees’ resistance and reaction to attacks, as well as the effectiveness of detection technology. This post will focus on phishing attacks. Physical attacks will be discussed in a later post. It is common practice for organizations to hire a vendor to perform these assessments; however, the organization’s security team can also perform them.
Creating Phishing Assessments
Determine Attack Objective
Simulated attacks can be as simple or complex as you’d like. They can be designed to measure many results, including:
– Click only
– Click and enter information on a landing page
– Click and enter password on a landing page
– Open an attachment
If your organization hasn’t conducted a simulated attack, the click only objective is a good starting point.
Some organizations elect to only target specific departments or geographical locations, while others target the entire organization. If your organization spans over multiple time zones, be sure to group employees in similar time zones. Selecting the recipients early in the process enables you to customize phishing emails for the target group.
Understanding the Human Element
Phishing emails prey on a variety of human emotions in order to achieve the desired action. Often phishing emails create a sense of urgency, claiming that the recipient’s account will be disabled if immediate action isn’t taken. Another popular attack is the e-card email. This attack indicates that someone has sent the user an e-card and they must click on the link to retrieve it. Other tactics to persuade an employee to fall prey to an attack include using their first name or sending an email that appears to be from a fellow employee.
Select Email Type
There are three basic types of phishing emails. General emails utilize a broad topic that can be used for all target groups. An example of a general email subject line is “Your package has shipped! Click here to track delivery progress.” Company-specific emails are favored by attackers due to their ease of creation and dependable results. These emails usually involve the company’s health benefits provider, timekeeping software, or web-based email. Lastly, spear phishing emails are targeted to very few employees, but contain information specific to the target. Attackers search a number of sources to deduce an employee’s job function and what companies, individuals, or groups they associate with in order to create a believable attack. While other phishing emails are sent in large quantities, spear phishing emails are sent to very few employees, usually fewer than five. However, the extra research time usually pays off, as spear phishing messages have the highest rate of success.
Coordinate With Other Departments
Operational coordination is essential in this process. Key people in the organization must be informed prior to performing your phishing exercise in order to prevent the exercise being mistaken for a real attack. Your Chief Information Security Officer (CISO) must be aware of all planned and active exercises. Informing the manager of the Help Desk is also good practice, as they will likely receive calls from targeted employees. While it is uncommon for the Help Desk Manager to inform employees of a potential exercise, they can ensure that procedures for handling suspicious emails are up to date for their employees to reference. It is also important for the Help Desk Manager to report the number of calls and emails received during the exercise.
Sending The Emails
When the emails are sent will significantly impact the results of your assessment. Ideally the emails should be sent when employees are likely to be at their desks: mid-morning or mid-afternoon. Also, keep in mind what time zone your recipients are in when scheduling email delivery. Everyone needs a vacation now and again. If anyone on the contact list will be on vacation during the assessment, be sure to involve their backup contact person prior to sending any emails. Additionally, the personnel responsible for sending the emails and tracking their progress need to be available for questions. Don’t start an exercise and be out of the office the next day.
Tracked results should align with your attack objectives. At a minimum, your results should include:
– Whether the email was opened
– Which recipients clicked the link
– Whether information was entered into the landing page
– Whether the link was clicked more than once
Results tracking includes more than the number of clicks. Other important results to track include:
– Help Desk calls reporting the email
– Emails received reporting the email to security
– Phone calls to security
– Phone calls to involved departments, such as Human Resources
Improper reporting indicates that employees are not familiar with the procedure to follow after they’ve received a suspicious message. Training procedures can be adjusted to reinforce the proper procedure. In the next post, I’ll discuss the fundamentals of physical attacks.
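To show how the tracked results above turn into assessment metrics, here is an added example (not code from the post or from Securicon) that aggregates a constructed, hypothetical event log into per-recipient outcomes: open, click, repeat-click and data-submission counts, plus the reporting side (Help Desk calls, emails to security) and the time until the first report arrived.

```python
from collections import defaultdict

# Constructed sample event log for a hypothetical click-and-enter-information
# exercise (not real data). Fields: minutes after send, recipient id, event.
EVENTS = """\
0,alice,sent
0,bob,sent
0,carol,sent
0,dave,sent
3,alice,open
4,alice,click
5,alice,submit
6,bob,open
7,bob,click
9,bob,click
10,carol,open
12,carol,report_helpdesk
15,dave,report_security_email
"""

def parse_events(text):
    """Turn the CSV-style log into (minute, recipient, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        minute, who, kind = line.split(",")
        events.append((int(minute), who, kind))
    return events

def summarize(events):
    """Aggregate events into the metrics the assessment should report."""
    per = defaultdict(lambda: {"open": 0, "click": 0, "submit": 0})
    sent, reports, first_report = set(), defaultdict(int), None
    for minute, who, kind in events:
        if kind == "sent":
            sent.add(who)
        elif kind in per[who]:
            per[who][kind] += 1
        elif kind.startswith("report_"):  # report_helpdesk, report_security_email, ...
            reports[kind] += 1
            first_report = minute if first_report is None else min(first_report, minute)
    n = len(sent)
    clicked = sum(1 for w in sent if per[w]["click"])
    submitted = sum(1 for w in sent if per[w]["submit"])
    return {
        "sent": n,
        "opened": sum(1 for w in sent if per[w]["open"]),
        "clicked": clicked,                      # unique recipients, not raw clicks
        "clicked_more_than_once": sum(1 for w in sent if per[w]["click"] > 1),
        "submitted": submitted,
        "click_rate": clicked / n if n else 0.0,
        "submit_rate": submitted / n if n else 0.0,
        "reports": dict(reports),
        "report_rate": sum(reports.values()) / n if n else 0.0,
        "minutes_to_first_report": first_report,
    }

if __name__ == "__main__":
    for key, value in summarize(parse_events(EVENTS)).items():
        print(f"{key}: {value}")
```

Counting unique clickers separately from repeat clicks keeps one curious employee from inflating the click rate, and a low report rate or a long time to first report points at the reporting procedure rather than at the technical controls.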
Valerie Thomas | Senior Information Security Consultant | Securicon, LLC | @hacktress09
Valerie Thomas (hacktress09) is a Senior Information Security Consultant for Securicon LLC who specializes in social engineering and physical penetration testing. After obtaining her bachelor’s degree in Electronic Engineering, Valerie led information security assessments for the Defense Information Systems Agency (DISA) before joining private industry. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals. Additionally, Valerie has presented and trained at multiple BSides events, Derbycon, Black Hat, Defcon, HackMiami, and several other conferences.