09:00 AM
By Lex Robinson, Anti-Phishing/Cyber Security Strategist, PhishMe
By Lex Robinson, Anti-Phishing/Cyber Security Strategist, PhishMe
Sponsored Article

3 Ways your Phishing Defense Can Be like the Marines

To lower the security threat, organizations must choose the right battles. These best practices will show you how.

Want to stay in front of breaches? Train like the Marines.

Too often in cybersecurity, people focus on mitigating breaches after they occur—and long after phishing emails deliver malicious payloads. To lower the threat, many companies now train employees by sending them simulated phishes, so they can learn to recognize and report suspicious messages. It's the kind of proactive thinking the Marines call "left of bang." In the security world, it’s more like left of breach.

The Marines Combat Hunter training works on this premise: by understanding what "normal" looks like, you’re much more likely to recognize activities and behaviors that are out of place. That recognition, even if based on “gut feel,” becomes the trigger for acting.

This approach relies heavily on front-line human assets, not just technology, to detect attacks in progress. Most important, it lets you get ahead of trouble before it blows up. Here are three best practices to apply this thinking to your phishing defense.

Best Practice 1: Baseline your company’s weaknesses
That's what the bad guys do. Threat actors begin by identifying your weak spots so they can exploit them. It’s time to think like they do. Do a thorough analysis of your security environment, business operations, active threats and employee engagement. All of this will inform your phishing simulations.

  • It’s also smart to do a "what’s normal?" checklist. Typical questions might include:
  • What are normal traffic flows and email patterns in your security environment?
  • Where does your most critical data reside and who has access?
  • What operating systems, email clients and browsers are you using? Who are my highly visible, high-authority business operations targets?
  • What are my highest risk business processes? (e.g. sending PII attachments in email)
  • What social media platforms do we use and what information are we sharing publicly?
  • How many third-party vendors access my network or interact with us via email?
  • What phishing campaigns are we being hit with today?
  • How is our industry being targeted by malicious actors?
  • Do we understand our risk exposure to current attack models?
  • Do our employees view themselves as responsible for information security?
  • Have we shown our users how to identify a phish?
  • Have we empowered our users to report suspicious activity for analysis and response?

Best Practice 2: Design phishing simulations that look like the threats you face
Now you’re ready to phish your employees. Your checklist has yielded the baseline information to simulate phishes. Again, be sure to incorporate what you know about active phishing threats. By understanding current or trending threats, you’ll develop simulations that mirror real attacks and get results that show your risk exposure.

After announcing the training program so employees know what to expect (including the message that simulations are meant to educate, not berate), start sending mock phishes ranging from basic to more advanced. Over 12 months, you might for example send an innocent looking e-greeting card, an invoice attachment that really isn’t, a social media invitation to disaster and a request for funds—the latter seemingly from a trusted source but in fact a form of social engineering known as business email compromise (BEC).

It’s really, really important to deliver simulations to everyone. The C-level gets phished all the time. So do human resources and finance. And oh yes, IT. You’ll also want to run follow-up simulations based on what you’ve learned from the first few rounds.

Best Practice 3: Train everyone to report phishing
Recognizing a phish is good. Reporting it is better. When you train your people, all of them, to report suspected phishing you transform them into human sensors. Your human intelligence helps to shorten meantime both to detection and response. To that end, many organizations have installed simple reporting plugins to their email toolbars. With one click, employees can send potential phishes to the security team for quick analysis and, if needed, incident response.

These are the sort of things that helps to keep your business left of breach—taking proactive steps instead of playing chronic defense. To mitigate better, mitigate less. Choose your battles, like the Marines.

Lex has over 30 years of experience in information technology with a strong focus on strategic planning and program delivery. He is responsible for PhishMe Professional Services delivery strategy and provides hands-on program consulting, as well as customized results analysis and recommendations for clients seeking to reduce their organizations’ susceptibility to phishing attacks. Prior to PhishMe, Lex’s professional career included consulting and management of product and service delivery teams for small businesses, global Fortune 20 organizations and Government Agencies.

Lex is a Certified Counter Intelligence Threat Analyst (CCTA), holds an Electronic Engineering Degree, has numerous technical and behavioral science certificates as well as continuing professional development credits in IT security and ethical hacking. Additionally, Lex is a frequent speaker on personal responsibility and ethics in information security, and has published multiple books and papers on topics from security awareness to social engineering.



Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/5/2017 | 4:25:18 PM
OSINT mapping of YOUR team
"Who are my highly visible, high-authority business operations targets?" - I love this.  I don't think enough organizations have visibility of their team's presence on the Internet and especially social media.  As we all know, these are ripe targets for collecting information (Recon) to be used in later social engineering (beyond just phishing) attacks.   
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.