To lower the security threat, organizations must choose the right battles. These best practices will show you how.

Dark Reading Staff, Dark Reading

November 27, 2017

4 Min Read

Want to stay in front of breaches? Train like the Marines.

Too often in cybersecurity, people focus on mitigating breaches after they occur—and long after phishing emails deliver malicious payloads. To lower the threat, many companies now train employees by sending them simulated phishes, so they can learn to recognize and report suspicious messages. It's the kind of proactive thinking the Marines call "left of bang." In the security world, it’s more like left of breach.

The Marine Corps' Combat Hunter training works on this premise: once you understand what "normal" looks like, you are far more likely to recognize activities and behaviors that are out of place. That recognition, even when it starts as "gut feel," becomes the trigger for action.

This approach relies heavily on front-line human assets, not just technology, to detect attacks in progress. Most important, it lets you get ahead of trouble before it blows up. Here are three best practices to apply this thinking to your phishing defense.

Best Practice 1: Baseline your company’s weaknesses
That's what the bad guys do. Threat actors begin by identifying your weak spots so they can exploit them. It’s time to think like they do. Do a thorough analysis of your security environment, business operations, active threats and employee engagement. All of this will inform your phishing simulations.

It’s also smart to build a "what’s normal?" checklist. Typical questions include:

  • What are the normal traffic flows and email patterns in our environment?

  • Where does our most critical data reside, and who has access to it?

  • What operating systems, email clients and browsers are we running?

  • Who are our highly visible, high-authority targets in business operations?

  • What are our highest-risk business processes (for example, sending PII attachments by email)?

  • What social media platforms do we use, and what information are we sharing publicly?

  • How many third-party vendors access our network or interact with us by email?

  • What phishing campaigns are hitting us today?

  • How is our industry being targeted by malicious actors?

  • Do we understand our risk exposure to current attack models?

  • Do our employees view themselves as responsible for information security?

  • Have we shown our users how to identify a phish?

  • Have we empowered our users to report suspicious activity for analysis and response?

Best Practice 2: Design phishing simulations that look like the threats you face
Now you’re ready to phish your employees. Your checklist has yielded the baseline information to simulate phishes. Again, be sure to incorporate what you know about active phishing threats. By understanding current or trending threats, you’ll develop simulations that mirror real attacks and get results that show your risk exposure.

After announcing the training program so employees know what to expect (including the message that simulations are meant to educate, not berate), start sending mock phishes ranging from basic to more advanced. Over 12 months, for example, you might send an innocent-looking e-greeting card, an invoice attachment that really isn’t one, a social media invitation that leads somewhere unpleasant, and a request for funds—the latter seemingly from a trusted source but in fact a form of social engineering known as business email compromise (BEC).

It’s really, really important to deliver simulations to everyone. The C-level gets phished all the time. So do human resources and finance. And oh yes, IT. You’ll also want to run follow-up simulations based on what you’ve learned from the first few rounds.

Best Practice 3: Train everyone to report phishing
Recognizing a phish is good. Reporting it is better. When you train your people, all of them, to report suspected phishing, you transform them into human sensors. That human intelligence shortens both mean time to detection and mean time to response. To that end, many organizations have added a simple report button to their email clients. With one click, employees can send a potential phish to the security team for quick analysis and, if needed, incident response.
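As an added example (not code from the article, nor from PhishMe), here is a stdlib-only Python triage routine of the kind a security team might run over messages that arrive through a one-click report button. It applies the "what's normal?" baseline from Best Practice 1 to a reported message: the company domain, routine sender domains, high-authority names that are likely to be impersonated, and risky attachment types are all hypothetical constants here, and the two reported messages are constructed. The routine lists the indicators it finds (sender domain outside the baseline, Reply-To or Return-Path mismatch, an executive's display name on an external address, a lookalike of the company domain, failed SPF/DKIM/DMARC results, urgency language, links to hosts outside the baseline, risky attachments) and returns a verdict for the analyst.

```python
"""Triage a user-reported email against a "what's normal" baseline.

Added example, stdlib only. The baseline constants and the two reported
messages below are constructed for illustration, not real data.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# --- Baseline: hypothetical answers to the "what's normal?" checklist --------
COMPANY_DOMAIN = "example.com"                      # our own mail domain
EXECUTIVES = {"pat jones"}                           # high-authority names likely to be impersonated
NORMAL_SENDER_DOMAINS = {COMPANY_DOMAIN, "vendor-invoices.example.net"}  # routine correspondents
RISKY_EXTENSIONS = {".zip", ".js", ".html", ".htm", ".docm", ".xlsm", ".iso", ".lnk"}
URGENCY_WORDS = ("urgent", "wire transfer", "immediately", "verify your account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return the indicators found in one reported message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_addr = parseaddr(str(msg.get("Return-Path", "")))
    from_dom, reply_dom, return_dom = (domain_of(a) for a in (from_addr, reply_addr, return_addr))

    # Header/envelope consistency checked against the baseline
    if from_dom and from_dom not in NORMAL_SENDER_DOMAINS:
        findings.append(f"sender domain outside baseline: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain differs from From: {return_dom}")
    if from_name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"executive display name with external address: {from_addr}")
    for dom in sorted({from_dom, reply_dom, return_dom} - {"", COMPANY_DOMAIN}):
        if levenshtein(dom, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike of company domain: {dom}")

    # Authentication results as recorded by our own MX (dkim=none means unsigned, not failed)
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) not in ("pass", "none"):
            findings.append(f"{mech} result: {m.group(1)}")

    # Content: urgency language, links to hosts outside the baseline, risky attachments
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host not in NORMAL_SENDER_DOMAINS:
            findings.append(f"link to host outside baseline: {host}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    verdict = "escalate" if len(findings) >= 3 else "review" if findings else "likely benign"
    return {"subject": str(msg.get("Subject", "")), "findings": findings, "verdict": verdict}


# Constructed sample: a BEC-style request for funds, reported by a user.
REPORTED_BEC = """\
Return-Path: <bounce@mailer-examp1e.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: Pat Jones <pat.jones@examp1e.com>
Reply-To: pat.jones.ceo@webmail-example.org
To: accounts-payable@example.com
Subject: Urgent wire transfer before 5pm
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and need you to process a wire transfer immediately.
Confirm here: http://examp1e.com/approve/txn-4471
"""

# Constructed sample: a routine vendor invoice that a cautious user reported anyway.
REPORTED_BENIGN = """\
Return-Path: <billing@vendor-invoices.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor-invoices.example.net; dkim=pass header.d=vendor-invoices.example.net; dmarc=pass header.from=vendor-invoices.example.net
From: Billing <billing@vendor-invoices.example.net>
To: accounts-payable@example.com
Subject: Invoice 1042 for March
Content-Type: text/plain; charset="utf-8"

Please find invoice 1042 below; payment terms are net 30.
"""

if __name__ == "__main__":
    for raw in (REPORTED_BEC, REPORTED_BENIGN):
        result = triage(raw)
        print(result["subject"], "->", result["verdict"])
        for f in result["findings"]:
            print("  -", f)
```

The findings list is what an analyst should see first; the verdict thresholds are arbitrary and need tuning against your own baseline. Note that an Authentication-Results header is only trustworthy when your own MX wrote it and strips any copies that arrive from upstream, so a production version would also check the authserv-id (here `mx.example.com`) before trusting the SPF/DKIM/DMARC results.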

These are the sorts of things that keep your business left of breach—taking proactive steps instead of playing chronic defense. To mitigate better, mitigate less. Choose your battles, like the Marines.

Lex has over 30 years of experience in information technology with a strong focus on strategic planning and program delivery. He is responsible for PhishMe Professional Services delivery strategy and provides hands-on program consulting, as well as customized results analysis and recommendations for clients seeking to reduce their organizations’ susceptibility to phishing attacks. Prior to PhishMe, Lex’s professional career included consulting and management of product and service delivery teams for small businesses, global Fortune 20 organizations and Government Agencies.

Lex is a Certified Counter Intelligence Threat Analyst (CCTA), holds an Electronic Engineering Degree, has numerous technical and behavioral science certificates as well as continuing professional development credits in IT security and ethical hacking. Additionally, Lex is a frequent speaker on personal responsibility and ethics in information security, and has published multiple books and papers on topics from security awareness to social engineering.
