Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/25/2013
04:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Lockheed Martin Phishes Its Own

Defense contractor built an internal spearphishing simulation program amid concerns of increasing targeted attacks

Third in an occasional series on user security awareness training

On several occasions over the past couple of years, employees at Lockheed Martin have flagged suspicious emails that turned out to be previously unknown targeted attack campaigns aimed at the defense contractor.

This additional pair of eyes in security is one of the bonuses of Lockheed Martin's homegrown phishing training program, according to the defense contractor's corporate information security officer.

"Employees each year report something to our CIRT [Computer Incident Response Team] because of our [phishing] training, and it's been something new to us, and we were able to detect an intrusion that was coming at us," says Chandra McMahon, CISO at Lockheed Martin.

Read the other articles in this series on user security awareness training:

>> Part 1: Hacking The User Security Awareness And Training Debate

>> Part 2: How To Successfully Phish Your Own Firm

Lockheed Martin launched the so-called "The I Campaign" in 2009, which includes monthly simulated phishing attacks on a sample of users and an integrated, interactive training system. Since then, the company has seen 45 percent fewer employees falling for the phony phishes it sends to their inboxes, and overall, 55 percent more employees are making the right decision on whether to delete a sketchy email or confidently open its attachment.

"I can say definitely that not only do I have more employees taking good actions with regard to emails, but more are reporting suspicious emails to the CIRT -- and attacks have not been able to get started because employees" found them first, McMahon says.

Defense contractors are one of the most popular targets of cyberespionage, and they're regularly flooded with spearphishing emails trying to lure unsuspecting employees into clicking on a link or attachment silently harboring malware that entrenches the attackers inside the company

"Spearphishing is one of the largest attack vectors to start a cyberintrusion. We recognized that many years ago," McMahon says.

[A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework. See How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]

Simulated phishing training, once a controversial practice, is increasingly becoming more mainstream in large corporations. Experts say the best practice is to inform users about the simulated phishing training program you're launching or running, why you're doing it, and how it will make them and the company safer and more secure.

Lockheed Martin created its spearphishing training program and first tested all employees in 2010 to establish a baseline for user behavior. It's a cultural thing for the company, too. "We firmly believe this is a business conduct issue: We call it conduct on the keyboard," she says. "If you keep the doors locked and don't allow [outsiders] to go unescorted into our facilities ... you can do the same thing in cyber."

The goal, like with many security awareness programs for users, is to commission users to be part of the overall security architecture in an organization. "When we think of cyberdefense at Lockheed Martin, we talk from a defense-in-depth perspective. We look at our employees as being the first line of defense: That's why we have made an investment in education and awareness," McMahon says. "If a user doesn't click on a spearphish, it helps us stop a cyberintrusion from getting started."

Lockheed's simulated phishing messages are customized for various groups or individuals in the company as well.

Even so, some sophisticated attacks can be so convincing that even users well-schooled in phishing behavior and signs will still be fooled. McMahon says that's the reality of today's threats, and if a user does fall for a real phish, the company's own security architecture would take over from there and provide the defenses, she says. "If you have bad actors sending email as legitimate email users with legitimate context ... in that situation, users may not be able to make" the right decision to not open an attachment or link, she says.

"That's where you have to rely on your custom defense capabilities" to detect and thwart any malware, McMahon says.

When a user mistakenly falls for a simulated phishing email, they are automatically routed to an interactive training session that illustrates for them the red flags to look out for, and teaches them how to handle the messages. If they receive an email with a low level of trustworthiness or an irrelevant context, for example, it's likely a spearphish or scam.

"We have repeated testing ... there's a progressive set of actions that take place if employees don't perform well on tests," McMahon says. "If we test a user and they take a bad action, the system then engages them and does real-time training ... they then get put back in the pool to be retested."

Phishing awareness programs have proved to be effective for many organizations. PhishMe, which providers a service, says one of its customers had about 58 to 65 percent of its users fall for the phony phish the first time, but a year later, that rate was in the single digits.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
4/29/2013 | 6:05:25 PM
re: How Lockheed Martin Phishes Its Own
Any decent company in
todayGs technological world that are not red team testing their own operations
are probably missing some valuable information on how easy it is to gain access
to their systems. A major company dealing with the sensitive information and
products that Lockheed Martin does should most definitely have their own
systems and employees tested. As afar as phishing, goes, why not, considering
that it is the number one reason that systems are being breeched. TodayGs
breeches and access to the companies systems are done cleverly through some
form of phishing or another.

Paul Sprague

InformationWeek Contributor
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.