Don’t Worry About the QR Code

Written by: Alex Martirosyan

Phishing attacks have been the dominant means by which threat actors achieve initial access for years. This technique is increasing in sophistication and volume with the adoption of remote and cloud services in the workplace. It should therefore be no surprise that the upcoming Verizon Data Breach Investigations Report (DBIR) finds that this trend has continued into the present. In response, companies have revamped their cyber threat awareness training programs by performing internal phishing campaigns. We have had the opportunity to assess the efficacy of these programs and test them ourselves. Our most significant finding is that current training practices in the information security field fail to provide adequate guidance to professionals aiming to prevent social engineering attacks. In some instances, they have had the opposite of the intended effect by enabling these malicious activities. We believe that this is a function of misguided professional priorities – many of us are so interested in preventing the “hack” that we lose sight of our core objectives. Instead of mitigating the threat, we have become more interested in tracking click rate percentages, leading to ungrounded fears and misallocated resources.

Take, for example, Coinbase’s recent Super Bowl ad. They released the best phishing template the world has seen to date; many security professionals were shocked to learn how many people rushed to their phones to scan the floating QR code. Ask yourself: were you scolded for scanning the unknown QR code? Were you told that doing so is functionally equivalent to clicking on unknown links?

This example highlights the crux of the challenges facing the information security industry’s training materials and educational programs. If we as professionals are so worried about a user visiting a link or scanning a QR code, why have we been pushing for defense in depth or “zero trust”? Most counter-phishing programs are more interested in driving click rate trends ever lower to reach an impossible percentage than in meaningfully educating end users about threats. We have spent countless resources on creating rigorous patching and asset management programs to reduce the risk of merely clicking a link, without fully appreciating the reality that additional steps are required for an adversary to achieve their objective. We’ve also been somewhat dishonest with ourselves. Most of us are not sufficiently important to be targeted by a nation-state adversary or an advanced persistent threat (APT). Yet we act as though we are in our training programs and practices, despite data suggesting that far less sophisticated actors, whose methods require a different approach to mitigation, are more numerous, relevant, and harmful to our clients.

Even the most mature companies consistently maintain a 3% average click rate. Unfortunately, others may be trying to improve their image by launching low-effort, easily detected campaigns to get a better-looking number. This suggests that focusing on simple, trackable metrics has made the pursuit of low click rates its own objective, which distracts from the actual goal of guarding against social engineering attacks. Actual risk is effectively obfuscated by a shroud of reassuring metrics.

Rather than allowing nicely presented numbers and reports to lull us into a false sense of security, it is important that we consider our risk profile, which requires applying the same principles and methodologies from our general risk management toolset. Impact is the most important quality to assess here – what happens if a user visits an unknown URL? What is our threat profile, and have we examined these scenarios against our control environment? Think back a decade to when perimeter defense was similarly ingrained as a central pillar and solution to cyberattacks. If we know that actors are getting past these defenses, we should be assuming that end users will be clicking links.

Thanks to The Paranoids – Yahoo’s information security team – and their approach to building phishing resilience, we know that click rate is not the end. We commonly hear when scoping assessments or reviewing programs, “We treat a click as a failure since we assume they would have entered credentials or executed the macro.” The end user may then be placed under a sanctioned program, and the training never provides a realistic scenario of what would happen. Are you confident that in a worst-case scenario, your users will report suspicious behavior or admit they may have made a mistake? The best awareness programs incentivize users and help them understand the controls that are in place to detect malicious activity. The phishing campaign’s pretext should be designed to achieve the highest possible click rate. If a third party is performing this test, challenge them to create a realistic scenario. However, it is worth mentioning the importance of operating within ethical bounds and having honest conversations about using fear in social engineering attacks.

Not every campaign will have the success rate of a Coinbase marketing campaign. However, with enough effort, we can train users to get comfortable reporting mistakes and prevent credential input, macro execution, or malware downloads. Cultivating a relationship and culture with users that shifts awareness towards authentication or detecting abnormal requests will make the adversaries’ lives miserable. Drop strict click rate metrics and focus on metrics after the click. Begin tracking the users that reported or performed some interaction with the phish. Specifically, the ones brave enough to admit to scanning that QR code.
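One way to turn the post-click metrics described above into numbers, as an added example that is not from the original post. The campaign event log, the user names and the event names are constructed assumptions; a real tracker would feed the same per-user events from its own logs.

```python
# Constructed sample event log for one internal phishing campaign (not real data).
# Each tuple is (user, event); events assumed: "delivered", "clicked",
# "submitted_creds", "reported".
EVENTS = [
    ("alice", "delivered"), ("alice", "clicked"), ("alice", "reported"),
    ("bob", "delivered"), ("bob", "clicked"), ("bob", "submitted_creds"),
    ("carol", "delivered"), ("carol", "reported"),
    ("dave", "delivered"), ("dave", "clicked"),
    ("erin", "delivered"),
    ("frank", "delivered"), ("frank", "clicked"),
    ("frank", "submitted_creds"), ("frank", "reported"),
]


def post_click_metrics(events):
    """Summarise a campaign by what happened after the click, not by clicks alone.

    A click is not counted as a failure. The outcome that matters is whether
    a user who went further (entered credentials) also reported the phish,
    because that report is what gives the SOC a chance to respond.
    """
    per_user = {}
    for user, event in events:
        per_user.setdefault(user, set()).add(event)

    delivered = [u for u, evs in per_user.items() if "delivered" in evs]
    clicked = [u for u in delivered if "clicked" in per_user[u]]
    submitted = [u for u in clicked if "submitted_creds" in per_user[u]]
    reported = [u for u in delivered if "reported" in per_user[u]]
    clicked_then_reported = [u for u in clicked if "reported" in per_user[u]]
    # The real exposure: credentials handed over and nobody told anyone.
    unreported_submissions = sorted(
        u for u in submitted if "reported" not in per_user[u]
    )

    n = len(delivered)
    return {
        "delivered": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "credential_submission_rate": len(submitted) / n if n else 0.0,
        # Share of clickers who self-reported: the number worth driving up.
        "clicked_then_reported_rate": (
            len(clicked_then_reported) / len(clicked) if clicked else 0.0
        ),
        "unreported_credential_submissions": unreported_submissions,
    }


if __name__ == "__main__":
    for key, value in post_click_metrics(EVENTS).items():
        print(f"{key}: {value}")
```

With the constructed log, four of six users click (a 67% click rate that would look like a disaster), but half of the clickers report, and the only real exposure is the one user who submitted credentials without reporting.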