I always look forward to attending security conferences, and DerbyCon is no exception. It’s a quality conference, with great presentations, training, and camaraderie.
This year’s conference was rife with new tools, new exploits, and even a primer on how to make better BBQ (always a worthwhile hacker skill). But the one piece of information that really sent me reeling was one that I gleaned from Chris Hadnagy of Social-Engineer.org. It was simply this – that only 7% of organizations ever phish their own employees.
This statistic is appalling. Not because phishing is one of the top attack vectors today. Not because the issue has been around since the mid-nineties, giving us over two decades to work on the problem. Not because of the ease with which companies can run a self-assessment campaign today. No, it’s appalling because of the amount of money most organizations dump into their security stack, and yet those same organizations never run even the simplest of phishing assessments to test whether their multi-million-dollar security stack can be bypassed via what is arguably one of the weakest links in any organization.
The cost of running an internal phishing campaign is a fraction of what a professional penetration test might cost. Yet most organizations I encounter have never tried to test what many pen-testers are likely to target early in an engagement – if they’re allowed to do so as part of the test’s scope. Often the fear of the likely results of an internal phishing campaign prevents organizations from allowing pen-testers to phish as part of their scope, even though this has been the attack vector of choice for some of the highest-profile breaches of the last few years.
As security professionals, we need to get past whatever fears we have about phishing our own organizations. A key approach to dispelling those fears is creating an internal phishing campaign that is centered on learning, growth, and improvement of the organization’s security posture, rather than embarrassment. So, where does one start?
- Get permission. In writing.
At this point this should be standard operating procedure for any infosec professional, but I have to state it, just in case. I’ve seen too many presentations about people who got fired for assessing their own company without permission.
- Don’t reinvent the wheel.
There are a lot of good primers out there to help you, from Brian Krebs’s article “Phishing Your Employees 101” to Infosystir’s blog post “The Path to Fixing Security Awareness Training”, which lays out great pointers on getting started. A wealth of other articles can readily be found to assist you.
Ready for more advanced strategies? Check out Hadnagy’s book “Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails”.
- Start small – but get started!
There’s a wealth of free tools available for download, and I highly suggest you start with a free tool first. Large organizations will most likely need to move to a commercial tool or service eventually. But one of the best ways to understand what you’ll need from a commercial resource is to run a small assessment using free or cheap tools that give you a feel for what you’ll need as you grow. Every time you say “If it only did this”, write that feature down in your notes, and find a vendor that can provide it.
Those just getting started will want to take a look at tools like:
- The Simple Phishing Toolkit – One of the original open source tools, and a new group has picked up the reins to continue the project.
- The Social-Engineer Toolkit – More open source goodness. This one comes to us from David Kennedy and TrustedSec.
- Phishing Frenzy – This open source tool puts a strong focus on campaign management and ease of use.
- King Phisher – Another campaign focused tool with a good feature set.
- Phish.io – This web-based tool lets anyone try to run a quick phishing simulation. No technical skills required; even a non-technical manager or executive can phish their staff, their board, their business unit, and demonstrate how easy it is for anyone to fall for a well-crafted phishing message. But please, get permission first. In writing!
So, what can organizations hope to gain by running their own phishing campaigns? It is one of the most effective ways to handle an issue that no technology can truly prevent – phishing for credentials. Hadnagy also claims that companies who stuck with it saw an 85% reduction in malware. That’s a huge payoff, and it’s this type of security awareness training that truly gets results – not the relatively ineffective Computer Based Trainings (CBT) through which so many of us have slept. Additionally, the time reclaimed from dealing with those issues can be put toward shoring up the remaining 15% of an organization’s malware exposure, focusing on a deeper, more effective defense-in-depth program.