In our inaugural Q&A column, Tonia Dudley, Cofense Director, Security Solution Advisor, looks at some of the basics of overcoming a spear-phishing social engineering threat.
Q: SC Media: Phishing is considered a subset of social engineering, where an attacker wants you to trust them with important information. Social engineering takes on a lot of different approaches – email, personal through direct discussions with the target employee, indirect where the ultimate target is approached after a colleague is successfully compromised or through the use of email using stolen credentials. What should CISOs know about new trends in social engineering that they might not know and what should they be doing about these trends immediately?
A: Tonia Dudley: We are seeing credential phishing rise at an alarming rate. Organizations should be training their users on this threat, especially as more organizations migrate to Office 365 in the cloud. The best way to train on this threat is to simulate a phishing attack, in the same environment where they will experience a real phishing email. We also encourage modeling these campaigns to align with active threats – make it look and feel as real as possible so when the real one comes along, they already know to identify and report. We had a recent story from a customer that experienced a credential phishing attack where one user provided their credentials and within seconds the threat actor logged into their hosted payroll system to change the direct deposit information. These messages are getting much more sophisticated and harder to detect by the gateway. Having a gateway is absolutely important, as well as multifactor authentication for the credential threat, but we see many of these emails making it past the gateway. The threat actors continue to refine their craft to make it past these controls; at the end of the day, well-trained users using their own intuition are your best defense.
Q: SC: Employees who fall victim to social engineering and phishing attacks often are fearful about coming forward because they are afraid that they will be fired or otherwise sanctioned. What recommendations do you have for CISOs for them to encourage employees to step forward if they think they’ve been successfully attacked?
A: TD: This is a great question. First and foremost, a phishing simulation, or any other training program, should only encourage users to report suspicious activity. When organizations incorporate a punitive approach to their programs, this discourages the user from reporting threats. Your phishing simulation program is the most visible aspect of your overall Information Security program, and when you punish people for falling for a scenario it leaves them with a bad experience. Reports on ransomware last year included stories about individual IT admins in the organization paying the ransom directly from their own pockets, causing more damage to the organization. Support for engagement across the entire organization should be led from the top down.
Q: SC: Attackers are getting smarter all the time. It’s easy for them to send spear-phishing emails because the amount of information about employees from social sites is expanding daily. Companies cannot stop employees from using social media on their own time so what kinds of defenses work best to keep employees from being phished? After all, a spoofed email that references something the employee recently posted on Twitter, LinkedIn or Facebook might seem to be from a known sender.
A: TD: We are all a target no matter what role we play within the organization. We encourage a flexible phishing simulation program to include department/role spear phishing campaigns based on real threats. These campaigns can sometimes make a user feel threatened, targeted or uncomfortable, but when you explain that this was based on a real phishing campaign seen by the organization, users are typically appreciative. They’re glad that you provided them with the latest threat information and reminded them to slow down and take precautions when interacting with any email message.
Q: SC: What can companies do to protect their senior staff and perhaps HR from becoming targets of spear-phishing attacks? HR is accustomed to getting unsolicited resumes, for example – do you need to build out a special infrastructure for HR or Legal or Marketing and how do you train staff to be knowledgeable about using these resources?
A: TD: There are plenty of times where an individual absolutely needs to open an attachment from an unknown source – just as you mentioned, it’s part of the job they do. There are a few safeguards. You can provide them with a device that wouldn’t execute malicious code if opened, such as a tablet. It also helps to ensure you have the latest patches deployed to their endpoints. Enable two-factor for their accounts as a priority if you’re not able to roll out more broadly across the entire organization.
Q: SC: In order to fight social engineering in general and business email compromises – commonly called CEO Fraud – specifically, some companies need to get senior management to change the way they deal with lower level staffers. This might include making themselves available to answer questions like: “I received an email from you asking that I send $20,000 to a bank account in a foreign country. Did you really ask me to do that?” How do we change management’s corporate culture so that the command chain answers a clerk’s question without intimidating low-level employees?
A: TD: This is a very expensive threat that many organizations face. There are some technical controls that can be implemented at the gateway and mail environment – DMARC / DKIM. We also see that tagging messages coming from an external source is helpful to end users – letting them know that the message didn’t really originate internally from CEO@company.com. This is even more difficult to recognize on mobile devices in the native mail client. Most mail clients will display the fully qualified sender; however, this isn’t the case on a mobile device. This is where having the tagging included can provide an additional indicator for the recipient. If they aren’t able to view on another device and are still not sure of the sender, they can simply forward the email to themselves and will be able to see the fully qualified sender in the message body CEO@company.com <firstname.lastname@example.org>.
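The external-sender tagging and DMARC checking described in the answer above, as an added example that is not part of the interview and is not Cofense code. It parses the From header the way a gateway rule would, separates the display name (what a mobile client shows) from the real address, flags a display name that carries an internal-looking address while the message actually comes from an outside domain, reads the DMARC verdict the gateway recorded in the Authentication-Results header, and prepends an [EXTERNAL] tag to the subject. The domain company.com, the tag text, the sample messages and the function names are assumptions made for the example.

```python
# Added example: external-sender tagging and display-name spoof detection.
# Not from the interview or Cofense; domain, tag and sample mail are constructed.
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"company.com"}   # assumption: the organization's own domain(s)
TAG = "[EXTERNAL]"


def sender_parts(from_header):
    """Return (display_name, address) from a From: header value."""
    name, addr = parseaddr(from_header)
    return name.strip(), addr.lower()


def is_internal(addr):
    """True when the address belongs to one of our own domains."""
    return addr.rpartition("@")[2] in INTERNAL_DOMAINS


def dmarc_result(msg):
    """Pull dmarc=pass/fail/none from an Authentication-Results header (RFC 8601)."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def classify(raw):
    """Describe the sender and list the reasons (if any) to warn the recipient."""
    msg = message_from_string(raw)
    name, addr = sender_parts(msg.get("From", ""))
    external = not is_internal(addr)
    reasons = []
    if external:
        reasons.append("external sender")
        # A display name that itself looks like one of our addresses is what a
        # mobile client renders as "CEO@company.com" while the real sender is elsewhere.
        for token in re.findall(r"[\w.+-]+@[\w.-]+", name):
            if is_internal(token.lower()):
                reasons.append(f"display name impersonates {token}")
    result = dmarc_result(msg)
    if result == "fail":
        reasons.append("DMARC fail")
    return {"display_name": name, "address": addr, "external": external,
            "dmarc": result, "reasons": reasons}


def tag_subject(raw):
    """Return (message text, classification); the subject is tagged when any reason exists."""
    msg = message_from_string(raw)
    info = classify(raw)
    subject = msg.get("Subject", "")
    if info["reasons"] and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    return msg.as_string(), info


# Constructed sample 1: display-name spoof of an executive sent from an outside mailbox.
# DMARC passes because the attacker's own domain is aligned; only tagging exposes it.
SPOOFED = """From: "CEO@company.com" <ceo.office@example.org>
To: clerk@company.com
Subject: Urgent wire transfer
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org

Please send $20,000 to the account below today.
"""

# Constructed sample 2: direct forgery of our own domain, caught by the DMARC check.
FORGED = """From: "Jane Doe" <ceo@company.com>
To: clerk@company.com
Subject: Quick favour
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=company.com; dmarc=fail header.from=company.com

Are you at your desk?
"""

if __name__ == "__main__":
    for sample in (SPOOFED, FORGED):
        text, info = tag_subject(sample)
        print(info["reasons"])
        print(text.splitlines()[2])
```

Note that the first sample passes DMARC: the attacker controls example.org and aligns SPF/DKIM for it, so DMARC on company.com never comes into play. That is why the answer recommends tagging in addition to DMARC, and why the display-name check matters most for recipients on mobile clients that hide the address.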
BIOGRAPHY: Tonia Dudley, CISSP and CISA, joined Cofense in 2018 as Director, Security Solution Advisor. In this role she focuses on phishing defense advocacy while demonstrating how Cofense solutions help organizations across the globe minimize the impact of attacks while reducing the cost of operations. Tonia also advises Cofense product teams on specific customer and market-driven needs to help streamline product roadmaps and create Cofense’s inaugural international customer advisory board. With more than a decade of cybersecurity experience, Tonia has managed programs in cybersecurity incident response, security awareness, and IT compliance for large global organizations. She has spoken at several cybersecurity and industry conferences on building successful security awareness and phishing programs. Her anti-phishing training programs have received three awards.