In our experience, there are two kinds of organizations: those that know they are subject to phishing attacks, and those that don’t know it yet. In this blog article we describe the motives our customers often have for conducting phishing exercises, in which we model the ways someone spying or spoofing for information might operate. In these examples we use email as the phishing channel, but the same principles apply to attacks carried out through social media or chat channels.
Typically, our customers have four different objectives for phishing exercises. First, they want to know from which part of their organization data leakage could originate. Second, it is important for them to understand whether an attacker could make further progress after taking over an email account. Third, they want to assess the organization’s sensitivity: its ability to recognize attacks and escalate information about them in the agreed manner. Finally, they might hope to raise their organization’s level of understanding of information security in this way.
Data leakage – which part of your organization is vulnerable?
When we begin a phishing exercise, usually only a couple of individuals from the customer organization are aware of it. We agree on the channels (e.g. email) used in the exercise, which groups of personnel the message is targeted at, and what kind of message would be most effective. For example, our customer might judge that they have some particularly helpful individuals working in their customer service. We would send them a message that resembles their usual work tasks and motivates them to take action.
After starting the attack, we analyse the responses and report, for example, opened emails and clicks on the links in them, whether user credentials were entered, and other similar behaviour; from which parts of the organization we managed to obtain email usernames and passwords; and whether and how this correlates with the content or timing of the phishing email. We report on the target group’s behaviour at the level of precision our customer has chosen, including e.g. their password strength. As a result, our customer gains an understanding of which parts of their organization are especially vulnerable to phishing, which they can then use to allocate training or technical information security measures.
Can the hijacked login credentials be used to gain further access in the organization’s systems?
Email is often the medium through which usernames and passwords for several systems are managed. Thus, someone who hijacks an email account may be able to gain further access to the organization’s systems by resetting usernames and passwords. In fact, our customers sometimes add to the phishing exercise the objective of trying to change passwords to e.g. a cloud service or another system reachable from the public internet and penetrating that system. Penetration methods against IT infrastructure and networks, as well as other attack scenarios, can also be included.
Does the organization recognize it is under an attack, and does it communicate about it?
A competent phishing attacker sends their message only to the target audience they hope will take the action that yields the desired outcome. For this reason, the IT department or the information security officers might not be aware of an ongoing phishing attack unless the people targeted recognize it as a phishing attempt and pass the information on. Failing to do so might mean countermeasures are not taken in time. This is especially important when someone realizes they have been defrauded. Everyone should know how to act in that situation, and the organization should have an atmosphere that encourages reporting it immediately, even if confessing might be embarrassing and a delicate matter for the informant.
Often the knowledge that one of our phishing exercises is taking place is kept within a very small circle of people, and e.g. the teams monitoring network traffic are not informed. At the same time, records are kept of how many users informed the information security officer or an appointed email address that they had been subject to a phishing attempt. This tells us about the organization’s sensitivity to recognize, escalate and finally react to attacks, how well the agreed processes are followed, and whether the technical monitoring capabilities are able to detect these attacks.
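To make the two kinds of measurement above concrete (per-department open, click and credential-entry rates from the data-leakage section, and the report rate and time-to-first-report from this section), here is an added example of how the exercise results can be aggregated. This is illustrative code written for this article, not elfGROUP’s own tooling. It assumes the exercise platform exports one event per line as "timestamp,event,user,department" with the events sent, opened, clicked, submitted and reported; the log below is constructed for illustration.

```python
"""Aggregate the results of a phishing exercise per department.

Added example, not elfGROUP's tooling. It assumes the exercise platform
exports one event per line as "timestamp,event,user,department" where
event is one of: sent, opened, clicked, submitted, reported. The log
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: five recipients in three departments.
SAMPLE_LOG = """\
2024-03-04T08:00:00,sent,anna,customer_service
2024-03-04T08:00:00,sent,ben,customer_service
2024-03-04T08:00:00,sent,carl,finance
2024-03-04T08:00:00,sent,dana,finance
2024-03-04T08:00:00,sent,erik,it
2024-03-04T08:07:12,opened,anna,customer_service
2024-03-04T08:08:30,clicked,anna,customer_service
2024-03-04T08:09:05,submitted,anna,customer_service
2024-03-04T08:11:40,opened,ben,customer_service
2024-03-04T08:12:02,reported,ben,customer_service
2024-03-04T08:20:00,opened,carl,finance
2024-03-04T08:21:15,clicked,carl,finance
2024-03-04T08:25:00,opened,dana,finance
2024-03-04T08:31:00,reported,anna,customer_service
2024-03-04T09:02:00,opened,erik,it
2024-03-04T09:02:30,reported,erik,it
"""

EVENTS = ("sent", "opened", "clicked", "submitted", "reported")


def parse_log(text):
    """Parse the export into (timestamp, event, user, department) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, dept = line.split(",")
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        rows.append((datetime.fromisoformat(ts), event, user, dept))
    return rows


def summarize(rows):
    """Per-department counts of distinct users reaching each stage, plus rates.

    Distinct users are counted so that one person opening or clicking
    several times does not inflate their department's figures.
    """
    users = defaultdict(lambda: defaultdict(set))
    for _ts, event, user, dept in rows:
        users[dept][event].add(user)
    summary = {}
    for dept, by_event in users.items():
        sent = len(by_event["sent"])
        counts = {e: len(by_event[e]) for e in EVENTS}
        rates = {e: (counts[e] / sent if sent else 0.0) for e in EVENTS[1:]}
        summary[dept] = {"counts": counts, "rates": rates}
    return summary


def detection_latency(rows):
    """Seconds from the first send to the first user report; None if nobody reported."""
    send_times = [ts for ts, e, _u, _d in rows if e == "sent"]
    report_times = [ts for ts, e, _u, _d in rows if e == "reported"]
    if not send_times or not report_times:
        return None
    return (min(report_times) - min(send_times)).total_seconds()


def late_reporters(rows):
    """Users who reported only after they had already entered credentials.

    These are the people who realised they were defrauded and told
    security anyway, which is exactly the behaviour worth encouraging.
    """
    first_submit, first_report = {}, {}
    for ts, event, user, _dept in sorted(rows):
        if event == "submitted":
            first_submit.setdefault(user, ts)
        elif event == "reported":
            first_report.setdefault(user, ts)
    return sorted(u for u in first_submit
                  if u in first_report and first_report[u] > first_submit[u])


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for dept, s in sorted(summarize(rows).items()):
        r = s["rates"]
        print(f"{dept:18} sent={s['counts']['sent']} click={r['clicked']:.0%} "
              f"creds={r['submitted']:.0%} reported={r['reported']:.0%}")
    print("first report after", detection_latency(rows), "seconds")
    print("reported after entering credentials:", late_reporters(rows))
```

On the constructed log, customer service has the highest credential-entry rate but also a 100% report rate, finance clicks without anyone reporting, and the first report reaches security about twelve minutes after sending. The late_reporters list is the one to read with care: it records people who admitted a mistake, and the text above explains why that should be met with reward rather than blame.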
Does the organization take the risk of phishing seriously?
Many of our clients have instructed their personnel on what to do in case of phishing attempts, and have created processes and countermeasures for possible attacks. However, IT management or information security officers might be uncertain whether their organization takes the threat of data leakage seriously. Therefore, some of our customers have used phishing exercises as an example to their organization of how significant this topic is. After the phishing exercise, they might have communicated, step by step, how the exercise took place and what the results were, to awaken their people. We always advise our customers to think thoroughly about how to use these exercises in spreading knowledge about information security. It is rarely appropriate to disgrace or blame individuals; the awakening should strive, above all, to change behaviour and increase awareness, with reward rather than punishment.
If you’d like to learn more about elfGROUP’s way of conducting phishing exercises, or how we use hacker testing to model hostile activities and unusual conditions in systems and IT environments, call us or leave a contact request!