Spoiler: This is a post about defending against phishing attacks, not a guide for engaging as an actor in a phishing campaign.
When it comes to playing defense in InfoSec, running phishing campaigns against your own staff is a well-accepted method to test your company's readiness for a possible intrusion. It's becoming common for third parties (auditors, insurers) to require that these types of tests be carried out to maintain compliance.
Recently, I had a discussion with our CISO around organizing simulations to test our company and wanted to share some insights on how we approached the problem.
Rules
Before we talk about specific campaigns, it's important to first discuss some ground rules when engaging in Phishing simulations:
- The purpose of the simulation is to measure the readiness of different groups of your work force for a phishing attack.
- Employees need to be informed that the company periodically conducts phishing campaigns to test our readiness. This disclosure generally happens at onboarding, or when the employee has to agree to updated policies in an employee handbook.
- Employees should not receive forewarning when a campaign is being conducted. Doing so would taint the results, as people will be prepared for the attempt, whereas Phishing attacks in the wild happen at random.
- Employees who fall for a phishing simulation shouldn't be shamed. Rather, they should be educated about policies and best practices, and that education should be documented as an addendum to a simulation report. Auditors will often ask for this as additional evidence when certifying compliance.
- Keep it simple, stupid. The vast majority of reported phishing attacks have been simple requests. Test your audience against what you're actively seeing.
- Try not to overly engage employees with simulations. If you run all your simulations simultaneously and an employee gets 8 requests for credentials all at once, they'll see through the ruse.
- Avoid coercion: a lure so enticing that it unduly drives engagement. As the Tribune Publishing Co. learned, creating a fictional reward to drive engagement provoked a negative reaction to the simulation, angering employees who thought they were receiving a bonus.
Simulated Campaigns
Whole Company
It's good to have a company-wide metric when measuring how ready your whole team is for a Phishing attack. A good test case for your whole company would be to ask for credentials for a common system, like SSO, Slack, Zoom, or even your own company's product.
Finance
Finance is often a target for phishing because they control the coin purse. To measure Finance's readiness, a good phishing test will try to obtain credentials for a banking system, or submit a fraudulent invoice/purchase agreement.
Resource Owners
Given the proliferation of SaaS products in the workforce, a company might have a large number of users with administrative rights. A bad actor could target this group seeking access to specific systems, either to obtain proprietary data or to allocate resources for their own purposes.
For a phishing campaign against resource owners, it's best not to campaign against all resources at once. Instead, pick a sample of services and target those admins only.
Contractors
As Okta's most recent security disclosure highlighted, contractors are also vulnerable to intrusion. Being able to report on this particular population within a company will likely be crucial for certain certifications going forward, as most companies have controls around what contractors have access to.
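As an added illustration (not code from the original post), here is a small Python script that scores constructed campaign results against the ground rules above for the populations just described: a per-population submission rate for the report, a check that no employee received too many lures in one window, and a list of employees whose follow-up education is not yet documented in the addendum. The group names, campaign names and dates are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Result:
    employee: str
    group: str       # population: "all", "finance", "resource_owner", "contractor"
    campaign: str
    sent: date
    submitted: bool  # entered credentials / acted on the fake invoice
    trained: bool    # follow-up education documented in the report addendum


# Constructed sample results for three small campaigns (not real data).
RESULTS = [
    Result("alice", "finance", "bank-portal", date(2023, 3, 1), True, True),
    Result("bob", "finance", "bank-portal", date(2023, 3, 1), False, False),
    Result("carol", "all", "sso-reset", date(2023, 3, 2), True, False),
    Result("alice", "all", "sso-reset", date(2023, 3, 2), False, False),
    Result("dave", "contractor", "sso-reset", date(2023, 3, 2), False, False),
    Result("alice", "resource_owner", "saas-admin", date(2023, 3, 3), True, True),
]


def submission_rate_by_group(results):
    """Share of recipients per population who fell for the lure (report metric)."""
    sent, fell = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.group] += 1
        fell[r.group] += r.submitted
    return {g: round(fell[g] / sent[g], 2) for g in sent}


def overloaded(results, window_days=30, max_lures=2):
    """Employees who received more than max_lures within any window_days span.
    Catches the 'all simulations at once' problem: several lures in quick
    succession are easy to spot and skew the results."""
    dates = defaultdict(list)
    for r in results:
        dates[r.employee].append(r.sent)
    span = timedelta(days=window_days)
    flagged = [emp for emp, ds in dates.items()
               # sliding window: count sends within span of each start date
               if any(sum(d - start < span for d in sorted(ds)[i:]) > max_lures
                      for i, start in enumerate(sorted(ds)))]
    return sorted(flagged)


def missing_training(results):
    """Employees who submitted but have no documented education follow-up."""
    return sorted({r.employee for r in results if r.submitted and not r.trained})
```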