Customized Phishing Simulations Keep You “Left of Breach”

Part 3 in a series on being “Left of Breach” in the Phishing Kill Chain.

In part 2 we looked at Self-Enumeration, assessing security and business process gaps that phishing attackers exploit. It’s the first step in being “Left of Breach” (see figure below), the process that builds a proactive phishing defense strategy.

Want to Get In Front of Breaches? Be Like the Marines.

Part 1 in our series on being “Left of Breach” in the Phishing Kill Chain.

Too often in the information/cyber security industry, we focus our efforts on mitigation of breaches after they occur, relying on incident response teams to find the needles in the haystack.

According to “Left of Bang: How the Marine Corps’ Combat Hunter Program Can Save Your Life,” (by Patrick Van Horne and Jason A. Riley; Foreword by Steven Pressfield) The Marine’s Combat Hunter training program works on this premise: by understanding what “normal” looks like, we are much more likely to recognize activities and behaviors that are out of place. That recognition, even if based on “gut feel,” becomes the trigger for acting. This approach relies heavily on front-line human assets, not just automation or artificial intelligence, to detect attacks in progress. Most important, it lets you get in front of breaches before they blow up in your face.

Get “Left of Breach.”

In the Marine’s case, it’s acting to get “Left of Bang,” as in bombs and bullets. In anti-phishing programs, it’s getting Left of Breach—taking proactive steps instead of accepting that hackers and other malicious actors will succeed no matter what. In the figure below, it’s everything left of the bullseye.

With a few modifications, the standard security industry kill chain can resemble the Marine Combat Hunter approach.

As you can see in the Phishing Kill Chain above, we focus on baselining an organization and developing human threat reporters throughout the first four steps. This provides 2 things: a starting point for risk analysis and development of targeted simulations (Enumeration, Design, Delivery); and the development of HUMINT (human intelligence), data collection and reporting of suspicious material to incident response teams.

As your anti-phishing program matures, you’ll combine the data your employees report with human-vetted phishing intelligence feeds in Triage. The net: actionable intelligence enabling you to mitigate threats before they happen.

5 steps to getting there:

  1. Be transparent and educate users on standard phishing clues and the purpose of the program.
    • NOTE: Program transparency is key to your success. It builds enthusiasm for the program and a sense of ownership and positive engagement with the organization’s security process.
  2. Baseline your organization’s technical and business process weaknesses for targeting during initial simulations.
  3. Execute diverse simulations and analyze for risk level (e.g. – high susceptibility to active threats)
  4. Design follow-up simulations based on known deficiencies and analysis of initial results.
  5. Stress the importance of reporting in all simulations and awareness activities.

Taking these simple steps is the quickest, most effective way to protect against phishing. Ready to get Left of Breach? Booyah!

Next: part 2 of our “Left of Breach” series examines the first step in the Phishing Kill Chain, Self-Enumeration.

Stay on top of recent phishing and malware threats and attacks trends, delivered straight to your inbox completely free. Subscribe to PhishMe® Threat Alerts today.

Enterprise Phishing Susceptibility Analysis

Analysis overview:

  • 8 million emails over a 13 month span
  • 75% of organizations are training more than 1,000 employees
  • Representing organizations from US (86%) and Europe (14%)
  • Representing 23 industries

Tackling a mountain of unmined data in search of answers can be a daunting task. Starting from scratch, we understood that we would likely face challenges to our pre-conceived notions of what works well and were prepared to accept what the data would tell us, however challenging it might be. Our goals were simply to understand what and how much data was available for analysis. We began with basic questions; how many scenarios are clients running? What type of scenarios are they and what do they contain? Are there any trends based on time, content, type or context?