Customized Phishing Simulations Keep You “Left of Breach”

Part 3 in a series on being “Left of Breach” in the Phishing Kill Chain.

In part 2 we looked at Self-Enumeration, assessing security and business process gaps that phishing attackers exploit. It’s the first step in being “Left of Breach” (see figure below), the process that builds a proactive phishing defense strategy.

The next step is designing phishing simulations. As you’ll see, the more they resemble threats your company actually faces, the better.

In simulation design, you model known attacks—either against your organization or industry—utilizing Self-Enumeration and analysis of the results. Consider your potential design criteria and incorporate:

  1. Known security gaps in technology or processes
  2. IR team discovery of malicious phishing attempts on your organization
  3. Available phishing intelligence / active threat feeds
  4. Potential human targets that would yield high value results for an attacker

Analysis of previously run simulations

Design phishing simulations that look like your organization.

The above graphic illustrates how you can maximize phishing intelligence to develop anti-phishing simulations in your environment.

By understanding what is current or trending, you can develop phishing simulations that match actual attacks and allow the results to paint a clearer picture of your organization’s risk exposure.

Let’s consider some potential simulation results to illustrate the above point further.

Assume that the above template resulted in its current phishing susceptibility average (17.5%) and that a smaller percentage (8%) reported the simulation. Let’s further assume that the first report came in after several people had fallen susceptible.

What would those high-level results tell us about the organization’s capability to resist this threat? With a resiliency rate of less than 1 (number reported over number susceptible), we would perceive an opportunity to further educate employees about this threat.

While we did have good reporting, the fact that no one reported prior to some people taking the bait shows the company might have experienced a breach.

With these results and basic analysis, you’d see the need to invest more time in improving recognition and reporting behaviors. This would lead you to re-incorporate this simulation into the program. In other words, repeat the specific simulation for retention, then develop similar designs to measure depth of recognition by phishing type or style.

Want to get Left of Breach? Focus on phishing risk identification and reduction.

In summary, design simulations that target known weaknesses (technical and non-technical) or active threats. Model simulations based on phishing intelligence feeds and actual phishing attacks against your company or industry. Also, reincorporate low resiliency simulations into your ongoing program to drive increased recognition, reporting speed and rates.

Remember, while the example cited focused on active threat intelligence, the same analysis and repetition should be integrated into your ongoing program for phishing simulations. Your goal is to identify high-risk threats to your organization, develop enough capability to recognize them and get left of breach, regardless of the simulation model used or its source.

Next: part 4 of our “Left of Breach” series takes a closer look at effective delivery models and how to appropriately emulate the behaviors of malicious actors and advanced persistent threats in your anti-phishing program.

Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe® Threat Alerts today.

Endpoint Phishing Incident Response with PhishMe and Carbon Black
Phishing Incident Response: Get Started in 3 Steps

Leave a Reply