To Get “Left of Breach,” First Know Thyself

Part 2 in a series on being “Left of Breach” in the Phishing Kill Chain.

In part 1 of this series, we talked about getting front of data breaches by taking proactive steps—everything to the left of the bullseye in the figure shown here:

Doing this enables you to be “Left of Breach,” a great place to be. To get there, your team first needs to assess where you are now. We call this part of the process Self Enumeration. Here’s what it means and why it matters.

Take stock of “normal” conditions.

When attempting to manage threats in any environment, begin with an understanding of your environment under “normal” conditions.

In physical security terms, this is not dissimilar from being situationally aware, which simply means paying attention to what is going on around you and incorporating that information into your planning, preparedness and threat response protocols.

In effect, you’re modeling the behaviors of advanced persistent threats and other malicious actors, who begin their own process by attempting to identify your weak spots and exploit them.

A “What’s Your Normal?” Checklist

When beginning an anti-phishing program, self-enumerate. In other words, ask yourself a list of key  questions.

Security environment:

[   ] What are normal traffic flows and email patterns?

[   ] Where does your most critical data reside and who has access?

[   ] And what operating systems, email clients and browsers are you using?

Business operations:

[   ] Who are my highly visible, high authority targets?

[   ] What are my highest risk business processes? (e.g. sending PII attachments in email)

[   ] What social media platforms do we use and what information are we sharing publicly?

[   ] How many third-party vendors access my network or interact with us via email?

Active threats:

[   ] What phishing campaigns are we being hit with today?

[   ] How is our industry being targeted by malicious actors?

[   ] Do we understand our risk exposure to current attack models?

Employee engagement:

[  ] Do our employees view themselves as responsible for information security?

[   ] Have we shown our users how to identify a phish?

[   ] Have we empowered our users to report suspicious activity for analysis and response?

To know thyself, baseline your technical environment so that anomalies are more easily seen. Identify high-value assets and which business processes use them. Analyze those business processes and ensure secure communication/email protocols are being followed.

Also, understand how you are being targeted today and design simulations to measure current exposure to those risks; respond with repetition of simulations for increased recognition.

Understand your employees’ current recognition and reporting capabilities and design simulations that inform and challenge them to do better.

Finally, assess simulation results from a “capability and risk” perspective. This lets you design and prioritize on-going simulations, plus inform business process development efforts.

While the checklist above is not exhaustive, the answers can help you customize phishing simulations and incident responses. You’ll be better prepared to address threats specific to your organization.

Attached Invoice Simulation Template

As your anti-phishing program matures, simulation results will add to your understanding of the risks you face and your ability to recognize and mitigate them.

Here’s an example. At PhishMe®, we simulated an “invoice attachment” phish, like the one below, and discovered that we had good overall recognition and reporting. However, within a third-party facing organization (e.g. vendor management), our resiliency scores were low. In other words, a lot of employees fell for it and almost no one reported it.

Figure 1 – simulated invoice attachment mock phishing email created using PhishMe Simulatorä.

Now let’s ask ourselves a couple of questions about the results and turn them into actionable intelligence.

  1. Does this result represent a lack of phishing recognition and reporting capabilities or have we identified an insecure business process that exposes us to greater phishing risk in this area?
  2. How closely did our simulation match the work processes we have asked our associates to implement daily?
  3. Are there existing policies for this externally facing department that specify communication protocols with third party vendors?
  4. Have we shown our associates how to identify and report emails that don’t match those protocols?

Perhaps the most important question to ask ourselves in this case:

  1. Can this department’s processes be made more secure to reduce our exposure to phishing?

A good start to staying Left of Breach.

As you can see, self-enumeration (including basic analysis of simulation results) reveals many  opportunities to reduce your phishing risk. Remember, malicious actors and advanced persistent threats are constantly probing your organization. It’s better to enumerate now and close any gaps before trouble arrives.

Next: part 3 of our “Left of Breach” series examines the second step in the Phishing Kill Chain, Simulation Design.

Don’t miss another threat – subscribe to PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.

Catching Phish with PhishMe Intelligence and ThreatQ
Human Phishing Defense Tackle Box – PhishMe Intelligence™ and IBM QRadar®

Leave a Reply