Sunday, March 8, 2015

Spear Phishing and User Awareness Programs

Cyber news seems to be bustling lately with Spear Phishing attempts and successful attacks. Spear Phishing tactics are becoming more and more sophisticated via well-crafted and well-worded emails. No longer is the wording obviously from someone who doesn't speak English. Some even go so far as to map out a plot. That is to say, the person leading the attack is carefully crafting, even predicting really, the behavior of their victim and creating a roadmap to accompany the email through a series of what would appear to be valid actions. In some of the attacks I was reading recently the authors really did their homework through other social engineering avenues in order to craft these emails and plots.

Most IT-related people would probably identify one of these emails fairly quickly, but even that isn't necessarily true. How many of you reading this really "examine" your emails? Suppose you were to receive an email from someone you know within the company. Maybe it's even the guy three cubicles over. Can you honestly say that with each email you check the sender's address, or review the header info, or use any other method of cross-checking for validity? Perhaps you are lucky enough to have a policy which enforces non-repudiation via signed emails. If so, good for you.

We all know that it is the employee, the human, who is the weakest control in any environment, yet they are trained. Why are these attacks still so successful today?

Let's face it. User awareness programs are successful and are useful. I would not be doing my field any favors by calling them irrelevant, and I certainly don't believe that they are irrelevant. But let's also be honest about the repetitive nature of these programs. Usually it is an annual requirement with very little accountability attached to it. Typically these trainings are presented as a slide show, computer-based training, or some other easily manipulated method that users just get over with or click through to satisfy the requirement. The programs become, well, mundane and in my opinion unimportant to the person who has to take them. Over time we reach a point, as humans, where we become comfortable. Maybe this is because an employee has been in a job for thirty-plus years. Maybe it is because an employee develops relationships and believes they would never be duped, always recognizing the sender. Let's not forget that this person is also banking on the odds being in their favor that they will never encounter any form of social engineering or attack. Whatever the reason, these email attacks are still successful quite regularly and in many cases result in compromise or loss of something valuable - data or money.

So how can we motivate change within these programs to make them more interesting?

I propose the following items as possible program improvements:

1. Tailor the program toward the audience or role. This is a concept already implemented in every program that I've ever audited. What has not been done is to allow the content to tell a story of relevance. There is currently plenty of historical data for use in developing a training program that makes the attacks more relatable and therefore of concern. Allow history the opportunity to enhance your program's relevance by role.

2. Current programs tell users some of the key things to look for in identifying email attacks of any kind. What they sometimes do not do is show the user where and what those things are. We have to remember as IT professionals that not everyone works in our field.

3. Develop some form of accountability toward the success of User Awareness programs. Management support is key to enforcing this, and its absence is one of the reasons programs are not very successful today. I see it all the time. Folks just see the program as "in the way" and all they want to do is "put the check in the box". Cultures are created and people are typically resistant to change. That makes this point fairly hard to overcome.

4. Social Engineering done well spans more than a single person. We need to develop not only methods of identifying social engineering one on one, but also ways to make it identifiable as a collaborative effort across the organization. I'll admit that I do not have much insight on how to actually accomplish this, but in at least three of the attacks I recently read about it was obvious that several avenues were taken. Had those avenues been correlated, these attacks might have been unsuccessful.
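As an added example, not part of the original post, here is the kind of "where and what to look" check that item 2 and the earlier question about examining the sender's address and header info describe, written so it could back a training exercise or a gateway rule. The sample message, the internal domain and the gateway's Authentication-Results header are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): a spear-phishing style mail that
# claims to come from a colleague but carries mismatched header fields.
SAMPLE_MESSAGE = """\
From: "Bob Smith (Accounting)" <bob.smith@example-corp-mail.com>
Reply-To: payments@mailbox-relay.example.net
To: alice@example-corp.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp-mail.com; dkim=none

Alice, please process the attached invoice today.
"""

INTERNAL_DOMAIN = "example-corp.com"  # assumed domain of the recipient's organisation


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_warnings(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Parse a raw message and return the header-level warning signs a user
    (or a mail gateway) should look at before trusting the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    _display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    # 1. Domain contains the organisation's name but is not the organisation's domain
    org_name = internal_domain.split(".")[0]
    if from_domain != internal_domain and org_name in from_domain:
        warnings.append(f"look-alike sender domain: {from_domain}")
    # 2. Reply-To points somewhere other than the visible sender's domain
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To domain differs from From: {domain_of(reply_addr)}")
    # 3. The receiving gateway's SPF/DKIM/DMARC results did not pass
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=none" in auth:
            warnings.append(f"{mech} did not pass (see Authentication-Results)")
    return warnings
```

Showing trainees these same three fields on a real message, rather than only telling them to "check the sender", is the point of item 2.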

This most certainly is not an all-inclusive list, but it does represent some of my immediate thoughts on how to improve User Awareness programs to combat Spear Phishing and other Social Engineering attacks. A great User Awareness program is really the strongest way to protect an organization from Social Engineering methods.