Having a well designed and tested social engineering training program for an organization is an essential part of employee training and security program. It can directly reduce the risk of a security incident. Social engineering is known to be one of the easiest and lowest risk ways for an attacker to establish an initial foothold within an organization. Half of the incidents Trustwave analysts investigated in 2019 were the result of phishing and other social engineering tactics, up from 33 percent in 2018. There are many ways to effectively train and test an organization improving resilience to social engineering attacks, some methods that are more successful and efficient than others.
Most organizations recognize a need to implement social engineering training as part of a yearly training program. Inevitably, it's common for efforts to be enacted with little regard to holistic organization growth and long-term strategy. The trope of a yearly online listen to a narrator read through a few paragraphs of information, and answer a few multiple-choice questions, is commonly the only training employees receive. This training usually closely mirrors information that broadcast every few months on the 10 o'clock news, and the quiz provides the correct answer when gotten wrong. Training employees in the manner may meet requirements for compliance or insurance. However, it is hardly a deterrent for a semi-skilled attacker.
Training vs Testing, Why Not both?
Training is an essential start to implementing a robust social engineering awareness program within a company. Training information should be minimally technical, while still including information applicable to a highly technical attack. Instead of merely training users to look for signs of suspicious requests, they should receive training in how to think about security as it applies to a situation and how to react to a potential threat. Employees shouldn't have to try to guess if a situation is legitimate, they should be able to identify based on evidence they've gathered.
Similarly, an employee should receive training that includes how to gather information on suspicious correspondence. One of the best times to perform testing for successfully compromised targets is immediately after a known compromise. Identify the sender, identify if the sender is an internal resource or external, and identify if the correspondence is asking something unusual. Finally, when the employee has determined that the correspondence is a potential security risk. Their training should encourage them to follow established company policies for alerting security teams to the potential threat as ignored threats could affect other employees.
Alternatively, testing should be a mechanism used to determine employees correctly apply training and understand what company policies and procedures expect of them. Thorough testing allows leadership to determine which users or departments require additional training resources. Using training to curate a list of employees and the type of training they require is essential for efficient budget usage. Simply testing once a year during or after training may meet compliance requirements, but a targeted training and testing lifecycle lowers your risk.
Social Engineering Incident Response
Social engineering tests should include testing of technical controls, employee response, and incident response policies and procedures. All suspected phishing emails should be treated as malicious. Users should be trained to submit potential phishing emails to an incident response alias for analysis. Affected users should be alerted to change their passwords and not to click on any links or open attachments. Incident response teams should inform any potential employees that may have been exposed to the social engineering attack. Social engineering testing should not be removed from this practice. A social engineering test should provide information on how the company as a whole manages a potential attack.
Strategic Testing Avoids Over Testing and Canned Testing
Similar to training, it is possible to meet compliance requirements for testing without actually decreasing risk to the organization. Two of the easiest ways that testing can be detrimental to an organization are over-testing and using canned generic testing. An over-test condition occurs when the tests happen too often. While regular testing is not specifically a problem, it is common for an over-test to reuse campaigns. It is generally considered best practice only to use a campaign one time in a reasonable timeframe.
SpiderLabs recommends against reusing a campaign more than once in a 3 to 5-year span. Once the campaign is launched, incidence response teams should alert the rest of the company. Additionally, for smaller organizations without defined incident response procedures for phishing campaigns, pretexts shared between coworkers may reach untargeted users. There are many ways that untargeted users could become aware of a phishing test, the most common ways Trustwave has observed has been warning emails from leadership and incident response. Although organic methods like water cooler gossip and general training increase situational awareness of resources outside of targeted business units. Therefore, it is recommended to perform all tests, including the targeting of separate groups and regions, at the same time.
Similarly using canned or reused pretexts can be useful to re-enforce simple awareness. An organization should not rely on canned tests in place of an actual test of how users react to a legitimate threat. A real-world threat actor uses canned pretexts to target users who are not paying attention in the first place. Social engineering tests are used to determine a range of users that could be affected by an attacker.
Trustwave offers a range of services to integrate with your current training and testing that are tailored to fit your organization's size and needs. Services include scalable phishing services, red team services that integrate spear phishing and client-side exploitation with attacker stimulation, as well as training services for both compliance and targeted users.