Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Combatting Social Engineering Is Not Just A Compliance Requirement

Having a well designed and tested social engineering training program for an organization is an essential part of employee training and security program. It can directly reduce the risk of a security incident. Social engineering is known to be one of the easiest and lowest risk ways for an attacker to establish an initial foothold within an organization. Half of the incidents Trustwave analysts investigated in 2019 were the result of phishing and other social engineering tactics, up from 33 percent in 2018. There are many ways to effectively train and test an organization improving resilience to social engineering attacks, some methods that are more successful and efficient than others.

Most organizations recognize a need to implement social engineering training as part of a yearly training program. Inevitably, it's common for efforts to be enacted with little regard to holistic organization growth and long-term strategy. The trope of a yearly online listen to a narrator read through a few paragraphs of information, and answer a few multiple-choice questions, is commonly the only training employees receive. This training usually closely mirrors information that broadcast every few months on the 10 o'clock news, and the quiz provides the correct answer when gotten wrong. Training employees in the manner may meet requirements for compliance or insurance. However, it is hardly a deterrent for a semi-skilled attacker.

Training vs Testing, Why Not both?

Training is an essential start to implementing a robust social engineering awareness program within a company. Training information should be minimally technical, while still including information applicable to a highly technical attack. Instead of merely training users to look for signs of suspicious requests, they should receive training in how to think about security as it applies to a situation and how to react to a potential threat. Employees shouldn't have to try to guess if a situation is legitimate, they should be able to identify based on evidence they've gathered.

Similarly, an employee should receive training that includes how to gather information on suspicious correspondence. One of the best times to perform testing for successfully compromised targets is immediately after a known compromise. Identify the sender, identify if the sender is an internal resource or external, and identify if the correspondence is asking something unusual. Finally, when the employee has determined that the correspondence is a potential security risk. Their training should encourage them to follow established company policies for alerting security teams to the potential threat as ignored threats could affect other employees.

Alternatively, testing should be a mechanism used to determine employees correctly apply training and understand what company policies and procedures expect of them. Thorough testing allows leadership to determine which users or departments require additional training resources. Using training to curate a list of employees and the type of training they require is essential for efficient budget usage. Simply testing once a year during or after training may meet compliance requirements, but a targeted training and testing lifecycle lowers your risk.

Social Engineering Incident Response

Social engineering tests should include testing of technical controls, employee response, and incident response policies and procedures. All suspected phishing emails should be treated as malicious. Users should be trained to submit potential phishing emails to an incident response alias for analysis. Affected users should be alerted to change their passwords and not to click on any links or open attachments. Incident response teams should inform any potential employees that may have been exposed to the social engineering attack. Social engineering testing should not be removed from this practice. A social engineering test should provide information on how the company as a whole manages a potential attack.

Strategic Testing Avoids Over Testing and Canned Testing

Similar to training, it is possible to meet compliance requirements for testing without actually decreasing risk to the organization. Two of the easiest ways that testing can be detrimental to an organization are over-testing and using canned generic testing. An over-test condition occurs when the tests happen too often. While regular testing is not specifically a problem, it is common for an over-test to reuse campaigns. It is generally considered best practice only to use a campaign one time in a reasonable timeframe.

SpiderLabs recommends against reusing a campaign more than once in a 3 to 5-year span. Once the campaign is launched, incidence response teams should alert the rest of the company. Additionally, for smaller organizations without defined incident response procedures for phishing campaigns, pretexts shared between coworkers may reach untargeted users. There are many ways that untargeted users could become aware of a phishing test, the most common ways Trustwave has observed has been warning emails from leadership and incident response. Although organic methods like water cooler gossip and general training increase situational awareness of resources outside of targeted business units. Therefore, it is recommended to perform all tests, including the targeting of separate groups and regions, at the same time.

Similarly using canned or reused pretexts can be useful to re-enforce simple awareness. An organization should not rely on canned tests in place of an actual test of how users react to a legitimate threat. A real-world threat actor uses canned pretexts to target users who are not paying attention in the first place. Social engineering tests are used to determine a range of users that could be affected by an attacker.

Trustwave offers a range of services to integrate with your current training and testing that are tailored to fit your organization's size and needs. Services include scalable phishing services, red team services that integrate spear phishing and client-side exploitation with attacker stimulation, as well as training services for both compliance and targeted users.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More