Infiltrating the Corporation – Simple protection against total ownership of your network
A number of years ago I was lucky enough to have the trust of my CEO, and he allowed me to run a social experiment for security. For a period of 4 weeks, I wrote a four-part series on the ‘evolution of phishing’, sending out emails to employees every Friday in easy-to-read, bite-size chunks. On the 5th week, I didn’t send out my usual blog update. I did something slightly different… That’s right, I sent out a phishing email (unbeknownst to the employees), informing them of an important update in security that they MUST read. Simply click ‘here’.
And then, well, I just sat back and harvested their usernames and passwords.
I know, it was below the belt, it was sneaky, it was, well, what a hacker would do. It also resulted in no one ever clicking on any links I put in my emails ever again.
How it was done
The technical execution of a social engineering attack like this is simple. There are a number of tutorials on the Internet on how to perform it, so I’m not going to map it out here. This article is about how to protect your organisation to the best of your ability.
How can you protect the organisation from such an attack?
This is a broad question, and there are many layers that should be implemented to give you the best chance of minimising exploitation. Unfortunately, but also pragmatically, you should know up front that there is no mechanism to stop this happening in most organisations today – not, at least, without either major changes to the business or major costs. The best we can do is try to minimise the chances of it occurring, and also focus our attention on Incident Response to clean it up when it does eventuate. So, let’s review what failed above and what succeeded, to find a viable, effective and economical solution.
Clearly the weekly blogs informing employees about phishing attacks failed. It was all theory with no application, and when it came to the crunch, about 40% of the organisation clicked on the link in the email and provided their username and password. 10% wrote back and knew it was a hack. And the remaining 50% hadn’t read my email yet before I called off the experiment.
Additionally, and this is the element the hacker is betting on, the human element failed. And that failure came from the human instinct to ‘trust’. Sadly, although trust is a good thing, when it comes to social engineering, trust translates to ‘I open myself to be vulnerable to you’ – and such is life.
After the staged hack, for a number of weeks everyone was talking about the attack! Their awareness of the importance and dangers of phishing attacks had been raised. This never occurred during the 4-week period, despite my best attempt to write interesting articles.
Finally, there was also a direct impact on user behaviour: they learnt not to openly trust emails – at least from me, anyway.
Lessons learned and actions taken
From the above experiment, I learned a lot about human nature. We truly learn best by doing – not by thinking. And because we are creatures of habit, continuous and persistent effort is necessary. As such, today I send around the phishing emails (malware, viruses and links removed) to employees, so they can see these threats first hand rather than from unread, informative (and extremely entertaining) blogs.
What I’ve found now is that the staff are really proactive in updating the service desk and security when they see suspicious emails. They’ve also written back to me thanking me personally, because they shared this information with family members and it saved them from a locked computer and being held to ransom.
Of course there are many other ways to protect against phishing, like border anti-malware, proxies, C&C detection and client-side checking, but in this day and age, when anti-virus signatures are easily bypassed, Tor anonymises endpoints, encryption hides network traffic and dangerous software appears legitimate, the human element doesn’t always have to be the weakest link.
Correct awareness does work, but as I mentioned earlier, layer it in with other preventative controls and make sure you also have a robust Security Incident Response process, because these attacks are only on the rise and it is only a matter of time.
Please do not take it upon yourself to run such an experiment within your organisation without the express written permission of your CISO and CEO, unless you wish for immediate dismissal and the potential for a criminal record and gaol time.
And if you would like to run a similar type of (approved) campaign within your organisation to test user awareness and your security response plan, please feel free to reach out to me at NTT Communications ICT Solutions.