Ten years ago – all that was required to break into an organization was a vulnerability on your external perimeter. While this is still the case, many vendors have caught on and, as a result, it is far less likely to remotely compromise an organization through exposed services. Today, the primary targets for an attack include web applications and your end users.

End users are often the weakest link. They come with various backgrounds, qualifications and experience and are more likely to click on links sent to them in by e-mail, this leaves them vulnerable to phishing attacks. Phishing is the practice of sending unsolicited e-mails, pretending to be from reputable companies, in order to trick individuals into disclosing sensitive information, clicking on a link, or opening an attachment.

In order to mitigate this vulnerability, we must first evaluate the likelihood of our users opening links, but second, their willingness to disclose sensitive information. Additionally, we must gauge whether our IT Security team and supporting controls can detect and mitigate the potential for a breach.

What is the difference between phishing for security and phishing for awareness?

Phishing for Awareness

Phishing campaigns are often included as part of an objective-based penetration test that targets end users and measures the likelihood of your organization being compromised through phishing. E-mail phishing is typically performed to evaluate user awareness; we call this phishing for awareness. With this type of phishing, when a user clicks on a link, they are prompted that they have ‘failed the test’ and may require training.

This scenario lends itself to employees sharing information (e.g., “Don’t click on that e-mail”) and leads to watered down metrics. Phishing services almost always make use of templated e-mails which become very familiar to your employees after multiple campaigns. In some cases, awareness vendors allow for custom e-mail templates but their goal is to evaluate the number of clicks. The most common metric for phishing is the CTR or the Click-through rate. Click-through rate is the metric that measures how many people click on your links. However, this is only part of the problem.

Phishing for Security

An attacker is unlikely to tip off your users that they have been tricked and will make their attempts as believable as possible. These campaigns often make use of domains similar to yours with a typo or missing letters and valid SSL certificates. The more effective way to phish end users is to explore what may happen after they click; this is called phishing for security.

Are your endpoint defences capable of detecting custom payloads? Does your Security Operations Centre (SOC) have the capability to detect and contain compromised systems? How long does that take?

Phishing for security makes use of custom campaigns and the metrics are much more powerful. They can be used to answer a number of questions:

  1. How long does it take your team to detect that a breach has occurred?
  2. How long does it take your team to contain the breach?
  3. What percentage of users can be compromised through phishing?
  4. How long would it take a user on your network to obtain administrative access?
  5. Is your Antivirus solution effective at preventing remote access?

What is the most comprehensive type of phishing? Phishing for security or awareness?

Phishing for awareness is an effective tool for measuring user awareness, but it is less effective at simulating a real attack. What it falls short on is the capability of answering whether your organization is capable of first detecting an attack, and second containing or isolating the affected systems. This is the core purpose of phishing for security. Phishing for security is much more realistic and can be chained to an existing assessment; this effectively evaluates external threats.

During a phishing for security campaign, the consultant takes time to explore the organization, understand their values and finally, creates a custom phishing campaign. These campaigns range from raffles, password resets, security awareness tools, masquerading as your service providers, package deliveries and even calendar invites. With these campaigns, the e-mails are crafted with the same writing style used in public-facing content and potentially real names that have authority at your company.

The purpose of this type of phishing is to really understand the effectiveness of your process end-to-end. These campaigns make use of payloads that resemble malware and determine whether your antivirus is capable, can connect back out to a remote location enabling remote access to your network, or compromise user credentials and enable access to a wide assortment of systems depending on the user that is compromised. Phishing can also be used to bypass two-factor authentication.

Do we need both?

How do you know which type of phishing is best? It all depends on your objective for the campaign. It is much more effective to run a fire drill and see what happens, then ask people if they know what to do when the bell starts ringing. Similarly, if you run a vulnerability scan (VA) but do not attempt to exploit the findings, you miss out on answering the critical question of how your organization could be compromised.

Phishing for awareness is often the best place to start, but it must be coupled with phishing for security in order to better understand what would happen during a real attack. Awareness campaigns help measure and custom tailor your awareness training. Additionally, they are much cheaper because they’re templated but this may lead to unrealistic evaluations.

On the other hand, Phishing for security is much more involved because the campaigns are custom, and target your business much more effectively. They evaluate what happens after the click, and how long it takes for your organization to respond.

Conclusion

In summary, it is imperative to add e-mail phishing to your next penetration test to make it more realistic given the significant attack surface area and lack of validation. Most IT security controls are implemented in environments but seldom validated. Phishing for awareness offers tremendous value, but it misses the mark on evaluating critical IT security controls like endpoint defences, IT response times and the effectiveness of your process.

At Packetlabs, we are constantly pushing the boundaries of our phishing campaigns. We have mailed out Gift Cards to “successful” raffle winners, created a backdoored password checker services, and several others that challenge the status quo.

Exploring your business from an attackers perspective is an effective way to be more prepared, and find weaknesses that may have been otherwise overlooked. With significant financial losses and the potential for countless fines, we must ensure our organizations are prepared, and validate that the plans and technologies we invest in are effective. Contact us to learn more about how we can help.