To defeat phishing, Energy learns to phish
Agencies test users' awareness of phishing ploys to educate them about increasingly sophisticated attacks
The Energy Department’s Oak Ridge National Laboratory received more than 500 e-mails in April that appeared to be from the lab’s benefits department and contained a link for more information. The link which actually downloaded malicious code when users clicked on it.
Several recipients clicked on it, said Barbara Penland, the lab’s deputy director of communications. “One computer was set up in a way that gave access to our network.”
As a result of the ensuing malware infection that collected technical information to export from the lab, Oak Ridge shut down its Internet access for more than a week, interrupting research on clean energy and other topics.
New Chinese targets put phishing on the rise
Oak Ridge lab shuts down e-mail, Internet after cyberattack
Are mobile users suckers for phishing attacks?
The employees should have known better. The Energy Department conducts two to four phishing exercises a year at its field sites, testing awareness and educating users. But the constantly evolving, increasingly sophisticated attacks make them difficult to adequately defend against.
“Due to advanced exploitation techniques, targeted attacks make it hard for the end user to realize what is going on,” said Haywood McDowell, who is in charge of penetration testing at the department’s Office of Environmental Management.
There is technology to block suspected phishing messages and identify malicious sites and servers, but it is not perfect. “It’s going to catch a certain percentage,” McDowell said. “But this is a moving target. We spend money on firewalls and on filters, but at the end of the day the end user is the first line of defense.”
Testing and training are ongoing processes, as agencies design and send benign phishing messages to workers, followed by educational programs to explain what is being done well, what the mistakes are and how employees can defend their position on the front lines of cyber defense.
DOE uses an online service to do the tests. PhishMe provides templates for creating phishing e-mails that are sent to employees. If the bait is taken, the link or phony attachment delivers a short message about security.
“It’s quite simple,” McDowell said of creating a phishing test. “It’s just a matter of coming up with a story and putting it into an e-mail with a landing site.”
One strength of the service is the ability to collect data on the success of the attacks and develop metrics about what techniques work with whom.
The focus of the service is training, however, said PhishMe CEO Rohyt Belani. “The metrics are a positive byproduct,” he said. “You are able to quantify awareness, [but] our focus is training.” PhishMe has a research agreement with the U.S. Military Academy at West Point to provide training at the school and to use its metrics to study how phishing works.
PhishMe began as a consulting firm that did penetration testing, including phishing attempts. However, annual testing has a limited value. The results are predictable and rarely change from year to year. “Every year, we would come in, and every year, we get the same sorry results,” Belani said. Now the service allows customers to test on their own throughout the year, supplemented with training to reinforce lessons.
Broadly, phishing is a malicious technique that uses a lure, usually an e-mail, to get the victim to provide log-in or account information to the attacker, to visit a malicious site that will upload malware to the computer, or open a malicious attachment. Attacks can be delivered in large volumes by spambot networks that distribute the load to stay under the radar, or they can be targeted to specific organizations or individuals using social engineering, a technique called spear phishing.
On a first run of a PhishMe test, an average of about 58 percent of recipients fall for the attack, Belani said. “It explains why spear phishing is so popular. It works.” But with repeated tests, the response figure usually is reduced to single digits by the fourth round. “We’re not going to get it down to zero,” he said. “It’s not a panacea.”
Update your account!
Although greed is one of the top drivers of successful phishing, it is not the top temptation. The most successful type of lure is one that imposes a responsibility on the victim that appears to come from a person or organization in authority. This is the, “update your account information now!” type of attack. “The authoritative ones are 28 percent more successful than appealing to human greed,” Belani said.
The testing usually is done in several rounds, interspersed with training. It typically begins with a simple, easy-to-spot message in the first round and proceeds to more sophisticated socially engineered attacks. The exact process and mix of attacks depends on the organization and the level of awareness. “There is a bit of an art to it,” he said. “It’s not a pure science.”
An understanding of the organization is one reason it makes sense for the customer to use the service rather than hire an outsider to do testing. Another reason for doing the testing in-house is overcoming reluctance of the would-be victims to sit through a training session after having been fooled by the testers.
“The technical aspect is one thing, but the political aspect is another,” Belani said. That is one reason for starting slowly in the early rounds of testing. “Throw them a softball. We don’t want to discourage them.”
McDowell said that in his experience doing the testing with DOE, there has been little resistance to training on the part of users. “People are typically receptive.”
The usual process is to tell employees that the testing and training is being done, then send out a phishing e-mail in the morning and have the training in the afternoon, presenting the statistics about what happened.
McDowell’s experience is much like that of Belani. In the initial exercise, the response rate usually is more than 50 percent, a level that is not that difficult to lower. “If you perform the same attack a year later, it would still work, but against a small percentage of users,” McDowell said. The overall trend for successful attacks is downward over time.
But successful training requires more than exposing users to a certain type of attack and telling them not to fall for it. Phishers are constantly updating their attacks, and penetration testers and trainers must do the same. “What works this month doesn’t necessarily work next month,” McDowell said. “The ball is always moving,” and training must be a continuing process.
The essential lesson being taught is to critically examine the message being delivered in an e-mail and the requests being made. It is not enough to suspect mail from former Nigerian finance ministers, because sender addresses can be spoofed and spear-phishing attacks can come from trusted addresses.
Users should know the policies of their employers and other organizations with which they do business and understand what types of information will and will not be requested via e-mail. Links should be verified before clicking to see if they really are taking you where you expect to go, and attachments should be examined to ensure that extensions match the expected file type.
None of this is enough, of course. “Will we stop it? Probably not,” McDowell said. “We will never eliminate the risk. Our job is to mitigate it.”