Phishing exercises and you - stop punishing optimism
I've always made the joke that one of the prerequisites for getting involved in the field of cybersecurity is that, at the end of the day, you need a minor dose of paranoia in order to really operate efficiently in our field. Our job is to think of ways that the system could be abused and to try to counteract those things. As a result we rarely take anything at face value. Every email is an OSINT collection method, every executable is just one bad developer away from being a backdoor, and every day brings a new vulnerability that will no doubt be exploited.
And I don't mean to say those things aren't happening. I don't want to downplay the role of modern cybersecurity, especially in an age with bots, criminal organizations, and nation states suddenly realizing that it's the new ballgame in town. I do, however, ask you to stop punishing your users.
When I first saw things like PhishMe, KnowBe4, or the like, I have to admit that I saw a lot of promise in the product. A way to show users what phishing emails were, how to spot them, and then to turn that into metrics that could help me develop additional courses? That sounded just amazing on its face. But as I have watched more and more organizations adopting this "Human Defense" model, I see a concerning correlation.
These users are being punished for getting phished, and quite frankly, that's not alright. The fact is that we as humans have been defeating human security not for decades, or centuries, but millennia. It isn't a new sort of TTP (Tactic / Technique / Procedure); it is in fact the oldest. Learning to use someone's inherent trust or optimism against them is the foundation of most human security defeat methods.
Yet we treat this as some kind of flaw in the security industry, as if the user should be trained out of their optimism, their trust, or their empathy. We look at those reports and think to ourselves "How could they be so foolish, this was so obviously a trap?" and I have to ask everyone to remind themselves: being optimistic, trusting, or empathetic isn't an inherent flaw. If anything we should probably be encouraging those things rather than trying to chase them away.
So when you tell a user "If you click one more phishing link, we're going to fire you!" you are effectively telling them that they need to give up their trust if they're going to work for your organization. That they are a man alone, and that anything and everything communications-wise must be scrutinized before it is acted upon. That their empathy in wanting to get someone a gift card because they're in financial trouble is in fact a bad reaction.
The fact is, it is that empathy, that trust, and that optimism that make us human. Don't punish your users for being human. That isn't to say that I don't think there is value in things like PhishMe and KnowBe4; quite the opposite, I do think there is absolutely value in training users on what common attacks look like. But they aren't experts in the field, and they shouldn't have to be.
Our job isn't to make our workers soulless, process-based automatons who refuse to let the injured lady into the building because that's against policy. Our job is to build the technological and physical defenses behind that, so that when it does turn out to be a ploy, the system isn't entirely defeated behind it.
The security onion is something we always talk about, and it's very real, but we seem to keep shifting the blame from the technology to the human. More and more, the theme in the field seems to be "Oh well, 95% of attacks are going to come through phishing, so clearly our focus should be on how to prevent phishing."
Well, let me give you a hint: you won't. No matter how much training you give, no matter how much you threaten someone, in a choice between the core features of their humanity and a corporation's secret, a human is going to choose humanity every single time, and they aren't wrong for doing so, just not as paranoid as us.
So our job becomes the art of defining the security perimeter behind that user. We can train them, but don't make that your focus; instead, let us use our skills with technology to build that onion behind our first layer.
This means going back to the principles of cybersecurity which we so often talk about. No amount of MITRE ATT&CK framework, threat hunting, or understanding of APT malware samples is going to amount to a hill of beans if you aren't implementing the absolute basics of cybersecurity: network segmentation, multi-factor authentication, and change management, all built on the basis of least privilege.
- Firewall (preferably with Layer 7 analysis capabilities)
- IDS (Intrusion Detection System)
- VPN solution (Virtual Private Network)
- Log collection solution
- NAC (Network Access Control)
- EDR (Endpoint Detection and Response)
- Asset management
- SIEM (Security Information and Event Management)