To defeat phishing, Energy learns to phish

Featured eBooks
A New Era of Social Media Regulation
Making AI Work for Government
Strengthening State and Local Cyber Defenses
Insights & Reports
Breaking Ground Report: Providing perspectives on America’s infrastructure modernization programs
Presented By CohnReznick
Download Now
Leveraging Identity: A Public Sector Guide for External Services
Presented By Okta
Download Now
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Filters won't catch every threat, so Energy and other agencies have gone phishing themselves, using training and penetration tests to beef up employees' knowledge of attacks.

The Energy Department’s Oak Ridge National Laboratory received more than 500 e-mails in April that appeared to be from the lab’s benefits department and contained a link for more information. The link which actually downloaded malicious code when users clicked on it.

Several recipients clicked on it, said Barbara Penland, the lab’s deputy director of communications. “One computer was set up in a way that gave access to our network.”

As a result of the ensuing malware infection that collected technical information to export from the lab, Oak Ridge shut down its Internet access for more than a week, interrupting research on clean energy and other topics.

Related coverage:

New Chinese targets put phishing on the rise

Oak Ridge lab shuts down e-mail, Internet after cyberattack

Are mobile users suckers for phishing attacks?

The employees should have known better. The Energy Department conducts two to four phishing exercises a year at its field sites, testing awareness and educating users. But the constantly evolving, increasingly sophisticated attacks make them difficult to adequately defend against.

“Due to advanced exploitation techniques, targeted attacks make it hard for the end user to realize what is going on,” said Haywood McDowell, who is in charge of penetration testing at the department’s Office of Environmental Management.

There is technology to block suspected phishing messages and identify malicious sites and servers, but it is not perfect. “It’s going to catch a certain percentage,” McDowell said. “But this is a moving target. We spend money on firewalls and on filters, but at the end of the day the end user is the first line of defense.”

Phishing tests

Testing and training are ongoing processes, as agencies design and send benign phishing messages to workers, followed by educational programs to explain what is being done well, what the mistakes are and how employees can defend their position on the front lines of cyber defense.

DOE uses an online service to do the tests. PhishMe provides templates for creating phishing e-mails that are sent to employees. If the bait is taken, the link or phony attachment delivers a short message about security.

“It’s quite simple,” McDowell said of creating a phishing test. “It’s just a matter of coming up with a story and putting it into an e-mail with a landing site.”

One strength of the service is the ability to collect data on the success of the attacks and develop metrics about what techniques work with whom.

The focus of the service is training, however, said PhishMe CEO Rohyt Belani. “The metrics are a positive byproduct,” he said. “You are able to quantify awareness, [but] our focus is training.” PhishMe has a research agreement with the U.S. Military Academy at West Point to provide training at the school and to use its metrics to study how phishing works.

PhishMe began as a consulting firm that did penetration testing, including phishing attempts. However, annual testing has a limited value. The results are predictable and rarely change from year to year. “Every year, we would come in, and every year, we get the same sorry results,” Belani said. Now the service allows customers to test on their own throughout the year, supplemented with training to reinforce lessons.

Broadly, phishing is a malicious technique that uses a lure, usually an e-mail, to get the victim to provide log-in or account information to the attacker, to visit a malicious site that will upload malware to the computer, or open a malicious attachment. Attacks can be delivered in large volumes by spambot networks that distribute the load to stay under the radar, or they can be targeted to specific organizations or individuals using social engineering, a technique called spear phishing.

On a first run of a PhishMe test, an average of about 58 percent of recipients fall for the attack, Belani said. “It explains why spear phishing is so popular. It works.” But with repeated tests, the response figure usually is reduced to single digits by the fourth round. “We’re not going to get it down to zero,” he said. “It’s not a panacea.”

Update your account!

Although greed is one of the top drivers of successful phishing, it is not the top temptation. The most successful type of lure is one that imposes a responsibility on the victim that appears to come from a person or organization in authority. This is the, “update your account information now!” type of attack. “The authoritative ones are 28 percent more successful than appealing to human greed,” Belani said.

The testing usually is done in several rounds, interspersed with training. It typically begins with a simple, easy-to-spot message in the first round and proceeds to more sophisticated socially engineered attacks. The exact process and mix of attacks depends on the organization and the level of awareness. “There is a bit of an art to it,” he said. “It’s not a pure science.”

An understanding of the organization is one reason it makes sense for the customer to use the service rather than hire an outsider to do testing. Another reason for doing the testing in-house is overcoming reluctance of the would-be victims to sit through a training session after having been fooled by the testers.

“The technical aspect is one thing, but the political aspect is another,” Belani said. That is one reason for starting slowly in the early rounds of testing. “Throw them a softball. We don’t want to discourage them.”

McDowell said that in his experience doing the testing with DOE, there has been little resistance to training on the part of users. “People are typically receptive.”

The usual process is to tell employees that the testing and training is being done, then send out a phishing e-mail in the morning and have the training in the afternoon, presenting the statistics about what happened.

McDowell’s experience is much like that of Belani. In the initial exercise, the response rate usually is more than 50 percent, a level that is not that difficult to lower. “If you perform the same attack a year later, it would still work, but against a small percentage of users,” McDowell said. The overall trend for successful attacks is downward over time.

But successful training requires more than exposing users to a certain type of attack and telling them not to fall for it. Phishers are constantly updating their attacks, and penetration testers and trainers must do the same. “What works this month doesn’t necessarily work next month,” McDowell said. “The ball is always moving,” and training must be a continuing process.

The essential lesson being taught is to critically examine the message being delivered in an e-mail and the requests being made. It is not enough to suspect mail from former Nigerian finance ministers, because sender addresses can be spoofed and spear-phishing attacks can come from trusted addresses.

Users should know the policies of their employers and other organizations with which they do business and understand what types of information will and will not be requested via e-mail. Links should be verified before clicking to see if they really are taking you where you expect to go, and attachments should be examined to ensure that extensions match the expected file type.

None of this is enough, of course. “Will we stop it? Probably not,” McDowell said. “We will never eliminate the risk. Our job is to mitigate it.”

NEXT STORY: New Chinese targets put phishing on the rise

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.