Don’t blame the users on the mistakes you made

The new age of cyber has created many quite unique jobs which require users to do a certain thing every day. A thing which sometimes leads to unexpected outcomes, well, like a phishing incident.

Did you know that in some banks there are people whose job is just to take PDF attachments and store them in an online folder? For example in the case of mortgages or loans. These users receive hundreds of emails per day from systems and customers, and their job is to click on the attached file and store it in a different location.

I know there are still domain registries out there which require copies of documents to be sent to their sales representative or account manager every so often. So these users too simply need to click on a PDF or DOC file and check if the form is filled out correctly.

And why go that far? Even I get scripts sent by customers who then ask questions about the code inside.

I guess you can see where this is going? Somehow we expect these users, whose job is to open files, to spot the one malicious file or email they should not click.

Let’s add to this: we (cyber people in general) have created some fancy trainings over the years about things you should not do or things to be aware of, like:

  • Always check the sender: did you expect the email to come in?
  • Watch out for any tone of urgency
  • Don’t click on links, or hover over the link to check if it looks legit
  • Don’t open attachments

All great ideas, but

  • there are some horrible email addresses out there which are quite legit but to the naked eye… well, smell phishy.
  • Maybe train all the bosses (and the customers alike) not to use any tone of urgency in their legit emails. That could help to distinguish such emails.
  • Do you perhaps know about solutions like Proofpoint or Cloudflare and what they do to links? When the link is wrapped in a 256-character string, it doesn’t make it any easier to spot any funny business.
  • Not opening any attachments at all: I guess I made it clear above that this is a joke in itself.

One more thing which really doesn’t help is the quality of internal communication. Way too many companies use third-party tools for polls, inquiries or swag. As a result, links are always external and email addresses never belong to your own company. Also, if we are honest, the quality of these emails in terms of fonts and graphics is sometimes far behind what professional phishing people can do.

Over the last 10 years of my career I have seen many people replying to internal emails and asking if these are really legit. I should mention that I worked in security for quite a while, and people are real trolls if they can point out something like that… some people. So that means the training has worked!

But sometimes there really is no visible difference, and this creates issues even when the user tries as hard as they can to do the right thing.

What can we do to make it better?

  1. External Warnings
    I am a pretty huge fan of the “External” label and tags you can add, for example, to emails. The user can see directly that an email wasn’t sent from within the organization. If the user was at least a little suspicious of an email, this gives them the confidence to simply not click it. Remember, their job is to click in the first place.
    Maybe check out this Google Support Page for some compliance ideas on emails.
  2. Get tools in place
    Every user in your network should have the basic set of security tools in place, like antivirus and endpoint protection (Palo Alto Networks XDR if you ask me), because you need to be able to detect and also respond on their system. The tools should log into central log stores (can be a SIEM, can be Cortex Data Lake) so you are able to do this detection and response in real time.
  3. Get (a bit more advanced) tools in place
    If you think the user is a line of defense in your company, well, let me tell you, they can’t be (explained above). So make sure you have the tools in place.
  • Spam filters (and greylisting) are a great start; some “phishers” still don’t work according to email best practices, so you can filter those out.
  • Email inspection and filtering as well as quarantining, because you want to block suspicious email attachments and inform the customer. It also adds a great second step for the user: they will need to go and click on a certain internal link to get their attachment, and they will be more careful when opening it.
  • External Warnings (see 1 above)
  • A Security Orchestration, Automation and Response tool, integrated with your email service. With this you can delete emails at scale. If one user falls for the trap, you can at least protect all the others.
  • And maybe the best addition (if you’re up for it): Threat Intelligence.
    Have a team which monitors what is going on in the wild, so they can update all your blocklists and filters based on real scenarios and attacks experienced by others.
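To make the “External” label from point 1 concrete, here is an added example (my own illustration, not code from this post or from any of the products named above) of the tagging logic a mail gateway applies before delivery. The organisation’s domains, the `X-Org-External` marker header name and the three sample messages are all constructed; the gateway is assumed to be the only thing that sets that header, so it overwrites whatever a sender put there.

```python
# Added example, not code from the post: a minimal "[EXTERNAL]" tagger of the
# kind a mail gateway applies before delivery. The organisation's domains, the
# marker header name and the sample messages below are all constructed.
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}  # assumption: our own domains
TAG = "[EXTERNAL]"
MARK_HEADER = "X-Org-External"  # hypothetical header a client-side rule can key on


def address_domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """True if the From domain is not ours, or if a Reply-To would route the
    user's answer outside the organisation even though From looks internal."""
    if address_domain(msg.get("From")) not in INTERNAL_DOMAINS:
        return True
    reply_to = msg.get("Reply-To")
    return bool(reply_to) and address_domain(reply_to) not in INTERNAL_DOMAINS


def tag_external(msg):
    """Mark the message in place and return it. The marker header is always
    rewritten: any value the sender put there is untrusted input."""
    external = is_external(msg)
    del msg[MARK_HEADER]
    msg[MARK_HEADER] = "yes" if external else "no"
    subject = (msg.get("Subject") or "").strip()
    if external and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    return msg


def process(raw):
    """Parse a raw RFC 5322 message and tag it."""
    return tag_external(message_from_string(raw, policy=policy.default))


# Constructed samples. The first one arrives with the marker header already set
# to "no"; the gateway must not trust that.
SAMPLE_EXTERNAL = """\
From: Billing <billing@supplier-portal.example.net>
To: loans@example.com
Subject: Urgent: signed mortgage form attached
X-Org-External: no

Please open the attached PDF today.
"""

SAMPLE_REPLY_TO = """\
From: HR Team <hr@example.com>
To: everyone@example.com
Reply-To: hr-survey@survey-vendor.example.org
Subject: Pick the offsite date

Reply with your preferred date.
"""

SAMPLE_INTERNAL = """\
From: IT <it@corp.example.com>
To: everyone@example.com
Subject: Patch window tonight

Laptops will reboot at 22:00.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_EXTERNAL, SAMPLE_REPLY_TO, SAMPLE_INTERNAL):
        tagged = process(raw)
        print(f'{tagged[MARK_HEADER]:>3}  {tagged["Subject"]}')
```

The second sample is the case the post's third-party-tools complaint produces: an internal From with a Reply-To at a survey vendor. Tagging on the Reply-To as well keeps the label honest about where the user's answer will actually go, and re-running `process` on an already tagged message leaves it unchanged, so the gateway can sit in front of several routes without stacking tags.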
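The greylisting mentioned under point 3 rests on one observation: a properly run mail server retries a temporarily rejected delivery, while a lot of bulk phishing tooling fires once and moves on. The following added example (my own illustration, not the post's code or any real MTA's implementation) shows that decision logic with an injectable clock so the timing can be walked through; the delay, retry window and trust lifetime are assumptions chosen for the demo, and the client is keyed on its IPv4 /24 because sending farms often retry from a neighbouring host.

```python
# Added example, not code from the post: greylisting decision logic keyed on
# (client /24, sender, recipient). Timings are illustrative assumptions.
import ipaddress
import time

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 OK"


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 allow_ttl=36 * 86400, clock=time.time):
        self.min_delay = min_delay        # a retry sooner than this is still deferred
        self.retry_window = retry_window  # after this the first attempt is forgotten
        self.allow_ttl = allow_ttl        # how long a proven triplet stays trusted
        self.clock = clock                # injectable so the walk-through is deterministic
        self.pending = {}                 # triplet -> time of first attempt
        self.allowed = {}                 # triplet -> time of last accepted delivery

    @staticmethod
    def _key(client_ip, sender, recipient):
        # IPv4 assumed; the /24 lets a retry from a sibling relay count.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient):
        """Return the SMTP response the MTA should give for this delivery attempt."""
        now = self.clock()
        key = self._key(client_ip, sender, recipient)

        last = self.allowed.get(key)
        if last is not None:
            if now - last <= self.allow_ttl:
                self.allowed[key] = now       # refresh trust on every good delivery
                return ACCEPT
            del self.allowed[key]             # trust expired, start over

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now           # first sight (or a stale one): defer
            return DEFER
        if now - first < self.min_delay:
            return DEFER                      # retried too eagerly, keep waiting
        del self.pending[key]                 # sender behaved like a real MTA
        self.allowed[key] = now
        return ACCEPT


if __name__ == "__main__":
    now = [0.0]
    g = Greylist(clock=lambda: now[0])
    steps = ((0, "203.0.113.10"), (60, "203.0.113.10"),
             (600, "203.0.113.10"), (0, "203.0.113.11"))
    for delta, ip in steps:
        now[0] += delta
        print(f"t={now[0]:>5.0f}s {ip}: "
              f"{g.check(ip, 'news@vendor.example', 'loans@example.com')}")
```

The cost is a delay on the first message from any new sender and recipient pair, which is why the post calls it a start rather than a solution: it buys time for the filters behind it and removes the senders that never come back, nothing more.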
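The “delete emails at scale” step of the SOAR bullet is easy to get wrong in the other direction: a sweep that matches too loosely removes legitimate mail from every mailbox at once. This added example (my own illustration, not the post's code and not any vendor's playbook) derives indicators from one reported message, matches on attachment content or on the sender and subject pair together, and runs as a dry run by default so the hit list can be checked before anything is removed. The in-memory mailboxes and the byte strings standing in for PDF attachments are constructed.

```python
# Added example, not code from the post: derive campaign indicators from one
# reported message and sweep every mailbox, dry run first. All data constructed.
import hashlib
from dataclasses import dataclass


@dataclass
class Message:
    msg_id: str
    sender: str
    subject: str
    attachments: dict  # file name -> bytes


def attachment_hashes(msg):
    """SHA-256 of every attachment; file names are ignored, they are trivial to change."""
    return {hashlib.sha256(data).hexdigest() for data in msg.attachments.values()}


def indicators_from(reported):
    """Campaign indicators derived from the one message a user reported."""
    return {
        "sender": reported.sender.lower(),
        "subject": reported.subject.strip().lower(),
        "hashes": attachment_hashes(reported),
    }


def matches(msg, ind):
    """Same attachment content, or the same sender and subject together.
    Subject alone is deliberately not enough: 'FW: invoice' would sweep up real mail."""
    if attachment_hashes(msg) & ind["hashes"]:
        return True
    return (msg.sender.lower() == ind["sender"]
            and msg.subject.strip().lower() == ind["subject"])


def purge_campaign(mailboxes, reported, dry_run=True):
    """Sweep every mailbox for messages matching the reported one.
    Returns {mailbox: [message ids]}; removes them only when dry_run is False,
    so the hit list can be reviewed before anything is deleted at scale."""
    ind = indicators_from(reported)
    hits = {}
    for owner, messages in mailboxes.items():
        found = [m.msg_id for m in messages if matches(m, ind)]
        if found:
            hits[owner] = found
            if not dry_run:
                mailboxes[owner] = [m for m in messages if m.msg_id not in found]
    return hits


PHISH_PDF = b"%PDF-1.4 constructed sample, stands in for the lure attachment"
GOOD_PDF = b"%PDF-1.4 constructed sample, stands in for a real report"


def build_sample_mailboxes():
    """Constructed mailboxes: m1, m3 and m4 belong to the campaign, m2 and m5 do not."""
    lure = "Urgent: signed mortgage form attached"
    return {
        "alice@example.com": [
            Message("m1", "billing@supplier-portal.example.net", lure, {"form.pdf": PHISH_PDF}),
            Message("m2", "hr@example.com", "Offsite date", {}),
        ],
        "bob@example.com": [
            # same attachment content, renamed and sent from a different address
            Message("m3", "accounts@other-sender.example.org", "FW: invoice", {"scan.pdf": PHISH_PDF}),
            # same sender and subject, attachment already stripped by the filter
            Message("m4", "billing@supplier-portal.example.net", lure, {}),
            Message("m5", "finance@example.com", "Q3 report", {"report.pdf": GOOD_PDF}),
        ],
    }


if __name__ == "__main__":
    boxes = build_sample_mailboxes()
    reported = boxes["alice@example.com"][0]   # the message a user reported
    print("dry run:", purge_campaign(boxes, reported))
    print("removed:", purge_campaign(boxes, reported, dry_run=False))
    print("left:", {o: [m.msg_id for m in ms] for o, ms in boxes.items()})
```

Matching on the attachment hash catches the copy that was renamed and relayed from another address, while the sender plus subject rule catches the copy whose attachment the filter already stripped; neither rule on its own touches the unrelated internal mail in the same mailboxes.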

That’s it for today, please leave a 👏 and be excellent to each other.