In a recent conversation with the Security Awareness community we spoke with Uriel Kosayev, experienced security researcher and author of the Antivirus Bypass Techniques, who walks us through the elements of a phish from an attacker's point of view. It was an engaging discussion to consider it from the perspective of security awareness training.
When attackers launch a phishing campaign against an organization, it can be either against an entire organization (your generic, run-of-the-mill phishing email sent out en masse) or specifically targeted to only an individual or group of individuals (spear phishing or whaling).
Part of what an attack is looking to accomplish is bypassing security controls and understanding the end-point protection. The attackers aim is to identify the best vulnerable endpoint at which to place the point of attack (aka - the action they want the target to take, like clicking a link or downloading a file).
Beyond understanding what security controls and protections an organization already has in place from a technical perspective, attackers also turn to publically available information to learn the culture and mindset of an organization and the people who work in the business. The company website, social media pages (LinkedIn and Wikipedia are particularly helpful), and other public listings provide insights to help criminals build a profile that help them understand the language used, the industry, the tech tools, and the businesses their target engages with. They also note how aware of attacks individuals and companies appear.
A starting point can typically be checking the size of a company and honing in to identify how many IT Administrators there are - these roles are considered high-value targets. If an attacker can breach the account of an IT Admin and there are no security controls or poorly configured segmentation, then the keys of the kingdom become easy access to get into most, if not all, areas of the business.
Attackers then look into all the digital nooks and crannies to see where there may be information lying around that they can use to cross-reference with other intel to build up a persona and story to present to the target(s) that is believable and compliments familiar information the target would expect regarding their role.
Uriel stated it succinctly, "It's not about getting the data. It's about understanding the data you have."
"It's not about getting the data. It's about understanding the data you have."
Some phishing attacks can be very broad with the aim to look for any existing vulnerability across an organization while other attacks might focus on a specific tool the company is known to use. The time it takes to perform recon and implement an attack differs based on how broad or targeted it will be, as well as the size of an organization playing a role.
For spear phishing, typically attackers seek to impersonate a top-level executive. To do this successfully, they need to understand the psychology of the individual they wish to impersonate. Reviewing the type of language used on social media gives insights on how they write and how they reply to others, as well as the tone of voice they use regularly.
Additionally, they look to get a copy of the company's email signature to use to further legitimize the appearance of the phish. One easy way attackers obtain this is simply reaching out to a member of the sales team - these professionals are typically very open to being contacted and always ready to correspond with someone expressing interest in their product/service.
With the cosmetics in place and an email drafted that is generic but in the style of the supposed sender then comes the actual placement of the hook itself. As we all know, it can come in the form of a link that redirects to a fake landing page or malicious site, it can be a file download that executes malware, or even simply a phone number to call to a fake representative who will continue the charade to finalize the actual exploit.
For Uriel, it's important to really grab their attention from the beginning of a presentation. For many employees, they've heard the basics before and the same recommendations. What he uses to wake even the 'veteran' employee is using real-world examples.
"My first goal is to open the mind of my audience; to give them reasons why they need to listen and why they need to gain an understanding that it's a real threat. I'm doing it with a lot of examples, real-world examples. I show them live with videos - this is how I attach this, here is how we do it; this is how it looks from the attacker's point of view, etc. And only then do I show them what they can do about it."
But Uriel doesn't stop there, he takes it a step further to give a more 'immersive' experience into the lifecycle of an attack. He guides the audience through the next stage after the bait is taken and a phish is successful.
Some of the scenarios he walks through include how the malware executes on your computer; what type of information is gathered; and what can be done with access to your device. One particular tool that opens eyes is one that takes snapshots of sensitive documents saved in your device from passports, credit cards, and everything in between. In his own words, "This is where people actually get scared. It's not like "I fall for a phish and everything will be fine. You fell for a phish, now you need to understand what can happen potentially, and it's very scary and very fast."
However, Uriel's goal isn't to scare them, it's to give a wake-up call that can then lead to positive action.
One of the aspects he emphasizes as critical within organizations is for them to create a sense of comfort and safety for employees. Make it easy and non-threatening for individuals to report when they clicked on a phishing link or have concerns about a particular email or message; and if they failed a phishing simulation, don't judge them. Use it as an opportunity to listen and to teach. Not doing so actually makes the company less secure as employees will communicate less and have a negative view of security, which makes them less inclined to "do their part".
Training employees in security awareness shouldn't be isolated to scheduled instances one or two times a year but rather integrated into the whole lifecycle of an employee.
"Implement [training] into the people cycle of the organization starting with new hires and then maintaining with everyone throughout the year with monthly talks, keeping it front of mind all the while reiterating "you can trust us - if something happens it's fine - you can trust us."
While Uriel's style of instruction may not be attainable for everyone, it definitely has proven to be effective. In a recent presentation he gave to a company with over 2000 employees globally using his immersive approach to a phishing attack, around 90% of those who attended didn't fall for the next round of phishing simulation done afterwards. In the words of one attendee, "I've done hundreds of phishing awareness sessions. You're the first who actually got me 'kicked in the face' and really show the real world stuff how an attack is executed, what happens in the computer, and how to actually defend against."
He shares a little perspective from his own native language, "'Knowing' [in Hebrew] is the act of not only understanding something on an academic level, but to go and literally experience. What I'm doing, I'm providing the real experience. When people experience something, it will be in their veins, it will be in their bodies, it will be in their mind, in their soul and it will stay there."
1 - For the end user, before you act, think. Ask yourself "who sent this? what time was it sent, what's the purpose, etc". Get curious and question why you're receiving a certain message and stop if you have any concerns.
2 - To the security team, it's critical to regularly test your security controls. "Test them, use ratings, use penetration, testers like go and understand the policies and the security configurations on those security solutions, whether it's mail gateway and where it's EDR, antivirus and try to reconfigure them better and in much more secure way. Use the vendor if you need. Use your security to make this better. It's not like you're putting something and by
default, you need to do something about it. You need to maintain it."
3 - To everyone, think like a hacker.
Connect with Uriel Kosayev on LinkedIn and while you're there check out our Security Awareness Manager community.
Phishing and Other Cyber Attacks: How to Report It
Building Healthy Security Cultures - Interview with Nadja el Fertasi
Looking for awareness training that is short, relevant, and engaging? Check out Wizer’s free security awareness video library.