An essential element in being prepared to respond to cyber attacks, and ransomware attacks in particular, is to close the biggest and most easily breached hole in any organization’s firewall—well-intentioned internal users who fall victim to phishing attacks.
Phishing attacks work by tricking users into clicking links or opening email attachments that install malicious software. According to a 2021 study by Cisco, phishing accounts for 90% of data breaches. Although technical solutions such as spam filters and DMARC (Domain-based Message Authentication, Reporting & Conformance) can reduce the number of phishing emails that reach their targets, the need to educate users on identifying and handling phishing emails is clear. One tool for educating users is a phishing tabletop exercise.
In my previous posts, you heard the story of a fictitious company that was caught flat-footed and unprepared when it was hit with a ransomware attack. In response, they conducted their first tabletop exercise, which replayed a scenario similar to the actual attack they had dealt with.
Although the first tabletop exercise was enlightening and helped everyone responsible for responding to cyber attacks to learn more about their role, there was something missing—the root cause of the attack was never discussed.
Digging Down to the Roots
If the weakness in their defenses had been a spam filter or firewall that wasn’t properly patched, the hole could have been closed and the company could have moved forward. However, the weakness was discovered to be the result of a client whose email server had been hacked and used to send urgent messages to the entire company, supposedly containing a link to a “sensitive encrypted document” that required the user to enter a company password to “verify their identity.”
Multiple users fell for it, and some even kept on trying to access the document long after they’d provided their passwords and nothing happened. By the time someone reported the email, it was too late, and the attackers had multiple entryways to the company network.
A ransomware tabletop exercise generally focuses on the preparedness of the people and departments that must be ready to respond to an attack that’s already underway. A phishing tabletop’s goal is to prepare the entire company to prevent attacks.
One way to conduct a phishing tabletop exercise is by sending a simulated phishing message to the company’s users. Because it’s designed internally, the message will likely be highly targeted while still displaying obvious indicators of being potentially dangerous.
For example, it might be an email that addresses everyone by name and seems to come from a trusted vendor of the company. However, upon further inspection, the domain name used in the email address is wrong, and the attached Word document contains macros.
Asking the Right Questions
Factors that can be tracked and learned from this exercise include:
- How many users opened the email?
- How many opened the attachment?
- How many allowed the macro to run?
- How many filled in and submitted the information requested in the attachment?
- How many reported the phishing email?
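The factors above can be computed directly from the exercise's event export. The following is an added example, not code from the original post; it assumes a constructed export format of one `<ISO time> <user> <event>` line per event, a constructed send time, and a recipient count passed in by the caller.

```python
# Funnel metrics for a simulated phishing exercise (added example, not from the post).
# Assumes the simulation platform exports "<ISO time> <user> <event>" lines; the
# format, users, times and events below are constructed for this example.

from collections import defaultdict
from datetime import datetime

SENT_AT = datetime.fromisoformat("2024-03-04T09:00:00")  # constructed send time
STAGES = ("opened", "attachment_opened", "macro_enabled", "submitted", "reported")
# Constructed log. Note: alice submits twice (must count once), bob both opens
# and reports, dave reports without ever opening the message.
EVENTS = """\
2024-03-04T09:02:10 alice opened
2024-03-04T09:02:45 alice attachment_opened
2024-03-04T09:03:01 alice macro_enabled
2024-03-04T09:03:30 alice submitted
2024-03-04T09:05:12 alice submitted
2024-03-04T09:04:00 bob opened
2024-03-04T09:04:20 bob reported
2024-03-04T09:10:00 carol opened
2024-03-04T09:10:40 carol attachment_opened
2024-03-04T09:12:00 carol reported
2024-03-04T09:30:00 dave reported
"""

def parse_events(text):
    """Return {user: {event: earliest time}}; repeated events per user count once."""
    per_user = defaultdict(dict)
    for line in filter(None, text.splitlines()):
        ts, user, event = line.split()
        if event not in STAGES:
            raise ValueError(f"unknown event: {event}")
        when = datetime.fromisoformat(ts)
        if event not in per_user[user] or when < per_user[user][event]:
            per_user[user][event] = when
    return per_user

def funnel(per_user, recipients):
    """Distinct users reaching each stage, with the percentage of all recipients."""
    counts = {s: sum(1 for u in per_user.values() if s in u) for s in STAGES}
    rates = {s: round(100 * counts[s] / recipients, 1) for s in STAGES}
    return counts, rates

def minutes_to_first_report(per_user):
    """Minutes from send to the first report, or None if nobody reported."""
    reports = [u["reported"] for u in per_user.values() if "reported" in u]
    if not reports:
        return None
    return (min(reports) - SENT_AT).total_seconds() / 60
```

Counts are not exclusive: a user who opened the attachment and then reported the message appears in both stages, which is exactly the behaviour a follow-up discussion should highlight.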
After the exercise has been completed, users should be informed of the results and encouraged to provide feedback. Such phishing exercises should be conducted on a regular basis, with the follow-up and lessons learned from each one used to refine future exercises and to promote further education and discussion.