It’s pretty common for companies to bundle social engineering into their penetration testing programs. But when the report shows up, you may find you’re surprised and frustrated at the rate of employees clicking links to open malicious documents.
You’re asking, how did these risky emails get through? How were my employees so easily manipulated? And why didn’t anyone on the IT staff catch this? Don’t sweat it. Happens to more people than you can imagine.
But if the remediation section of that same report isn’t showing actionable solutions that could give you quantifiable results, don’t worry. That’s what we’re here for.
We’ve got guidance for three forms of remediation:
- Gateway/edge technical controls
- End-user technical controls
- Security awareness training
Gateway/edge technical controls
Unfortunately, you can’t control users and their environment, and the reality is that some end-user technical controls and security awareness training are simply outside IT staff’s control. The one thing you can fully control is managed infrastructure.
There are two primary control points when it comes to edge technical controls, and this is where you should focus your effort:
- A secure email gateway
- Additional hardening of the gateway specific to your organization
Establishing a secure email gateway takes research and careful decision-making based on your organization’s budget. If your current gateway proved lackluster during social-engineering testing, it’s time to figure out where things went wrong. Investing in the protection of your organization will prove well worth the cost in the long run.
Additional hardening of your SPF, DMARC, and DKIM records prevents attackers from spoofing internal users and service accounts. This guide to email spoofing will help take some of the mystery out of these acronyms.
Some sites we like to use for ensuring proper mail records configuration:
- A Python module and command line parser for SPF and DMARC records.
- This site for scanning SPF and DMARC records for issues that could allow email spoofing.
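As an added example in the spirit of those tools (it is not one of the sites linked above and not this post’s code), here is a small offline checker that parses SPF and DMARC record strings and flags the settings that let spoofed mail through or leave you without reports. The records below are constructed for the demo; in practice they come from a DNS TXT lookup of the domain and of `_dmarc.<domain>`.

```python
"""Offline SPF/DMARC record analyzer (added example; records are constructed)."""

# SPF mechanisms/modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def analyze_spf(record):
    """Return a list of human-readable findings for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        # Strip ':value' or '=value' to get the bare mechanism/modifier name.
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: 'ptr' is deprecated and unreliable; replace with ip4/ip6")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result and are not rejected")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorizes every host on the internet to send as you")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral; spoofed mail is not rejected")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' is a softfail; enforcement then depends on DMARC")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def analyze_dmarc(record):
    """Return findings for one DMARC TXT record (the _dmarc.<domain> TXT value)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required 'p' tag is missing; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if policy not in (None, "none") and tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced even though p is strict")
    return findings


# Constructed sample records for the demo (not real DNS data).
SAMPLE_RECORDS = {
    "good.example": ("v=spf1 include:_spf.mail.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "weak.example": ("v=spf1 a mx ptr ~all",
                     "v=DMARC1; p=none; pct=50"),
    "open.example": ("v=spf1 +all",
                     "v=DMARC1; p=quarantine; sp=none; rua=mailto:reports@open.example"),
}


def report(records=SAMPLE_RECORDS):
    """Map each domain to its combined SPF + DMARC findings."""
    return {d: analyze_spf(spf) + analyze_dmarc(dmarc) for d, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, findings in report().items():
        print(domain, "->", findings or ["no issues found"])
```

The checker stops at syntax and policy: it does not follow `include:` chains or confirm that DKIM selectors resolve, so treat an empty finding list as "nothing obviously wrong" rather than "spoof-proof".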
Attackers manufacture credibility by purchasing domains that look like yours. They do this to create realistic phishing emails that appear to come from inside your organization. To counter this, you can:
- Block similar domains
- Purchase the domains yourself
- Add warning banners to email received from external senders
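The following is an added example of the detection side of those three options (it is not this post’s code): it classifies an inbound sender domain as internal, lookalike, or external by folding common character substitutions, measuring edit distance, and catching bare TLD swaps, then maps the verdict to a gateway action (quarantine the lookalike, banner the rest). `ORG_DOMAIN`, the allowlist, and the sample senders are assumptions constructed for the demo.

```python
"""Classify inbound sender domains against the organization's own domain (added example)."""

ORG_DOMAIN = "example.com"  # assumption: the domain the organization owns

# Character swaps that make a label look like the real one in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label):
    """Collapse lookalike characters so 'exarnp1e' and 'example' compare equal."""
    s = label.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def osa_distance(a, b):
    """Edit distance where an adjacent transposition counts as one edit (exmaple -> example = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(domain):
    """Naive registrable part: the last two labels (use a public-suffix list for co.uk-style TLDs)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(sender_domain, org_domain=ORG_DOMAIN, allowlist=()):
    """Return 'internal', 'lookalike' or 'external' for the sender's domain."""
    reg = registrable(sender_domain)
    org = org_domain.lower()
    if reg == org:
        return "internal"
    if reg in allowlist or "." not in reg:
        return "external"  # known partners/subsidiaries that would otherwise trip the heuristics
    label, _tld = reg.rsplit(".", 1)
    org_label, _org_tld = org.rsplit(".", 1)
    if fold(label) == fold(org_label):
        return "lookalike"  # same name after folding; also catches example.co / example.net
    if osa_distance(label, org_label) <= 1:
        return "lookalike"  # one typo away: exmaple, exampel, examplee
    if org_label in label:
        return "lookalike"  # example-secure, login-example, myexample
    return "external"


def gateway_action(sender_domain, **kwargs):
    """Policy from the post: quarantine lookalikes, banner everything else from outside."""
    verdict = classify_sender(sender_domain, **kwargs)
    return {"internal": "deliver",
            "lookalike": "quarantine",
            "external": "deliver-with-external-banner"}[verdict]


# Constructed inbound senders for the demo.
SAMPLE_SENDERS = ["mail.example.com", "exarnple.com", "examp1e.com", "example.co",
                  "exmaple.com", "example-secure.net", "partner.org", "sample.com"]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:22} {classify_sender(sender):10} {gateway_action(sender)}")
```

The substring rule is the noisiest of the three; subsidiaries and vendors that legitimately embed your name belong in `allowlist` so they get the external banner rather than quarantine.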
Take the time to evaluate your organization’s email attachment allowance as well. Ask that external partners send attachments to employees through a secure file-sharing service instead.
If you absolutely have to allow attachments, block Microsoft Office documents containing macros to prevent the delivery of files almost guaranteed to be malicious.
End-User Technical Controls
Let’s say an email manages to get past all of your edge filtering technical controls. What now?
First things first: you’ll need to harden your end-user machines and their authentication process. When it comes to phishing email, attackers typically have one of two goals: either they want to collect credentials, or they want to get code execution by having the user open a dangerous file.
The most important hardening solution for preventing user credential theft is implementing multi-factor authentication. Even if an attacker steals a password, it won’t matter in this case: they can’t gain access to the account without also entering a one-time code generated on hardware in the user’s possession. This can be a hardware key provided by the company or the user’s mobile device.
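To make the "stolen password alone is not enough" point concrete, here is an added example (not this post’s code) of a login check that requires both a password and a TOTP code of the kind an authenticator app or token generates, implemented with the Python standard library per RFC 4226/6238. The user record and salt are constructed; the TOTP secret is the RFC 6238 reference key so the codes can be checked against the published vectors.

```python
"""Password + TOTP second factor (RFC 4226/6238) with only the standard library (added example)."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = int(at_time) // step
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate and compare in constant time; no early exit.
        ok |= hmac.compare_digest(hotp(secret, counter + delta), str(code))
    return ok


def hash_password(password, salt, rounds=200_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed user store. Real salts come from secrets.token_bytes(16); the TOTP secret
# is the RFC 6238 reference key, used here only so the demo output is reproducible.
DEMO_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username, password, code, at_time):
    """Both factors are always evaluated; the caller learns only pass/fail, not which factor failed."""
    user = USERS.get(username)
    if user is None:
        # Burn the same work for unknown users so timing does not reveal valid usernames.
        hash_password(password, DEMO_SALT)
        return False
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    factor_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and factor_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 6-digit SHA-1 code at this instant is 287082
    stolen_pw = "correct horse battery staple"
    print("stolen password alone:   ", login("alice", stolen_pw, "000000", now))
    print("password + device code:  ", login("alice", stolen_pw, totp(b"12345678901234567890", now), now))
```

TOTP is the minimum bar the passage describes; a phishing page that relays the code in real time can still beat it, which is why a company-issued hardware key bound to the site origin is the stronger of the two options the post lists.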
Other hardening solutions:
- Implement a strong web filter to block malicious domains and IP addresses.
- Build defense in depth with additional security controls, including one that blocks users from acting on suspicious links.
- Block websites hosted on recently registered domains – attackers often don’t age their infrastructure.
Methods for preventing malicious code execution:
- Build additional hardening into user workstations.
- Install endpoint protection software on all workstations.
- Prevent users from opening Office documents containing macros, or at the very least warn them.
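Both the gateway rule above (block Office documents containing macros) and this last endpoint item depend on being able to tell a macro document from a clean one. As an added example (not this post’s or any product’s code), the following inspects an attachment’s contents rather than trusting its extension: modern Office files are zip packages, and a VBA project shows up as a `vbaProject.bin` part and a `vnd.ms-office.vbaProject` content type, while legacy binary `.doc`/`.xls` files (the OLE compound-file signature) need a dedicated parser and are treated as untrusted here. The sample documents are constructed in memory; the `vbaProject.bin` bytes are a placeholder, not a real VBA stream.

```python
"""Inspect Office attachments for embedded VBA projects before delivery (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt compound-file signature
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def inspect_office_attachment(filename, data):
    """Return {'verdict': 'allow'|'block', 'reason': ...} for one attachment."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats hide macros in OLE streams; without an OLE parser, do not trust them.
        return {"verdict": "block", "reason": "legacy OLE binary Office format; cannot verify macro-free"}
    if not data.startswith(b"PK"):
        return {"verdict": "allow", "reason": "not an Office container (other filters apply)"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"verdict": "block", "reason": "malformed zip container"}
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if vba_parts or VBA_CONTENT_TYPE in content_types:
        # Decided on content, not extension: a .docm renamed to .docx still carries the part.
        return {"verdict": "block", "reason": f"VBA project embedded: {vba_parts or 'declared in content types'}"}
    if ext in MACRO_EXTENSIONS:
        return {"verdict": "block", "reason": "macro-enabled extension"}
    return {"verdict": "allow", "reason": "OOXML package without a VBA project"}


def build_docx(with_macro):
    """Construct a minimal OOXML package for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes, not real VBA
    return buf.getvalue()


# Constructed inbound attachments for the demo: (filename, bytes).
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.docx", build_docx(with_macro=False)),
    ("invoice.docx", build_docx(with_macro=True)),  # macro document behind a harmless-looking extension
    ("old-invoice.doc", OLE_MAGIC + b"\x00" * 64),
    ("notes.txt", b"plain text, nothing to inspect"),
]


def filter_attachments(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to the gateway verdict."""
    return {name: inspect_office_attachment(name, data)["verdict"] for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in filter_attachments().items():
        print(f"{name:25} {verdict}")
```

On the endpoint, the same decision is normally enforced through Office’s macro security policy rather than by parsing files; the gateway check above is what stops the document from reaching the user in the first place.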
Security Awareness Training Programs
The most overlooked aspect of social engineering prevention is security awareness training. This type of training is crucial and needs to be carefully thought-out to actually be effective. If done wrong, you won't help your users. Instead, you’ll hurt their ability to catch phishing emails before it’s too late.
Keys to successful security awareness training:
- Build succinct courses and training modules. Research and thoroughly test options that require you to pay for them.
- Establish quick, easy and effective ways for users to report phishing emails.
- Conduct frequent phishing campaigns to keep users sharp.
- Make sure ALL staff are part of the program, even IT and other tech-savvy users.
- Enlist the help of similar organizations to share social-engineering risk knowledge and mitigation practices.
Social engineering is lethal. The resulting data theft, ransomware, and loss of brand reputation combine into a powerful poison capable of wrecking your business’s financials. Get in touch if you want to dive deeper.
Social Engineering - Your mitigation checklist
Edge Tech Controls
- Establish a secure email gateway
- Ensure you have proper SPF, DMARC, and DKIM records
- Block or purchase similar domains
- Evaluate your email attachment allowance
End-User Tech Controls
- Apply a strong web filter
- Enforce multi-factor authentication
- Use endpoint protection software
- Build additional hardening into user workstations
Security Awareness Training
- Develop succinct training modules
- Establish a quick-and-easy reporting system for phishing emails
- Run frequent phishing campaigns – both targeted and broad – to train staff
- Use positive reinforcement – instead of punishing those who click test-campaign links, reward the ones who don’t