Phishing Defence Coaching: A Targeted Approach To End-User Security Training - Tubblog: The Hub for MSPs


In a recent webinar from cybersecurity experts Huntress, we got to take a look at a new concept from their SAT (Security Awareness Training) platform: Phishing Defence Coaching.

This is a new way to deploy phishing exercises that provide contextual interactive experiences for any users that are caught out.

Three members of Huntress SAT's senior product team provided a demonstration and explained some of the use cases behind the recent developments for the product, and how it can help MSPs (managed service providers) reduce the human-factor risk for their clients.

Webinar: That Phishy Feeling – Learning to Spot Modern Phishing

The webinar event took place on Thursday 6th June 2024 at 4:30pm BST.

It was presented by:

Huntress Presenters

And you can catch a full replay of the webinar here.

Security Awareness: From Threat to Training

Truman began by showing some recent examples of common phishing attempts that have been added to their educational portfolio.

Example 1: Rapid Scenario Addition and Modification

There was a recent example of a phishing email targeting MSPs, and domain admins in particular. It appeared as a mailbox redirect alert, the kind of notification the intended victims would be used to seeing.

Huntress developers added this scenario into their SAT platform as this kind of impersonation attack is something all MSPs should be aware of.

Example 2: Malvertising

Even on websites you regard as trustworthy, malicious code can hide in the JavaScript served by third-party advertising.

Simply clicking on the advert link would download malware onto the host machine.

Though this was picked up quickly and isolated by the Huntress SOC (Security Operations Centre) team, the remedial recommendations included enrolling the user onto security awareness training to prevent similar actions in future.

Malvertising is another scenario now added to the Huntress SAT catalogue.

Example 3: Password Storage

Since January 2024, Huntress have discovered over 30,000 insecure credential files.

Insecure credential files are a massive liability: once attackers gain a foothold in your environment, finding and using these files gives them a far greater ability to pivot, hide and escalate privileges.

Because this is a bigger problem than some realise, Huntress created another specific scenario to address this problem in their SAT catalogue.
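As an added example (not Huntress code, and not something shown in the webinar), the following Python script runs the same search a defender should do before an attacker does: it walks a directory tree and flags files whose name or content looks like a stored credential. The filename hints, the content patterns, and the sample files it creates in a temporary directory are all constructed assumptions for illustration.

```python
"""Hunt for plaintext credential files in a directory tree.

Added example, not from Huntress: the filename hints, content patterns
and the constructed sample files below are assumptions for illustration.
"""
import os
import pathlib
import re
import tempfile

# Filename stems that usually mean "someone kept a password list here".
NAME_HINT = re.compile(r"pass(word|wd)?s?|cred(ential)?s?|logins?|secrets?", re.I)

# Content patterns, each with the label reported when it matches.
CONTENT_PATTERNS = [
    ("password assignment", re.compile(r"(?i)pass(word|wd)?[\s_]*[:=]\s*\S{4,}")),
    ("API key/token assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token)[\s_]*[:=]\s*\S{8,}")),
    ("private key", re.compile(r"-----BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Windows unattend <Password> element", re.compile(r"(?i)<(Admin)?Password>")),
]
MAX_BYTES = 2_000_000  # hand-kept password lists are small; skip big files

# Constructed sample tree: every path and value here is invented for the demo
# (the AKIA value is the placeholder AWS publishes in its own documentation).
SAMPLE_FILES = {
    "Shared/IT/Passwords.txt": "VPN password = Winter2024!\nFirewall: admin / P@ssw0rd\n",
    "Users/bob/.ssh/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                              "b3BlbnNzaC1rZXktdjEAAAAA\n"
                              "-----END OPENSSH PRIVATE KEY-----\n"),
    "deploy/.env": "DB_PASSWORD=hunter2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "Sysprep/unattend.xml": "<AutoLogon><Password><Value>UABhAHMAcw==</Value>"
                            "</Password></AutoLogon>\n",
    "notes/agenda.txt": "Agenda: review phishing results; set PASSWORD_POLICY to strict\n",
}


def classify(path, text):
    """Reasons a file looks like a plaintext credential store (empty = clean)."""
    reasons = []
    if NAME_HINT.search(pathlib.PurePath(path).stem):
        reasons.append("filename suggests credentials")
    reasons += [label for label, pat in CONTENT_PATTERNS if pat.search(text)]
    return reasons


def scan_tree(root):
    """Walk root and return {path: reasons} for every file that trips a check."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw:  # binary file: not a hand-written list
                continue
            reasons = classify(path, raw.decode("utf-8", errors="ignore"))
            if reasons:
                hits[path] = reasons
    return hits


def demo():
    """Build the constructed tree in a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return {pathlib.Path(p).relative_to(root).as_posix(): r
                for p, r in scan_tree(root).items()}


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

Point `scan_tree` at a file share or user profile root and treat every hit as a conversation with the user, not just a clean-up job: the user who keeps `Passwords.txt` on a share is exactly the user who needs the password-storage scenario from the SAT catalogue.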

A Demonstration of Phishing Defence Coaching

To demonstrate how Phishing Defence Coaching works differently to other methods of follow-up training, Dima took us through a typical scenario.

The phishing email that he showed us was a fraud protection alert from American Express.

While it may have looked believable enough to the untrained eye, there were some clues to its lack of authenticity.

Whereas typical anti-phishing measures may spot this and quarantine it before you can click the link, phishing defence coaching works a little differently.

When you click on the phishing link, you’re redirected to a screen informing you that you were almost phished. This begins the coaching process where you’re asked a question: “Why did you click on the link?”

Possible answers you can give are:

  • I was in a hurry
  • It looked important/seemed urgent
  • I didn’t look closely enough
  • I thought I was in trouble

Or if none of these fit why you clicked on it, you can add your own reason into a text field.

Depending on the answer you give, it will give you feedback that tells you why this plays into the hands of the attackers.

Phishing Defence Coaching Shows You the Signs to Look Out For

Next, the coaching refers back to the phishing email that caught you out to show you the signs to look out for next time.

  • Does it have a suspicious email address?
  • Does the link address seem to direct you to a completely different domain when you hover over it?
  • Does it convey a sense of urgency?
  • Is the email not at all relevant to you? (e.g. do you even have an American Express account associated with this email address?)
  • Does the email contain discrepancies in the branding, design and wording?
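The checklist above can be mechanised. The following Python script is an added example, not Huntress SAT code and not something shown in the webinar: it parses a constructed email modelled on the American Express lure and applies the sender, hover-link, urgency and branding checks. The relevance check (do you even hold an account with this sender?) is one only the recipient can answer, so it is left out. The sender addresses, the lure's domains, the brand's assumed legitimate domain and the urgency word list are all assumptions made up for illustration.

```python
"""Mechanised phishing-indicator checks over a constructed sample email.

Added example, not Huntress SAT code: the sample messages, the sender and
link domains, the brand's assumed real domain and the urgency word list
are all invented for illustration.
"""
import difflib
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "american express"
BRAND_DOMAINS = {"americanexpress.com"}  # assumed legitimate sending domain
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "action required")
URLISH = re.compile(r"^(https?://|www\.|[\w-]+(\.[\w-]+)+(/|$))", re.I)

# Constructed lure modelled on the fraud-alert email shown in the demo.
SAMPLE_EML = """\
From: "American Express Fraud Protection" <alerts@amex-secure-verify.com>
To: jane.doe@example-msp.co.uk
Subject: URGENT: fraud protection alert - action required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity on your Card. Verify immediately or your
account will be suspended.</p>
<p><a href="http://login.amex-secure-verify.com/verify">https://www.americanexpress.com/verify</a></p>
<p>Regards, Americen Express Fraud Team</p>
</body></html>
"""

# Constructed benign message from the assumed real domain, for comparison.
CLEAN_EML = """\
From: "American Express" <alerts@americanexpress.com>
To: jane.doe@example-msp.co.uk
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your monthly statement is ready.
<a href="https://www.americanexpress.com/statements">View statement</a></p></body></html>
"""


class _HtmlText(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from HTML."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def url_domain(url):
    if "://" not in url:
        url = "http://" + url
    return registered_domain(urlparse(url).hostname or "")


def analyse(raw_eml, brand=BRAND, brand_domains=BRAND_DOMAINS):
    """Return the indicators found; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Suspicious sender: brand in the display name, mail from another domain.
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    if brand in name.lower() and sender_domain not in brand_domains:
        findings.append(f"sender '{name}' uses domain {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _HtmlText()
    parser.feed(body.get_content() if body else "")
    text = " ".join(parser.text)

    # 2. Hover check: anchor text names one domain while the href goes to
    #    another; also flag any link that leaves the brand's own domains.
    for href, anchor in parser.links:
        href_domain = url_domain(href)
        if URLISH.match(anchor) and url_domain(anchor) != href_domain:
            findings.append(f"link text shows {url_domain(anchor)} "
                            f"but points to {href_domain}")
        elif href_domain not in brand_domains:
            findings.append(f"link points off-brand to {href_domain}")

    # 3. Urgency pressure in subject or body.
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Branding/wording discrepancy: a near-miss spelling of the brand name,
    #    checked on prose tokens only (URLs dropped so a domain cannot match).
    words = re.findall(r"[A-Za-z]+",
                       " ".join(t for t in text.split() if not URLISH.match(t)))
    n = len(brand.split())
    for i in range(len(words) - n + 1):
        cand = " ".join(words[i:i + n]).lower()
        if cand != brand and difflib.SequenceMatcher(None, cand, brand).ratio() >= 0.85:
            findings.append(f"brand name misspelt as '{cand}'")
    return findings


if __name__ == "__main__":
    for label, eml in (("sample lure", SAMPLE_EML), ("clean mail", CLEAN_EML)):
        print(label, "->", analyse(eml) or ["no indicators"])
```

Each finding maps to one question on the list, so the output can be dropped straight into the coaching feedback for a user who clicked: it shows them the exact clue they missed rather than a generic warning.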

At the end of this process it asks: On a scale of 1 to 5, how prepared do you feel to identify future phishing attacks?

This information lets the MSP know if there’s a need for a follow-up conversation about more security awareness training, so it’s important to ask.

Phishing Defence Coaching Dashboard

When you send out a phishing simulation from Huntress SAT, it records the information about who clicked on the link and who ignored it.

Of those that were compromised, you can see the reason they gave for clicking on the link, as well as how prepared they said they were at identifying future phishing attacks.

In future, this will also be able to show historic data. So for MSPs, you can show how much better your client’s staff are at spotting phishing attempts. Which, in turn, demonstrates your value as an MSP to your clients.

What Beta Testing Revealed

Out of a sample of 181 people who were phished successfully the top three reasons given for clicking the link were:

  • 29% said “I didn’t look closely enough”
  • 19% said “It seemed important”
  • 9% said “I was in a hurry”

Other common responses were that they clicked because the email referenced a colleague by name or by email address.

Truman said that it’s a common tactic that phishers employ as a way to bypass our cognitive defences. We’re much more likely to believe an email is legitimate if we see a familiar name within the text.

The preparedness indicator revealed a small number selected 1 or 2 on the scale, which is what you’d expect. However, even those selecting 3, 4 or 5 will be tested again in subsequent months. So it’s best to encourage honest responses here, because the results will reveal the truth.

Question and Answer Session

To finish the webinar, the speakers invited the audience to ask questions.

Q1: Do you think that people will be honest about their response to the preparedness question?

A1: If you see results with no 1s or 2s reported, then that’s a good thing, of course. It means you should focus on education for the 3s as the lower benchmark.

Q2: To prevent compromised users from telling everyone in the office, is it possible to delay the coaching until all the test emails have been opened?

A2: We considered this approach, but really the emphasis is one of education in the moment. This is so that they are learning while the situation is fresh in their minds.

Q3: Will the SAT platform update its content from threat intelligence collected by the MDR/EDR teams?

A3: Absolutely, in fact the Malvertising scenario we saw earlier came about because it was a common attack vector picked up by the SOC analysts. In cases like this, the details are passed across to the SAT developers, who create new scenario content from them when it’s judged to be relevant to MSPs and their clients.

Phishing Defence Coaching Conclusion

The human factor is still a popular vector for attackers to exploit.

Today’s phishing emails are designed to catch you off guard. Therefore, it’s important to not only protect users when they are compromised, but equip them with the knowledge to avoid being compromised in future.

As an MSP, you need to deliver the best value possible in reducing risk for your clients. Huntress SAT’s Phishing Defence Coaching will certainly help you to do that.

STEPHEN MCCORMICK

I'm the MSP Community Manager for Tubblog. A small business owner, technical writer and blogger, with 15 years experience in corporate IT. I frequently attend MSP peer groups and create content relevant to IT service providers and business owners.
