It might Be Time to Rethink Phishing Awareness

In the wake of the MGM news, I thought it a good time to discuss phishing awareness. It’s rumored that the attacker(s) were able to impersonate an internal MGM employee and social engineer the help desk into resetting their password. This story, while believable, may or may not be true. However, it got everyone talking about phishing and how such attacks fits into our threat models.
在米高梅新闻之后，我认为现在是讨论网络钓鱼意识的好时机。有传言说，攻击者能够冒充米高梅内部员工和社会工程师帮助台重置密码。这个故事虽然可信，但可能是真的，也可能不是真的。但是，它让每个人都在谈论网络钓鱼以及此类攻击如何适应我们的威胁模型。

Phishing attacks, be they by SMS, phone call, email, or even in person, usually have one thing in common. They target employees who are unlikely to have any cybersecurity experience, and therefore are unable to identify social engineering attacks. A logical, but often misguided practice is phishing training, with many organizations attempting to convert their regular employees into amateur threat analysts.
网络钓鱼攻击，无论是通过短信、电话、电子邮件，甚至是亲自进行，通常都有一个共同点。他们针对的是不太可能有任何网络安全经验的员工，因此无法识别社会工程攻击。网络钓鱼培训是一种合乎逻辑但经常被误导的做法，许多组织试图将其正式员工转变为业余威胁分析师。

Now, don’t get me wrong, I’m not saying all phishing awareness is bad, but results will differ wildly based on approach. Phishing awareness could boost your security posture, or it could completely undermine it.
现在，不要误会我的意思，我并不是说所有的网络钓鱼意识都是不好的，但结果会因方法而异。网络钓鱼意识可能会增强您的安全状况，也可能完全破坏它。

The pitfalls of misguided phishing awareness & testing
误导性网络钓鱼意识和测试的陷阱

Phishing tests, specifically, are somewhat of a double-edge sword. If simulated attacks aren’t realistic enough, they may train employees to only detect and avoid specific examples, or worse, phishing tests in general. On the flip side, if the attacks are too realistic, they can erode employee trust and create friction within the organization.
具体来说，网络钓鱼测试在某种程度上是一把双刃剑。如果模拟攻击不够现实，他们可能会训练员工只检测和避免特定示例，或者更糟的是，一般的网络钓鱼测试。另一方面，如果攻击过于现实，它们可能会侵蚀员工的信任并在组织内造成摩擦。

Attackers are freely willing to exploit people’s emotions, but security testers should not. I’ve seen phishing simulations pretending to be sick relatives, announcing fake bonuses to employees during times of financial hardship, and even publicly shaming staff who fail the tests. Whilst the phishing lures themselves may be highly effective, the end result is likely to be anything but.
攻击者可以自由地利用人们的情绪，但安全测试人员不应该。我见过网络钓鱼模拟假装成生病的亲戚，在经济困难时期向员工宣布虚假奖金，甚至公开羞辱未通过测试的员工。虽然网络钓鱼诱饵本身可能非常有效，但最终结果可能并非如此。

Imagine you’ve had a long difficult year at work. You’re struggling with bills, maybe your car needs a big repair. But don’t worry, you’re getting a Christmas bonus! Or, so you though. Upon clicking the link you’re met with the harsh reality that not only are you not getting that bonus, you’re going to have to add sitting through phishing training to your busy work schedule. Now, I don’t know about you, but I’d be leaning less towards extra security vigilance and more toward ransoming the network myself.
想象一下，你在工作中度过了漫长而艰难的一年。您正在为账单而苦苦挣扎，也许您的汽车需要大修。但别担心，您将获得圣诞奖金！或者，所以你。单击链接后，您会遇到残酷的现实，即您不仅没有得到奖金，而且您将不得不在繁忙的工作日程中添加通过网络钓鱼培训进行坐姿。现在，我不了解你，但我不太倾向于额外的安全警惕，而更倾向于自己赎回网络。

Jokes aside, playing on employees’ emotions or punishing them for failing at something that isn’t even their job is likely to be extremely counter-productive. Employees who fall victim to genuine phishing attempts will become far less likely to notify the security team out of fear, shame, or resentment. Workers may also attempt to avoid failing phishing tests by undermining other security controls, such as through the use of personal devices that don’t run EDRs or pass through the corporate gateway.
撇开玩笑不谈，利用员工的情绪或惩罚他们在甚至不是他们工作的事情上的失败可能会适得其反。成为真正网络钓鱼尝试受害者的员工将不太可能出于恐惧、羞耻或怨恨而通知安全团队。工作人员还可能尝试通过破坏其他安全控制来避免网络钓鱼测试失败，例如通过使用不运行 EDR 或通过公司网关的个人设备。

I’ve often joked that the world’s best hackers aren’t the people who work for ransomware groups, nor the NSA, they’re your employees when your security controls get in the way of their work.
我经常开玩笑说，世界上最好的黑客不是为勒索软件组织工作的人，也不是国家安全局，当你的安全控制妨碍他们的工作时，他们是你的员工。

The goal of phishing awareness should not be to entirely prevent phishing. Even the best cybersecurity professionals can fall victim to a well-orchestrated phishing attack. Whilst it is entirely possible to lower the success rate, it is absolutely never going to hit zero. The last line of security defence cannot be the collective infallibility of your entire workforce.
网络钓鱼意识的目标不应是完全防止网络钓鱼。即使是最好的网络安全专业人员也可能成为精心策划的网络钓鱼攻击的受害者。虽然完全有可能降低成功率，但它绝对不会达到零。安全防线的最后一道防线不能是全体员工的集体无误性。

Considerations for effective phishing awareness
有效防范网络钓鱼的注意事项

Phishing awareness is an efficient way to crowdsource threat intelligence. Organizations should be pushing to constructively incentive employees to report suspicious activity, giving positive feedback whenever possible.
网络钓鱼感知是众包威胁情报的有效方法。组织应该推动建设性地激励员工报告可疑活动，并尽可能给予积极的反馈。

Many phishing lures create a false sense of urgency, resulting in targets only realizing they’ve fallen victim after the fact. With the potential for a successful phishing attempt to escalate to full breach in a matter of hours, an employee self-report could easily be the difference between re-issuing an access token and responding to a ransomware event.
许多网络钓鱼诱饵会产生一种虚假的紧迫感，导致目标在事后才意识到自己已成为受害者。由于成功的网络钓鱼尝试有可能在几个小时内升级为完全违规，因此员工自我报告很容易成为重新颁发访问令牌和响应勒索软件事件之间的区别。

Even reports of unsuccessful phishing attempts often provide valuable insight into attacker tools, techniques, and procedures, which can be used to shore up other defences. Known phishing urls and payloads can also be monitored or blocked to prevent future employees falling victim.
即使是网络钓鱼尝试失败的报告，也经常提供有关攻击者工具、技术和过程的宝贵见解，这些工具、技术和程序可用于加强其他防御。还可以监控或阻止已知的网络钓鱼 URL 和有效负载，以防止未来的员工成为受害者。

When it comes to phishing tests, I’m yet undecided on whether they are even worthwhile. I don’t see any reason why employees can’t simply be familiarized with common phishing lures without also being the intended target. Phishing simulations run a very high risk of creating distrust and friction between your employees and security team.
在网络钓鱼测试方面，我尚未决定它们是否值得。我看不出员工有任何理由不能简单地熟悉常见的网络钓鱼诱饵而不成为预期目标。网络钓鱼模拟很有可能在您的员工和安全团队之间产生不信任和摩擦。

Considerations for phishing tests
网络钓鱼测试的注意事项

If phishing tests are to be conducted, I think it’s important to tread carefully. Organizations should entirely avoid emotionally-manipulative lures such as those involving pay rises, vacations, or sick relatives.
如果要进行网络钓鱼测试，我认为谨慎行事很重要。组织应完全避免情绪操纵的诱惑，例如涉及加薪、休假或生病亲属的诱惑。

I also think it ill-advised to punish employees for failing phishing tests. And yes, I’m counting phishing awareness training in that. Having to put aside a busy workload to focus on a menial tasks is exhausting. On top of that, being singled out, or worse, being the reason the whole team got enrolled, is completely humiliating. The last thing you want from a phishing test is to disincentives employees from reporting real threats.
我还认为，惩罚未通过网络钓鱼测试的员工是不明智的。是的，我正在计算网络钓鱼意识培训。不得不放下繁忙的工作量专注于琐碎的任务是令人筋疲力尽的。最重要的是，被挑出来，或者更糟的是，成为整个团队被录取的原因，完全是羞辱。您希望从网络钓鱼测试中获得的最后一件事是阻止员工报告真正的威胁。

Personally, I’d lean toward silent phishing test if testing is a must. Ones where employees are given no indication of the fact that it is a test, was a test, or that they failed. Data gathered can instead be used behind the scenes to inform future security decisions, without undermining employee trust. Even then, I’d still avoid emotionally-manipulative lures at all costs.
就个人而言，如果必须进行测试，我会倾向于无声网络钓鱼测试。那些没有给员工任何迹象表明这是一个测试，是一个测试，或者他们失败了。收集的数据可以在幕后使用，为未来的安全决策提供信息，而不会破坏员工的信任。即便如此，我仍然会不惜一切代价避免情绪操纵的诱饵。

Overall, I think phishing awareness can be highly effective, but far too many organizations are treating it as a carrot and stick exercise. Negative incentives seldom work in any aspect of life, and organizational security is no different.
总的来说，我认为网络钓鱼意识可能非常有效，但太多的组织将其视为胡萝卜加大棒的练习。消极激励很少在生活的任何方面起作用，组织安全也不例外。

原文始发于Marcus Hutchins：It might Be Time to Rethink Phishing Awareness