GAO employees responded correctly to a mock phishing email, reporting it immediately, says David Sadnavitch,­­ ­Director of Information ­Systems Security.

Nov 02 2018

Bombarded by Attacks, Feds Learn to Spot Malicious Email

OPM, GAO and the State Department are among the agencies successfully testing employees with anti-phishing tools.

Employees of the Government Accountability Office recently found disturbing messages in their inboxes.

Cyberattackers had sent phishing emails claiming to have damaging information, directing workers to a link where they could pay to keep the information secret.

It wasn’t the most sophisticated phishing attack, and none of the targeted employees paid the cryptocurrency ransom. But what impressed David Sadnavitch, GAO’s director of information systems security, was how many employees quickly reported the email to IT.

“Over 50 percent of the people who received the email and opened it reported phishing to us, which prompted us to go back and figure out what we had to do from a security perspective to block it at our mail gateway and get rid of it from everybody’s mailbox,” Sadnavitch says. “Within five minutes of it being in the building, we had more than 70 people who reported the message. Minutes after that, we locked it down and purged the email.”

Sadnavitch credits the quick response to the agency’s training efforts. For the past two years, the GAO has deployed Cofense’s PhishMe, a tool that allows organizations to simulate real phishing attacks, gain analytics on user behavior and automatically provide extra training for employees who need further education.

The tool has had a dramatic impact on employee awareness and behavior, Sadnavitch says, an effect that other agencies, including the Office of Personnel Management and the State Department, also report.

Before implementing the tool, Sadnavitch says, only about 2 percent of GAO employees would have reported a suspicious email. “People are taking a stronger interest,” he says. “They know the processes to report it, and they’re more skeptical of the mail that comes in.” 


Phishing Is a Familiar Problem with Emerging Solutions

Phishing plagues organizations across several sectors. According to Symantec’s “2018 Internet Security Threat Report,” published in March, the number of URLs related to phishing activity rose by 183 percent between 2016 and 2017, accounting for 6 percent of all malicious URLs in one year.

Certain types of phishing attacks are growing more quickly than others. Phishing attacks targeting Software as a Service grew by more than 237 percent, and attacks targeting social media platforms nearly tripled in 2017, according to PhishLabs’ “2018 Phishing Trends & Intelligence Report.” 

Like other agencies, GAO has tech tools, including mail gateways and endpoint security solutions, in place to spot and stop phishing attacks. But, Sadnavitch notes, the email with which attackers attempted to extort employees didn’t contain any malicious code.

“None of our tools would block or stop that,” he says. “You still need something to help the user effectively report things and help sift out potentially harmful emails. It’s a layered approach to defense. We have plenty of other technology to detect things and stop them from getting in. But when push comes to shove, the behaviors of the individual provide the most security.”

David Sadnavitch
It's constant education, because this threat is never going away."

David Sadnavitch Director of Information Systems Security, GAO

Installing technology is simple, says Jeff Wagner, associate CIO for enterprise infrastructure services and acting CISO at the Office of Personnel Management. OPM’s 2015 data breach resulted in the exposure of personal information for 21.5 million people.

“I can install anything to be as forceful as I want, but the education of the users is the more important piece,” he says. “If I just tried to throw technology at them, and they’re not involved, I’m going to get a lot more issues.”

The Department of Homeland Security conducted anti-phishing training at OPM in 2016, and employees responded. In the first test, 12 percent of employees clicked on the link; five months later, only 1 percent did, according to an August 2017 GAO report.

MORE FROM FEDTECH: Find out why phishing still accounts for the vast majority of data exfiltrations! 

Agencies Get More Options to Combat Phishing 

Vendors have responded to this demand for tools that educate and empower end users. Symantec offers its own tool, called Phishing Readiness, which allows organizations to assess employees’ responses to simulated phishing attempts and ­follow up with video-based training modules. Sophos offers a similar product, called Phish Threat

Both companies are among the preapproved vendors on GSA’s IT Schedule 70, which means companies can receive products from them more quickly.

In July, DHS announced new anti-phishing features on the Mobile Endpoint Security platform by Lookout, which it partners with; last year, the agency purchased 2,500 licenses. In addition to detecting phishing attempts in SMS messages, the platform detects and prevents attacks hiding inside mobile apps, social media messages and corporate or personal email, and alerts users in real time if the connection is exposed to malicious apps or websites.

Robert Westervelt, a research ­director within IDC’s Security Products group, says that training on recognizing and responding to phishing attacks should be part of a broader cybersecurity strategy — one that helps employees increase their personal cybersecurity.

“It’s not about the phishing training itself,” he says. “It’s about combining it with a sustained end-user training campaign, something that fosters a culture of security.”

People are the biggest part of any anti-phishing effort, says Kevin Cooke Jr., principal deputy CIO for the Department of Housing and Urban Development. “We also remind people they need to think about these things in their personal life,” he says. “We have a lot of financial and personal data to protect, and the biggest part is making sure that employees feel invested in that.” 

DOWNLOAD: Read this white paper if you want to keep your agency out of the headlines over a cybersecurity incident! 

GAO, State Department Test Employees with Phishing Campaigns 

The GAO “phishes” its own employees on a rolling basis, targeting its approximately 3,000 users with three different scenarios (one each for three separate thousand-user groups) during a cycle.

“It takes about six weeks to get through everybody,” says Sadnavitch. “We’ll have a week gap, and then we start all over again with new scenarios. We don’t stop.”

Sadnavitch and his team receive detailed reports from the Cofense tool about the number of users who opened the faux-phishing email, how many clicked on a link within the message, how many reported the email to IT and how much time employees spend on training modules. 

The agency has used ploys such as telling employees that they’ve won a free cup of coffee to trick them into clicking.

“The most significant thing that’s happened is, when we’re getting real phishing attempts in, we have a lot more people doing the reporting,” Sadnavitch says. “I truly believe it’s working.”


The portion of organized attack groups that use spear-phishing emails, making the method by far the most widely used attack vector

Source: Symantec, “2018 Internet Security Threat Report”

At the State Department, different groups of employees are more or less likely to fall for different types of phishing attempts, says Debbie Pierre-Louis, director of policy, liaison and training for the department’s Bureau of Information Resource Management. The department’s international employees, for example, might be more likely than domestic workers to click on a link promising a free iPad.

“Stateside, you’re not going to get a lot of bites out of that,” she says. “Overseas, that’s a cash cow.”

When the State Department recently experienced turnover in top positions, Pierre-Louis and her team crafted a faux phishing email that purported to contain a link to an updated organizational chart. The subject matter was of such interest that rumors of the new organizational chart made the news.

“It was actually the phishing campaign,” she says. “Of course, people clicked on that link and were told, ‘You’ve got to have more training.’”

MORE FROM FEDTECH: Find out about the new cybersecurity risk score DHS will give to agencies! 

How to Carefully Train Employees to Guard Against Phishing 

Agencies must be careful, Pierre-Louis says, to avoid “poisoning the well” by mimicking real department emails so closely that employees don’t know which messages to trust.

“We don’t send phishing campaigns from our emails that are used to send out alerts,” she notes. “We have to be really careful with the campaigns.”

At OPM, the agency uses simulations to evaluate both end-user behavior and the security team response.

“We don’t let our internal incident response team know that it’s happening,” Wagner says. “From our testing, we know that our response rate from the security operations center is between 4 and 10 minutes, from the time of the report until the time that it’s blocked.”

While it may seem like overkill to constantly “phish” his own employees, Sadnavitch says he doesn’t plan on scaling back anytime soon.

“I don’t believe once a year is enough,” he says. “You always have new people coming into an organization, and you never know how well they’ve been trained. 

“It’s constant education, because this threat is never going away.”

Photography by Jonathan Timmes

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.