Phishing Smarter: Fewer Tech Controls, More Insights
Picture this: you've signed up for a social engineering attack as part of your organization's penetration test, specifically an email-based phishing campaign. The penetration testing firm is asking you to allow list their campaign through your mail filters and other technical controls. You have all those advanced protections in place - spam filters, web proxies, next-generation phishing protections - designed to protect your end users from phishing attacks. Yet, when it comes to assessing the very risk these controls are meant to mitigate, should you lower them for the tester specifically for the purpose of the test?
The Crossroads of Security Controls and Phishing
Our team gets asked often about this paradox: Why would we want to disable technical controls during social engineering assessments as part of a penetration test? It seems counterintuitive. After all, these controls are there to protect your organization. However, the goal of a phishing assessment is not to assess the strength of your technical controls; it's to see how well your end users can identify and respond to real-world threats when presented with them.
The Art of Social Engineering
Social engineering attacks rely on human psychology and urgency. They exploit our natural tendency to trust, to be helpful, or simply to click. When a phishing email bypasses your technical controls and lands in the end user's inbox, it presents a critical moment: Will they recognize the danger? Or will they fall for the attacker's pretext?
Lowering Controls for Greater Insight
When you allow a penetration testing firm to bypass your phishing filter, you're not exposing your organization to greater risk. Instead, you're surgically allowing a specific campaign through, ultimately mimicking worst case real-world conditions. You're giving your end users the opportunity to demonstrate their ability to identify and respond to threats in this controlled setting.
Red Team Assessments vs. Penetration Testing
Understanding the distinction between a red team assessment and penetration testing is important to this discussion. Phishing as part of a penetration test is a collaborative effort where everyone knows what's happening, except for the employees targeted. It's about understanding how your organization would respond to a simulated attack.
On the other hand, Red Team assessments simulate an advanced persistent threat (APT) with an overall goal of testing your technical controls and internal teams, by doing whatever it takes to reach their objective without detection. During a Red Team assessment, it would NOT be expected for you allow an email inbound, as we would have more time to research and circumvent those controls to remain undetected.
Bonus Tip: Don’t Dumb it Down
Along with push back on lowering security controls, there have been requests to make the phishing email more evident that it is malicious in nature. Some examples would be adding multiple spelling errors or restricting the pretext to only a specific idea. We're now in the era of Generative AI solutions being freely available. It takes little effort aside from a well-crafted prompt to generate a polished phishing email. The days of misspellings are a thing of the past. Plus, you’re hiring experienced professionals. Let them to do what they do best and provide you with a high-quality phishing assessment. The best phishing campaigns leave the user unaware that they were even phished in the first place.
Final Takeaway and Next Steps
The next time you consider why a pen tester might ask you to allowlist their phishing campaign or lower other technical controls during an assessment, remember this: it's not about compromising your security; it's about maximizing the value of your test. By allowing social engineering attacks to bypass some initial layers of defense, you ensure that the once the user is involved, the scenarios are as realistic as possible, providing critical insights into how your they would respond in a real-world situation.
Ready to have a phishing assessment performed? Take a moment to complete our short pen test scoping questionaire and we'll be in touch within 24 hours after that.
About Josh Tomkiel
Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.