An important part of any security awareness programme is being able to test how effective phishing training actually is.
Tracking simulated phishing
When performing phishing simulations, you need some way of tracking the actions of your users. Tracking good actions tends to be easy, because it depends on the user proactively reporting the incident to a central desk.
Tracking bad actions can be tricky. You need something that simulates malware and that you can track, but you don’t want to put the user or the organization at risk.
There are many vendors and tools available, but not all security awareness teams have the funds to use them.
Some awareness teams write their own tools, and this can be a great option if you have the skillsets available. The risk here is that the software that is supposed to be a test could open up real risks if you do not implement it correctly.
So, what can a cash-strapped, coding-challenged awareness trainer do?
Phishing with EICAR
If you have a centralized anti-malware solution, consider using the EICAR test file as a quick-and-dirty but safe way to track users’ non-compliant actions. It’s perfectly safe (no malicious code, just a well-known string), every anti-malware program is designed to recognize it (so it will be reliably detected), and it’s small.
The idea is to use your anti-malware as a tracking system for EICAR in your organization. The EICAR file is never mistaken for anything else, and your organization will rarely encounter it naturally. So, if you create simulations that use this file, you have a fairly reliable tracking system for who encountered the file, where, and how often. You then use that information as a crude measure of how your users behave when they encounter it.
Some people recommend using options like Meterpreter from Rapid7’s Metasploit. It is also free, and it contains very powerful features that let you extend your simulations and gather data from the hosts it infects. But there are a couple of problems with Meterpreter.
First, you have to be sure that you can remove Meterpreter from every machine. If it remains, it can act as a backdoor for anyone who finds it. Second, anti-malware can easily detect and block Meterpreter, which defeats the point of using its power, while any instance that goes undetected is left behind as a backdoor risk.
So, stick with the EICAR test file and avoid the unnecessary risks.
How to use EICAR in a phishing simulation
Put the test file on USB sticks and distribute the sticks around your premises. If a user plugs the strange USB stick into their work computer (which should be against policy), your central anti-malware solution should raise an alert so you can follow up.
You could also try adding the file as an attachment to an email. It is likely that email virus scanners will find it before it reaches your users, so you could try zipping it up a few times to see whether that bypasses your anti-malware.
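To turn the anti-malware alerts from the USB and email simulations above into the who/where/how-often tally described earlier, here is an added example (not from the original post) that parses a constructed key=value alert export, keeps only EICAR detections, and collapses repeated re-scans of the same file into single incidents. The export format, hostnames, users, paths and the drive-letter/gateway heuristic are all assumptions; adapt `LINE_RE` and `channel()` to your console’s real schema.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample export in a generic key=value format (hostnames, users
# and paths are made up); real consoles have their own schema, adapt LINE_RE.
SAMPLE_ALERTS = """\
2024-03-04T09:12:01Z host=LAPTOP-17 user=jdoe path=E:\\invoice.exe threat=EICAR-Test-File action=quarantined
2024-03-04T09:15:44Z host=LAPTOP-17 user=jdoe path=E:\\invoice.exe threat=EICAR-Test-File action=quarantined
2024-03-04T10:02:10Z host=RECEPTION-PC user=mkhan path=D:\\photos.scr threat=EICAR-Test-File action=quarantined
2024-03-04T10:30:00Z host=MAIL-GW user=- path=/quarantine/msg-88 threat=EICAR-Test-File action=blocked
2024-03-04T11:11:11Z host=LAPTOP-22 user=asmith path=C:\\Users\\asmith\\Downloads\\x.exe threat=Trojan.Generic action=quarantined
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"threat=(?P<threat>\S+) action=(?P<action>\S+)$"
)

def parse_eicar_hits(text: str) -> List[Dict[str, str]]:
    """Keep only alerts whose threat name mentions EICAR; real malware
    detections are a security incident, not a training metric."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and "EICAR" in m["threat"].upper():
            hits.append(m.groupdict())
    return hits

def channel(hit: Dict[str, str]) -> str:
    """Assumed heuristic: user '-' means the mail gateway caught it before
    delivery; a non-C: drive letter means a plugged-in removable drive."""
    if hit["user"] == "-":
        return "gateway"
    if re.match(r"^[D-Zd-z]:\\", hit["path"]):
        return "usb"
    return "endpoint"

def summarise(hits: List[Dict[str, str]]) -> Dict[str, object]:
    # Scanners re-scan and re-alert on the same file, so count distinct
    # (user, host, path) incidents rather than raw alert lines.
    incidents = list({(h["user"], h["host"], h["path"]): h for h in hits}.values())
    return {
        "raw_alerts": len(hits),
        "incidents": len(incidents),
        "by_user": Counter(h["user"] for h in incidents if h["user"] != "-"),
        "by_host": Counter(h["host"] for h in incidents),
        "by_channel": Counter(channel(h) for h in incidents),
    }
```

Gateway blocks count as a "good" outcome for the control, not a user failure, so `by_user` excludes them; only endpoint and USB incidents name a person to follow up with.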
Crude, but free and safe
It’s a crude test with obvious limitations, but it’s simple and free. And it doesn’t put your users at risk if you do it wrong.
Have you used something like this in your security awareness programme? Tell us about your experiences in the comment section.