#ishing: alternative narrative for phishing
Edgar Etherington, Public domain, via Wikimedia Commons

Ahoy, hear the story of a brave sailor who served on the Golden Arrow, the pride of our fleet. They call him Owl's Eye, because night was like day to him. Although he was young, he saved us from being lost in the depths. Two weeks ago a terrible storm caught us far from the shore; the Golden Arrow was full of holes and we were repairing it day and night. Another storm was gathering ...

This is the beginning of a short story about a social engineering attack delivered through a number of channels against an organization's operations for a client over the Internet, shortly after a new 0-day was published. The story was designed around an alternative narrative that can be used as a supplement to, or a replacement for, the current "phishing" fish-and-hook narrative. For the full story (a draft example written in 15 minutes), read on.

Current approach - phishing is everywhere!

You know the picture: a fish threatened by bait on a hook. That is supposed to be you, threatened by a phishing email. It is useful because it is easy to imagine, but it has serious limitations. Let's look at some of them:

  • people have trouble taking the "fish perspective": most lures in phishing are not about hunger, which is the fish's main motivation; we can still understand the message of a hook hidden in the bait,
  • the picture was created at a time when social engineering attacks were mostly delivered via email, not, as today, through multiple media channels,
  • a fish with hooked bait is no longer precise, which makes phishing awareness chaotic and unspecific: the picture describes spear-phishing rather than spam-like mass activity,
  • in most pictures there is one fish and one hooked bait; in reality there are many of both, which misleads about the nature of this threat (it is common, not unique),
  • the hooked fish carries a strong negative and personal connotation, generating a sense of failure, weakness and helplessness,
  • it is a serious challenge to show how a fish can alert others when it detects a threat.

Human-fish approach

However useful and iconic, taking the fish perspective seems very narrow and in fact not as natural as expected. It clearly hampers communication, making it harder to share good practices and undermining end users' faith in active defense. The only useful behavior connected to this picture is to leave the bait alone in case it has a hook inside. This is not practical and can be read as an "avoid any risk" message. Even with a variety of fish used to describe the targeted audience (BEC, whaling, pharming), this is still a hopeless fish condemned to be hungry or caught and dead.

This negative message undermines any forward-looking, positive engagement of people in a feedback-enabled situational awareness campaign against threats in digital life. What is more, this picture and the name "phishing" have been overused, in the name of simplicity and clarity, to cover other social engineering attacks delivered via other channels: SMS and chats, social media and forums, games, SEO abuse and many more, including in-person attacks. Unfortunately this does more harm than good, leading to oversimplification and chaos within good practices, especially in the area of spoofed message detection. The main reason is that communication about detection practices uses "phishing" as a tag or label for a detection activity whose requirements differ from channel to channel. This is confusing and reduces detection effectiveness, which is hard enough even without that chaos.

Alternative approach - separation by name

Let's focus on language, as that seems to be the main thing that needs updating in the "phishing" problem. What if we leave the phishing tag with email, to honor the historic approach, and move forward with other tags for other channels? By separating the channels through which a social engineering attack is delivered and clearly naming each channel group or type, we can focus detection best practices separately on each channel we use, as micro-learning content for our end users. Using the same convention and extending the existing namespace with additional tags for channels that were not previously commonly named, we can create the following map:


#ishing (social engineering attack) is commonly delivered via:

  • p - in person, including visual technology (e.g. videoconferencing, TV);
  • v - by voice channel (e.g. phone);
  • dev - by device;
  • ph - by mail or email;
  • fil - by file or attachment;
  • br - by browser technology (e.g. SEO);
  • vr - by virtual reality, metaverse and multiverse;
  • SoMe - by social media;
  • cal - by scheduler, calendar or notification;
  • qu - by QR code, URI shortening, or any other covert redirect service;
  • ar - by augmented reality devices and technology;
  • Sm - by messaging service.

Alternative approach - narrative

We don't need to go far from the fish to find a useful narrative for global situational awareness of social engineering attacks. Using some imagination on the picture above, we quickly find a similarity with the octopus, a sea creature; and since social engineering is the most powerful technique against people, and the most fearsome octopus ever known was the Kraken, we already have our threat by name.

Now it is easy to move forward with the rest of the dictionary and meaning for our alternative narrative:

  • water as information, critical for human operations but not a natural element for us due to cognitive limitations;
  • lakes, seas and oceans as the building blocks of the Internet, including the DarkNet as the deep ocean and seas where light is reduced and the Kraken's lair is hidden;
  • sea creatures as information and digital artifacts, such as applications, services, effects and technology (e.g. AI);
  • sea monsters, i.e. abused sea creatures, as adversary use of information and digital artifacts;
  • land as physical human presence and activity;
  • sailor, adventurer, scout, etc. as the human being and perspective, the main actor;
  • pirate as the adversary, the human threat;
  • ships as information technology owned by humans, or used as if owned, to operate over the Internet (services, mobile apps, IoT activity, etc.);
  • ports as physical infrastructure owned and used by humans.

This approach is easy to use and understand, and is supported by popular culture. We can now go back to our initial story to paint a picture of a typical situation many organizations can face.

Tell the story, share situational awareness

This could be an example of how to use the alternative narrative for situational awareness after an incident in which a customer service social media page and an Internet-facing email service were abused in SoMe-ishing and phishing attacks against the organization, after 0-days were published for both the company social media platform used for customer service and the email gateway service. Patching was delayed due to reduced resources, which created the opportunity to exploit and launch a social engineering attack over the weekend against company employees, armed with ransomware and counting on an error by a late-shift, overworked employee.

Alphonse-Marie-Adolphe de Neuville, Public domain, via Wikimedia Commons
Ahoy, hear the story of a brave sailor who served on the Golden Arrow, the pride of our fleet. They call him Owl's Eye, because night was like day to him. Although he was young, he saved us from being lost in the depths. Two weeks ago a terrible storm caught us far from the shore; the Golden Arrow was full of holes and we were repairing it day and night. Another storm was gathering on the horizon and it was dark. Under the cover of night, a huge monster emerged from the depths and pushed its tentacles through the holes in the ship to grab it tightly and drag it into the abyss with us. Owl's Eye kept watch and saw the monster; he struck the tentacle hard with his ax, calling for help. The entire crew rushed into battle, driving the beast back into the sea. The bosun praised Owl's Eye, without whom we would all be sleeping at the bottom of the abyss today. The beast followed us for a few more days, but retreated at the sight of the fleet at the port's entrance. I heard that it hunted down the White Seagull and few survived. Drink to the health of Owl's Eye, because thanks to him you got your goods and we saved our ship. If you are going to sea, remember this story; be like Owl's Eye, attentive and alert to what is hiding under the surface of the water.

In this story, a vigilant employee was able to detect the attack despite the late shift and alert the organization to defend against the threat. The story line also mentions follow-up activity: praising the vigilant employee for the alert, and keeping up the guard throughout the incident response process until patching was complete. A parallel story about the same adversary's activity is also mentioned, ending with operational impact from a ransomware incident. The whole story is presented as a conversation with a client, sharing situational awareness and the cultural benefits of the service-providing organization.

The above is a draft story, not processed and curated against the metrics-based needs of situational awareness supporting human risk management. There were two SOCOs (Single Overriding Communication Objectives) under the common theme of highlighting the end user's role in protecting the organization and the client-facing service: 1: "you can detect an attack", 2: "you can stop an attack by reporting it". The audience was IT operations employee groups. The channel was an internal social media zone; feedback was collected from the discussion under the post and its "translations", as well as other examples shared. As Owl's Eye is a current employee, the team he or she belongs to celebrated the success story and also ran an AAR (after action review) to learn from the red flags, detected and not detected, in Owl's Eye's report.

All of the above is an example designed for illustration; it did not happen in reality. In a real case this narrative can be used to frame internal communication, and needs to be supported with the necessary technical and procedural details to have an actionable effect.

More articles by Artur Maciąg