We use KnowBe4.com's user training. That's really the only way you can fight
this, since it's a human problem, not a technical one. These guys provide fully
automated, AI-based (well, who knows what that means) simulated phishing
attacks, largely to give users real-world practical experience detecting and
fending off attacks. You get a report card on each user too, so you know where
the weaknesses are in your staff's knowledge. Their training regimen includes
some pretty good self-guided instructional videos.
DMARC, SPF, digitally-signed emails, encryption, none of that matters if a user
can be tricked into letting the crooks in the front door.
-mel
From: NANOG on behalf of Michael Thomas
Sent: Monday, November 13, 2023 11:40 AM
To: nanog@nanog.org
Subject: Appropriate venue to find out about the state of art of spear phishing defense?
I know this is only tangentially relevant to nanog, but I'm curious if
anybody knows where I can ask what orgs do to combat spear phishing?
Spear phishing doesn't require that you deploy DMARC since you can know
your own policy even if you aren't comfortable publishing it to the world.
tia, Mike