Obtain an accurate understanding of your security and risk posture, while ensuring compliance with industry regulators and information security best practices.
Social engineering exploits one of the weakest links in security. The technique uses persuasion and manipulation of people to acquire unauthorized access and/or obtain sensitive information. One of the most common vehicles of social engineering is via email in the form of a phishing attack.
Many of the recent breaches that have made news headlines were due, in part, to targeted “spear” phishing campaigns. As organizations have stepped up their perimeter security, attackers have pivoted to users and client-side attacks to penetrate their targets. As an example, these phishing tactics were leveraged during both Operation Aurora and Operation Night Dragon. The list of publicly known companies that have been affected by spear phishing attacks continues to grow, and major companies have included Google, Adobe, Yahoo, Rackspace, Juniper Networks, Morgan Stanley, Symantec, Northrop Grumman, Dow Chemical, Exxon Mobil, Marathon Oil, ConocoPhillips, BP, and Baker Hughes.
A simulated phishing campaign provides two key benefits to a security-conscious organization. First, the results create a benchmark of the organization's vulnerability to a phishing attack: metrics on what percentage of the employee base is likely to fall victim, and an assessment of whether compensating security controls are adequate to protect them. Second, a simulated phishing campaign provides structured, on-the-spot user awareness training in which employees learn how to help keep the organization safe and secure. Because security awareness is an iterative process, a subscription-based model is available that provides continued training and metrics on improvement over time.
Similar to our security assessments, the methodology begins with target identification and discovery, execution of a test plan, followed by actual exploitation (optional). We customize each engagement and tailor the campaign to your specific situation. We work closely with your team to design test scenarios that focus on real-time user training and/or proof of concept demonstrations. A phishing campaign may include:
Training Focused: Carefully crafted phishing emails entice the recipient to open a file or click on a link. User interaction triggers training and tutorial content that explains the dangers of opening files and clicking links from unknown parties.
Proof of Concept Focused: Carefully crafted phishing emails entice the recipient to open a file (such as a malformed PDF) or click on a link (such as a malicious website) that, when viewed, attempts to compromise the user's system and install “phone home” capabilities that create a persistent, external connection into the organization's network.
Following the campaign, Praetorian will provide a detailed report that includes success percentages, trending analysis, and recommendations for improving user awareness and compensating technical controls within your organization based on these results.
Upon completion of the assessment Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.
The report deliverable will include the following high-level sections in a format suitable for management:
The report deliverable will also include the following in-depth analysis and recommendations, so that technical staff can understand the underlying risks and the remediation recommended:
Praetorian was hired by a private equity firm to create a phishing campaign against end users to evaluate their employees' susceptibility and the company's responsiveness. To prevent any skewing of the results, only senior management had knowledge of the upcoming test.
The first step of the engagement was to devise a plan of execution. For this scenario, Praetorian decided the highest probability for success would be a phishing campaign that masked itself as an internal company initiative. To that end, Praetorian registered a domain confusingly similar to the company's domain (e.g. www.abc.com and www.abcsecurity.com) and created a site that mimicked the look and layout of the company's official website.
Praetorian then harvested valid employee email addresses through social networking and sales sites such as LinkedIn and JigSaw. Once the list of harvested accounts was approved by the client, Praetorian sent targeted phishing emails to convince users that the company was performing an anonymous, random security audit of user passwords and requested their account credentials to test password strength. Of the random user sample targeted, Praetorian had a twenty-two percent success rate, where users voluntarily provided their usernames and passwords. With the credentials in hand, Praetorian could move deeper into the organization's infrastructure via an SSL VPN portal that did not employ two-factor authentication.
The results of the assessment highlighted a need for user awareness and security training as well as the utilization of additional controls such as two-factor authentication. In addition, the equity firm requested follow-on phishing campaigns for metrics and trending analysis as a way to measure the success of the new employee training initiatives.