Phishing with the Sharks Using the Attack Simulator

Hello, Paul Bergson back again. It is late fall and once again playoff time for high school and collegiate volleyball. Women's volleyball in Minnesota is a big deal; I have played and coached for over 30 years and have a lot of great memories with my friends and family in this sport. One thing I have learned is the importance of teaching young athletes to be well-rounded in the game. Many become focused on the offensive part of the game and won't put in the effort to become skilled defenders. Yet they don't seem to understand that if you can't control the ball defensively, you never get to set up an attack against your opponent.

I see this same mentality when it comes to preparing a defense against phishing attacks. There are technical measures that can be put in place to guard against malware, including phishing attacks, but the last line of defense against phishing is your user base.

Preparing your users to be on the lookout for phishing attacks is difficult. Most figure their job isn't very glamorous and that no one would want to target them. Yet the largest attack vector isn't software flaws but the human factor. Email phishing attacks randomly target millions of users, while targeted spear-phishing attacks focus on high-value assets within the company. Spear-phishing attacks are more effective and much harder to detect, with "roughly 75% of all company breaches now start with phishing attempts designed to steal user credentials."
https://blogs.technet.microsoft.com/cloudready/2018/04/30/phishing-examples-for-the-microsoft-office-365-attack-simulator-part-one/

Look at that number, 75%! A number that large makes it easier for IT decision makers to justify budget requests to their management to protect the enterprise infrastructure. So what type of equipment is needed to protect against phishing attacks? No physical equipment is needed, only annual (or more frequent) user training, along with ongoing tests to ensure users are following the training guidance.

What about email and spam filters, don't those protect the enterprise? They do, but like anything else, phishing and spear-phishing attacks evolve to get past them, and some of this email still lands in your users' inboxes.
https://blogs.msdn.microsoft.com/tzink/2014/09/12/why-does-spam-and-phishing-get-through-office-365-and-what-can-be-done-about-it/

It is at this point that your users become your last line of defense. Awareness and training could be the difference that keeps attackers from gaining a foothold within the company and then pivoting from the compromised workstation to the rest of the network. If your users have been trained to spot a phishing attack (or a watering hole), they can break the attack's "Kill Chain" before it gets that far.
https://blogs.technet.microsoft.com/prasadpatil/2017/12/15/crippling-the-cyber-kill-chain/

Training your users to spot an attack comes down to two habits: not trusting people or organizations they aren't familiar with, and verifying that the information provided within an email is legitimate through some channel other than the email itself (a known phone number, or the sender's real site typed by hand rather than a link in the message).

Once training has been completed, it is crucial to know how well your users actually understand this threat. That can be measured with a phishing awareness assessment: a phishing simulation that shows which users fall victim, which don't, and which don't fall victim and also report the attack. The report rate is worth tracking on its own, since a user who reports a simulated phish is doing exactly what you want done with a real one. The details from the assessment can then be used to retrain the users who fell victim.

An awareness assessment can be created manually, but that is difficult. Third-party tools and vendors can provide this service, and Office 365's Threat Intelligence service recently released a new feature called "Attack Simulator". Attack Simulator has three options available:

  • Spear-phishing user testing
  • Password spray attack
  • Brute-force password attack
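
The second and third options are worth understanding from the defender's side as well, because that is what the simulation exercises: what does a password spray look like in your sign-in telemetry compared to a brute-force attempt, and which accounts need attention afterwards? The script below is an added example for this post, not code from the original article or from the Attack Simulator itself. The log format, the RFC 5737 addresses, the thresholds and the log lines are all constructed for illustration; real Office 365 sign-in logs carry more fields, but the distinction it draws (many accounts with few failures each versus one account with many failures, inside a time window) is the one that matters.

```python
"""Tell a password spray from a brute-force attempt in sign-in telemetry.

Added example for this post, not code from the original article or from the
Office 365 Attack Simulator. The log format, thresholds and the log lines
themselves are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: "<ISO timestamp> <source IP> <target UPN> <SUCCESS|FAILURE>".
# 203.0.113.7  tries one password against many accounts and gets lucky once (spray).
# 198.51.100.9 hammers a single account with many guesses (brute force).
# 192.0.2.44   is a user who mistypes twice and then signs in (benign).
SAMPLE_LINES = [
    "2018-11-05T09:00:01Z 203.0.113.7 alice@contoso.example FAILURE",
    "2018-11-05T09:00:04Z 203.0.113.7 bob@contoso.example FAILURE",
    "2018-11-05T09:00:07Z 203.0.113.7 carol@contoso.example FAILURE",
    "2018-11-05T09:00:10Z 203.0.113.7 dave@contoso.example FAILURE",
    "2018-11-05T09:00:13Z 203.0.113.7 erin@contoso.example FAILURE",
    "2018-11-05T09:00:16Z 203.0.113.7 frank@contoso.example FAILURE",
    "2018-11-05T09:00:19Z 203.0.113.7 grace@contoso.example SUCCESS",
] + [
    # twelve failures against one account, one per minute from 09:10 to 09:21
    f"2018-11-05T09:{10 + i:02d}:00Z 198.51.100.9 heidi@contoso.example FAILURE"
    for i in range(12)
] + [
    "2018-11-05T09:30:00Z 192.0.2.44 alice@contoso.example FAILURE",
    "2018-11-05T09:30:20Z 192.0.2.44 alice@contoso.example FAILURE",
    "2018-11-05T09:30:45Z 192.0.2.44 alice@contoso.example SUCCESS",
]


@dataclass(frozen=True)
class SignIn:
    when: datetime
    source_ip: str
    user: str
    success: bool


def parse_log(lines):
    """Parse the constructed whitespace-separated format into SignIn records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, ip, user.lower(), result == "SUCCESS"))
    return events


def classify_sources(events, window=timedelta(minutes=30),
                     spray_min_users=5, brute_min_attempts=10):
    """Label each source IP as 'brute-force', 'password-spray' or 'benign'.

    Inside any sliding window of `window` length, a spray shows many distinct
    accounts with few failures each (the attacker stays under per-account
    lockout thresholds), while a brute-force attempt shows many failures
    against a single account. The thresholds are assumptions; tune them to
    your tenant's lockout policy and normal failure rate.
    """
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.source_ip].append(e)

    labels = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e.when)
        peak_users = peak_per_user = 0
        start = 0
        for end in range(len(fails)):
            # Advance `start` so that fails[start:end + 1] spans at most `window`.
            while fails[end].when - fails[start].when > window:
                start += 1
            per_user = Counter(e.user for e in fails[start:end + 1])
            peak_users = max(peak_users, len(per_user))
            peak_per_user = max(peak_per_user, max(per_user.values()))
        if peak_per_user >= brute_min_attempts:
            labels[ip] = "brute-force"      # one account, many guesses
        elif peak_users >= spray_min_users:
            labels[ip] = "password-spray"   # many accounts, few guesses each
        else:
            labels[ip] = "benign"
    return labels


def successes_from_attackers(events, labels):
    """Accounts that signed in successfully from a source labelled as attacking.

    These are the accounts to treat as potentially compromised: reset the
    password, revoke sessions and review what the session did.
    """
    return sorted({e.user for e in events
                   if e.success and labels.get(e.source_ip, "benign") != "benign"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LINES)
    verdicts = classify_sources(evts)
    for ip, label in verdicts.items():
        print(f"{ip:15} {label}")
    print("follow up on:", successes_from_attackers(evts, verdicts))
```

Running it labels 203.0.113.7 as a password spray, 198.51.100.9 as brute force and 192.0.2.44 as benign, and flags grace@contoso.example as the one account that actually accepted a guess from a spraying source. The point of running the simulated spray and brute-force options is to confirm that your own telemetry and alerting draw exactly this distinction before a real attacker does it for you.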

In order to use Attack Simulator, there are several prerequisites:

  • The enterprise owns O365 Threat Intelligence (E5 licensing) or has purchased Threat Intelligence separately
  • Exchange Online is in use (on-premises Exchange is not supported)
  • Multi-Factor Authentication (MFA) for O365 is enabled and used by the account running the Attack Simulator

The only users who can use the Attack Simulator feature are O365 Global Administrators or someone who has been delegated the "Security Administrator" role.

Prior to running an in-house phishing attack, make sure you have leadership approval, since this could be considered a hostile act even if it is only a simulation.

The O365 team has created a number of scenarios to help users create a targeted attack. Along with the links provided below, I have also included a short video on the console:

I still recall an eventual DII collegiate player on my team, good enough to help the team offensively but a detriment defensively, sitting on the bench as we were playing for a berth in the state tournament. Sadly, she never got an opportunity to play in the tournament run. The following year she finally realized that there are three components to the game: bump, set and spike. Think of this as the volleyball "Kill Chain" (the Lockheed Martin framework), which opponents will leverage to their advantage.

If you have access to the Attack Simulator, don't "sit on the bench" figuring it isn't important. It is! Use this tool to help educate and protect your enterprise from phishing attacks as well as password spray and brute-force attacks.

“Go, Go Gophers!”