1. Phishing Case Study
Imagine that you have built a system with heavy-duty security measures:
the latest antivirus updates, next-gen Endpoint Detection and
Response (EDR), very strict machine policies, a multi-layer firewall,
and so on.
Everything runs smoothly until one day a random accountant clicks
on a cute cat picture sent to their email.
If you're lucky, the security systems raise alerts for you to respond to. Sometimes the compromise goes far enough that some people lose their jobs.
Achilles' heel of the system network
2. Cyber security phishing awareness training. Have you ever?
You cannot rely solely on machines and documentation to resolve this issue completely, because it also depends on the user. Whether someone clicks is influenced by personality traits (careful, clumsy, careless, ...), mood (happy, sad, angry, etc.), and many other human factors. The best you can do beyond technical measures is to help users acquire the knowledge and skills to recognise and avoid the bait.
You should always remember that the more security tools and regulations the system employs, the greater the negative impact on the convenience and comfort level of employees when using it, which almost directly affects productivity and work quality.
This is why phishing awareness training is important. In my opinion, this is the answer to the question: what is the best countermeasure against social engineering?
Phishing is a form of social engineering (SE).
Currently, companies and organisations that pay attention to information security frequently send phishing awareness emails to employees, circulate phishing training videos, and inform staff about ongoing campaigns by malware groups, all with the goal of raising their staff's alertness to SE attacks.
However, after each phishing awareness training session I am always asked:
"How do I know my employees will be vigilant? And to what extent
will they be vigilant? Spear phishing versus phishing: can they defend against
both?"
So, I always have to conduct testing by sending simulated phishing emails to a random
selection of employees. I monitor which individuals open the emails and
which ones run the attachments, which are harmless stand-ins for real malware. The purpose is to
generate evaluation reports and to illustrate, to some extent, what it would be like
if the organisation were targeted by a spear phishing attack.
Many of my client companies even request that this be done every month or
every quarter. This ensures that their employees are constantly
reminded about maintaining security and become capable of avoiding sweet
baits in the future.
3. Training and assessment tools for phishing awareness capabilities.
I need a software suite that helps me send simulated phishing emails, tracks activities such as opening emails and running attachments, and provides statistics for reporting.
The most important requirements are:
- The system must be completely under my control, ensuring that information about my client companies is not exposed or leaked to any third party.
- The platform must support the dangerous attachment types currently being used by active malware groups.
- Of course, the price must be reasonable within the budget, preferably free, and ideally open source.
- Last but not least, it should be user-friendly and provide statistical evaluation results to assess the current average level of awareness.
I previously looked at software solutions from various providers (have you ever heard of KnowBe4?), and none of the services guaranteed the confidentiality of my client information, at least by my standards. Therefore, the safest option is to keep all the information within systems I control. Being self-sufficient is the best approach.
I decided to package my toolkit into a complete software suite. I named this project Kaburra, after the Kookaburra bird, which is a type of kingfisher but does not eat fish.
Kaburra: Open source simulated phishing platform
You can access this open-source platform at:
https://github.com/2x7EQ13/Kaburra
The advantage here is that I am also a researcher who specialises in
monitoring ransomware gangs and APT groups. Therefore, the types of
spear-phishing email will be updated to closely resemble real-life
scenarios. This project supports both phishing and spear phishing.
The project currently allows sending emails via SMTP, enabling you to send one email or many emails in bulk. With this toolkit, you can track which users have opened the email and which users have downloaded and executed the attachment.
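To make concrete what "tracking opens and attachment executions" involves, here is an added example in Python. It is my own illustration for this article, not Kaburra's code, and it assumes a hypothetical tracker endpoint (`TRACKER_BASE`), a per-campaign secret, `/open` and `/run` callback paths, and a constructed access-log format; none of these are taken from the project. Each recipient gets an HMAC-derived token that is embedded in a 1x1 tracking pixel and, by assumption, called back by the harmless simulated attachment when it is run; the report then maps tracker hits back to people and computes open and execution rates.

```python
import hashlib
import hmac
import re
import smtplib
from email.message import EmailMessage

# Assumed, hypothetical values for this example (not Kaburra's configuration):
# the tracking endpoint that the pixel and the simulated attachment call back to,
# and a per-campaign secret used to derive recipient tokens.
TRACKER_BASE = "https://tracker.example.invalid"
CAMPAIGN_SECRET = b"replace-with-a-random-per-campaign-secret"


def recipient_token(campaign_id: str, email: str) -> str:
    """Derive a per-recipient tracking token.

    An HMAC over (campaign, address) gives a stable token the report can map
    back to a person, while a recipient cannot guess or forge a colleague's
    token the way they could with a sequential ID.
    """
    data = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, data, hashlib.sha256).hexdigest()[:32]


def build_simulation_email(campaign_id, sender, recipient, subject,
                           body_html, attachment_name, attachment_bytes) -> EmailMessage:
    """Assemble one simulation email: HTML body + 1x1 tracking pixel + attachment.

    Rendering the mail fetches /open?t=<token>; the (harmless) attachment is
    assumed to call /run?t=<token> when executed. Both hits carry the same
    token, so opens and executions are attributed to the same recipient.
    """
    token = recipient_token(campaign_id, recipient)
    pixel = f'<img src="{TRACKER_BASE}/open?t={token}" width="1" height="1" alt="">'
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("This message is best viewed in an HTML-capable client.")
    msg.add_alternative(body_html + pixel, subtype="html")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


def send_via_smtp(msg: EmailMessage, host: str, port: int = 25) -> None:
    """Deliver one message through a relay you control (network; not exercised here)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


# Constructed tracker access-log format for this example: "<timestamp> GET <path> <status>"
_EVENT_RE = re.compile(r"^\S+ GET /(open|run)\?t=([0-9a-f]{32})(?:\s|$)")


def parse_event(line: str):
    """Return (kind, token) for a tracker hit, or None for any other log line."""
    m = _EVENT_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def campaign_report(campaign_id, recipients, log_lines) -> dict:
    """Attribute tracker hits to recipients and compute open / execution rates.

    Hits whose token was never issued for this campaign (scanner noise,
    forged or replayed tokens) are counted separately and not attributed.
    """
    token_to_user = {recipient_token(campaign_id, r): r for r in recipients}
    opened, executed = set(), set()
    unattributed = 0
    for line in log_lines:
        event = parse_event(line)
        if event is None:
            continue
        kind, token = event
        user = token_to_user.get(token)
        if user is None:
            unattributed += 1
            continue
        if kind == "open":
            opened.add(user)
        else:  # "run": executing the attachment implies the mail was opened
            executed.add(user)
            opened.add(user)
    total = len(recipients)
    return {
        "targeted": total,
        "opened": sorted(opened),
        "executed": sorted(executed),
        "open_rate": len(opened) / total if total else 0.0,
        "exec_rate": len(executed) / total if total else 0.0,
        "unattributed_hits": unattributed,
    }
```

Two practical caveats when reading such a report: mail gateways and link scanners often prefetch images and URLs, so the pixel-based open rate overstates real human opens (an execution callback is the reliable signal), and the attachment must be genuinely harmless, since the whole point is to measure behaviour, not to compromise the endpoint.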
With a very simple interface, you will find it easy to use. It streamlines
the operations to save time for the most important task:
drafting the email content.
In addition to training and assessing awareness of SE
attacks, this tool is also quite useful for penetration testing
and red teaming exercises.
I will write an article about using this toolset in the near future.