Social Engineering – Phishing

Despite the most sophisticated plans to protect network infrastructure and company data, no organization can predict every employee’s cybersecurity education level or previous experiences. Phishing is a user-centric attack technique that combines technical and socio-psychological techniques to encourage users to carry out specific actions.

About Phishing Attacks

In a typical phishing attack, a user receives an email that appears to be legitimate and that urges them to click on a link or download a file. Unbeknownst to the recipient, the link or file is malicious and can compromise not only the user’s computer but potentially the entire network. Phishing attacks have been leveraged against organizations by their competitors, commodity computer crackers, and state-sponsored actors to bypass network perimeters and deliver highly customized malware. Successful phishing attacks can result in the infiltration of network perimeters and the disclosure of proprietary information.

Phishing attacks are extremely difficult to defend against. Phishing operations can be highly customized and tailored to specific individuals (a sub-category of attack called “spearphishing”), making it increasingly difficult for users to recognize malicious intent and even harder for automated defenses to identify phishing emails.

Assessment Objectives and Methodology

To help organizations assess their vulnerability to phishing attacks, CIS offers phishing engagements that are highly customizable to the organization. In a CIS phishing engagement, employees in the target organization are delivered a specially-crafted email masquerading as an agreed-upon email sender.

Organizations can customize:

  1. Email content
  2. Phishing link or attachment
  3. Landing page
  4. Forms following the landing page to capture user credentials
  5. Personalized email for each target user, e.g. “The password for has expired. Please click here”

CIS phishing assessments demonstrate two primary areas of vulnerability:

  1. The ability of an attacker to lure a target to a given website that may host exploits that could be used to compromise users’ workstations
  2. The ability for an attacker to rapidly collect sensitive user credentials that could be used to gain access to an organization’s network

Assessment Deliverables

After the phishing assessment, the CIS consultant provides a detailed report containing the assessment results. The report determines whether the target organization is susceptible to phishing attacks and whether an attack would likely receive the end-user interactions required for a successful intrusion. The final report also includes the assessment’s goals, theory, attack method, concluded results, statistics, campaign effectiveness and conclusions, and recommendations.