Real World Phishing Simulations from bluedog:
Why Security Awareness Training Isn't Enough

The news is full of stories on cyber breaches or ransomware attacks. Most of these cases began with a phishing email loaded with malware. Most companies have undergone one or more security awareness training programs, with various levels of success.

For an attacker, the question isn’t whether he can get in via an email, but how much effort is needed to get in. Is a spam blast with a macro-embedded Word file enough to get in? Or do the attackers have to up their game, creating custom malware that is delivered in a spear-phishing email in order to have it activated?

bluedog's real-world Phishing Simulations answer that question, helping any organization identify its weaknesses in order to become stronger than ever!

The Value of bluedog's Phish

No matter how well secured an organization is, there is always a way in. It just depends on how much time, money and effort the attackers want to invest. If they are targeting an organization because of a potential payoff of several millions, in cash or data, they will invest more to reach their goal.

It is important to determine a company’s security risk baseline or cyber posture. With this baseline, the company can outline how secure they want to be. Once in place, assessments can be conducted to ensure security measures taken are indeed up to standard.

This is where phishing simulations come into play. For this assessment, bluedog has designed roughly 20 types of phishing attacks, ranging in how difficult they are to prepare and perform. The harder it is to get into the organization, the stronger its security defences generally are.

A scoping call determines the range of scenarios that need testing during the simulation. It is important that as few people as possible within the target organization know about the attack. The number of scenarios and their difficulty levels are determined during the scoping call, based on the set security posture of the organization. In the event a scenario must include all users, a list of user emails is requested.

Following the scoping call, the preparation can begin. This is where bluedog tries to find email addresses out in the wild. Methods such as search engines and breached databases result in a list of users that can be easily targeted. The percentage of the total users is considered during the reporting phase.

During preparation, bluedog also researches the best method of delivering the phish. Is there a way to bypass filters that are in place?

The phishing email is designed based on the number of accounts, type of accounts and agreed scenarios. This can be anything, from a giveaway of a Christmas present to an account credentials request. This depends on many variables.

The weaponized friendly malware is crafted by bluedog. This malware acts as if it’s semi-blank, meaning it isn’t actually malicious, but all types of anti-virus modules are supposedly blocking this type of file. Depending on the attack level agreed for the assessed scenario, this malware is either based on existing templates or created from scratch.

It’s time for action! Once the prepared phishing emails are being delivered, performance metrics are collected. This resembles e-mail marketing practices, but is obviously used for a slightly different purpose.

When the malware is executed, bluedog receives notifications within the various types of command and control systems set up for the specific phishing simulation. This mimics the real world, where the malware inside the phish attempts to make an actual network connection.

After all scenarios are executed, the end results are worked into a detailed management report. The goal of this report is to explain in layman's terms what was done and how difficult it was to do it. All scenarios are explained, and a conclusion per scenario is given on how the set security posture matches the result of the assessment.

News reports on cyber-attacks get worse and worse by the day. No matter how many security awareness programs and training a company undergoes, attackers will always find a way in. It just comes down to how much time, money and effort they are willing to invest in targeting your business.

With the bluedog Phishing Simulation service, any company can assess their true state through a series of scenarios executed against their organization. Assessment results are mapped against the company’s security posture, providing a very clear picture of what their maturity level is and how difficult it is to successfully deliver a phishing email.