Tag Archives: Emerging Threats

Just a Reminder, SIP is a Popular Scanning Target

Posted on by
3

I just wanted to give you a quick reminder that SIP scanning remains quite popular on the Internet. These probes can lead to compromise and fraud against your VoIP systems. Make sure you do not have VoIP systems exposed to the Internet without proper controls. If you review your logs on the Internet perimeter, SIP scans will look similar to this:

This was captured from the HITME using HoneyPoint Personal Edition.

2013-09-30 17:02:18 – HoneyPoint received a probe from 207.127.61.156 on port 23

Input: OPTIONS sip:nm SIP/2.0

Via: SIP/2.0/TCP nm;branch=foo

From: <sip:nm@nm>;tag=root

To: <sip:nm2@nm2>

Call-ID: 50000

CSeq: 42 OPTIONS

Max-Forwards: 70

Content-Length: 0

Contact: <sip:nm@nm>

Accept: application/sdp

Keep an inventory of your VoIP exposures. They remain a high area of interest for attackers.

More on Persistent Penetration Testing from MSI

Posted on by
11

MicroSolved has been offering Persistent Penetration Testing (PPT) to select clients now for a couple of years. We have been testing and refining our processes to make sure we had a scalable, value driven, process to offer our full client base. We have decided to open the PPT program up to another round of clients, effective immediately. We will be open to adding three additional clients to the PPT group. In order to qualify, your organization must have an appetite for these services and meet the criteria below:

The services:

  • MSI will actively emulate a focused team of attackers for either a 6 or 12  month period, depending on complexity, pricing and goals
  • During that time, MSI will actively and passively target your organization seeking to reach a desired and negotiated set of goals (usually fraud or theft of IP related data, deeper than traditional pen testing)
  • Full spectrum attacks will be expressed against your organization’s defenses in red team mode, across the time window 
  • Once an initial compromise occurs and the appropriate data has been identified and targeted, we will switch to table top exercises with the appropriate team members to discuss exploitation and exfiltration, prior to action
  • If, and only if, your organization approves and desires, then exploitation and exfiltration will occur (note that this can be pivoted from real world systems to test/QA environments at this point)
  • Reporting and socialization of the findings occurs, along with mitigation strategies, awareness training and executive level briefings
  • The process then repeats, as desired, through the terms and sets of goals

The criteria for qualification; Your organization must:

  • Have full executive support for the initiative, all the way to the C-level and/or Board of Directors
  • Have a mature detection and egress process in place (otherwise, the test will simply identify the needs for these components)
  • Have the will to emulate real world threat activity without applying compliance-based thinking and other unnatural restraints to the process
  • Have a capable security team for MSI to work with that has the capability to interface with the targeted lines of business in a rapid, rational and safe manner
  • If desired, have the capability to construct testing/QA platforms and networks to model real world deployments in a rapid and accurate fashion (requires rapid VM capability)
  • Be open to engaging in an exercise with an emulated aggressive adversary to establish real world risk and threat profiles
  • Be located in the US (sorry, we are not currently accepting non-US organizations for this service at this point)

If your organization meets these requirements and you are interested in discussing PPT services, please drop me a line (Twitter: @lbhuston), or via email at Info at microsolved dot com. You can also reach me via phone at (614) 351-1237 x 201.

New threats: Unknown Cyber Threats & APT according to InfoSec Researchers in the Peoples’s Republic of China 新型威胁:未知威胁与APT 中華人民共和國

Posted on by
1

 New threats: Unknown Cyber Threats & APT according to InfoSec Researchers in the Peoples’s Republic of China 新型威胁:未知威胁与APT 中華人民共和國

 http://www.vulnhunt.com/nextgen/apt/

Good day folks;

Here’s an article about how information security researchers within the People’s Republic of China, 中華人民共和國 define ‘Unknown Cyber Threats & the innocuous Western term “APT”.

Enjoy!

Semper Fi,

謝謝您

紅龍

 

安全威胁近些年来发生巨大的变化,黑客攻击从传统带有恶作剧与技术炫耀性质逐步转变为利益化、商业化。为了突破传统的安全防御方法,一种名为APT的攻击迅速发展起来。APT是advanced persistent threat的缩写,译为高级持续性威胁。它是指近年来,专业且有组织的黑客(甚至可能有国家背景支持),针对重要目标和系统发起的一种攻击手段。

APT的主要特征:

 持续性: 攻击者为了重要的目标长时间持续攻击直到攻破为止。攻击成功用上一年到三年,攻击成功后持续潜伏五年到十年的案例都有。这种持续性攻击下,让攻击完全处于动态发展之中,而当前我们的防护体系都是强调静态对抗能力很少有防护者有动态对抗能力,因此防护者或许能挡住一时的攻击,但随时间的发展,系统不断有新的漏洞被发现,防御体系也会存在一定的空窗期:比如设备升级、应用需要的兼容性测试环境等等,最终导致系统的失守。

终端性: 攻击者虽然针对的是重要的资产目标,但是入手点却是终端为主。再重要的目标,也是由终端的人来访问的。而人在一个大型组织里,是难以保证所有人的安全能力与安全意识都处于一个很高水准之上的。而做好每个人的终端防护比服务器端防护要困难很多。通过SQL注射攻击了WEB服务器,一般也是希望利用他攻击使用这些WEB服务器的终端用户作为跳板渗透进内网。

广谱信息收集性: 攻击者会花上很长的时间和资源,依靠互联网搜集,主动扫描,甚至真实物理访问方式,收集被攻击目标的信息,主要包括:组织架构,人际关系,常用软件,常用防御策略与产品,内部网络部署等信息。

针对性: 攻击者会针对收集到的常用软件,常用防御策略与产品,内部网络部署等信息,搭建专门的环境,用于寻找有针对性安全漏洞,测试特定的木马是否能饶过检测。

未知性: 攻击者依据找到的针对性安全漏洞,特别是0DAY,根据应用本身构造专门的触发攻击的代码。并编写符合自己攻击目标,但能饶过现有防护者检测体系的特种木马。这些0DAY漏洞和特种木马,都是防护者或防护体系所不知道的。

渗透性社工: 攻击者为了让被攻击者目标更容易信任,往往会先从被攻击者目标容易信任的对象着手,比如攻击一个被攻击者目标的电脑小白好友或家人,或者被攻击者目标使用的内部论坛,通过他们的身份再对组织内的被攻击者目标发起0DAY攻击,成功率会高很多。再利用组织内的已被攻击成功的身份再去渗透攻击他的上级,逐步拿到对核心资产有访问权限的目标。

隐蔽合法性: 攻击者访问到重要资产后,往往通过控制的客户端,分布使用合法加密的数据通道,将信息窃取出来,以饶过我们的审计和异常检测的防护。

长期潜伏与控制: 攻击者长期控制重要目标获取的利益更大。一般都会长期潜伏下来,控制和窃取重要目标。当然也不排除在关键时候破坏型爆发。

从以上特性来看,可以获得如下结论

APT攻击的成本很高(专业的团队,长期的信息收集,挖掘0DAY和利用,特马,环境测试,渗透性社工与潜伏,多种检测对抗),因此只适合专业的网络犯罪团伙或有组织和国家支持的特种攻击团队

因此APT攻击是针对有重要价值资产或重要战略意义的目标,一般军工、能源、金融、军事、政府、重要高科技企业等最容易遭受APT攻击。

虽然普通网民不会遭受APT攻击的眷顾,但是如果你是APT攻击目标组织的一名普通员工甚至只是与APT攻击目标组织的一名普通员工是好友或亲戚关系,你依然可能成为APT攻击的中间跳板,当然作为普通个人,APT攻击本身不会窃走你个人什么东西(你本身就是重要人物如组织中的高级管理人员或个人主机里保存有重要资料的除外)。

不要以为你重要的信息资产只在内网甚至物理隔离就能不遭受APT攻击,因为即使物理阻止了网络层流,也阻止不了逻辑上的信息流。RSA被APT攻击利用FLASH 0DAY偷走了在内网严密保护的SECURID令牌种子,震网利用7个0DAY和摆渡成功渗透进了伊朗核设施级的物理隔离网络。

 New threats: unknown threats and APT

Security threats change dramatically in recent years, with a mischievous hacker attacks from the traditional sports and technology gradually changed the nature of the interests and commercialization. In order to break through the traditional method of security and defense, called APT attacks developed rapidly. APT is the advanced persistent threat acronym, translated advanced persistent threats. It refers to recent years, professional and organized hackers (and may even have national context support), an important goal and system for initiating a means of attack.

APT main features:

 

Sustainability: an important target for attackers continued to attack until a long break so far. A successful attack to spend one to three years, a successful attack lurking five to ten years after the last case has. This persistent attack, the attacker completely dynamically evolving, and the current emphasis of our protection system are rarely static protective ability against those who have the dynamic ability to fight, so those who may be able to block the protective moment of attack, but with the time of development, the system constantly new vulnerabilities are discovered, there will still be some defense system window period: for example, equipment upgrades, application compatibility testing environment and so require, eventually leading to the fall of the system.

Terminal resistance: Although the attacker is an important asset for a goal, but starting point is the main terminal. Further important objective, but also by people to access the terminal. And people in a large organization, it is difficult to ensure the safety of all ability and safety awareness are at a very high level above. And do everyone’s terminal protective than the server-side protection to be much more difficult. SQL injection attacks via the WEB server, are generally hoping to use him against the use of these WEB server as a springboard to penetrate into the end-user within the network.

Broad spectrum of information collection: the attacker will take a long time and resources, relying on the Internet to collect, active scanning, and even real physical access, to collect information about the target to be attacked, including: organizational structure, interpersonal relationships, commonly used software, common defense strategy and products, internal network deployment and other information.

Targeted: The attacker will be collected from the commonly used software for commonly used defense strategy and products, internal network deployment and other information, to build a dedicated environment for finding security vulnerabilities targeted to test whether a particular Trojan bypass detection.

Unknown sex: the attacker targeted basis to find security vulnerabilities, especially 0DAY, depending on the application itself is constructed of specialized trigger an attack code. And prepared in line with their targets, but it can bypass the existing system of special protection by detecting Trojans. These 0DAY loopholes and special Trojans, are protective or protective system does not know.

Permeability social workers: the attacker to allow an attacker to target more likely to trust, they tend to start with the easy confidence by attackers target object to proceed, such as attacking a target computer to be attacked by white friends or family, or the attacker targets Using the internal forum, through their identity and then the organization launched by attackers target 0DAY attack, the success rate would be much higher. Re-use within the organization’s identity has been successful attack penetration attacks his superiors to go step by step to get to the core assets have access goals.

Covert Legitimacy: the attacker access to critical assets, often through the control of the client, using the legitimate distribution of encrypted data channel, the information to steal out to bypass our audit and anomaly detection protection.

Long-term potential and control: an attacker to obtain long-term control of the interests of more important goals. Usually long-simmering down, control and steal important goals. Of course, does not rule out sabotage outbreak at a critical time.

From the point of view the above characteristics, the following conclusions can be obtained

APT attack is costly (professional team, long-term information gathering, mining and utilization 0DAY, Tema, environmental testing, permeability and latent social workers, a variety of detection confrontation) is intended only for professional or organized cybercrime gangs and national support team special attack

Therefore APT attacks are of great value for the asset or strategically important objectives, general military, energy, finance, military, government, and other key high-tech enterprise most vulnerable to APT attacks.

While ordinary users will not suffer APT attacks attention, but if you are APT attacks target tissue or even just an ordinary employee organization with APT attack targets a general staff are friends or relatives, you are still likely to be in the middle of APT attack springboard, of course, as an ordinary person, APT attack itself will not steal your personal anything (such as your own is an important figure in the senior management of the organization or individual host inside except the preservation of important data).

Do not think you important information assets are physically isolated from the internal network can not even suffer APT attacks because even if the physical network layer prevents flow logically can stop the flow of information. RSA APT attacks use FLASH 0DAY was stolen including network closely guarded SECURID token seed, Stuxnet and ferry use 7 0DAY successful penetration into the Iranian nuclear facility-level physical isolation network.

http://www.vulnhunt.com/nextgen/apt/

See You At EPRI Event in Chicago

Posted on by
3

Next Monday, June 17th, I’ll be presenting at the EPRI conference in Chicago. My topic is a threat update on what attackers are targeting and what kind of value future state designs and other research/planning data has on the attacker market. If you’re going to be at the event, please join me for my presentation. If you’d like to grab a coffee or the like, let me know. I’ll be around all day. 

Thanks for reading and I hope to see you there! 

OpUSA:: Feint or Fail?

Posted on by
5

So, yesterday was the date of the much awaited OpUSA, originally proclaimed to be a decisive attack on the US banking and government infrastructures. Thankfully, there seemed to be little impact on US banking or government, and while some commercial and even government sites did get attacked, the sustained impact seemed to be fairly well contained.

Below are a few thoughts on OpUSA and observations made from the data we saw around the Internet (in no particular order):

  • Anonymous groups seemed to be alluding to some infighting, with some groups mocking others and some fragments calling the entire operation a fake. There does seem to be some form of power struggle or competition going on inside the loose alignment of cells, at least from what conversations could be reviewed on Twitter, other social media and the paste bin releases.
  • Many of our team considered the possibility that OpUSA was a feint, designed to attract media attention and recruit new talent, even as primary groups and forces remained on the side lines. From a strategic point, this might make sense, though the in-fighting argument above seems more likely.
  • There seemed to be a large focus on attacking sites primarily powered by PHP. Certainly there are groups and cells inside the movement where their primary focus is PHP attacks and their exploits and tools are solely geared to PHP compromises. Other platforms are likely to remain in scope and within reach, but the majority of the attacks and compromises released yesterday seemed to revolve around PHP.
  • The 10,000 credit card release was MOSTLY a bust. All of the cards we saw were already expired. HOWEVER, it should be noted that SSNs, security questions and other PII was included in that release, so the impacts are broader than just credit card information.
  • Lots of released account credentials, software licenses and such also came out with associated tag lines during the operation. Additionally, many of the folks posting released data to the paste bins and on Twitter also usually release a good deal of pirated software, media and music from what we could tell. It is likely that some of the actors involved in the movement also participate in software and media piracy.
  • At least 3 credit unions were included in the released target lists. This was interesting, especially given the previous Anonymous stance that citizens should replace banks with credit unions. One has to wonder why these three particular CUs were targeted or if they were merely tokens. 

Other than the usual chatter and jeers, there seemed to be little unique about OpUSA and the efforts identified with the campaign. The media is picking up on some additional items here and there, but largely, the operation was seen as being a smaller or less successful campaign than previous attack sets.

Coming to Grips with DDoS – Response

Posted on by
1

In our first two blogs concerning Distributed Denial of Service (DDoS) attacks and small service industries, we presented measures organizations can take to prepare for and defend against DDoS attacks. In this final installment on the subject, we will discuss methods of response to these incidents.

The first thing to do when you think you are under DDoS attack is to not panic. Calm and considered responses are always more effective than immediately jumping in and possibly cutting off legitimate connection requests. An ill-considered response on your part could cause the very denial of service your attacker intended in the first place. The best thing you can do is to immediately access your incident response plans and begin to implement those pre-planned procedures you worked so hard on. We are constantly amazed at how many organizations fail to follow their own response planning in the heat of a real incident! 

The next step in the process is traffic (log) analysis. You need to be able to identify what type of attack is being perpetrated and the kinds of bogus requests that are being made. This is where large log capacities and log aggregation tools come in very handy. Being able to view a large amount of data from a central console truly helps you recognize patterns in the attack. Since application layer attacks that employ IP spoofing are presently being used, pattern and type recognition are often the only means you have to discern good traffic from bad.

Once you are able to get a handle on what the bad traffic looks like, you can start filtering it out. This is best done by appliances as close to the network edge as possible. You can also work with your ISP which may be able to assist with filtering as well as other mechanisms such as rate and connection limiting.

After the attack is under control, don’t forget to work with law enforcement agencies such as the FBI and US-CERT. They are interested in these events and may be able to assist you in finding and dealing with the perpetrators. Reporting incidents is important because it is crucial to know the number and types of DDoS attacks that are really taking place out there in order to effectively respond to them. Reporting ends up being good for everybody!

Finally, it is very important to conduct lessons learned meetings and to adjust your incident response and business continuity planning. Table top exercises and other incident preparation techniques are helpful, but nothing helps you learn the hard lessons like a real incident. Why waste the only valuable thing to come out of the whole mess!

This series is written by John Davis, MicroSolved, Inc.

MicroSolved, Inc. Adds Threat Expert Bill Hagestad to Team

Posted on by
7

Columbus, Ohio; April 10, 2013 –MicroSolved, Inc. is proud to announce the addition of Bill Hagestad to the team. Bill is one of the most internationally recognized subject matter experts regarding the People’s Republic of China and her use of the computer as a weapon system.

 
Prior to joining MSI, Bill created the Red Dragon Rising website which is dedicated to the identification and analysis of foreign language cyber threats. He has authored numerous papers related to the People’s Republic of China and the cyber demagoguery that revolves around the Middle Kingdom. Bill literally wrote the book on Chinese cyber warfare ~ “21st Century Chinese Cyberwarfare”, which is available on Amazon.com. The international intelligence, law enforcement and military experience from the cyber realm that Bill brings to MicroSolved is a very welcome addition to MSI’s industry leading
capabilities offered to clients for more than twenty years.

 

“We are very excited about Bill joining the team and about his emerging role in developing new relationships and offerings for our clients.”, said Brent Huston, CEO of MicroSolved. “With our growth in the critical infrastructure markets in the last several years and our continued focus on bringing rational information security products and services to ICS asset owners, utilities, government agencies and banks/credit unions, Bill brings us significant additional threat intelligence and educational capabilities. After turning 20 years old last November, we wanted to position MicroSolved to bring new, even more valuable insights to our customers and the community – and that begins with deep knowledge about the global threat landscape.”, he added.

About MicroSolved, Inc.

MicroSolved, Inc. was founded in 1992, making it one of the most experienced information security services companies in the world. Providing risk assessment, ethical hacking, penetration testing and security intelligence to organizations of all sizes has been their passion for more than two decades. MSI are the inventors of HoneyPoint Security Server, a patented honeypot intrusion detection platform designed for nuance and anomaly detection. Today, they secure businesses on a global scale and still provide expertise close to home. From governments to the Fortune 500 and from small business to YOUR business, they are the security experts you can trust.  

Press Contacts

Brent Huston

CEO & Security Evangelist

(614) 351-1237 x201

Info@microsolved.com


Bill Hagestad

Senior Cyber Security Strategist

(614) 351-1237 x 250

Info@microsolved.com

Coming to Grips with DDOS – Defend

Posted on by
3

In our first blog about Distributed Denial of Service (DDoS) attacks and small service industries, we discussed measures that organizations should take to prepare themselves for DDoS attacks. In this second installment, we will go over some methods that are useful in defending networks from these attacks. (The third and final installment in this series will deal with responding to DDoS attacks).

One good way to defend your network from DDoS attacks is to hire a service organization that specializes in the problem. They typically employ algorithm-based firewalls, large networks, monitoring, and other techniques to thwart these attacks, and can be very effective. However, these services are also pretty expensive and impractical for smaller organizations unless the threat level is very high indeed. The good news is that you can do a lot to defend yourselves from DDoS attacks.

The first step is knowing exactly what it is that you are defending. Computer networks tend to grow organically and it is a sad fact that most organizations have a very imperfect picture of how their networks are set up and how they behave. To defend against DDoS, it is important to know what typical network traffic looks like throughout the business year. This helps you set proper thresholds for automated detection devices and ensures quick detection of the onset of events such as DDoS attacks.

Another step you can take to help defend against DDoS attacks is to consider a cloud-based approach for your web services. With the traffic volumes DDoS attacks can currently generate, internal web servers at smaller organizations are sure to be overwhelmed. But by employing a content distribution network in a cloud setting you vastly increase your capacity, reduce the chance of any one server becoming unserviceable and are able to deal with the event more efficiently.

It is also important to work with your Internet Service Provider (ISP) during DDoS attacks. Your ISP could help in many ways including source blocking, scrubbing, load distribution and rate limiting. In addition, it should be remembered that many DDoS attacks are launched as diversions to cover up other attacks against organizations. Ensuring that your network is properly enclaved and monitored can go a long way in protecting your information and control assets during these attacks.

This series is written by John Davis, MicroSolved, Inc.

Coming to Grips with DDoS – Prepare

Posted on by
3

This post introduces a 3 part series we are doing covering distributed denial of service attacks (DDoS) and helping organizations prepare for them. The series will cover 3 parts, Prepare, Defend and Respond. 

Part 1 of 3 – Prepare.

Distributed Denial of Service (DDoS) attacks use networks of compromised computers (botnets) or web servers (brobots) to flood organization websites with so much traffic that it causes them to fail. This is especially worrying for financial institutions and utilities which rely so very heavily on the availability of their services and controls. DDoS attacks are also mounted by attackers to hide fraud or other hacking activities being perpetrated on networks. Although these types of attacks are not new, they are presently increasing in frequency and especially in sophistication. Application layer DDoS attacks do a good job of mimicking normal network traffic and recent DDoS attacks have been measured at a huge 65 Gb (nearly 10 times the previous high point). The purpose of this blog is to discuss some methods small organizations can employ to properly prepare for DDoS attacks. (Later articles in this series will discuss means for defending against and responding to these attacks).

The first thing any organization should do in this effort is proper pre-planning. Ensure that DDoS is included in your risk assessment and controls planning efforts. Include reacting to these attacks in your incident response and business continuity plans. And as with all such plans, conduct practice exercises and adjust your plans according to their results. In all our years in business, MSI has never participated in a table top incident responce or disaster recovery exercise that didn’t expose planning flaws and produce valuable lessons learned.

Next, your organization should consider DDoS when choosing an ISP. It helps immensely to have an Internet provider that has enough resources and expertise to properly assist if your organization is targeted for one of these attacks. Ensure that you develop a close relationship with your ISP too – communicate your needs and expectations clearly, and find out from them exactly what their capabilities and services really are. 

Finally on the preparation side of the problem, make sure that you keep well informed about DDoS and the actual threat level it poses to your organization. Keep active in user groups and professional organizations. Use the net to gather intelligence. The Financial Service Information Sharing and Analysis Center (FS-ISAC) has plenty of useful and up to date information on DDoS. You can even turn the World Wide Web against the enemy and use it to gather intelligence on them!

–This article series is written by John Davis of MSI. 

PS – This is NOT a problem you can “purchase your way out” of. Organizations can’t and should not buy huge amounts of bandwidth as a preparation for DDoS. The cost impacts of such purchases are not effective, nor is bandwidth size an effective control in most cases. Note that some technology solutions for packet scrubbing and the like do exist. Your milage may vary with these solutions. MSI has not reviewed or tested any of the DDoS technology products as a part of this series.

Go Phish :: How To Self Test with MSI SimplePhish

Posted on by
5

Depending on who you listen to, phishing (especially spear phishing), is either on the increase or the decrease. While the pundits continue to spin marketing hype, MSI will tell you that phishing and spearphishing are involved in 99% of all of the incidents that we work. Make no mistake, it is the attack of choice for getting malware into networks and environments.

That said, about a year ago or more, MSI introduced a free tool called MSI SimplePhish, which acts as a simplified “catch” for phishing campaigns. The application, which is available for Windows and can run on workstations or even old machines, makes it quite easy to stand up a site to do your own free phishing tests to help users stay aware of this threat.

To conduct such a campaign, follow these steps:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

1.  Obtain the MSI SimplePhish application by clicking here.

2. Unzip the file on a the Windows system and review the README.TXT file for additional information.

3. Execute application and note the IP address of the machine you are using. The application will open a listening web server on port 8080/TCP. Remember to allow that port through any host-based firewalls or the like.

4. The application should now be ready to catch phishing attempts and log activity when the following URL structure is clicked on: http://<ip address of the windows system>:8080/ and when that URL is accessed, a generic login screen should be displayed.

5. Create an email message (or SMS, voice mail, etc.) that you intend to deliver to your victims. This message should attempt to get them to visit the site and enter their login information. An example:

Dear Bob,

This message is to inform you that an update to your W-2 tax form is required by human resources. Given the approaching tax deadline, entering this information will help us to determine if an error was made on your 2012 W-2. To access the application and complete the update process, please visit the online application by clicking here. (You would then link the clicking here text to your target URL obtained in step 4.)

6. Deliver the messages to your intended targets.

7. Watch and review the log file MSISimplePhishLog.txt (located in the same directory as the binary). Users who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and **the first 3 characters** of the password they used.  Users who visit the page, but do not login, will be recorded as a “bite”, including their IP address.

** Note that only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged. **

8. Let the exercise run for several days, in order to catch stragglers. Once complete, analyze the logs and report the information to the security stakeholders in your organization. Don’t forget to approach the users who use successfully phished and give them some tips and information about how they should have detected this type of attack and what they should do to better manage such threats in the future.

That’s it – lather, rinse and repeat as you like!

If you would like to do more advanced phishing testing and social engineering exercises, please get in touch with an MSI account executive who can help put together a proposal and a work plan for performing deep penetration testing and/or ongoing persistent penetration testing using this and other common attack methods. As always, thanks for reading and until next time, stay safe out there!