As any security consultant will know, the more fun you have on an engagement (see part 1, part 2 and part 3 for the back story), the longer the report will be afterwards and the more important the executive and technical summaries will be in tying all the observations together in an actionable fashion. We are not going to bore you with an exhaustive write-up here, but needless to say, there was still room for improvement.

Overall, our Security Advisory Services team found that, whilst many users coped well with the attempts to phish them, a significant number of users did not. As a result, our recommendations for end users included:

  • Remind users that they should not follow untrusted links and/or submit credentials to untrusted websites
  • Ensure that users know what to do if they accidentally access an untrusted website (the answer is not to ‘blindly panic’!)
  • Remind users that responding by email can be as dangerous as following untrusted links, and that email headers can be routinely forged
  • Provide users with training on how to use social networks securely

Additionally, we also advised the customer that their blue team (including the SOC, platform owners etc) ought to (at a minimum) perform the following actions:

  • Ensure that system clocks are correctly synchronised across all key systems
  • Check DNS server caches and logs for our malicious domains and staging box IP addresses
  • Check mail server logs for our malicious domains and staging box IP addresses
  • Determine the scores with all inbound emails from our malicious domains to establish on what grounds they were accepted and delivered
  • Check web proxy logs for our malicious domains and staging box IP addresses
  • Investigate whether the mail server and web proxy can take custom filters to support activities such as greylisting for all non-role account addresses
  • Ensure that mail servers do not leak sensitive information
  • Check that all mobile devices use a VPN that prevents split tunneling to connect back into the main network, and only access the Internet through the VPN tunnel
  • Scan internal systems for known file hashes corresponding to the files used during the exercise
  • Ensure that any systems with identifiably out-of-date client software are included in asset management systems and that there are processes to patch them regularly

The above actions were recommended both to check that good practice controls actually exist, but just as importantly to ensure that the controls are functioning as expected, so that they are available in the event of a real incident. Obviously, these blue team actions should be performed on top of any specific remedial actions that are carried out to resolve specific issues. They should also be repeated on a regular basis to ensure that they remain functional.



Tim (Wadhwa-)Brown

Security Research Lead

CX Technology & Transformation Group