While a friend and I were having coffee he took a second to check his office email. “OH OH,” he said. “What is it?” I asked. “Well, it could be a malicious phishing message or … maybe not.” After thinking a moment about it, he decided not to open the message.
He explained that his Fortune 500 company has an active and assertive anti-phishing, anti-spam program for its 15,000 employees. There are bulletins and security awareness reminders. And on at least a monthly basis the IT department sends suspicious-looking emails to all employees. Click on the fake malicious email and a pop-up box announces You’re busted! Click instead on the ‘phish alarm’ button on the Outlook menu and you get a Congratulations! pop-up message.
Basically, it’s red teaming.
It did not take long after the program's inception for employees to start thinking twice before opening or clicking; folks learned what to look for and developed an adversarial outlook. Because the lesson was in real time, the mindset shift happened quickly. That is the beauty of red teaming.
This particular company has a lot to protect: intellectual property, competitive market information, technology and more. Their deliverable scope and pace mean the slightest disruption of IT servers via email would be very expensive. Malicious email meant to social engineer access to sensitive areas could also have bad consequences. The threat is real. A few examples from recent news:
- A spear phishing attack against the city of Ocala, Florida resulted in the mistaken transfer of $640K to a scammer’s bank account. The email was made to look like it was from a current contractor working for the city.
- The U.N., the Heritage Foundation and the International Red Cross have been frequent targets this year of spear phishing attacks meant to snag user login credentials.
- The so-called Cobalt Dickens campaign (first uncovered last year) attacks to steal IP, either to be exploited or for profit. Universities in over 16 countries including the U.S., UK, Canada, Hong Kong, Australia and Switzerland have been targeted anew this year. Emails to recipients claim the user needs to reactivate library services by clicking on a link …
The form a malicious attack takes is limited only by the creativity of the adversary.
The message here is twofold. Cyber threats are everywhere and each of us needs to be vigilant, at work and in our personal lives online.
But from Chameleon’s perspective, the second message is equally important: the best way to counter threats and measure the effectiveness of your security measures is via red teaming.