Advanced Engineering Services
Phishing Campaign Penetration Test
Secure Network’s Phishing Campaign penetration test will determine how likely a threat actor is to compromise the customer domain via spear phishing. This test will implement malware and Command and Control (C2) typically seen in real-world attacks to illustrate the most likely attack paths that would be used by an attacker who successfully phished a user within the customer domain.
SNT applies a consistent and reproducible approach that combines comprehensive identification and validation of risk-based vulnerabilities. This methodology ensures that both new and common threat actor Tactics, Techniques, and Procedures (TTPs) are applied to each test, identifying real-world attack paths that could be exploited within mature organizations.
Planning Phase
During the Planning phase, SNT will collaborate with customer Points of Contact (PoCs) to discuss Scope and Rules of Engagement, and to outline what to expect during the phishing campaign penetration test. Senior cyber security engineers will be involved with PoC planning meetings to detail engagement information and to answer any questions or concerns. Planning will also include payload and delivery testing with the customer to determine the capabilities of the host-based AV/EDR, and which payloads, if any, are able to bypass security controls.
Reconnaissance Phase
The Reconnaissance phase will be the beginning of the phishing campaign. This phase consists of gathering information about users and employees within the customer environment. SNT will perform Open Source Intelligence (OSINT) gathering to emulate the information that is available to threat actors about the customer business. SNT will create a list of discovered users and email addresses and validate this information with the customer to create a target list.
Exploitation Phase
The Exploitation phase will begin once a target list has been approved and payload and delivery testing has been completed. SNT will spear phish individual users with the intent to socially engineer the user into downloading and executing a malicious application, which will give SNT engineers access to that user’s context and workstation via C2.
Post-Exploitation Phase
The Post-Exploitation phase continues the exploitation of the attack path to validate how likely a real-world threat actor is to compromise the customer domain. In-depth analysis of Active Directory, baseline security configurations, user access, AV/EDR capability, and defense in depth will be performed to demonstrate the actual impact that an adversary would have within the environment.
Reporting Phase
The Reporting phase will occur after the conclusion of testing. Any attack paths or vulnerabilities that have been discovered and exploited will be disclosed. Mitigation techniques are included in the details of findings, where applicable, to provide guidance and a starting point to reduce the overall risk to the customer environment. The complete movements of the threat emulation, along with their corresponding MITRE ATT&CK mapping, will be included in the report to give the customer an exact replication of the attack. A phishing report with metrics of user clicks and malicious application execution will be delivered as well.
Deliverables
SNT will deliver both the final report and the phishing report to the customer along with detailed mappings of the attack path. The deliverables will also include any artifacts gathered during the attack, such as Active Directory enumeration output, privilege escalation tests, etc.