Simulation Report (Summary)
Prepared by: Cyber Security Specialists (on behalf of usecure)
5th June 2020
Contents
1. Introduction
2. Executive Summary
3. Approach
4. Simulation Results
5. Recommendations
CONFIDENTIAL
1
Executive Summary
Hooli have been concerned about the increased threat from email phishing and what this could
mean for their staff and organisation. To combat this, Gavin Belson, CEO at Hooli, agreed a
programme of work with usecure to run a series of mock phishing simulations on the Hooli staff
base. These simulations encompassed a number of approaches commonly used by cyber
criminals to best imitate a real world cyber-attack and provide actionable results for Hooli senior
management. It is understood that only Gavin Belson of Hooli was aware that this exercise was
undertaken.
The results of the simulations were varied. The templated phishing attack, which impersonated
an email from Microsoft, was opened by 85% of Hooli users but the attack was unsuccessful as
only 9% of users divulged any login credentials. This is a positive outcome which shows that
Hooli users have a good basic understanding of the more common forms of phishing attack.
The spear phishing attack, which used a bespoke Hooli branded ‘Xmas IT Audit’ template,
yielded the most concerning results: 60% of users clicked on the malicious link and entered their
user credentials. The impact of this type of compromise can be severe. These employees have
unknowingly provided their login credentials for their Workstation and Email accounts to a
malicious actor (or cyber-criminal) who could, if motivated, use them to perform a number of
nefarious acts which could lead to confidential corporate and client information being
compromised.
The impact of a successful spear phishing campaign such as the one demonstrated in this
simulation could be devastating for Hooli. Such attacks can lead to loss of revenue, reputational
damage, financial theft, loss of data, loss of customers and also regulatory fines.
Based on the output of the two phishing simulations, a number of recommendations have been
made within this report to improve the security posture of Hooli and its employees.
Introduction
Hooli was established in 1997 and is one of the world’s biggest brand names, helping users
throughout the world connect on their market leading operating system.
Hooli is concerned about the increased threat from email phishing and what this could mean to
their staff and organisation. To combat this, Gavin Belson, CEO at Hooli, has agreed a programme
of work with usecure to provide a managed service in running a series of mock phishing
simulations on the Hooli staff base. These simulations will encompass a number of approaches
used by cyber criminals to best imitate a real world cyber-attack.
Usecure have worked in partnership with Cyber Security Specialists, a Manchester based Cyber
Security Consultancy, to analyse the findings of the phishing simulations and deliver this report to
Hooli.
Usecure
Usecure are a team of industry, commercial and technical experts, committed to delivering a
leading, user-focused security platform to businesses of all sizes and in all industries, because we
understand that cyber-crime can affect anybody.
Approach
The success of any phishing campaign, real or simulated, depends on misleading the user base into
believing that the email received is genuine and from a trusted sender. To provide the most
realistic simulation and uncover the true areas of risk within Hooli, usecure adopts a two-pronged
methodology which includes both templated and spear phishing attacks:
Templated Phishing
This is the most common form of phishing attack and one that all users of email are likely to be
familiar with. The emails are created to look like they have come from a reputable vendor, for
example Apple, Microsoft or PayPal. There will typically be a call to action and a request to click
on a link, but doing so can result in the loss of personal data or the infection of the user's computer
with malicious software.
Spear Phishing
This attack is more sophisticated and will typically be researched beforehand using social
engineering techniques. These techniques allow the attacker to better understand the target and
create an email that will have a higher chance of success. Spear phishing attacks are generally
considered more of a risk to businesses as they are harder for employees to spot if not properly
trained.
This two-pronged approach allows usecure and Hooli to truly gauge the cyber security posture of
Hooli staff in the defence against phishing threats.
The simulated phishing campaign ran over the course of 3 months from December 2017 to
January 2018 and targeted 300+ Hooli employees. It is understood that only Gavin Belson of
Hooli was aware that this exercise was undertaken.
As shown in the figure below, Hooli employees were sent a phishing email disguised as a
legitimate Microsoft email asking them to change their account password. The email is sent from
an imitation domain which looks similar to one that Microsoft would use, to provide a sense of
assurance that the email is genuine.
If an employee clicks on either of the two links contained within the email they are taken to a fake
login page and asked to enter their email address and password, as shown in the figure below:
As shown in the figure below, Hooli employees were sent a second, more targeted email
impersonating Rita Book, the Social Media Manager of Hooli. The email signature is a simple
screen grab of Rita’s actual email signature and it appears as a large image rather than text. The
intention was to create a ‘real life’ business situation which is time limited and business critical.
With this goal, a request for information on the upcoming Xmas party was used, with all users
being asked to provide their email and login information before the end of the weekend.
Once the link is clicked on, users are taken to a credential harvest page which asks them for their
email address and password. The page is branded with the Hooli logo which is freely available
from a Google image search or the Hooli website.
Results
Templated Phishing Results
The results are positive: although 85% of users opened the email, this in itself does not present a
risk to the organisation, as only 28% clicked on the links within the email and visited the fake
login page. Overall, only 9% of users were compromised by entering their login credentials.
However, although only 9% of users were compromised, 28% of users still clicked on the link
within the phishing email. In this instance, users were directed to a credential harvesting web
page, however, in a real world attack the link could just as easily lead to a malware infection by
triggering the automatic download of malicious software.
Spear Phishing Results
The results are less positive: 89% of users opened the email, with 60% of users clicking on the
link and entering their user credentials.
The impact of this type of compromise could be severe. The compromised employees have
unknowingly provided their login credentials for their Workstation and Email accounts to a
malicious actor (or cybercriminal) who could use these details to perform the following nefarious
acts:
▪ In this section of the report we disclose the possible implications of the results from the
phishing simulation. The results differ dependent on the size and industry of a business;
below are some examples of the areas we look at:
o Impact on business operations, from the short term at the onset of a breach to long
term ramifications.
o Data loss, and the potential impact of what this would mean to the business.
o Client impact: revenue drop, client loss, impact to brand and reputation.
o Compliance: potential to become non-compliant if a breach is investigated,
dependent on the industry and compliance requirement.
Results Summary
The figure below summarises the results of both phishing campaigns:
• A full breakdown of engaged users can be provided in a separate .csv upon client request.
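As an added example (not part of the original report or of usecure's tooling), the script below computes the opened, clicked and submitted funnel per campaign from a per-user breakdown of the kind referred to above, and lists the users whose credentials need resetting and targeted training. The CSV columns and the sample rows are constructed assumptions, not Hooli's data or usecure's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a per-user engagement breakdown. The columns and the
# rows are assumptions for illustration, not the actual Hooli results.
SAMPLE_CSV = """campaign,user,opened,clicked,submitted
templated,alice@hooli.example,1,1,1
templated,bob@hooli.example,1,1,0
templated,carol@hooli.example,1,0,0
templated,dave@hooli.example,0,0,0
spear,alice@hooli.example,1,1,1
spear,bob@hooli.example,1,1,1
spear,carol@hooli.example,1,1,1
spear,dave@hooli.example,1,0,0
spear,erin@hooli.example,0,0,0
"""

STAGES = ("opened", "clicked", "submitted")

def parse_results(text):
    """Parse engagement rows and reject rows that break the funnel order."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = {s: row[s].strip() == "1" for s in STAGES}
        # A credential submission implies a click, and a click implies an open.
        if (flags["submitted"] and not flags["clicked"]) or (flags["clicked"] and not flags["opened"]):
            raise ValueError(f"inconsistent funnel for {row['user']} in {row['campaign']}")
        rows.append({"campaign": row["campaign"], "user": row["user"], **flags})
    return rows

def funnel(rows):
    """Per campaign: recipients, count per stage, and percentage of recipients."""
    by_campaign = defaultdict(list)
    for r in rows:
        by_campaign[r["campaign"]].append(r)
    summary = {}
    for name, recs in by_campaign.items():
        sent = len(recs)
        summary[name] = {"sent": sent}
        for s in STAGES:
            n = sum(1 for r in recs if r[s])
            summary[name][s] = n
            summary[name][s + "_pct"] = round(100 * n / sent) if sent else 0
    return summary

def compromised_users(rows):
    """Users who entered credentials in any campaign: password reset plus training."""
    return sorted({r["user"] for r in rows if r["submitted"]})
```

Calling `funnel(parse_results(SAMPLE_CSV))` gives the opened/clicked/submitted rates per campaign in the same form as the summary figure; `compromised_users` gives the reset list.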
Recommendations
Phishing attacks have become one of the most prevalent threats to organisations in recent years
and there is no sign of this changing anytime soon. The number of phishing scams is increasing
significantly and the tools and techniques used by cyber criminals have become more and more
sophisticated. It is very difficult for organisations to completely mitigate the risk of phishing
attacks due to the nature of the attack; however, Hooli can certainly reduce the risk of a
successful attack by implementing a defence in depth strategy. Defence in depth is an
information security concept in which multiple layers of security controls are placed throughout
an organisation to protect against cyber threats. These controls consist of People, Processes and
Technology.
Based on the output of the two phishing simulations, the following recommendations are made
within this report to improve the security posture of Hooli and its employees.
Recommendation 4 - Software - We provide a best practice guide on software that can be used to
strengthen security and cyber resilience.
Recommendation 5 - Frameworks - We list applicable frameworks that the client can work towards
which will help with their security profile, as well as advice on how best to implement the project
from a high level.
• All recommendations are specific to the business in the report and as such not all areas in the
example may be included.