RedTeam Security's email phishing methodology combines industry-standard methodologies with our experience to develop a customized approach to testing employees' adherence to company procedures and their ability to protect company assets. As part of an email phishing engagement, RedTeam Security will assess:
RedTeam Security employs a standard methodology that includes multiple phases. These phases build on each other and ensure an effective and comprehensive test.
As with other types of penetration testing, the first phase in an email phishing engagement focuses on gathering as much information as possible about the target. This is done through passive reconnaissance and Open-Source Intelligence (OSINT). It is one of the most critical steps in the process because it examines your organization from the perspective of a "bad guy" and lets RedTeam Security see everything an attacker would see using only public sources, such as Google Earth, social media, and job boards. Using this approach, it is usually possible to learn a great deal about the business, its surroundings, and its environment.
In an email phishing test, information gathering consists of collecting employee names and email addresses and learning enough about the company to develop relevant pretexts for the phishing emails.
The depth of this phase varies by engagement. In many cases, the client provides much of the information needed to create the pretext and launch the attack (e.g., the vendors and software in use, and the list of names and email addresses to target).
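One routine part of the information-gathering phase described above is turning a list of employee names into candidate email addresses once the organization's address format is known or can be inferred from a few confirmed samples. The following is an added example (not RedTeam Security's tooling) that infers which of a set of common local-part formats is consistent with constructed sample addresses and then applies the surviving format(s) to further names. The pattern table, the sample names and the `example.com` domain are assumptions for illustration.

```python
import re
import unicodedata

# Common corporate local-part formats (an assumed, non-exhaustive table).
PATTERNS = {
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "f.last": "{f}.{last}",
    "first.l": "{first}.{l}",
    "lastfirst": "{last}{first}",
    "last.first": "{last}.{first}",
    "first": "{first}",
}


def normalize(part):
    """Strip accents and non-letters so 'Núñez-García' becomes 'nunezgarcia'."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def split_name(full_name):
    """Return (first, last); middle names are ignored (a simplifying assumption)."""
    tokens = full_name.strip().split()
    if len(tokens) < 2:
        raise ValueError(f"need at least a first and last name: {full_name!r}")
    return normalize(tokens[0]), normalize(tokens[-1])


def render(pattern_key, first, last):
    """Render one pattern for a given first/last name."""
    return PATTERNS[pattern_key].format(first=first, last=last, f=first[:1], l=last[:1])


def infer_formats(known):
    """Given (full_name, confirmed_email) pairs, return the pattern keys that
    reproduce every sample, plus the domain. An empty list means the samples
    are inconsistent with each other or with every pattern in the table."""
    candidates = set(PATTERNS)
    domain = None
    for name, email in known:
        local, _, dom = email.strip().lower().partition("@")
        domain = domain or dom
        first, last = split_name(name)
        candidates = {k for k in candidates if render(k, first, last) == local}
    return sorted(candidates), domain


def generate(names, pattern_keys, domain):
    """Apply each surviving pattern to each name. With more than one surviving
    pattern, every variant is emitted so the caller can verify them."""
    return [
        f"{render(k, *split_name(n))}@{domain}"
        for n in names
        for k in pattern_keys
    ]


# Constructed samples; no real addresses.
KNOWN = [("Jane Doe", "jane.doe@example.com"), ("José Núñez-García", "jose.nunezgarcia@example.com")]
TARGET_NAMES = ["Ann Lee", "Sam O'Brien", "Maria Elena Rossi"]

if __name__ == "__main__":
    keys, domain = infer_formats(KNOWN)
    for addr in generate(TARGET_NAMES, keys, domain):
        print(addr)
```

A single confirmed sample often leaves several patterns alive (for example, a first-initial-plus-surname address can look like a concatenated short first name), so confirm the inferred format against more than one known address before building a target list from it, and verify generated addresses separately rather than assuming they exist.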
Intelligence gathered in the previous phase is combined into a plan of attack. For an email phishing engagement, the plan includes the pretext (the story being used and who will appear as the sender of the phishing email), the email content, the names and email addresses of the targets, the goals of the engagement (e.g., whether RedTeam Security will attempt to harvest credentials, or whether the email infrastructure will be tested to determine if it filters malicious attachments), timing, and so on. RedTeam Security also works with the client contact to obtain approval of the content and format of the phishing emails before anything is sent.
This is where the team executes the attack, launches the email campaign, and monitors the results. Phishing emails are generally sent in batches over a period of hours or days, depending on the number of employees in scope, and the campaign then stays open for a week or two so that recipients who do not read their email promptly are still captured.
RedTeam Security provides a report that includes the pretext and content of the email, a summary of the results (who opened the email, who took an action, etc.), and each target's individual results. You can use the results to develop or enhance your security awareness training.
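The two steps above, a batched send followed by per-target and summary reporting, amount to a small bookkeeping problem that every campaign tool has to get right. The following is an added example (not RedTeam Security's reporting code) that splits a target list into send batches spaced over time and then reduces a constructed campaign event log into the funnel summary and per-target results a report would contain. The event names (`sent`, `opened`, `clicked`, `submitted`, `reported`), the target identifiers and the timestamps are all assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Funnel steps in order; reaching a later step implies the earlier ones.
FUNNEL = ["sent", "opened", "clicked", "submitted"]


def schedule_batches(targets, start, batch_size, interval):
    """Split targets into batches of batch_size, each scheduled `interval`
    after the previous one. Returns a list of (send_time, [targets])."""
    return [
        (start + (i // batch_size) * interval, targets[i:i + batch_size])
        for i in range(0, len(targets), batch_size)
    ]


def summarize(events):
    """Reduce raw events to per-target results and funnel counts.

    Each target counts once per funnel step regardless of repeated clicks or
    opens, and the result is the furthest step reached even if events arrive
    out of order. 'reported' (the target told security) is tracked separately
    because it is the desired outcome rather than a funnel step."""
    per_target = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = per_target.setdefault(
            ev["target"], {"furthest": None, "reported": False, "first_click": None}
        )
        if ev["event"] == "reported":
            rec["reported"] = True
            continue
        if ev["event"] not in FUNNEL:
            raise ValueError(f"unknown event type: {ev['event']!r}")
        step = FUNNEL.index(ev["event"])
        if rec["furthest"] is None or step > FUNNEL.index(rec["furthest"]):
            rec["furthest"] = ev["event"]
        if ev["event"] == "clicked" and rec["first_click"] is None:
            rec["first_click"] = ev["ts"]

    summary = Counter()
    for rec in per_target.values():
        if rec["furthest"] is not None:
            for step in FUNNEL[: FUNNEL.index(rec["furthest"]) + 1]:
                summary[step] += 1
        if rec["reported"]:
            summary["reported"] += 1
    return per_target, dict(summary)


# Constructed event log for five hypothetical targets.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    {"target": "alice", "event": "sent", "ts": T0},
    {"target": "bob", "event": "sent", "ts": T0},
    {"target": "carol", "event": "sent", "ts": T0 + timedelta(hours=1)},
    {"target": "dave", "event": "sent", "ts": T0 + timedelta(hours=1)},
    {"target": "erin", "event": "sent", "ts": T0 + timedelta(hours=2)},
    {"target": "alice", "event": "opened", "ts": T0 + timedelta(minutes=5)},
    {"target": "alice", "event": "clicked", "ts": T0 + timedelta(minutes=6)},
    {"target": "alice", "event": "clicked", "ts": T0 + timedelta(minutes=7)},  # duplicate
    {"target": "alice", "event": "reported", "ts": T0 + timedelta(minutes=9)},
    {"target": "bob", "event": "opened", "ts": T0 + timedelta(hours=3)},
    # carol's submit is logged before her click (out-of-order delivery).
    {"target": "carol", "event": "submitted", "ts": T0 + timedelta(hours=1, minutes=12)},
    {"target": "carol", "event": "clicked", "ts": T0 + timedelta(hours=1, minutes=11)},
    {"target": "carol", "event": "opened", "ts": T0 + timedelta(hours=1, minutes=10)},
    {"target": "erin", "event": "reported", "ts": T0 + timedelta(hours=2, minutes=1)},
]

if __name__ == "__main__":
    for when, batch in schedule_batches(["alice", "bob", "carol", "dave", "erin"], T0, 2, timedelta(hours=1)):
        print(when.isoformat(), batch)
    results, counts = summarize(SAMPLE_EVENTS)
    print(counts)
    for target, rec in sorted(results.items()):
        print(target, rec["furthest"], "reported" if rec["reported"] else "")
```

Counting each target once per step is what makes the summary usable as a percentage of people rather than a count of events, and keeping "reported" out of the funnel lets the report show the one number that should go up after awareness training alongside the ones that should go down.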
To perform a comprehensive, real-world assessment, RedTeam Security uses commercial tools, internally developed tools, and the same tools attackers use, on every assessment. Once again, our intent is to assess security by simulating a real-world attack, and we leverage the many tools at our disposal to carry out that task effectively.