Case Studies
September 21, 2024 . 5 min read

Strengthening Government Employee Defense Against Phishing

Non-Disclosure Agreement

Due to the sensitive nature of the work performed, a Non-Disclosure Agreement (NDA) was signed with the client, preventing the disclosure of their name, location, and specific infrastructure details. This case study highlights the key cybersecurity challenges faced and the solutions implemented while maintaining client confidentiality.

Executive Summary

Even after deploying state-of-the-art email security solutions, roughly 7%-8% of phishing emails still land in employees' inboxes. Advanced Persistent Threats (APTs), as the name suggests, persist in attacking an organization and use multiple methods to obtain information.

A single email that touches the right nerve is enough for an entire organization to fall. This is exactly what happened to one of our clients in the government sector. The attacker repeatedly targeted a fixed set of employees using various methods. Six employees fell for a phishing email, which led to the exposure of the entire database containing the personally identifiable information (PII) of the organization's employees.

At P.I.V.O.T, we believe in customizing services and solutions for our clients. This case study involves a government organization (in the power sector) facing persistent phishing threats from APTs. Given the sensitive nature of the client's operations and the presence of sensitive data (PII), employee awareness training and phishing simulations became necessary for the 5,000+ workforce.

Key Highlights

Key Challenges

  1. Persistent phishing threat from APTs
  2. 6 employees fell for a similar phishing email
  3. PII data involved

Solution

  1. Analyze the phishing emails
  2. Determine the sentiments triggered in employees
  3. Run customized phishing simulations
  4. Deliver tailored awareness training

Resources and Timelines

  1. Deployment of Phish-E within 72 hours
  2. Only 1 mid-level technical resource required to operate the platform
  3. Run simulation in under 2 minutes with existing templates

Remediation Steps

  1. Automated phishing simulations every month
  2. Detailed analysis of the simulation reports
  3. Using smart templates to create customized emails
  4. Continuous security posture assessment

Problem Statement

The government organization was persistently targeted by phishing attacks, affecting a group of mid-level employees. Initially, the phishing emails were unsophisticated, and no employee fell for them. However, after four months, the emails became more targeted, and employees began receiving phishing attempts every few weeks.

Although the organization had a basic email security system and spam filter in place, they were not enough to detect advanced phishing emails. Employees were aware of common phishing tactics, but the advanced emails eventually tricked them. Over 1,800 email addresses were publicly exposed, along with the hierarchical details of each department in the organization.

Our team ran a basic exposure check through our offensive security platform and discovered critical email passwords already available on the web. This revelation came as a surprise to the organization.

Phishing Email Details

The phishing email that employees fell victim to had the following characteristics:

  • It claimed to offer a top-up to the employee's existing health insurance policy.
  • The sender address appeared to belong to a legitimate health insurance company.
  • The language used was professional.
  • Call-to-action buttons redirected users to a landing page that imitated the health insurance company's site.
  • The login page displayed a "500 Internal Server Error" after credentials were submitted.

Employees refreshed the page several times and entered different credentials each time, handing the attackers even more data.
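The checks a triage analyst runs against an email like the one above (sender domain look-alike, mismatched Reply-To, failed authentication results, link text that hides a different target, and the urgency/fear/authority wording) can be scripted. The block below is an added example written for this page; it is not the client's email, the attacker's page or the Phish-E platform. The message, the organization's domain, the insurer's real domain and the sentiment keyword lists are constructed assumptions.

```python
"""Triage checks for a suspected phishing email (added example, not page code).

Runs header, link and wording checks on a constructed sample modelled on the
"insurance top-up" lure described in the case study. Domains, names and the
sentiment keyword lists are illustrative assumptions.
"""
import email
import re
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the insurer's genuine domain, used to spot look-alike sender domains.
TRUSTED_INSURER = "goodhealth-insurance.example"

# Assumed sentiment triggers; the real platform's lists are not on the page.
SENTIMENT_TERMS = {
    "urgency": ["urgent", "today", "midnight", "expires", "immediately"],
    "fear": ["cancelled", "suspended", "terminated", "penalty"],
    "authority": ["as directed by", "hr department", "compliance", "management"],
}

# Constructed sample message, not a real email.
SAMPLE_EMAIL = """\
From: GoodHealth Insurance <benefits@goodhealth-insurance-portal.example>
Reply-To: claims@mailer-7721.example
To: employee@example.gov
Subject: URGENT: your health insurance top-up expires today
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=mailer-7721.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear employee, as directed by the HR department you must confirm your
top-up before midnight or your policy will be cancelled.</p>
<a href="http://login.goodhealth-insurance-portal.example/auth">
https://goodhealth-insurance.example/login</a>
</body></html>
"""


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Lower-cased host of an email address or URL."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def sentiment_hits(text):
    """Which assumed trigger terms for each sentiment occur in the text."""
    low = text.lower()
    return {s: [t for t in terms if t in low] for s, terms in SENTIMENT_TERMS.items()}


def analyze(raw):
    """Return findings (red flags) and the sentiments the wording leans on."""
    msg = email.message_from_string(raw, policy=default)
    findings = []

    _name, from_addr = parseaddr(str(msg["From"]))
    from_dom = domain_of(from_addr)
    # Look-alike: contains the trusted brand label but is not the trusted domain.
    if from_dom != TRUSTED_INSURER and TRUSTED_INSURER.split(".")[0] in from_dom:
        findings.append(f"look-alike sender domain: {from_dom}")

    reply_to = str(msg["Reply-To"] or "")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_dom:
        findings.append("Reply-To domain differs from From domain")

    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech} did not pass")

    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    parser = LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        if text.startswith("http") and domain_of(text) != domain_of(href):
            findings.append(f"link text {domain_of(text)} hides href {domain_of(href)}")
        if urlparse(href).scheme == "http":
            findings.append(f"credential link over plain http: {href}")

    plain = re.sub(r"<[^>]+>", " ", body)
    hits = sentiment_hits(str(msg["Subject"]) + " " + plain)
    return {"findings": findings, "sentiments": {k: v for k, v in hits.items() if v}}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, value)
```

The same checks can be turned around when building a simulation template: a template that trips none of them is unrealistic, while one that trips all of them mirrors the lure the employees actually fell for.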

Solution

Our team at P.I.V.O.T was initially pleased that it had taken an advanced phishing email to deceive this organization's employees, but we were also concerned about what the results would look like once we launched our sentiment-driven smart templates, built on the latest attack vectors, through Phish-E.

Phishing Simulation Process Followed

  1. We analyzed the previous phishing emails and identified common themes, mistakes made by the attackers, and the factors that led employees to open the emails and click the links.
  2. We then used our industry-specific customized templates for government organizations and scheduled phishing simulations. The sentiments of urgency, fear, and authority were used in the email templates.
  3. We ran the simulations in batches on Monday, Tuesday, and Thursday mornings, the windows with the best open and click rates.
  4. A real-time reporting dashboard showed that 11% of employees opened the email within 2 minutes of receiving it.
  5. After one week, we generated a report showing that 30.37% of employees had been phished.

Remediation Steps and Preventive Measures

  • Perform AI-Based Sentiment Analysis: Our platform analyzed the most triggered sentiments in the email templates and employee responses.
  • Run Callback Phishing: Based on the sentiment analysis, we reran the campaign to see whether more employees would fall for the phishing attempts.
  • Track Employee Progress: We tracked the progress of employees in the provided training. Both general and customized training on phishing awareness were delivered.
  • Run Another Phishing Simulation: We ran another phishing simulation using different sentiments to gauge the phishing rate. After our training and multiple phishing simulations over 3 months, we reduced the phishing rate to 6.44% using the automated Phish-E platform.

Conclusion

Automated phishing simulations through Phish-E and security awareness training helped the organization reduce the phishing rate from an initial 30% to 6.44% after 3 months and 4 simulations. Easy reporting structures and automated report delivery to the executives allowed for tailoring the training initiatives within the company. Employee awareness increased significantly through live simulations and real-life demonstrations of phishing campaigns.


Tags: Phishing, Awareness Training, Government, Energy