What is a full spectrum attack simulation?
Full spectrum attack simulation includes a wide range of cyber attacks designed to exploit all areas of your defence landscape.
As a business, your data is one of your biggest assets, and protecting it is critical. Data breaches occur constantly and the effects can be devastating: systems can be taken offline for days or weeks, customer data could be shared with competitors, and confidential information could be published publicly, leading to large fines.
Attacks can be opportunistic or targeted. Understanding what an attack could look like, or how it would affect your business, is difficult. It’s a common mistake to think that strengthening your IT infrastructure is the ultimate defence. Your people, your processes and your communications are all potential vulnerabilities too.
Samurai determine how to maximise your defences with the minimum cost and time. We do this by establishing the points within your organisation that are in most need of strengthening, from staff awareness training to web applications and networked systems.
What's getting through your defences?
When it comes to an organisation's defences being breached, there are several areas that a malicious hacker could leverage. Threats can be internal or external and can be exploited in a range of ways.
Phishing is one method of attack. It can come in the form of a call, text or email, with the intention of getting the target to click on a malicious hyperlink or to divulge sensitive information. This is often done by impersonating a business, a person of authority, or a family member in need. When used to target an organisation, it may be sent to employees from a spoofed email address that looks like it came from the CEO or the technical department, in order to mislead the target into sending money or confidential information to the malicious hacker.
Social engineering is another possible threat to your organisation. It is performed in several ways and is used to gather information or gain entry into secure areas and systems; it can be done in conjunction with phishing emails and can also be attempted in person. Social engineering is where the malicious hacker attempts to trick their target into divulging sensitive information.
Vishing is voice phishing. It is similar to phishing and social engineering in that the attacker will attempt to trick the target into divulging sensitive information, or manipulate the target into browsing a malicious website, which could infect their machine with a virus or malware. Vishing is done using a voice message sent over email, or through a call, where the attacker assumes the position of someone in authority, such as a boss or colleague. The attacker may also impersonate a business or provider such as Amazon or PayPal and attempt to get the target to divulge payment details or login credentials.
Disgruntled employees are a leading cause of internal cyber-attacks. This happens when an organisation decides to terminate an employee for any reason and their access isn’t removed immediately, or they have kept some sensitive information belonging to the business. This can be avoided by ensuring all work-related information and property is kept on the organisation's premises only, that all work computers, laptops and phones are handed back at the time of termination, and that all access to company systems is revoked, ensuring all areas are covered.
Simulating an incident can be done using an internal cyber security team or a third-party cyber security company, such as Samurai. This team would conduct a full vulnerability test or penetration test on the agreed systems. A report would then be produced outlining all issues and vulnerabilities that were found and how much information could be accessed, and it would include a set of instructions to remediate any vulnerabilities and risks found.
Simulating an attack can be done on any system, secure area, device, application or network that requires testing. All vulnerabilities and risks are noted and explained in detail in the form of a high-level technical report, with an easy-to-understand and concise management summary.
Phishing attacks make a big impact on businesses, especially when they target employees who aren’t fully aware of the threat. It is recommended to conduct a yearly phishing campaign to ensure that all employees who use or access email are aware of the risks and know how to spot a phishing attempt.
Phishing campaigns are where fake phishing emails are released into the organisation and directed towards employees. Anyone who follows the instructions, or falls for the email, is recorded on the system used to run the campaign, and trends showing which departments require more training become apparent. It is also useful to highlight which departments flagged the email as unsafe, or followed the correct organisational procedure for phishing emails.
Once a phishing campaign has been completed, a report details how many people fell for the emails, which departments, and how much information would have been divulged had this been a real phishing attack.
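As an added illustration of how such a report can be derived (this is not Samurai's tooling, and the event records, field names and training threshold are constructed assumptions), the script below counts unique employees per department who clicked, submitted details or reported the email, and ranks departments by training need:

```python
"""Aggregate simulated phishing-campaign events per department.

Added illustration, not Samurai's tooling: the event records below are
constructed, and the field names and the click threshold are assumptions.
"""
from collections import defaultdict

# Constructed sample events: (employee, department, action). An employee may
# appear several times; "reported" means they followed the phishing procedure.
EVENTS = [
    ("alice", "Finance", "sent"), ("alice", "Finance", "clicked"),
    ("alice", "Finance", "submitted"),
    ("bob", "Finance", "sent"), ("bob", "Finance", "clicked"),
    ("carol", "Finance", "sent"), ("carol", "Finance", "reported"),
    ("dave", "IT", "sent"), ("dave", "IT", "reported"),
    ("erin", "IT", "sent"), ("erin", "IT", "reported"),
    ("frank", "Sales", "sent"), ("frank", "Sales", "clicked"),
    ("grace", "Sales", "sent"),
]

ACTIONS = ("sent", "clicked", "submitted", "reported")


def summarise(events):
    """Return {department: {action: unique employee count}}, so that one
    employee clicking twice is not double counted."""
    seen = defaultdict(lambda: defaultdict(set))
    for employee, dept, action in events:
        seen[dept][action].add(employee)
    return {d: {a: len(acts[a]) for a in ACTIONS} for d, acts in seen.items()}


def training_priority(summary, click_threshold=0.25):
    """Rank departments by click rate (highest first) and flag those above the
    assumed threshold as needing extra awareness training."""
    rows = []
    for dept, c in summary.items():
        click_rate = c["clicked"] / c["sent"]
        report_rate = c["reported"] / c["sent"]
        rows.append((dept, round(click_rate, 2), round(report_rate, 2),
                     click_rate > click_threshold))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for dept, clicks, reports, flag in training_priority(summarise(EVENTS)):
        print(f"{dept:8} clicked={clicks:.0%} reported={reports:.0%}"
              f"{'  <- training needed' if flag else ''}")
```

The report rate is worth tracking alongside the click rate, because a department that reports promptly limits the damage of a real attack even if one person clicks.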
The organisation's website and its internal network are two big areas of concern for businesses. If these go down, the business may not be able to run as intended, and downtime can reduce profit.
Attackers target web applications and websites in order to deface them and damage the image of the organisation, or to get at confidential information. The internal network could also be probed for holes or vulnerabilities in order to access sensitive or confidential files and data.
A vulnerability assessment or penetration test should be conducted on a scheduled basis; once every 6 or 12 months would suffice. All new technology and systems being put into place should also be penetration tested before being implemented. A penetration test can help find vulnerabilities in the networks, applications or systems within the organisation, and then aid in resolving these issues quickly and efficiently, before an attacker can exploit them.
Social engineering is a method in which an attacker tries to trick or manipulate their target into divulging confidential or sensitive information. This is done in several ways, from impersonating a boss or colleague during a call or email, to wearing a high-vis vest and following an employee into a secure area while looking like they “belong”. Social engineering has many methods and a worryingly high success rate.
Social engineering attempts can be tested within the organisation. Just as a phishing campaign can highlight weak areas for employee training, employing a third-party organisation to conduct a physical penetration test can confirm that all policies and procedures around checking the people walking around a building are being followed as expected.
Risk management methodology
A cyber security risk management methodology is the set of methods or rules used to identify and assess the cyber security risks in an organisation. Once risks are identified, they are communicated to upper management and the cyber team, and steps are put in place to reduce or avoid them.
The cyber team would work closely with each area of the organisation to ensure all risks are identified, and a risk management procedure should be adopted for each scenario. For example, if a breach occurs, the cyber department should be notified with a report detailing which areas were targeted and what information was lost or stolen. This report can be handed over to the cyber security teams, top management and any other relevant departments, who will help ensure the breach has been responded to as expected.
The cyber security risk management methodology should also include information about what happens post-incident. If an incident occurs, the department(s) the incident has affected should be assessed and relevant training offered where required.