15 October 2020
Defender for Office 365: Attack Simulator
By now we’re all aware of the disastrous effects of ransomware. In recent times a number of New Zealand organisations have been affected, and the results have meant huge costs, both in recovery and in the inability to operate during the recovery. There are a lot of statistics on how widespread this problem is, and here are just 10 of them:
- 65% of ransomware infections are delivered via phishing
- A ransomware attack will take place every 11 seconds by 2021
- 85% of ransomware attacks target Windows systems.
- The average cost of a ransomware attack in 2019 was $133,000
- 50% of IT professionals don’t believe that their organization is ready to defend against a ransomware attack.
- Hackers attack every 39 seconds or an average of 2,244 times a day
- Between January 1st and June 30th, 2020, ID Ransomware received 100,001 submissions relating to attacks that targeted companies and public sector organizations.
- 90% of IT pros had clients that suffered ransomware attacks in the past year
- Ransomware costs will reach $20 billion by 2021
- 51% of businesses have been impacted by ransomware in the last year
Although these stats might not be entirely relevant to the New Zealand market, there’s no denying that this is something that keeps those responsible for protection up at night. The first statistic is the one we want to go into: 65% of ransomware infections are delivered via phishing. I’d be very surprised if any organisation doesn’t have some form of e-mail protection, but these are never 100% reliable. There’s always a chance that one will get through, and there’s always going to be that one user who acts on the request for credentials, and it only takes one.
So how do we know who this one person will be? A lot of organisations have short videos and educate their people on what phishing is and how to detect it, but what if you could perform random phishing simulations and, in a safe and educational way, report on which of your organisation’s people have clicked through? Attack Simulator has been around a while, yet I’ve not known a lot of organisations to avail of it. That is probably due to the requirement of having mailboxes in Exchange Online and the licensing requirements, but these should be met by most organisations these days. In Microsoft speak, “you can use Attack Simulator in the Security & Compliance Center to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line”.
With Attack Simulator you can choose to run the following campaigns:
Spear Phishing campaigns, there are two types:
- Spear phishing (credentials harvest): The attack tries to convince the recipients to click a URL in the message. If they click the link, they’re asked to enter their credentials.
- Spear phishing (attachment): The attack tries to convince the recipients to open a .docx or .pdf attachment in the message.
Password attack campaigns, also two types:
- Brute force password (dictionary attack): A brute force or dictionary attack uses a large dictionary file of passwords on a user account with the hope that one of them will work (many passwords against one account).
- Password spray attack: A password spray attack uses the same carefully considered password against a list of user accounts (one password against many accounts). Password spray attacks are harder to detect than brute force password attacks (the probability of success increases when an attacker tries one password across dozens or hundreds of accounts without the risk of tripping the user’s incorrect password lock-out).
Note: For users that have MFA enabled, even if the password attack tries their actual password, the attempt will always register as a failure.
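To see why a password spray is harder to spot than a dictionary attack, here is a small detection sketch run over failed sign-in events. It is an added example, not part of Attack Simulator or Microsoft's documentation; the event format, the thresholds and the sample data (documentation-range IP addresses, made-up account names) are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed sign-ins: (ISO timestamp, source IP, account).
SAMPLE_FAILURES = (
    # One source, 12 failures against a single account (dictionary attack).
    [(f"2020-10-15T09:00:{s:02d}", "203.0.113.10", "alice") for s in range(0, 24, 2)]
    # One source, a single failure against each of 15 accounts (spray).
    + [(f"2020-10-15T09:{m:02d}:00", "203.0.113.20", f"user{m:02d}") for m in range(5, 20)]
    # A user mistyping their own password twice.
    + [("2020-10-15T09:30:00", "203.0.113.30", "bob"),
       ("2020-10-15T09:30:20", "203.0.113.30", "bob")]
)

def locked_out_accounts(failures, lockout_threshold=10):
    """Accounts that a per-account lockout counter alone would flag."""
    counts = defaultdict(int)
    for _, _, account in failures:
        counts[account] += 1
    return {a for a, n in counts.items() if n >= lockout_threshold}

def classify_sources(failures, window=timedelta(minutes=30),
                     per_account_limit=10, spray_accounts=10, spray_max_each=2):
    """Label each source IP 'brute_force', 'password_spray' or 'benign'.
    Thresholds are assumed values; tune them to your own lockout policy."""
    by_source = defaultdict(list)
    for ts, ip, account in failures:
        by_source[ip].append((datetime.fromisoformat(ts), account))
    verdicts = {}
    for ip, events in by_source.items():
        events.sort()
        verdict, start = "benign", 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, account in events[start:end + 1]:
                counts[account] += 1
            if max(counts.values()) >= per_account_limit:
                verdict = "brute_force"   # many passwords, one account
                break
            if len(counts) >= spray_accounts and max(counts.values()) <= spray_max_each:
                verdict = "password_spray"  # few passwords, many accounts
        verdicts[ip] = verdict
    return verdicts

if __name__ == "__main__":
    print(locked_out_accounts(SAMPLE_FAILURES))
    print(classify_sources(SAMPLE_FAILURES))
```

The per-account counter only ever sees the dictionary attack; the spray shows up only when failures are grouped by source and counted across distinct accounts.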
For more information on how to create a campaign using Attack Simulator, have a look at the Microsoft docs page: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator?view=o365-worldwide