Understanding Phishing:

Phishing is a technique in which attackers impersonate a trustworthy party to get users to share sensitive information. They craft convincing messages or websites that lure individuals into unknowingly handing over personal details, passwords, or financial information. This gives attackers initial access to confidential data by exploiting human trust rather than a technical flaw. Stay alert to protect your sensitive information from these deceptive practices.

Tenendo offers two distinct methods of conducting social engineering assessments. When performed as a part of a Threat Intelligence-Based Ethical Red Teaming engagement, phishing is used as one of the initial access methods, and thus the penetration testing team is focused on discovering a single method that would work against the target infrastructure.

When conducted separately, Tenendo prefers to dechain the phishing assessment from the full compromise chain, which gives broader coverage of different techniques and more transparency in the remediation recommendations. The steps taken during the assessment are listed below:

  • Initial access method research and development. Tenendo continuously updates its private techniques and tooling, but additional research is often required to tailor the payloads and scenarios to a specific target. When conducted separately, Tenendo can run a wide variety of up-to-date methods on a corporate workstation to evaluate how well a number of different threats are detected.
  • Scenario development. Tenendo phishing scenarios are always custom and Threat Intelligence-Based, and can be tailored to the threats prevalent in the target's sector.
  • Mail/messaging filter evasion. When conducted as a part of a compromise chain, Tenendo sets up a lab resembling the target mail/messaging infrastructure to ensure delivery of phishing pretexts and payloads.
  • Infrastructure setup. Tenendo sets up a separate infrastructure for each campaign, tailored to the specific payloads and pretexts.
  • Phishing delivery. If phishing is part of a red team engagement, scenarios are executed to gain access for further post-exploitation and lateral movement. When conducted separately, Tenendo collects comprehensive statistics on the success rate of different scenarios.

Key Benefits of Phishing in Red Team Engagements:

  1. Realistic Threat Simulation: Simulated phishing attacks closely replicate real-world threats, offering a realistic assessment of an institution’s susceptibility to phishing attempts.
  2. Comprehensive Security Assessment: Red Teaming, with a focus on phishing, evaluates both technical and human aspects of cybersecurity, providing a comprehensive view of an institution’s security posture.
  3. Strategic Training Opportunities: Identifying weaknesses in employee response to phishing enables targeted and effective training programs, empowering staff to become a proactive line of defence.
  4. Risk Mitigation: Proactively addressing phishing vulnerabilities reduces the risk of falling victim to actual attacks, safeguards sensitive financial data and maintains customer trust.