158SAPC Base

Security Awareness Phishing Campaign

    Service Overview

    Security Awareness is a critical component of an information security program: it ensures that personnel are aware of the threats and tactics commonly used by adversaries. This phishing assessment sends simulated phishing emails to personnel and provides an overview of who can and cannot identify phishing emails, so that remediation and risk management functions can be facilitated.

    Objectives

    The objectives of this initiative are as follows:

    • Test organization users on the ability to recognize a social engineering attempt.

    Methodology

    This project consists of the following phases:

    1. PLANNING
      1. Arrange for the phishing tool to be allowed in the client's environment (if available).
      2. Collaborate with the client point of contact to generate the phishing email, credential harvesting page, and training page that will be used in this campaign.
      3. Run a test campaign to validate that whitelisting was successful and that emails will arrive in inboxes as intended.
      4. Identify the targets for the phishing test.
    2. PHISHING CAMPAIGN
      1. Send out phishing emails over the period of time specified in the scope section.
        1. Phishing Email - A seemingly legitimate email that attempts to convince users to click on an unknown link to an untrusted domain.
        2. Credential Harvesting - Users who click on the link in the phishing email are directed to a login screen that attempts to capture credentials.
        3. Training Page - Users who click on the link in the phishing email and enter credentials are directed to a training page with tips on how to identify phishing emails in the future.
      2. Once the tool has sent all phishing emails, reporting continues for the period of time specified in the scope section to capture any relevant actions.
    3. FINDINGS
      1. Analyze and compile the results of the social engineering test and document them as the deliverables so that appropriate remediation and risk management can be facilitated.
      2. Findings report, including an executive summary, findings, and recommendations.

    This awareness initiative is based on the following regulations and standards:

    • NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
    • NIST SP 800-16 A Role-Based Model for Federal Information Technology/Cyber Security Training

    Deliverables

    DeepSeas will produce the following deliverables:

    1. SOCIAL ENGINEERING TEST DETAILS - DeepSeas to provide an output from the social engineering test that includes detailed outcomes and results for all targeted users and allows filtering to easily identify users who passed or failed.
    2. SOCIAL ENGINEERING TEST SUMMARY REPORT - DeepSeas to summarize the results in a report that presents high-level observations and recommendations on steps for remediation.
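    The per-user pass/fail filtering and the summary rates described in the two deliverables can be derived from a campaign export like the one below. This is an added illustration, not DeepSeas's tooling or report format; the CSV column names and the sample rows are constructed for the example.

```python
"""Classify simulated-phishing results per user and summarise a campaign."""
import csv
import io
from collections import Counter

# Constructed sample export (hypothetical column names): one row per targeted user.
SAMPLE_CSV = """email,sent,opened,clicked,submitted,reported
alice@example.com,yes,yes,no,no,yes
bob@example.com,yes,yes,yes,no,no
carol@example.com,yes,yes,yes,yes,no
dave@example.com,yes,no,no,no,no
erin@example.com,yes,yes,yes,no,yes
"""


def classify(row):
    """Map one result row to an outcome matching the campaign phases:
    FAIL_CREDENTIALS - entered credentials on the harvesting page
    FAIL_CLICKED     - clicked the link but did not submit credentials
    PASS_REPORTED    - did not click and reported the email
    PASS             - did not click; no report recorded
    """
    if row["submitted"] == "yes":
        return "FAIL_CREDENTIALS"
    if row["clicked"] == "yes":
        return "FAIL_CLICKED"
    if row["reported"] == "yes":
        return "PASS_REPORTED"
    return "PASS"


def analyze(csv_text):
    """Return per-user outcomes plus the high-level rates for the summary report."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    outcomes = {r["email"]: classify(r) for r in rows}
    total = len(rows)
    rate = lambda col: sum(1 for r in rows if r[col] == "yes") / total
    return {
        "total": total,
        "click_rate": rate("clicked"),      # share of users who clicked
        "submit_rate": rate("submitted"),   # share who entered credentials
        "report_rate": rate("reported"),    # share who reported the email
        "by_outcome": dict(Counter(outcomes.values())),
        # Filter used for the detailed deliverable: users who failed.
        "failed_users": sorted(e for e, o in outcomes.items() if o.startswith("FAIL")),
        "outcomes": outcomes,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_CSV))
```

A user who clicked and later reported (erin in the sample) is still counted as a fail, but the report_rate shows that reporting behaviour separately.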

    Service Assumptions

    PROJECT-SPECIFIC ASSUMPTIONS

    1. DeepSeas will validate that the campaign is operating as expected on day 1 of the campaign launch, then will re-validate at campaign close.
    2. DeepSeas will generate one (1) phishing campaign for this initiative.

    Client Responsibilities

    • Client to assign a point of contact (POC) responsible for client coordination and logistics.
    • Client to identify targets for the phishing test and provide target names and emails in spreadsheet format (.csv).
    • Client is responsible for whitelisting the phishing tool's IPs in active on-premises and cloud defense systems.
    • Client to provide an example portal to mimic for credential harvesting prior to testing.
    • Client to approve the phishing email template and training landing page prior to testing.
    • Client is responsible for tracking end-user security incident reports that result from testing.