On March 28, 2024, Krebs on Security published an article titled "Thread Hijacking: Phishes That Prey on Your Curiosity". It described an attack in which a journalist's email account was compromised and used to send phishing emails to the journalist's contacts, each one slipped into an existing conversation thread so that it arrived from a trusted sender with plausible context. This article will show you how to plan and execute an effective tabletop simulation based on that real-world incident.
This is a perfect use case for:
- IT security teams across all industries
- Incident response teams
- Executives responsible for cybersecurity strategy
- Organizations using Microsoft Outlook and Office 365
Simulation Start Points
Choosing an interesting start point is key to an engaging tabletop exercise. Some ideas for this scenario:
- A user reports receiving a suspicious email from a known contact that replies to an existing conversation and contains an attachment
- IT notices an account sending an unusually high volume of external emails
- A security alert detects multiple failed login attempts on executive email accounts
- The PR team receives media inquiries about a potential email breach
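The "unusually high volume of external emails" start point presupposes that someone has a detector for it. The following added example (not code from the original page or from the Krebs article) shows one way to build that detector in Python: bucket a mail-flow trace by sender and clock hour, count only external recipients, and alert when an hour exceeds both an absolute floor and a multiple of the sender's own prior hourly average. The trace lines are constructed for the example and loosely follow the shape of a message-trace export with one row per recipient; the example.org domain, the floor of 10 and the multiplier of 5 are assumptions to tune for your own tenant.

```python
"""Spot a mailbox that suddenly mails many external recipients.

Added example for the 'unusually high volume of external emails' start
point. The trace lines are constructed for this illustration and loosely
follow the shape of a message-trace export (timestamp, sender, recipient,
one row per recipient); they are not real data and the domains are
placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

INTERNAL_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Constructed baseline traffic: a couple of external messages per hour.
_NORMAL = """\
2024-03-27T09:02:11Z,alice@example.org,bob@example.org
2024-03-27T09:15:40Z,alice@example.org,editor@partner-news.test
2024-03-27T10:20:05Z,alice@example.org,source@gmail.test
2024-03-27T10:41:12Z,alice@example.org,dave@example.org
2024-03-27T11:05:30Z,alice@example.org,pr@agency.test
2024-03-27T14:45:00Z,alice@example.org,tips@wire.test
2024-03-27T14:50:00Z,alice@example.org,desk@wire.test
2024-03-27T09:30:00Z,carol@example.org,vendor@supplier.test
2024-03-28T03:05:00Z,carol@example.org,vendor@supplier.test
"""
# Constructed burst: the hijacked account mails 25 external contacts in the
# small hours, one message each.
_BURST = "\n".join(
    f"2024-03-28T03:{12 + i:02d}:00Z,alice@example.org,contact{i:02d}@other.test"
    for i in range(25)
)
SAMPLE_TRACE = _NORMAL + _BURST + "\n"


def parse_trace(text):
    """Yield (timestamp, sender, recipient) tuples from CSV-like lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sender, recipient = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sender.lower(), recipient.lower()


def hourly_external_counts(records, internal_domain=INTERNAL_DOMAIN):
    """Count external recipients per sender per clock hour.

    Returns {sender: {hour_start: count}}. Internal recipients are ignored:
    the damage a hijacked account does is to outside contacts.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, sender, recipient in records:
        if recipient.rsplit("@", 1)[-1] == internal_domain:
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[sender][hour] += 1
    return counts


def flag_spikes(counts, min_count=10, multiplier=5.0):
    """Return (sender, hour, count, prior_mean) for hours that spike.

    An hour is a spike when it reaches the absolute floor AND exceeds
    `multiplier` times the sender's mean hourly external count over the
    earlier hours in the window. The floor stops a sender who normally
    sends nothing externally from tripping the rule on two messages.
    """
    alerts = []
    for sender, per_hour in counts.items():
        history = []
        for hour in sorted(per_hour):
            count = per_hour[hour]
            baseline = mean(history) if history else 0.0
            if count >= min_count and count > multiplier * baseline:
                alerts.append((sender, hour, count, baseline))
            history.append(count)
    return alerts


def detect(trace_text=SAMPLE_TRACE):
    """Run the whole pipeline over a trace and return the alerts."""
    return flag_spikes(hourly_external_counts(parse_trace(trace_text)))


if __name__ == "__main__":
    for sender, hour, count, baseline in detect():
        print(f"{sender}: {count} external recipients in the hour starting "
              f"{hour:%Y-%m-%d %H:%M} (prior mean {baseline:.1f}/h)")
```

On the constructed trace the rule fires once, for alice's 03:00 hour on 2024-03-28 (25 external recipients against a prior mean of 1.25 per hour), and stays quiet for carol. The prior-hours baseline is deliberately per sender: a press office that legitimately mails hundreds of contacts an hour should not be measured against a reporter who mails five.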
Tabletop Simulation Phases
Walk through the phases of the NIST SP 800-61 incident response lifecycle. NIST treats Containment, Eradication and Recovery as a single phase; they are split out below so that each gets its own discussion:
- Detection and Analysis
  - Analyze header information and email metadata. Expect SPF, DKIM and DMARC to pass: the message really was sent from the compromised mailbox, so focus on the originating client IP, the sending client, any Reply-To that differs from From, and the linked or attached content rather than on authentication results
  - Review sign-in logs for the sending account (unfamiliar IPs, geographies, user agents, newly registered MFA methods)
  - Identify other potentially compromised accounts
  - Determine the attack vector (e.g. phishing, credential stuffing)
- Containment
  - Block malicious IPs and domains
  - Force password resets on impacted accounts and revoke their active sessions and refresh tokens; a password reset alone does not end sessions the attacker already holds
  - Notify employees of the incident and warn the external contacts who received mail from the hijacked account
- Eradication
  - Remove malware and backdoors from compromised systems
  - Remove mailbox-level persistence: attacker-created inbox rules, auto-forwarding, delegated access, consented OAuth applications and unrecognised MFA methods
  - Patch vulnerabilities that enabled the attack
- Recovery
  - Restore systems to pre-incident state
  - Validate security controls are effective
- Post-Incident Activity
  - Conduct root cause analysis
  - Identify opportunities to improve security posture
  - Update incident response plan based on lessons learned
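The header-analysis step in Detection and Analysis, as an added Python example that is not code from the original page. It parses a raw .eml, pulls out the authentication results, the threading headers, the originating client IP if the mail server recorded one, any links in the body and any attachments. What it demonstrates is that SPF, DKIM and DMARC all pass for a genuine thread hijack, so the useful pivots are elsewhere: the In-Reply-To and References headers that make the lure credible, the originating IP to correlate against the sender's sign-in logs, a Reply-To on a different domain than From, and the URLs or attachments to detonate. The message is constructed for the example: the addresses, IPs, domains and the Reply-To mismatch are placeholders, not indicators from the Krebs article, and the presence of an X-Originating-IP header (which Exchange Online adds for some client submissions) is an assumption.

```python
"""Triage the headers of a suspected thread-hijack message.

Added example: the .eml below is constructed for illustration. Addresses,
IPs, domains and the Reply-To mismatch are placeholders, not indicators
from the Krebs article.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE_EML = """\
Received: from mail-out.example.test (10.0.0.5) by mx.target.test with ESMTPS; Thu, 28 Mar 2024 03:14:07 +0000
Received: from submit.example.test ([203.0.113.77]) by mail-out.example.test; Thu, 28 Mar 2024 03:14:05 +0000
Authentication-Results: target.test; spf=pass smtp.mailfrom=example.test; dkim=pass header.d=example.test; dmarc=pass action=none header.from=example.test
X-Originating-IP: [203.0.113.77]
From: Reporter Name <reporter@example.test>
Reply-To: Reporter Name <reporter@example-mail.test>
To: you@target.test
Subject: Re: your quote for the story
Date: Thu, 28 Mar 2024 03:14:05 +0000
Message-ID: <b7f3c2@example.test>
In-Reply-To: <a1c9d4@target.test>
References: <9f2e71@example.test> <a1c9d4@target.test>
Content-Type: text/plain; charset="utf-8"

Hi, following up on our thread from last week. I shared the document here:
https://docs-share.example-mail.test/view/quote.pdf
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Turn an Authentication-Results header into {method: result}."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "")
        if m:
            results[method] = m.group(1).lower()
    return results


def triage(raw_eml):
    """Extract the fields worth pivoting on and return them as a dict."""
    msg = message_from_string(raw_eml, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()

    # Assumed present: the submitting client's IP as recorded by the mail
    # server. This is the value to correlate with the sender's sign-in logs.
    xoip = msg.get("X-Originating-IP")
    originating_ip = xoip.strip("[] ") if xoip else None

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    urls = re.findall(r'https?://[^\s<>"]+', text)

    return {
        "from": from_addr,
        "reply_to": reply_to,
        "authentication": auth,
        # A genuine hijack passes all three: the mail really came from the account.
        "auth_all_pass": len(auth) == 3 and all(v == "pass" for v in auth.values()),
        # Threading headers are what make the lure read as a continuation.
        "in_existing_thread": bool(msg.get("In-Reply-To") or msg.get("References")),
        # Replies quietly diverted to a lookalike domain are a classic BEC tell.
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != domain_of(from_addr),
        "originating_ip": originating_ip,
        "urls": urls,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key:>20}: {value}")
```

Run against the constructed message, every authentication method reports pass and the threading headers are populated, which is exactly what a hijacked account produces; the findings worth acting on are the originating IP, the Reply-To pointing at a lookalike domain, and the link to analyse in a sandbox.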
Inject Ideas
Add these injects to make your simulation more challenging:
- Emails are sent from the CEO's account authorizing fraudulent wire transfers
- Customer data is leaked and posted on a hacker forum
- The attacker conducts a DDoS attack during remediation efforts
- Incident responders identify an insider threat during the investigation
MITRE ATT&CK Techniques
Techniques potentially used in this attack:
- T1566.001 Phishing: Spearphishing Attachment - The initial compromise vector
- T1586.002 Compromise Accounts: Email Accounts - The hijacked mailbox itself. Because the phish is sent from the real account, the "From" field is genuine and SPF, DKIM and DMARC pass; no header spoofing (T1036 Masquerading) is involved
- T1078.004 Valid Accounts: Cloud Accounts - Signing in to the compromised Office 365 mailbox with the stolen credentials
- T1110.003 Brute Force: Password Spraying - To gain access to additional accounts
- T1114.002 Email Collection: Remote Email Collection - Reading existing threads in the cloud mailbox to choose conversations to hijack (T1114.001 covers local collection from a mail client on a compromised host)
About ChaosTrack
Running a tabletop exercise like this is crucial to improving your cyber resilience, but planning one can be time-consuming and expensive. ChaosTrack can reduce the time spent by 85% and cost by 90%, enabling you to run simulations more frequently. Prepare your team for real-world attacks with ChaosTrack.