
The Adversarial Phishing Simulation Kill-Chain

Real-World Threat Actor Tactics

Adversarial Phishing Simulations go beyond simply sending out generic fake emails using recycled templates. We replicate the sophisticated, often targeted attacks that break through traditional defence mechanisms and deceive individuals by applying offensive security principles and adopting real threat actor tactics. This is outlined in our APS Kill-Chain:

Reconnaissance

We replicate how threat actors gather intelligence - understanding job roles, technology stacks, suppliers and partners and leveraging public data.

Pretext Development

We create realistic narratives that feel credible to your organisation - use realistic branding, relevant context, familiar language and tone, and exploit current events.

Delivery Mechanism

Phishing today is more than just inboxes - we deploy emails, SMS messages, AI-voice calls and QR codes.

Bypass Technical Controls

Our simulations find ways around technical security measures - lookalike domains, embedded links, redirection tactics, and polymorphic attacks.

Exploit Human Behaviour

Our simulations tap into human emotions to test employees' critical thinking skills under pressure - creating urgency, concern/fear, or curiosity.

Payload Delivery

Simulated collection of credentials, the triggering of a simulated download, or the recording of information provided during an AI-powered voice call.

Detection and Reporting

Our portal provides reporting on how employees interact with each simulation, as well as trend analysis. We also offer technical debriefs with an Offensive Security Consultant.
 

Phase One - Strategising the Approach

Reconnaissance
Just as attackers conduct reconnaissance before launching an attack, we gather relevant intelligence to inform the pretext of our simulations. This crucial step ensures our scenarios are realistic and tailored to your organisation.
 
  • Understanding Job Roles - different roles within an organisation have varying levels of access and responsibilities, making them potential targets for different types of phishing attacks.
     
  • Analysing Technology Stacks - awareness of the technologies an organisation uses can inform the creation of technical lures and which forms of phishing would be most effective.
     
  • Identifying Suppliers and Partners - we consider your key suppliers and partners to create simulations that mimic communications from these entities.
     
  • Leveraging Public Data - to simulate spear-phishing, we conduct Open Source Intelligence (OSINT) gathering to uncover information available online, enabling highly convincing, personalised attacks.

Crafting Believable and Relevant Pretexts
Generic phishing attempts are often easy to spot. To truly test employee awareness, APS closely mirrors the threats they might encounter in their daily operations.
  • Realistic Branding - using the actual logos, colour schemes, and language of familiar companies, services, and internal communications.
     
  • Contextual Relevance - tailoring the subject lines and content to industry trends, departmental operations or internal organisational announcements that employees might expect to see.
     
  • Familiar Language and Tone - adopting the communication style commonly used by the impersonated entity, whether it's formal business language or a more casual tone from a colleague.
     
  • Exploiting Current Events - leveraging timely topics or news items that might make a phishing attempt seem more legitimate or urgent.

Different Types of Lures
We use the established pretext to tailor lures to exploit different departments and professional responsibilities.
 
  • Financial - exploiting organisations' financial operations, or individuals' financial anxieties or desire for gains, by mimicking urgent payment requests, fraudulent invoices, investment opportunities, or tax-related scams.

  • Technical - preying on organisations' digital operations and users' fear of security breaches by posing as IT support or a Managed Service Provider offering software updates, warning about compromised accounts, or notifying them of critical system errors.

  • Social - building rapport or creating a sense of obligation by impersonating colleagues, managers, or HR.

Phase Two - Simulation Delivery

Dynamic Stages
Real-world attacks rarely involve a single click and immediate compromise; they are multi-stage, progressively luring targets and bypassing security measures, and our APS replicates this.

  • Initial Contact - first communication designed to pique interest or create urgency.

  • Action Trigger - based on the attackers' goals - a link to a fake login page, or a prompt to provide sensitive information.

  • Follow-Up Communication - additional correspondence to verify the initial contact and action request.

Multiple Methods of Delivery
Phishing is no longer solely an email-based threat; we offer simulations that reflect this multi-vector reality.
 
  • Email Phishing - the traditional and still most prominent method, involving impersonation through email communications that may include malicious attachments and links or urge action or information from the recipient.

  • Smishing - SMS messages containing malevolent links or requests for sensitive information, often leveraging a sense of urgency or authority.

  • Vishing - Phone calls where attackers impersonate trusted entities to extract information or persuade users to take specific actions.

  • Quishing - Malicious QR codes that can lead to phishing websites or trigger malware downloads when scanned.

Bypassing Technical Controls
Threat actors are adept at finding ways around technical security measures. Our APS incorporate elements that test employee vigilance when these controls are circumvented.

  • Lookalike Domains - using dedicated domains that are very similar to the real ones (e.g., echoesecure.co.uk instead of echosecure.co.uk) to see if employees notice subtle discrepancies.

  • Embedded Links - hiding malicious links behind seemingly legitimate text or buttons.

  • Redirection Tactics - simulating scenarios where a user clicks a seemingly safe link but is then redirected to a phishing site.

  • Social Engineering Bypasses - crafting scenarios that put time-sensitive pressure on employees to bypass standard security protocols.

  • Polymorphic Attacks - dynamically changing characteristics such as email content, links, or attachments with each attempt to evade detection by security filters.
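
The lookalike-domain check described above is something a defender can automate at the mail gateway. The following is an added example, not the page's or Echo Secure's own code: it extracts the sender domain from a From: header and flags registrable domains whose brand label is within a small edit distance of, or contains, a protected brand. The protected domains, the simplified suffix list and the sample headers are constructed for the demonstration; echoesecure.co.uk versus echosecure.co.uk is the page's own example.

```python
"""Flag inbound senders whose domain resembles a protected one.

Added example, not code from the original page. The protected domains and
suffix list below are constructed; a real deployment would use the Public
Suffix List and a tuned threshold per brand.
"""
from email.utils import parseaddr

PROTECTED_DOMAINS = {"echosecure.co.uk", "echosecure.com"}  # constructed
TWO_LABEL_SUFFIXES = {"co", "org", "ac", "gov", "net"}  # simplified

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), iterative form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_part(domain: str) -> str:
    """Reduce mail.echosecure.co.uk to echosecure.co.uk (simplified suffix logic)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header value ('' if unparsable)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """'legitimate' (a protected domain), 'lookalike' (brand label within
    max_distance edits of, or containing, a protected brand) or 'unrelated'."""
    reg = registrable_part(sender_domain(from_header))
    if reg in PROTECTED_DOMAINS:
        return "legitimate"
    brand = reg.split(".")[0]
    for protected in PROTECTED_DOMAINS:
        p_brand = protected.split(".")[0]
        # Compare brand labels so echoesecure.co.uk and echosecure-support.com
        # both trip; keep max_distance small for short brands to limit false positives.
        if p_brand in brand or edit_distance(brand, p_brand) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Such a check only flags mail for review; subdomains of a protected domain are treated as legitimate, so it complements rather than replaces SPF/DKIM/DMARC evaluation.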

Exploiting Human Behaviour
Successful attackers are masters of psychological manipulation; APS taps into these human emotions to test employees' critical thinking skills under pressure.

  • Urgency - crafting scenarios that demand immediate action to bypass careful consideration.

  • Concern/Fear - simulating threats of data breaches or operational disruption if specific actions aren't taken.

  • Curiosity - using intriguing or sensationalised subject lines and content to entice users to click links or open attachments without proper scrutiny.

Adapting Tactics
Cybersecurity is a dynamic field, and phishing tactics are constantly evolving. We believe in a continuous improvement cycle.
  • Regularly Conduct Simulations - we recommend conducting simulations on an ongoing basis to track progress, reinforce learning, and identify new emerging vulnerabilities.

  • Evolving Content and Focus - with each subsequent Adversarial Phishing Simulation (APS), we adapt the content, complexity, and focus based on the lessons learned from previous campaigns and the latest intelligence on real-world threats. This ensures your employees are constantly challenged and prepared for the current threat landscape.

Phase Three - Outcomes

Results Analysis
The Echo Secure AI Portal provides access to simulation reports and trend analysis. We meticulously track how employees interact with each simulation, recording who clicked links, submitted data, opened attachments, and the specific actions taken. Furthermore, following each phishing simulation, we offer a technical and lessons-learnt debrief with an Offensive Security Consultant to provide detailed feedback.

  • Identify Susceptible Groups and Individuals - pinpoint specific departments, roles, or even individuals who may require additional focused training.

  • Recognise Prevalent Patterns of Behaviour - understand which types of lures, behavioural triggers, or attack vectors were most successful within your organisation.

  • Highlight Areas of Weakness in Awareness - determine specific attack vectors where employees demonstrated a lack of understanding or vigilance.

Training Webinars
We provide customers with training webinars to lay out clear steps to remediate prevalent weaknesses we observe.

  • Highlight Common Vulnerabilities - based on our extensive experience analysing real-world attacks and simulation results, we pinpoint recurring weaknesses that make organisations susceptible to phishing.

  • Explain the Risks - we clearly articulate the potential impact of these vulnerabilities, translating technical jargon into understandable business risks.

  • Provide Step-by-Step Remediation Guidance - we offer practical, actionable steps that organisations can take to address these common weaknesses, including policy adjustments, configuration changes, and employee training strategies.

  • Answer Questions and Facilitate Discussion - these interactive sessions provide a platform for customers to ask specific questions and share their own challenges.

  • Role-Based Training - we can tailor specific training content for departments to focus on the phishing pretexts they are most likely to see in the real world.

  • Bespoke Sessions - we offer the option for organisations to have bespoke webinars based on the results and analysis of their simulation campaigns.