The U.S. Air Force’s Cyber division used spear-phishing tactics to test whether airmen can proficiently recognize and avoid email-based attacks.
Nation-state warfare is no longer waged with bullets and bombs; instead it’s accomplished today with the click of a mouse, and is a concern to every division of a nation’s government and military. With 70 percent of breaches associated with state-affiliated actors involve phishing, according to the Verizon 2018 Data Breach Investigations Report, it makes sense that the armed forces of every nation should be on alert.
So, it’s pleasing to hear of the Air Force testing their own to see if security awareness is an integral part of the daily mindset. In November of last year, the U.S. Air Force’s Cyber division coordinated an “attack” on bases in Europe to test the likelihood of adversary state-actors being able to successfully gain a foothold within Air Force networks.
For the test, the threat emulation team sent several emails mirroring tactics utilized by real attackers. Emails were sent from non-Department of Defense email addresses to network users, containing legitimate-looking content, adversaries. The emails provided a variety of scenarios, urging Airmen to follow certain steps. For example, one email appeared to come from an Airman & Family Readiness Center, asking users to update a hyperlinked spreadsheet for an upcoming sale. Another email claimed to be from a legal office, and requested users to provide data in a hyperlinked document for a court-martial jury panel.
The really cool part about this test was that the Air Force performed a comprehensive simulation of an email-based threat. They didn’t just send out emails and see who clicked links; the emails contained links to documents that contained embedded “malicious” code that would enable their security team to access the user’s computer.
Results from the test demonstrated the most recipients did not fall for the emails, providing great feedback for where to improve cyber readiness and security awareness.
This test comes at a good time, considering the recent release of the Defense Department Inspector General audit that showed the Army, Navy and Missile Defense Agency are failing to take the most basic cybersecurity steps to secure America’s ballistic missile defense system.
Military divisions, as well as both public and private sector organizations should follow the Air Force’s lead – performing phishing testing, married with Security Awareness Training helps to enhance the security-mindedness of its employees, lowering the risk of falling for phishing scams, social engineering tactics, and being the cause of data breaches, fraud, or espionage.