In an effort to test the cyber awareness of U.S. Air Forces in Europe and Air Forces Africa personnel, an Air Force Information Aggressor Squadron conducted a “blue on blue” spear-phishing attack exercise against a number of specified users July 16 to 22.
Exercise blue-on-blue: you just received an email from an unknown email address stating you would be given a free all-inclusive vacation package to a beautiful resort in Garmisch-Partenkirchen, Germany. All you have to do is sign up by clicking on the link provided in the email.
Would you click the link? If your answer is “yes,” you may have just fallen victim to a cyber phishing attack. Phishing utilizes social engineering techniques through electronic communications to acquire sensitive information such as usernames, passwords, and other personally identifiable information from unsuspecting victims.
The exercise mimicked real-world hacking tactics that could be used by an adversary. The message content was crafted from local information and tailored to a USAFE-AFAFRICA target audience. The goal of the exercise was to evaluate the effectiveness of cyberspace training and to identify deficiencies in attack mitigation.
Of the users who were sent the email, most did not take the bait, but a small percentage did. That means personnel who had completed their Department of Defense Cyber Awareness Challenge course within the past year still did not identify the general warning signs of a phishing attempt. Why is this significant? A successful phishing attack on just one user could give the adversary unabated access to network resources, with direct consequences for critical mission accomplishment.
The 86th Communications Squadron Commander, Lt. Col. Steven P. Brummitt, also stressed the importance of such phishing exercises.
“This blue-on-blue phishing exercise was well-crafted and a good example of the level of sophistication we’re likely to see in a real-world attack. Gone are the days when spear phishing emails were easy to recognize due to misspelled words and nonsensical grammar. Today’s adversary has done their homework … they know how we bank, how we shop, and know what we’re interested in. They know more than enough to craft a clever email that makes it very tempting to click that link. We have to remember our Information Assurance Awareness training and follow those principles, check for digital signatures, and be wary of any request to click a link, download or open an attachment; and remember that if it sounds too good to be true, it probably is.”
The best way to protect yourself from this type of attack is to fall back on your Air Force IA training. Department of Defense Cyber Awareness training teaches that unsolicited emails should be thoroughly scrutinized for discrepancies that call their legitimacy into question. Additionally, if you are unsure about an email you receive, contact your local Communications Focal Point.
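The warning signs the article and Lt. Col. Brummitt list (an unknown external sender, a display name that claims an internal office, a missing digital signature, a link that does not go where it appears to, and "too good to be true" wording) can be checked mechanically. The script below is an added example written for this page, not code from the Air Force or the exercise; it parses two constructed messages with Python's standard `email` module and reports which indicators fire. The trusted-domain list, the lure in the sample, and the sample IP address are all hypothetical, and the signature check only tests whether the message is S/MIME signed (multipart/signed), not whether the signature verifies against a valid certificate chain.

```python
"""Heuristic scan of an e-mail for the phishing warning signs the article lists."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure, modelled on the exercise message (not a real e-mail).
SAMPLE_EML = """\
From: "USAFE MWR Travel Office" <rewards@vacation-offers-example.net>
To: airman@example.mil
Subject: Congratulations - free all-inclusive stay in Garmisch-Partenkirchen!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have been selected for a free vacation package. Sign up today:</p>
<p><a href="http://198.51.100.23/signup">https://www.usafe.af.mil/mwr/signup</a></p>
</body></html>
"""

# Constructed benign sample: internal sender, S/MIME signed, no lure wording.
SIGNED_EML = """\
From: "86 CS Help Desk" <helpdesk@example.mil>
To: airman@example.mil
Subject: Scheduled maintenance window
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The network will be unavailable Saturday 0200-0400.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBAAA=
--b1--
"""

# Assumed (hypothetical) allow-list of domains the organisation treats as internal.
TRUSTED_DOMAINS = {"example.mil"}
# Words typical of "too good to be true" or urgency lures.
LURE_WORDS = ("free", "congratulations", "selected", "winner", "urgent", "verify")
# Display-name tokens that suggest the sender is posing as an internal office.
INTERNAL_TOKENS = ("usafe", "mwr", "air force")

_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_URL = re.compile(r'https?://[^\s<>"]+', re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze(raw_eml):
    """Return a list of (indicator, detail) tuples found in the message."""
    msg = message_from_string(raw_eml)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in TRUSTED_DOMAINS:
        findings.append(("external-sender", addr))
    # Display name claims an internal office while the address is external.
    if domain not in TRUSTED_DOMAINS and any(t in name.lower() for t in INTERNAL_TOKENS):
        findings.append(("display-name-mismatch", f"{name!r} from {addr}"))

    # Presence check only: S/MIME signed mail is multipart/signed. Verifying the
    # signature itself needs the signer's certificate chain and is out of scope here.
    if msg.get_content_type() != "multipart/signed":
        findings.append(("no-digital-signature", msg.get_content_type()))

    # Collect the readable body text (skip the detached signature part).
    body = ""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() in ("text/plain", "text/html"):
                body += part.get_payload(decode=True).decode("utf-8", "replace")
    else:
        body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # A link whose visible text shows one host while the href points elsewhere,
    # or whose target is a bare IP address, is a classic phishing tell.
    for href, text in _ANCHOR.findall(body):
        visible = _URL.search(text)
        if visible and _host(visible.group(0)) != _host(href):
            findings.append(("link-text-mismatch", f"{_host(visible.group(0))} -> {_host(href)}"))
        if _IPV4.fullmatch(_host(href)):
            findings.append(("ip-literal-link", href))

    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        findings.append(("lure-wording", ", ".join(hits)))
    return findings


def verdict(raw_eml):
    """'suspicious' when two or more indicators fire, otherwise 'unremarkable'."""
    return "suspicious" if len(analyze(raw_eml)) >= 2 else "unremarkable"


if __name__ == "__main__":
    for label, eml in (("lure", SAMPLE_EML), ("signed", SIGNED_EML)):
        print(label, verdict(eml))
        for indicator, detail in analyze(eml):
            print("  ", indicator, "-", detail)
```

The sample lure trips every indicator; the signed internal notice trips none. In practice the two-indicator threshold is a tuning knob, and the check is a triage aid for a Communications Focal Point or mail gateway, not a substitute for the user declining to click in the first place.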