Tuesday, August 27, 2024

CONFIGURING A PHISHING CAMPAIGN IN MICROSOFT DEFENDER.




Configuring a phishing campaign in Microsoft Defender (specifically Microsoft Defender for Office 365) involves creating a simulated attack to test and educate users on recognizing and responding to phishing attempts. Here’s a step-by-step guide:


Before building anything, check the Jira ticket for the previous or current monthly phishing campaign. The previous report should include a screenshot of the simulated email and a description of the payload. The payload is the technical part of the simulation: the link or attachment the user is lured into opening, together with how it is delivered. Knowing what was sent last month stops you from repeating the same lure and lets you compare results across campaigns.


Access Microsoft Defender for Office 365

  1. Sign in to the Microsoft 365 Defender portal at https://security.microsoft.com.
  2. In the left-hand navigation pane, select "Email & collaboration".

Navigate to Attack Simulation Training

  1. Click on "Attack simulation training".
  2. If this is your first time using the feature, you might need to go through a brief setup process to enable it. Creating simulations also requires an appropriate role, for example Attack Simulation Administrator; a read-only security role can view reports but not launch a campaign.

Create a New Simulation

  1. Open the "Simulations" tab.
  2. Click "Launch a simulation" to start the wizard.

Define Simulation Details

  1. Simulation Name: Enter a descriptive name for the phishing campaign.
  2. Target Users: Choose the users or groups you want to target. You can select specific users, groups, or even upload a CSV file with the targeted email addresses.

Choose an Attack Technique

  1. Choose the social engineering technique the simulation will use. Attack simulation training offers several, including Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware and Drive-by URL.
  2. The technique determines what "falling for it" means: clicking a link, opening an attachment, or entering credentials on a fake login page. Pick the one that matches the payload recorded in the Jira ticket.

Select a Template

  1. Microsoft provides various phishing templates. Choose a template that best fits the campaign you want to run.
  2. You can preview the template to see how the phishing email will appear to the end-user.

Customize the Phishing Email

  1. You can either use the selected template as is or customize the content to better fit your organizational needs.
  2. Modify the subject line, body content, and sender name if necessary.

Set Launch Options

  1. Choose the launch date and time for your simulation. You can launch immediately or schedule it for a future time.
  2. Optionally, you can choose to repeat the simulation to cover different users or to run periodic tests.

Assign Training

  1. After the phishing simulation, users who fall for the attack can be assigned training automatically.
  2. Choose or create specific training courses that will be assigned to users who clicked on the phishing link or submitted credentials.

Review and Launch

  1. Review all your settings and make sure everything is configured as desired.
  2. Click "Launch simulation" to start the campaign.

Monitor the Campaign

  1. Once the campaign is launched, you can monitor its progress from the "Simulations" tab; the simulation's own page shows delivery, clicks and credential submissions as they happen.
  2. Track which users received the phishing email, who clicked on it, and who submitted credentials.

Analyze Results

  1. After the campaign concludes, go to the "Reports" section to analyze the results.
  2. Review metrics such as click rates, credential submission rates, and completion rates for any assigned training.
  3. Use these insights to understand the organization's susceptibility to phishing and to refine future training efforts.

Follow Up

  1. Based on the results, consider scheduling additional training sessions for users who were susceptible to the phishing simulation.
  2. Continue to periodically run phishing simulations to track improvement and maintain user awareness.
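As an added example (my own code, not from the original post or from Microsoft), the Monitor, Analyze and Follow Up steps above track who received the email, who clicked, and who submitted credentials. The Python below computes those rates from an exported per-user list and picks out the users who fell for more than one simulation, which is who the follow-up training should target first. The CSV columns and the four users are constructed for illustration (the "reported" column, recording use of the Report message button, is an assumption); rename the columns to match whatever export your tenant produces. Click rate is computed against delivered messages rather than targeted users, so undelivered mail does not flatter the result.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data): one row per user per simulation.
# Columns mirror the funnel the dashboard tracks: delivered -> clicked -> submitted credentials.
# "reported" (did the user use the Report message button) is an assumed extra column.
SAMPLE_EXPORT = """\
simulation,user,delivered,clicked,submitted_credentials,reported
2024-06 Payroll update,alice@example.com,yes,no,no,yes
2024-06 Payroll update,bob@example.com,yes,yes,no,no
2024-06 Payroll update,carol@example.com,yes,yes,yes,no
2024-06 Payroll update,dave@example.com,no,no,no,no
2024-07 MFA reset,alice@example.com,yes,no,no,no
2024-07 MFA reset,bob@example.com,yes,yes,yes,no
2024-07 MFA reset,carol@example.com,yes,no,no,yes
2024-07 MFA reset,dave@example.com,yes,yes,no,no
"""


def parse_export(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _yes(value):
    return value.strip().lower() == "yes"


def campaign_metrics(rows):
    """Per-simulation rates. Delivered messages are the denominator, so mail that
    never reached a mailbox does not make the campaign look better than it was."""
    totals = defaultdict(lambda: {"delivered": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for row in rows:
        if not _yes(row["delivered"]):
            continue
        t = totals[row["simulation"]]
        t["delivered"] += 1
        t["clicked"] += _yes(row["clicked"])
        t["submitted"] += _yes(row["submitted_credentials"])
        t["reported"] += _yes(row["reported"])
    metrics = {}
    for name, t in totals.items():
        denom = t["delivered"]  # always > 0: an entry only exists after a delivered row
        metrics[name] = {
            "delivered": denom,
            "click_rate": round(t["clicked"] / denom, 3),
            "credential_rate": round(t["submitted"] / denom, 3),
            "report_rate": round(t["reported"] / denom, 3),
        }
    return metrics


def repeat_clickers(rows, threshold=2):
    """Users who clicked or submitted credentials in at least `threshold` simulations:
    the first group to schedule additional training for."""
    hits = defaultdict(int)
    for row in rows:
        if _yes(row["clicked"]) or _yes(row["submitted_credentials"]):
            hits[row["user"]] += 1
    return sorted(user for user, n in hits.items() if n >= threshold)


def credential_submitters(rows):
    """Everyone who entered credentials at least once. Against a real attacker these
    users would have lost their password, so they deserve a direct conversation."""
    return sorted({row["user"] for row in rows if _yes(row["submitted_credentials"])})


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for name, m in campaign_metrics(rows).items():
        print(name, m)
    print("repeat clickers:", repeat_clickers(rows))
    print("credential submitters:", credential_submitters(rows))
```

The threshold on repeat_clickers is deliberately a parameter: with threshold=1 it returns everyone who ever clicked, which is the list to assign training to; with the default of 2 it returns the people who have not learned from the first round, which is the list to escalate.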

Reference:

Microsoft

PHISHING SIMULATION







Ensuring Compliance in Phishing Campaign Training.


At Company ABC, a recent phishing campaign report revealed that six employees had not completed their mandatory internal phishing awareness training. The campaign was designed to educate employees on recognizing and avoiding phishing attempts, with automated reminders set to encourage timely completion. However, the compliance team noticed that some employees were still vulnerable because their training remained incomplete.


The compliance team's objective was to ensure that all employees completed the training within the designated timeframe. The team aimed to prevent the accumulation of unfinished training from multiple campaigns, which could lead to delays and employee fatigue. The goal was to maintain a security-first mindset across the organization by reinforcing the importance of cybersecurity awareness.


The compliance team investigated the training campaign's setup and discovered that automated reminders were sent bi-weekly during the phishing campaign. Additionally, employees were given an extra seven days to complete the training after the campaign ended. If employees still failed to complete the training, manual reminders and training assignments were issued. The compliance team emphasized the need for consistent follow-up to avoid piling up training obligations, which could dilute the effectiveness of the program.


The team also considered the impact of delayed training on employees' vulnerability to phishing attempts. To address this, they coordinated with the training administrators to ensure that training deadlines aligned with the company's overall cybersecurity strategy. They also set up escalation procedures for repeat offenders who failed to complete multiple training sessions.


As a result of these efforts, the company was able to significantly improve its training completion rates. By enforcing strict deadlines and providing consistent reminders, the compliance team ensured that all employees completed their training before the next phishing campaign.


This proactive approach not only reduced the risk of phishing attacks but also reinforced the organization's commitment to cybersecurity. The team successfully instilled a security-first mindset among employees, emphasizing that everyone plays a crucial role in protecting the organization.
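As an added example (my own code, not part of the original post), the follow-up rules the case study describes, bi-weekly automated reminders while the campaign runs, a seven-day grace period after it ends, and manual escalation for anyone still outstanding, can be encoded so that each employee's training status is computed from the roster rather than tracked by hand. The campaign names, dates and employees below are constructed; the reminder interval and grace period are the ones the case study states.

```python
from collections import defaultdict
from datetime import date, timedelta

REMINDER_EVERY = timedelta(days=14)   # automated reminders go out bi-weekly while the campaign runs
GRACE_PERIOD = timedelta(days=7)      # extra week after the campaign ends before manual follow-up


def reminder_dates(campaign_start, campaign_end):
    """Dates on which the automated reminder fires: every 14 days from launch, up to the campaign end."""
    dates, d = [], campaign_start + REMINDER_EVERY
    while d <= campaign_end:
        dates.append(d)
        d += REMINDER_EVERY
    return dates


def training_status(campaign_end, completed_on, today):
    """Where one employee sits in the follow-up process on a given day."""
    if completed_on is not None:
        return "completed"
    if today <= campaign_end:
        return "pending"        # campaign still running, automated reminders apply
    if today <= campaign_end + GRACE_PERIOD:
        return "grace"          # campaign over, inside the seven-day extension
    return "escalate"           # grace window passed: manual reminder and re-assignment


# Constructed roster: completed_on is None while the training is outstanding.
SAMPLE_CAMPAIGNS = [
    {"name": "2024-06 Payroll update", "start": date(2024, 6, 3), "end": date(2024, 6, 28),
     "assignments": {"alice@example.com": date(2024, 6, 10),
                     "bob@example.com": None,
                     "carol@example.com": None}},
    {"name": "2024-07 MFA reset", "start": date(2024, 7, 1), "end": date(2024, 7, 26),
     "assignments": {"alice@example.com": date(2024, 7, 30),   # finished inside the grace window
                     "bob@example.com": None,
                     "carol@example.com": date(2024, 8, 1),
                     "dave@example.com": None}},
]
REPORT_DATE = date(2024, 8, 10)


def compliance_report(campaigns, today, repeat_threshold=2):
    """Per-campaign status for every assignee, plus the repeat offenders: employees
    who reached 'escalate' in at least `repeat_threshold` campaigns."""
    per_campaign, escalations = {}, defaultdict(int)
    for c in campaigns:
        statuses = {user: training_status(c["end"], done, today)
                    for user, done in c["assignments"].items()}
        per_campaign[c["name"]] = statuses
        for user, status in statuses.items():
            if status == "escalate":
                escalations[user] += 1
    repeat_offenders = sorted(u for u, n in escalations.items() if n >= repeat_threshold)
    return per_campaign, repeat_offenders


def run_sample(today=REPORT_DATE):
    return compliance_report(SAMPLE_CAMPAIGNS, today)


if __name__ == "__main__":
    report, repeat = run_sample()
    for name, statuses in report.items():
        print(name, statuses)
    print("repeat offenders:", repeat)
```

Running the report on a fixed date each week gives the compliance team the same view the case study built manually: who still needs an automated nudge, who is inside the grace window, and who has reached the escalation procedure more than once.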



Monday, August 5, 2024

END OF INTERVIEW.

 



Leaving a Lasting Impression: Five Questions to Ask at the End of Your Interview


You've reached the end of your interview, and the hiring manager asks, "Do you have any questions?" This is your golden opportunity to shine and leave a lasting impression. Here are five insightful questions to ask:


1. How Do You See the Team Evolving in the Next Five Years?

Asking about the team's future shows that you're interested in long-term growth and stability. It also provides insight into the company's strategic vision and how you might fit into their future plans.


2. Could You Tell Me More About Your Goals and How the Team Supports Them?

Understanding the hiring manager's goals and the team's role in achieving them demonstrates your interest in contributing to the company's success. It also helps you gauge how your potential role aligns with the broader organizational objectives.


3. Can You Provide Examples of the Types of Projects I Might Work On and How I Can Succeed in Them?

This question shows your eagerness to hit the ground running and succeed in your new role. It also gives you a clearer picture of what to expect and how to prepare yourself for the challenges ahead.


4. Are There Opportunities for Stretch Assignments Where I Can Learn and Develop New Skills?

Expressing a desire for continuous learning and skill development highlights your ambition and commitment to personal growth. It also indicates that you're looking for a dynamic environment where you can take on new challenges.


5. Could You Share a Project You're Particularly Proud Of and Its Impact on the Business?

This question not only allows the hiring manager to share their achievements but also helps you understand the type of work that is valued and recognized within the company. It can provide insights into the company's culture and what it takes to succeed.

Tuesday, July 30, 2024

QUESTIONS TO ASK AUDITOR








If your organization has yet to obtain a SOC 2 report, the project manager will liaise with the audit team to agree the project framework for acquiring SOC 1 and SOC 2. Strictly speaking, SOC 2 is an attestation report issued by a CPA firm rather than a certification, but the word is used loosely here.


For study purposes, you can start your conversation or email like this:


I am the cybersecurity compliance analyst. The purpose of this conversation is to understand the timeline and the expectations on both sides with regard to SOC.


Questions:

What should be done on our side?


Scope and purpose:


1. Can you provide a detailed explanation of the scope and purpose of the 13 SOC list items you sent us?


2. Are we getting more SOC list items? How will the information be exchanged?


Controls:


3. Could you specify the exact controls and criteria we need to implement and document for each SOC list item?


4. How often should we plan progress review meetings to ensure we are on track?

Sunday, July 28, 2024

AUDIT EVIDENCE - SOC 2





When it Comes to a SOC 2 Report

In terms of common audit evidence, there are three categories:

1. Governance and Risk Management

This includes evidence such as:

  • An organizational chart
  • Policies and procedures
  • Leadership meetings to govern the organization (e.g., information risk council)
  • Risk assessment and risk register
  • Penetration tests and vulnerability scans, along with evidence that actions are being taken based on those results
  • Incident response and business continuity policies and procedures, including tabletop exercises
  • Vendor risk assessments

2. Human Resources (HR)

Many do not realize that SOC 2 includes HR controls. HR will need to provide:

  • Employee roster
  • Documentation for employee onboarding and offboarding
  • New hire checklist compliance
  • Onboarding process evidence (e.g., background check confirmations) and evidence that performance reviews are carried out
  • Employee handbook
  • Evidence of security awareness training

3. Technical Controls

This includes evidence such as:

  • IT asset inventory
  • Network and data flow diagrams
  • Access lists for networks, key systems, and cloud environments
  • Configuration settings for hardware, laptops, and password policies
  • Multifactor authentication status
  • Endpoint protection measures (e.g., antivirus software on laptops)
  • System development life cycle documentation (e.g., change tickets, QA and testing evidence)
  • Monitoring and alert configurations
  • Backup procedures for system recovery

Audit Workflow

The majority of your audit will involve providing audit evidence to the auditor, reviewing that evidence, and engaging in a cycle of acceptance or rejection. Here's a typical workflow between you and the auditor:

  1. Information Request: The auditor will send you a SOC 2 request list, detailing nearly 100 different requests.
  2. Gather Evidence: You will interpret these requests, gather screenshots of configuration settings, download access lists, and retrieve policies.
  3. Upload Evidence: Typically, you will upload these documents to a cloud repository like ShareFile or OneDrive.
  4. Review and Feedback: The auditor will review each file and determine whether to accept or reject the evidence. If accepted, you move forward. If rejected, you will receive an email detailing additional information needed.

Common Challenges

  • File Naming: Ensure files are named accurately to avoid confusion.
  • Feedback Visibility: Lack of visibility into whether the auditor has reviewed your evidence can be frustrating.
  • Coordination: Coordinating with stakeholders (e.g., engineers) to gather necessary evidence can be complex.

Best Practices

  1. Ask Your Auditor: Clarify how information will be exchanged.
  2. Request Process: Understand the process for requesting evidence.
  3. Feedback Process: Ensure you know how feedback will be provided and what constitutes acceptable evidence.


*************


How the Auditor Conducts a SOC 2 Audit

When it comes to thinking through how the auditor is actually going to conduct the audit, there are really only three audit techniques they use to assess your organization.


1. Walkthroughs,

2. Inspection of evidence, and

3. Observation of processes.


That is literally the terminology auditors use to describe what they are doing.


I'll walk through each one so you know how it applies to our organization.


First, walkthroughs are simply meetings. The auditor sits with IT and talks through how the network is designed, the network diagram and the data flows, then schedules a meeting with the engineering team to talk through product overviews, change control and the SDLC.



These are literally interviews with the people on our team to understand how processes work and they'll hear directly from our team members.


However, an auditor is not permitted to rely exclusively on walkthroughs to perform an audit.


SOC 2 requires the auditor to also look at evidence that validates what was said in the walkthrough, which is the second technique, inspection of evidence.


And this is the most common process that an auditor will use to audit.


If you've never been through an audit, what basically happens is that the SOC 2 auditor provides you with a request list of the information they need. For SOC 2 there are usually at least 100 line items, including policies, configuration settings, system access lists and change tickets.


Then our team starts grabbing screenshots, pulling down policies and uploading them to the auditor's portal, and the auditors review all of the evidence.


And then based on their review, they're probably going to come back with questions or want some clarification, or they may even have additional requests that they need to make to get through the audit.


So that's the most robust and time consuming piece of the audit, is that inspection of evidence part.


The third way an auditor will audit our organization is through observation. If you have an on-prem data center or server closet, they might want to look at it to make sure it has physical and environmental controls in place. If your infrastructure is entirely cloud-hosted, the physical controls are inherited from the provider and the auditor relies on the provider's own SOC reports instead of visiting a facility.


If you have a facility, they might inspect the locks on each door to make sure they're actually physically locked.


WHAT AUDITORS WRITE DOWN:

This is what the auditor is writing down. For a SOC 2 you're going to have controls; you might have 50 or 100 of them.


Our example control here: the company maintains security policies and procedures, and policies and procedures are made available to employees in the company's policy document repository.


So then how will the auditor review that?

What will they do to test that control?


There are two test procedures:

1. Inspect the company's security policies and procedures to determine whether policies are documented and up to date. In other words, the auditor reads the policy.

2. Inspect the company's policy document repository to determine whether policies and procedures are made available to employees in that repository.


So, to test the control, they read the policy, then made sure that the policy was actually available to all employees through the document repository, as the control says. The thing that impacts you is the evidence they request to validate that.


So the two pieces of evidence an auditor would request to validate this control are: one, the information security policy, and two, screenshots of your document repository to validate that you actually have a document repository and that the whole company has access to it.



So that's how one control might have two different evidence requests.

And if you have 50 or 100 controls, you can see how that might be 100 or 200 pieces of evidence.


So I hope that adds some clarity to what the auditor is actually doing and how they're testing us.
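As an added example (my own code, not from the original post or from any auditor's material), the control, test procedure and evidence request chain described above, together with the upload and accept/reject loop from the audit workflow section, can be modelled so the open request list is produced on demand instead of reconstructed from email threads. The POL-01 statement and its two evidence requests are the page's own example; the control IDs, the HR-01 control wording, the file-naming convention (enforced because file naming was listed earlier as a common challenge) and the review outcomes are constructed assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class EvidenceRequest:
    control_id: str
    description: str
    status: str = "requested"   # requested -> uploaded -> accepted | rejected
    file_name: str = ""
    auditor_note: str = ""


@dataclass
class Control:
    control_id: str
    statement: str
    test_procedures: list        # what the auditor will do to test the control
    evidence_needed: list        # what they will ask us for in order to do it
    requests: list = field(default_factory=list)


# Assumed naming convention: <control-id>_<short-description>_<YYYY-MM-DD>.<ext>
FILE_NAME_RE = re.compile(r"^[A-Z]{2,4}-\d{2}_[A-Za-z0-9-]+_\d{4}-\d{2}-\d{2}\.(pdf|png|xlsx|docx)$")


def build_request_list(controls):
    """One evidence request per item the auditor needs. The flat list is the
    '100+ line items' the auditor sends: two controls here already produce four."""
    requests = []
    for c in controls:
        c.requests = [EvidenceRequest(c.control_id, desc) for desc in c.evidence_needed]
        requests.extend(c.requests)
    return requests


def upload(request, file_name):
    """Reject badly named files before they reach the auditor's portal."""
    if not FILE_NAME_RE.match(file_name):
        return False
    request.file_name = file_name
    request.status = "uploaded"
    return True


def auditor_review(request, accepted, note=""):
    """Record the auditor's decision; a rejection clears the file so it must be re-uploaded."""
    request.status = "accepted" if accepted else "rejected"
    request.auditor_note = note
    if not accepted:
        request.file_name = ""


def open_requests(controls):
    """Everything not yet accepted, i.e. the work still on our side."""
    return [(r.control_id, r.description, r.status)
            for c in controls for r in c.requests if r.status != "accepted"]


def sample_controls():
    # Constructed control set; POL-01 is the control discussed on the page.
    return [
        Control("POL-01",
                "Security policies and procedures are maintained and made available to "
                "employees in the policy document repository.",
                ["Inspect the security policies to determine they are documented and up to date.",
                 "Inspect the policy document repository to determine policies are available to employees."],
                ["Information security policy",
                 "Screenshot of the policy document repository showing company-wide access"]),
        Control("HR-01",
                "New hires complete a background check and an onboarding checklist before access is granted.",
                ["Inspect a sample of new-hire records for a completed checklist and background check."],
                ["Employee roster with hire dates",
                 "Completed new-hire checklist and background check confirmation for the sampled hires"]),
    ]


def run_scenario():
    """One pass through the loop with constructed outcomes."""
    controls = sample_controls()
    reqs = build_request_list(controls)
    upload(reqs[0], "POL-01_InfoSec-Policy_2024-07-15.pdf")
    upload(reqs[1], "POL-01_Policy-Repo-Access_2024-07-15.png")
    bad_name_accepted = upload(reqs[2], "roster.xlsx")          # fails the naming check
    upload(reqs[2], "HR-01_Employee-Roster_2024-07-16.xlsx")
    auditor_review(reqs[0], True)
    auditor_review(reqs[1], False, "Screenshot must show the sharing settings, not just the folder listing.")
    auditor_review(reqs[2], True)
    return {"total_requests": len(reqs),
            "bad_name_rejected": not bad_name_accepted,
            "open": open_requests(controls)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The status values are the four states a request can be in at any time, which is exactly the visibility the earlier section says is often missing: a query over open_requests tells you what has never been uploaded, what the auditor rejected and why, and therefore what to chase the engineers for.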

