Attacker's Perspective: A Technical Demonstration of an Email Phishing Attack - Zac Davis BSides Philadelphia 2016 (Hacking Illustrated Series InfoSec Tutorial Videos)


It’s no secret that a majority of the breaches and attacks we see today have a root in email phishing. According to Wombat Security’s 2016 State of the Phish report, two-thirds of the organizations they reviewed reported experiencing advanced, targeted phishing attacks. Whether the attacker’s goal is installation of ransomware, stealing private personal information or wiring money, the initial attack vector is often the same.

Together we’ll walk through this common attack vector from a new perspective. Through a live demo you will see an email phishing attack from an attacker’s perspective. This will include:

- Demonstrating OSINT techniques used to develop a targeted campaign against an organization;
- Creating a spear-phishing email showing common and advanced attack vectors for delivering a malicious payload;
- Simulating the initial compromise of a workstation and establishment of a persistent foothold within an organization;
- Demonstrating techniques for enumerating an internal environment while staying under the radar; and
- Demonstrating techniques for moving laterally and elevating privileges within an internal environment.

As each step of the attack is presented, baseline controls will be highlighted to counteract the most common risks presented to an organization, many of which are often overlooked. This talk aims to deliver a deeper understanding of one of the most common threats to organizations today. By witnessing the technical steps involved in targeting, attacking, and compromising an organization first hand, as well as keying in on proven strategies and techniques to deter these attacks, security professionals will be better equipped to protect an organization from the ever-present threat of email phishing attacks!

I am a Senior Information Security Consultant within the Information Security & Privacy Management division of Protiviti. I have a balanced skill set that encompasses network penetration testing, social engineering, physical security penetration testing, and information technology audit and consulting. I have over three years' experience performing internal and external network penetration tests. I have taught classes and presented on topics related to information security at industry events across the country.

Recorded at BSides Philly 2016

Copyright 2020, IronGeek