‘Phishing’ exercise increases awareness

Published April 4, 2014

By Master Sgt. Mark Steenwyk
60th Communications Squadron

TRAVIS AIR FORCE BASE, Calif. -- The 60th Communications Squadron Network Operations team recently went on a "phishing" trip. These Grizzlies weren't after salmon swimming upstream; they wanted to see how many Golden Bears they would catch with an email sent to all base users with the subject, "Network Latency Fix."

During the exercise, more than 300 Travis users clicked an active hyperlink within an attachment to this non-digitally signed email, which appeared to originate from the Travis Comm Focal Point, but actually came from a commercial email provider.

Air Force members remain targets for both individual and state-sponsored actors attempting to infiltrate our networks. Relentless adversarial cyber-attacks occur several times each day, 24/7. Adversaries attack computers at work and at home, knowing that Airmen communicate with the Air Force network via email or transfer information from one system to another.

Every Airman operates within the Cyberspace domain, and almost all Air Force capabilities are dependent on Cyberspace functions; therefore, every Airman, government civilian and contract partner must become a cyber-defender. Acculturation of Cyberspace is critical in the operation and defense of the Air Force Information Network.

We all complete our Information Assurance Awareness computer-based training every year, but how much do we really gain from this training? We must adopt a Cyberspace culture and incorporate it into our doctrine: "Fly, Fight and Win--in Air, Space and Cyberspace!"

To help promote awareness, the 60th Communications Squadron relayed a fake email with a spoofed email address and went "phishing," and more than 300 users on Travis took the bait.

Maj. Adrian Cercenia, 60th CS director of operations, developed the concept of operations and execution of the exercise.
"We wanted to accurately assess the user population's cyber defense posture for Travis," said Cercenia. "To gauge our users, we developed a phishing scenario based off of real-world intel and known attack vectors."

Launching the phishing exercise accomplished exactly what Cercenia had hoped for, as it accurately evaluated the cyber defense posture for Team Travis and the susceptibility of network users.

Senior Airman Luong Phan and Senior Airman Andrew Smetana, both 60th CS, were the crafty technicians who engineered the deceitful email.

"Our goal was to create something that paralleled real-world threats and actions that we often see while conducting defensive cyber operations," Phan said. "We had to create a scenario that we could control and monitor. The message had to be complex and appear to be legitimate, while at the same time incorporating indicators and red flags those cyber-conscious users would quickly be able to identify."

The indicators in the email were obvious when pointed out, such as the lack of a digital signature. The Air Force's Digital Signature Enforcement tool automatically ensures users apply digital signatures to any outgoing email containing hyperlinks or attachments in accordance with Air Force Manual 33-152, User Responsibilities and Guidance for Information Systems. Additionally, the email address itself revealed the message was sent from a commercial account, and the message contained numerous grammatical errors--all indicators that the email was not from a legitimate source.

To help users recognize phishing threats, the Network Operations team recommends using the R-E-A-D mnemonic:

Relevant?
Expected?
Addressed properly?
Digitally Signed?

Any Travis member who receives a suspicious email should immediately report it to their unit Information Assurance Officer, or contact the 60th Air Mobility Wing Information Assurance office at 424-8728.
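Two of the indicators described above, a sender address outside the organization and a message that carries a hyperlink or attachment without a digital signature, can also be checked mechanically during mail triage. The Python below is an added example, not part of the original article or the squadron's tooling; the `example.mil` domain, the sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.mil"}  # assumption: placeholder for the org's mail domains
URL_RE = re.compile(r"https?://", re.I)

# Constructed sample modelled on the exercise email; the sender address is made up.
PHISH = """\
From: "Travis Comm Focal Point" <helpdesk@mail.example.com>
Subject: Network Latency Fix
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached file to apply the fix.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="fix.pdf"

placeholder
--b1--
"""

def looks_signed(msg):
    # Structure check only: this does not validate the S/MIME signature.
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return True
    smime = str(msg.get_param("smime-type", "")).lower()
    return ctype.endswith("pkcs7-mime") and smime == "signed-data"

def red_flags(raw, internal=INTERNAL_DOMAINS):
    """Return the indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in internal:
        flags.append("external-sender:" + (domain or "none"))
    risky = False
    for part in msg.walk():
        text = part.get_content_maintype() == "text"
        body = (part.get_payload(decode=True) or b"") if text else b""
        if part.get_filename() or URL_RE.search(body.decode("utf-8", "replace")):
            risky = True
    if risky and not looks_signed(msg):
        flags.append("unsigned-with-link-or-attachment")
    return flags
```

`looks_signed` only shows that a signature structure is attached; validating it against the issuing certificate chain is a separate step.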
All Airmen must remain vigilant to protect our networks by using good judgment before clicking web links or opening attachments within emails from unknown senders that are not digitally signed. Specifically, be mindful of themed spearphishing messages on health care, military force reductions and taxes. Never provide Personally Identifiable Information to an unknown source, as this could lead to identity theft. Also remember that financial institutions will never request account numbers or financial information via email--they have your information already.

Additionally, when sending emails, ensure you are protecting PII in accordance with AFI-33-332. Be attentive when using the "reply to all" function, remain cognizant of the names and distribution groups that are in the "To" and "Cc" blocks before sending, and always use proper email etiquette as outlined in Air Force Handbook 33-337.

The good news: the vast majority of Team Travis did not take the "bait," and several users actually reported the suspicious email. Had this been an actual phishing attempt, For Official Use Only data, PII and/or Travis network security could have been compromised. The intent of the exercise was not to identify those individuals not practicing good cyber security, but rather to promote user awareness.

As Airmen, we conduct frequent exercises that prepare us to respond to accidents, disasters, contingencies, and deployments, but often we fail to evaluate our ability to operate securely within the cyber domain. Conducting cyber exercises helps secure our network by addressing the greatest network vulnerability: user complacency.

Cyber Security is everyone's responsibility--don't take the bait!