🎯
DEBRIEF & LESSONS LEARNED
What you faced. What you learned. What's next.
2 / 15
What Just Happened
You faced a coordinated, multi-vector attack in 60 minutes.
- 6 different attack vectors — how real attackers work
- Each one realistic — based on actual breaches
- Each one tested your decision-making — under pressure
This wasn't a game. This was a simulation of a real threat your company faces.
3 / 15
The Full Attack Timeline
HOUR 0: OSINT GATHERING
Attacker scrapes public data (LinkedIn, GitHub, press releases)
HOUR 12: PHISHING EMAIL
Spear phish sent to employees. Credentials stolen.
HOUR 24: NETWORK ACCESS
Attacker uses credentials to access company systems
HOUR 30: VISHING ATTACK
Deepfake voicemail from CFO requesting $250k wire
HOUR 36: PHYSICAL ATTEMPT
Attacker tries physical tailgating at the badge gate
HOUR 42: VENDOR COMPROMISE
Compromised vendor email requests banking change
4 / 15
What Stopped the Attack?
You did. Here's how:
- Stage 1: Verified the caller through official IT channels
- Stage 3: Identified the phishing email
- Stage 4: Called the CFO directly to confirm the voicemail
- Stage 5: Asked the delivery person for ID
- Stage 6: Didn't approve the vendor bank change without verification
Key insight: You don't have to be perfect at every stage. You just have to catch it once.
5 / 15
If We Didn't Catch It...
| Vector | If Compromised | Cost / Impact |
|---|---|---|
| Pretexting (Stage 1) | Vendor account compromised | $50k–100k in fraudulent transfers |
| Phishing (Stage 3) | Employee credentials stolen | Data breach, lateral movement |
| Vishing (Stage 4) | Wire fraud | $250k lost (actual scenario) |
| Supply Chain (Stage 6) | Vendor payment diverted | $150k lost (actual scenario) |
Total potential damage: $450k–500k+
6 / 15
Why Social Engineering Works
- It's faster than technical hacking. No need to find zero-days or break encryption.
- It exploits human psychology. Urgency, authority, trust, helpfulness.
- It scales. Sending one phishing email to 1,000 people costs the same as sending it to one person.
- It's hard to detect. People feel bad flagging colleagues or seeming unhelpful.
82% of data breaches involve social engineering
Verizon Data Breach Report 2023
7 / 15
🔍 Vector 1: PRETEXTING
The Tactic
Attacker impersonates an authority figure (IT support) to gain trust.
Why It Works
- People generally want to help
- Authority creates urgency
- Specific details (vendor name, company knowledge) increase credibility
Defense: Verify through known channels. If unsure, hang up and call the person back on their official number.
8 / 15
🔍 Vector 2: OSINT
The Tactic
Attacker gathers public information to build a target list and personalize attacks.
What They Find
- Employee names, titles, photos (LinkedIn)
- Email format patterns (name@company.com)
- Internal tool names and technologies (GitHub)
- Business relationships and vendor names (press releases)
Defense: You can't remove OSINT from the internet, but you can be strategic about what you publish.
9 / 15
🔍 Vector 3: PHISHING
The Tactic
Spear phishing — targeted phishing using OSINT to impersonate someone the victim knows.
Red Flags
- Generic greeting ("Hi team" instead of your name)
- Requesting sensitive info (handles, passwords, account numbers)
- Shortened URLs or suspicious links
- Unusual requests from someone's account (they wouldn't normally ask this way)
- Mismatch between the sender's email address and the reply-to address
Defense: Train to spot red flags. Report suspicious emails. Never click unknown links.
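The red flags above can also be checked automatically as a triage aid. The following is an added example, not part of the original training material: it parses a raw message and reports four of the listed flags (the "unusual request" flag needs human judgment). The word lists, the shortener list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; tune them for your own mail flow.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
GENERIC_GREETINGS = ("hi team", "dear user", "dear customer", "hello all")
SENSITIVE_TERMS = ("password", "account number", "credentials", "username")

def _domain(addr_header):
    """Return the lower-cased domain of an address header, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def red_flags(raw_email):
    """Return the slide's red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    if msg.is_multipart():  # join the plain-text parts
        body = "\n".join(str(p.get_payload()) for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = body.lower().strip()
    flags = []
    first_line = text.splitlines()[0] if text else ""
    if first_line.startswith(GENERIC_GREETINGS):
        flags.append("generic_greeting")
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("sensitive_info_request")
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s:>\"']+)", body)}
    if hosts & SHORTENERS:
        flags.append("shortened_url")
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    return flags

# Constructed sample message (not a real email).
SAMPLE = """From: "IT Support" <helpdesk@example.com>
Reply-To: helpdesk@example-support.test
To: employee@example.com
Subject: Action required: password expiry

Hi team,
Your password expires today. Confirm your username and password here:
https://bit.ly/placeholder
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

Treat the result as a prompt to report the email, not as a verdict: legitimate mail (mailing lists, ticketing systems) can trip the reply-to check, and a clean result does not make a message safe.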
10 / 15
🔍 Vector 4: VISHING & DEEPFAKE
The Tactic
Voice phishing (vishing): Calls or voicemails impersonating company leadership.
Now enhanced with deepfake voice AI for added realism.
Why It's Powerful
- Voicemail creates urgency and emotion
- Harder to "check" than an email
- Deepfake voice is increasingly convincing
- Targets people with wire/payment authority
Defense: NEVER approve wire transfers based on voicemail. Always call back on a known number.
11 / 15
🔍 Vector 5: PHYSICAL TAILGATING
The Tactic
Attacker gains physical access to the building by following someone through a secure door.
Once Inside, Attackers Can
- Plug in USB devices to network ports (malware installation)
- Access unlocked workstations and data
- Steal equipment or documents
- Scout for security vulnerabilities
80% of employees will hold a door for someone carrying something
Defense: Ask for ID. Direct to proper entrance. Don't feel rude enforcing security.
12 / 15
🔍 Vector 6: SUPPLY CHAIN
The Tactic
Attacker compromises a vendor's email account and requests banking changes or payments.
Why It's Dangerous
- Takes advantage of trusted relationships
- Many companies don't verify vendor banking changes
- Money is diverted before anyone realizes (weeks later)
- Vendor and buyer blame each other
Real case: $150k diverted to attacker via vendor banking change email
Defense: Always call vendors to verify banking changes. Document the process.
13 / 15
Layered Defense Strategy
No single control stops everything. Defense is layered.
| Layer 1: Technology | Email filtering, multi-factor authentication, VPN, firewalls |
| Layer 2: Process | Vendor verification, wire approval workflows, badge gates |
| Layer 3: People | Awareness, critical thinking, reporting (that's you) |
You are the most important layer.
14 / 15
Action Items for {{company}}
This Week
- Review your vendor verification process. Is it clear? Is it documented?
- Check email filtering settings. How many phishing emails slip through?
This Month
- Establish a rule: No wire transfers based on voicemail. Always verify by callback.
- Document your IT help desk process. How do employees verify IT calls?
- Review access controls at entry points. Is your badge gate effective?
Going Forward
- Report suspicious emails to {{reportingEmail}} — always.
- Trust your instincts. If something feels wrong, it probably is.
- You are {{company}}'s first line of defense.
🛡️
You're Prepared Now
You understand how real attackers think.
You know what to look for.
You know how to respond.
Trust your instincts. Verify. Report.
Questions? Contact {{reportingEmail}}