"We Want to Mitigate the Risk that Phishing Poses to Companies" - An Interview with mStorm's Founders

A sit down with mStorm's founders on the first year anniversary since coming out of stealth mode.

March 19, 2021

It’s been a year since mStorm GmbH came out of stealth mode by publishing the website mStorm.io . To commemorate this occasion Claus Overbeck, Markus Vervier and Michele Orrù speak about why they founded mStorm, its services and what will come in the future.

Interview and mic

Q: It has been a year since you publicly launched mStorm. How did you come to collaborate and who takes care of what predominantly?

Markus: The founding of mStorm is a two-fold story with me as the linking part in it. I knew Claus from maybe 2005 during our studies at RWTH Aachen University. We both shared a lot of common interests in ethical hacking, information security and have been working on collaborative projects for some time already.

In 2015 I met Michele at a conference in Heidelberg. We had really good discussions and I realized that Michele could bring something new to the table as he was already working in the phishing domain.

By late 2018 we decided to bring together our expertise to found mStorm.

I bring technical expertise in offensive technology and am involved in the development of the framework. Mostly I am involved in the operations side of planning and running phishing campaigns, driving the release of new features that the customers request.

Claus: I too am an IT security expert with an entrepreneurial mindset. But over the last years, I have been more involved in the business side of running companies and look into making the venture successful by steering the marketing and sales division.

Michele: With more than ten years of experience in the phishing domain, I am the main person behind most of the coding and infrastructure development. I work on bringing out new features and selecting which technologies to use for applications.

Q: So, what is the problem that you are trying to solve? Have you had any personal experience with the problem that motivated you to come up with solutions?

Claus: In the last decade companies have invested heavily in making IT networks and applications more secure. While conducting penetration tests or evaluating existing IT security, we realized that the frameworks in place were often already very mature and secure.

Because of this, attackers have shifted their attention to the human factor as breaking into networks is not so easy anymore. This is achieved for example by phishing and that is exactly the problem we are trying to solve.

Michele: We offer a 360-degree service around phishing. This means it is not only limited to simulated phishing campaigns and awareness training but also covers filter testing and other research projects to get better insights on the current IT security and employee awareness levels.

We mainly want to mitigate the risk that phishing poses to companies. Our services give a lot of data and analysis while making the employees more aware of possible phishing scenarios in the future.

Markus: To sum it up, we offer a multilevel fight against phishing.

Q: What would you say is your company’s Unique Selling Point (USP) and what has been your experience with mStorm clients so far?

Claus: Well to answer the first part of the question on our USP, we are a lot more technical than other companies out there. Each of us has more than ten years of experience in IT security. And this is not limited to defensive strategies like setting up filters and firewalls but also offense such as taking the perspective of an attacker to get into systems. What we have learned from our clients is that there is a lot of need for customized simulated phishing campaigns. They need phishing campaigns to be tailored to their employees by hitting the right tone and topics. This customization is not only related to phishing campaigns but also to training materials. For example, the action of reporting phishing incidents is done differently in different companies and training materials need to reflect those differences.

The need for customization means that most off-the-shelf phishing campaign solutions that you can buy from some providers will not be useful as they can’t be customized. But with mStorm’s services we can offer these tailored solutions, which can also be counted as one of our USP.

Markus: Currently our customers are from very different sectors ranging from finance, IT, software development, asset management, insurance and education among others. The feedback we receive has mostly been that we are technically very good and can offer a lot of flexibility and customization to suit their needs.

Michele: Yes, the customer experience has been smooth. We have ongoing monthly discussions to decide which campaigns to run and also this is done well in advance to offer a lot of flexibility to the customer. We have been able to adapt in a very agile way to what they need.

Q: Can you give some insights into the technology behind mStorm?

Michele: Our main stack of technology is Golang, React for the Javascript UI part. We have a microservice-oriented architecture where all our various components are split in various services so that they can be scaled up easily and even add or remove certain services based on what we need. Pretty much all the software we use is custom built and written from scratch except for standard libraries.

The core technology is built keeping scalability in mind. For example, mStorm-AM and mStorm-AT can be scaled up to target any number of users for the e-mail delivery part. This means that nothing special has to be done to send the training to 100 or 100,000 employees!

Claus: Also mStorm-FP is not only a software but also a collection of sample e-mails, attachments, texts, URLs and other data that we use for testing the filters. It is essentially a vast database of e-mail samples that is updated regularly. These samples are recombined and mutated to create a set of unique test e-mails that can be used to test e-mail filters. Thanks to the Monte Carlo simulation that we run, you get a detailed statistical report of what goes through your filters an and what is stopped.

Q: Let’s talk about the future: What are your plans for mStorm in the next years?

Claus: Well we can’t tell too much about it right now, but there are several products in the pipeline as well as research projects where we are developing new data insights as well as tools.

This year we will be adding a more top-down strategic consulting service for customers who want to get an overview of their phishing protection, weak spot identification, and improvements to reduce the risk of e-mail based attacks and other messaging-based attacks.

We will also be launching a new section in our “Knowledge” part of the website aiming to educate anyone seeking to understand cybersecurity in simple terms.

Markus: Our goal has always been to offer services to defend against attacks on both the infrastructure and the employees. We are building tools to automate this so that it can be run frequently and regularly. This would mean that there are continuous checks and it is harder for the attackers.

We are also looking forward to some interesting projects where we will be collaborating with e-learning experts.

There are a lot of new aspects with regard to phishing in the cloud. Attackers are always looking for new ways to exploit the infrastructure and users, so we will keep fine-tuning our services to cover any new form of attack.

Michele: Apart from the already mentioned features and interactive dashboards for our clients, we are also going to release more technical blog posts that cover phishing from an offensive perspective. This will explain in detail with a lot of images a step-by-step process on how attackers target employees and will in turn help the reader to understand if they are not following the right steps to keep themselves safe.

There will also be new tools to analyze e-mails that can be used by anyone on the mStorm website.

Phishing is a problem that will not be solved or going away anytime soon. Secure your enterprise by talking to IT security experts offering a multilevel fight against attackers. We are looking forward to hearing from you.