Phishing is the most common way that malicious actors gain access to the networks of their victims. A single response to a phishing email by an employee is all it takes for a threat actor to get the foothold they need in the network to conduct a devastating attack. Once initial access has been gained, threat actors escalate privileges, move laterally, and conduct a range of malicious activities. What starts with a phishing email, often ends up with ransomware being deployed, with vast amounts of sensitive data stolen in between. This month, as part of Cybersecurity Awareness Week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued joint guidance on combatting phishing.
Phishing is a term that covers social engineering techniques used by malicious actors to trick people into revealing sensitive information such as login credentials or installing malware. The federal agencies explained that it is all too common for IT security teams to put the blame on employees for clicking links in emails, opening malicious attachments, and disclosing their credentials, but this blame game doesn’t solve the problem. Organizations need to create, implement, and maintain phishing defenses that account for human error, as it is inevitable and impossible to avoid.
Various tactics, techniques, and procedures (TTPs) are used by cyber actors in these campaigns, and different mitigations are required for each type of attack. Credential phishing attacks are usually conducted via email, so one of the most important defenses in an email security solution. Email security solutions will reduce the volume of spam and phishing emails reaching inboxes. SpamTitan, for example, blocks more than 99.99% of spam and phishing emails. The federal agencies recommend using DMARC, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) for verifying the sending server of received emails by checking published rules and DMARC, SPF, and DKIM, are all incorporated into SpamTitan.
An email security solution that relies on signature-based detection methods such as anti-virus engines will block all known malware but cannot block novel malware threats that have not yet been identified, and more novel malware variants are now being released than ever before. To improve defenses against malware-based phishing, email security solutions should incorporate machine-learning and AI-based detection, which look for the actions performed by emailed files rather than malware signatures. This is usually implemented through email sandboxing. Emails are sent to a safe and secure isolated environment where they are detonated, and their actions are analyzed for malicious actions.
No email security solution will block all malicious emails without also blocking an unacceptable number of genuine messages, and as the federal agencies point out, email security solutions cannot detect and block phishing attempts via SMS, instant messaging services, and voice phishing. It is therefore important to provide security awareness training to all members of the workforce. The purpose of security awareness training is to reduce susceptibility to phishing attempts by teaching employees about the threat of phishing, providing examples to help them recognize phishing attempts, and conditioning employees to stop and think and report any suspicious emails, SMS messages, and voice calls to their security teams.
Over time, employees will improve and get better at identifying phishing attempts, especially when training is combined with phishing simulations. Phishing simulations are a safe way to give employees practice at putting their training to the test, and these internal campaigns allow security teams to identify individuals who have not taken the training on board, as well as types of phishing emails that are proving effective, both of which can be addressed through further training. Security awareness training using SafeTitan has been shown to reduce susceptibility to phishing attempts by up to 80%; however, training will not totally eliminate employee mistakes. Employees are, after all, humans and not machines.
In addition to email security solutions and training, it is vital to add multi-factor authentication (MFA) to accounts. In the event that a phishing email bypasses technical defenses and fools an employee, MFA should prevent the obtained credentials from being used to access accounts. While any form of MFA is better than none, phishing-resistant MFA is recommended – FIDO or PKI-based MFA.
To increase protection against malware execution, denylists should be used to block malicious domains, URLs, and IP addresses, and rules should be implemented to prevent downloads of common executable files from the internet such as scr, .exe, .pif, .bat, .js, and .cpl files. This is easiest to implement with a web filtering solution such as WebTitan. WebTitan will also block all attempted visits to known malicious websites and can restrict access to only trusted, white-listed domains or URLs, or URLs and domains can be blocked by category.
Further information on improving phishing defenses can be found on the CISA website, and TitanHQ’s friendly sales team will be happy to discuss email security, web security, and security awareness training solutions with you and will help get you set up for a free trial of SpamTitan, WebTitan, and/or SafeTitan. The important thing is not to ignore the threat of phishing and to start taking steps to improve your defenses.