Phishing is one of the most common ways that cybercriminals attack businesses. Phishing is used to install malware and steal credentials, both of which will provide them with initial access to the network. Since phishing targets individuals, one of the most important steps to take to prevent phishing attacks is to provide security awareness training to the workforce.
Employees should be warned about the risk of phishing attacks and taught what to look for to help them identify, avoid, and report phishing threats. Training alone is not the answer though, as employees need practice at identifying phishing. Phishing simulations should therefore be conducted. These are realistic but fake phishing emails that are sent to all members of the workforce, the responses to which are tracked. When a user fails a phishing simulation, they can be provided with relevant training to help them identify similar threats in the future and to correct any risky behaviors. The combination of security awareness training and phishing simulations – both of which are provided through SafeTitan – can reduce susceptibility to phishing attacks by up to 80%.
Security awareness training should teach employees the red flags that indicate a phishing attempt. Employees should also be encouraged to report phishing attempts to their security team, as there is a good chance that the phishing email will not be the only such threat in the email system. When these threats are reported, security teams can remove all other copies of that message from the email system, thus preventing other users from being exposed to the threat. It is also important to encourage users to report phishing threats that they have responded to, as the faster the security team is made aware of a clicked link or file download, the faster mitigations can be implemented to reduce the harm that can be caused.
One problem for businesses is employees are often fearful of reporting responses to phishing emails due to the potential for negative repercussions, such as disciplinary action. If reporting is delayed, then mitigations are also delayed, which can potentially have serious consequences. The UK’s National Cyber Security Centre (NCSC) has recently suggested that in order to address this issue, businesses need to change their mindset. At many businesses, employees are made to feel that it is their responsibility to identify and avoid phishing attempts when the reality is it is the responsibility of the employer to block threats by implementing a range of technical controls. Employees should be trained on how to identify phishing attempts of course, but in order to develop a strong reporting culture, employees must not be made to think that a failure to avoid a phishing threat is their fault. The NCSC also takes issue with the commonly provided advice that employees should not click hyperlinks in unsolicited emails as, in many cases, that is actually a requirement of their job.
Technical Recommendations for Protecting Against Phishing Attacks
So how should businesses combat phishing? What technical measures should be implemented to improve defenses and make it much harder for phishing attacks to succeed? TitanHQ has long recommended what the NCSC suggests, and that is phishing prevention requires a defense-in-depth approach, where multiple overlapping layers of protection are implemented. This is vital, as no single anti-phishing measure will be 100% effective, 100% of the time.
The NCSC recommends multiple technical measures, the most important of which are a spam filtering solution that scans all inbound emails for phishing signatures and the setting of DMARC and SPF policies, as these are effective at blocking the majority of phishing threats. TitanHQ’s SpamTitan solution incorporates DMARC, DKIM, and SPF for blocking phishing threats, machine learning for identifying zero-day threats, as has constantly updated blacklists of malicious IP addresses and domains. SpamTitan also has a sandbox for deep behavioral inspection of attachments, in addition to dual anti-virus engines.
The NCSC also recommends implementing web proxies or web filters to prevent employees from accessing malicious websites linked in phishing emails. SpamTitan Plus rewrites URLs in phishing emails and follows them, providing protection against these malicious links. The WebTitan DNS filter will block access to known malicious websites and will also prevent downloads of malicious or risky files from the Internet, such as executable files – another recommendation of NCSC.
While not often considered by businesses as a phishing prevention measure, a password manager does provide a degree of protection against phishing attacks that harvest credentials, so businesses should provide one for their employees to use and they should encourage employees to use it. Password managers suggest strong passwords and then autofill them when they are required. Since the password is tied to a specific URL or domain, if a user lands on a phishing site that spoofs a brand, the password manager will not auto-fill the password, since the URL/domain is not associated with that password. It is also important to ensure that multi-factor authentication is enabled. Ideally, businesses should opt for passwordless authentication with a FIDO token.
Additional safeguards that should be considered include allow-listing to prevent executable files from running from any directories that users can write them and configuring the Registry to ensure that dangerous scripting or file types are opened in Notepad and are not executed. NCSC also recommends using PowerShell in constrained mode, script signing, disabling the mounting of .iso files on endpoints, locking down the macro settings, and only allowing users to enable macros if they need to do so for their job. Businesses should also stay up to date on the latest threats and ensure that mitigations are implemented against those threats and that they are incorporated into security awareness training programs, as TitanHQ does with SafeTitan.
By implementing all of these mitigations and adopting a defense-in-depth approach it becomes less important that employees can recognize and avoid threats, although training is still important because one or more of the above measures may fail. Businesses should also avoid punishing employees for failing to identify phishing attempts, as that is likely to create a culture of fear rather than a culture of reporting threats.
TitanHQ can help businesses significantly improve their defenses and implement many of the NCSC recommendations for combatting phishing. For more information on TitanHQ solutions, give the team a call today, or take advantage of the free trials on all TitanHQ products.