By now (hopefully), most people will be aware of phishing and the associated dangers. However, despite the increased knowledge, phishing isn’t going away. In fact, phishing is still one of the most reliable methods in an attacker’s arsenal. Trust us: many successful red team engagements have used phishing as their starting point.
The great thing about phishing, from an attacker’s perspective, is that it targets human fallibility and emotion rather than just technical vulnerabilities, and these emotions haven’t changed since the dawn of time. Playing on people’s fear, greed, shame, guilt, anxiety etc. will often trigger a response, which means that, if done well, you can almost guarantee at least one person will fall for an attack. The other great thing is that phishing emails don’t take much time to create, especially when compared to crafting a technical exploit.
So, relatively easy set-up + high success rate = complete no-brainer for attackers.
Phishing education has been key in reducing phishing success rates; however, this education has typically focused on the end-user – i.e. what users can do to spot phishing attempts. But in the age of AI, these tell-tale signs are getting a little harder to spot. Even when staff are educated, a well-crafted, timely attack can catch anyone off guard – even security professionals. So, what can organisations now be doing to continue reducing the risk of phishing attacks damaging their organisation?
Focus now needs to go beyond the user, and beyond the click, to look to implementing robust technical barriers and processes that can limit phishing campaigns reaching targets and prevent any initial mistakes turning into a damaging attack chain. That’s exactly what this insight sets out to explore.
1. Make it difficult for attacks to reach targets
To make it difficult for attacks to reach users, you can implement various technical measures that help limit the number of malicious emails that enter their inboxes. While these measures may not capture every attempt, if executed correctly, they can significantly strengthen your security posture.
These strategies are not new and should already be part of your security protocols. They include spam filters, firewalls, and anti-virus protection.
Spam Filters: Effective spam filters are vital for reducing the risk of end-users receiving phishing emails from malicious domains. For example, a phishing attempt might come from a domain like example.co instead of a legitimate domain such as example.co.uk.
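The lookalike-domain check described above, written out as an added example (not code from the original article): it classifies the domain of a From: header against a constructed set of legitimate domains, catching the wrong-suffix case in the text (example.co for example.co.uk) as well as homoglyph and typosquat variants. LEGITIMATE_DOMAINS, BRAND, the homoglyph table and the sample addresses are all assumptions made for the example.

```python
"""Classify the domain of a From: address against an organisation's legitimate
mail domains and flag lookalikes (wrong suffix, homoglyphs, typosquats).

Added example, not part of the original article. LEGITIMATE_DOMAINS, BRAND and
the sample addresses are constructed for illustration.
"""
from email.utils import parseaddr

LEGITIMATE_DOMAINS = {"example.co.uk", "mail.example.co.uk"}  # constructed
BRAND = "example"  # the registrable label attackers imitate (constructed)

# Characters and digraphs commonly swapped in for Latin letters, mapped back.
# Folding digraphs such as "rn" can produce false positives on long domains,
# so treat the result as a triage signal, not a verdict on its own.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common homoglyph substitutions."""
    out = domain.lower()
    for glyph, latin in HOMOGLYPHS.items():
        out = out.replace(glyph, latin)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str) -> tuple[str, str]:
    """Return (verdict, reason) for a From: header value.

    verdict is one of 'legitimate', 'lookalike', 'external' or 'invalid'.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "invalid", "no domain part"
    domain = addr.rsplit("@", 1)[1].strip().lower()
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate", "exact match"
    norm = normalise(domain)
    if norm in LEGITIMATE_DOMAINS:
        return "lookalike", f"homoglyph of {norm}"
    # The brand label under a different suffix or parent (example.co,
    # example.co.uk.evil.net) is exactly the pattern the article describes.
    if any(BRAND in label for label in norm.split(".")):
        return "lookalike", "brand label under a different domain"
    for legit in LEGITIMATE_DOMAINS:
        if levenshtein(norm, legit) <= 2:
            return "lookalike", f"within 2 edits of {legit}"
    return "external", "unrelated domain"


SAMPLE_FROM_HEADERS = [  # constructed
    "Alice <alice@example.co.uk>",
    "IT Support <it-support@example.co>",
    "HR <hr@examp1e.co.uk>",
    "Payroll <payroll@exarnple.co.uk>",
    "Billing <billing@exampl.co.uk>",
    "News <newsletter@vendor.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict, reason = classify_sender(header)
        print(f"{verdict:<10} {reason:<40} {header}")
```

A commercial filter will also weigh SPF, DKIM and DMARC results and sender reputation; the point of the example is that a lookalike verdict should be produced before the mail reaches the inbox, and that the check has to look at the normalised domain rather than the raw string.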
Firewalls: Advanced host-based firewalls play a crucial role in preventing computers from sending or receiving malicious network traffic. By limiting the ability of attackers to scan or exploit hosts on the network, firewalls can help contain the spread of an attack.
Anti-Virus Protection: This software is essential for blocking malware that may be hidden in email attachments. By preventing the execution of this malware, you stop attackers from gaining a foothold in your network. Taking this a step further, solutions such as App Control for Business and AppLocker can be used to prevent execution of unauthorised software, even when it does not match a known malware signature.
2. Reduce the impact a successful attack could have
Phishing attacks often serve as the entry points for more complex attack chains. It is therefore crucial to consider the potential consequences if an attacker does gain access to your internal network through a phishing attempt. To restrict escalation and mitigate the impact of such attacks, several barriers should be implemented.
Segregate Your Network
Once an attacker gains access to a network, they typically seek to move within it, looking for sensitive information to exploit. A flat network is an attacker’s dream, allowing potentially unrestricted access to all areas of the organisation without the need to navigate between different networks or conceal their activity.
Implementing network segregation is a more effective security measure. Different departments should operate on separate VLANs (Virtual Local Area Networks) with only required access between them permitted. By closing off or restricting access to certain networks, you make it significantly more challenging for attackers to navigate across networks and hide their actions.
Review Staff Privilege Levels and Enhance Authentication for Sensitive Data
Staff privilege levels often go years without review, which can result in employees having access to information or networks they shouldn’t. Access to information should always be granted on a need-to-know basis and by tightly controlling privilege levels, you can minimise the risk of an employee inadvertently leaking sensitive data in response to a phishing attack.
If an attacker does manage to gain control of an account, strict privilege levels will help limit their access to information and make it much harder for them to escalate privileges to a higher level.
Implementing increased authentication measures is also crucial for strengthening access restrictions to particularly sensitive information. Multi-factor authentication should always be employed for extremely sensitive data to enhance access control and, additionally, data monitoring services should be utilised to help internal teams track who has accessed critical information and alert them to any potential data breaches.
Whitelist Domains
By allowing access only to approved domains, you reduce the likelihood of someone clicking on a malicious link, landing on a fraudulent website, and inadvertently providing vital information that could lead to a larger compromise.
3. Plan, Detect, Respond
Detecting a phishing attack involves recognising both subtle and overt signals. These signals can include user login attempts at unusual times, attempts from suspicious or foreign IP addresses, or instances where a compromised laptop tries to connect to another laptop using the same domain user. This behaviour suggests that an attacker is attempting to move laterally across the network.
The more familiar you are with the typical day-to-day activities of your users, the easier it becomes to spot anything unusual. Once you suspect that a user has been compromised, it’s essential to act quickly.
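The signals listed above, turned into detection logic as an added example (not code from the original article): it parses a constructed authentication log and flags off-hours logons, logons from addresses outside the organisation's own ranges, workstation-to-workstation logons by the same domain user (the lateral movement pattern described), and, following the "know your normal" point, logons to hosts the user has never used before. The log format, business hours, internal ranges, host naming convention and per-user baseline are all assumptions made for the example.

```python
"""Run simple post-phishing detections over authentication log lines.

Added example, not part of the original article. The log format, the business
hours, the internal address ranges, the host naming convention, the per-user
baseline and the sample events are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

BUSINESS_HOURS = range(7, 20)                       # 07:00-19:59 UTC (assumption)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORKSTATION_PREFIX = "WS-"                          # host naming convention (assumption)


@dataclass
class LogonEvent:
    when: datetime
    user: str
    src_ip: str
    src_host: str
    dst_host: str
    result: str


def parse_line(line: str) -> LogonEvent:
    """Parse 'ISO-timestamp key=value ...' (constructed format) into a LogonEvent."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return LogonEvent(when, fields["user"], fields["src_ip"],
                      fields["src_host"], fields["dst_host"], fields["result"])


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organisation's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events, baseline):
    """Return (rule, user, detail) tuples for the signals the article lists.

    baseline maps each user to the set of hosts they normally log on to.
    """
    alerts = []
    for e in events:
        if e.result != "success":
            continue  # failed logons belong to brute-force rules, not these
        if e.when.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_logon", e.user, f"{e.when:%H:%M}Z to {e.dst_host}"))
        if not is_internal(e.src_ip):
            alerts.append(("external_source", e.user, f"{e.src_ip} -> {e.dst_host}"))
        # Same domain user moving from one workstation to another is the
        # lateral-movement pattern the article describes.
        if (e.src_host.startswith(WORKSTATION_PREFIX)
                and e.dst_host.startswith(WORKSTATION_PREFIX)
                and e.src_host != e.dst_host):
            alerts.append(("lateral_movement", e.user, f"{e.src_host} -> {e.dst_host}"))
        if e.dst_host not in baseline.get(e.user, set()):
            alerts.append(("new_destination_host", e.user, e.dst_host))
    return alerts


def run(log_text: str, baseline: dict) -> list:
    """Parse every non-empty line and run the detections over it."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return detect(events, baseline)


# Constructed sample: a normal morning logon, then the same user at 02:00
# logging on from outside, then hopping to a second workstation.
SAMPLE_LOG = """\
2024-03-04T09:12:41Z user=jsmith src_ip=10.20.5.17 src_host=WS-0017 dst_host=WS-0017 result=success
2024-03-04T02:13:07Z user=jsmith src_ip=10.20.5.17 src_host=WS-0017 dst_host=WS-0017 result=success
2024-03-04T02:15:30Z user=jsmith src_ip=198.51.100.23 src_host=UNKNOWN dst_host=MAIL-01 result=success
2024-03-04T02:20:02Z user=jsmith src_ip=10.20.5.17 src_host=WS-0017 dst_host=WS-0042 result=success
2024-03-04T10:05:00Z user=ajones src_ip=10.20.7.3 src_host=WS-0101 dst_host=FS-01 result=success
2024-03-04T10:06:12Z user=ajones src_ip=10.20.7.3 src_host=WS-0101 dst_host=FS-01 result=failure
"""
BASELINE_HOSTS = {"jsmith": {"WS-0017"}, "ajones": {"WS-0101", "FS-01"}}  # constructed

if __name__ == "__main__":
    for rule, user, detail in run(SAMPLE_LOG, BASELINE_HOSTS):
        print(f"{rule:<22} {user:<8} {detail}")
```

The per-user baseline is what makes the "new destination host" rule possible; in practice it is learned from a quiet period of logs rather than typed in, and a single alert should be read alongside the others for the same user, since an off-hours logon on its own is usually just someone working late.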
Plan and Practice Your Incident Response
Planning your response to various phishing scenarios is crucial. Internal teams should know exactly what to do when a real incident occurs. However, having a plan is only the first step; practicing that plan is equally important.
As Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.” This applies to information security incidents as well. Ensure that you regularly engage your teams in practice exercises, fine-tune your plans, and provide security teams with the tools they need for a swift and effective response.
Empower Your Team to Act
Your internal defence teams must be empowered to act quickly. This might involve blocking requests from suspicious IP addresses and locking down the emails or accounts of users suspected of being victims of phishing attacks.
Imagine that within five seconds of an attack, your team isolates the affected account, resets all passwords, and blocks the attacker’s IP address. If an attack occurs again, the same process should be followed, with the new IP blocked as well.
Automation can be beneficial in these situations, as rules can be established to quickly identify and respond to potential phishing campaigns. However, automation is only as effective as the rules you create, so it should not be relied upon solely to catch every attempt. A combination of automation and human decision-making is likely the best approach. Regardless of the method you choose, acting quickly is crucial.
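The combination of automated rules and human decision-making described above, as an added example (not code from the original article): detection rules are weighted into a score, high-confidence cases isolate the account and block the attacker's address automatically, middling cases are queued for an analyst, and two safeguards stop automation doing harm: the organisation's own address ranges are never blocked, and break-glass or service accounts are escalated to a person rather than locked. A repeat incident runs the same process and blocks the new address too, as the text recommends. The weights, thresholds, protected accounts, ranges and sample incidents are all assumptions made for the example.

```python
"""Decide the response to a suspected phishing compromise from detection alerts.

Added example, not part of the original article. The rule weights, thresholds,
protected accounts, own address ranges and sample incidents are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RULE_WEIGHTS = {                 # constructed; tune to the quality of your own rules
    "external_source": 40,
    "lateral_movement": 40,
    "new_destination_host": 15,
    "off_hours_logon": 10,
}
AUTO_CONTAIN_AT = 60             # score at which containment runs without waiting
ANALYST_REVIEW_AT = 25           # score at which a human looks before anything runs
OWN_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PROTECTED_ACCOUNTS = {"breakglass-admin", "svc-backup"}   # never locked by automation


@dataclass
class Responder:
    """Keeps the block list and an audit trail across incidents."""
    blocked_ips: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def score(self, rules) -> int:
        """Sum the weights of the rules that fired, capped at 100."""
        return min(100, sum(RULE_WEIGHTS.get(r, 0) for r in rules))

    def handle(self, user: str, rules, source_ips) -> dict:
        """Return the decision for one suspected compromise and record it."""
        s = self.score(rules)
        decision = {"user": user, "score": s, "actions": [], "skipped": []}
        if s < ANALYST_REVIEW_AT:
            decision["outcome"] = "log_only"
        elif s < AUTO_CONTAIN_AT:
            decision["outcome"] = "analyst_review"   # human decides, nothing runs yet
        elif user in PROTECTED_ACCOUNTS:
            decision["outcome"] = "escalate"         # page on-call; never auto-lock these
        else:
            decision["outcome"] = "auto_contain"
            decision["actions"] += [f"disable_account:{user}",
                                    f"revoke_sessions:{user}",
                                    f"reset_password:{user}"]
        # Blocking an external address is low-risk, so do it for both the
        # automatic and the escalated path, but never block our own ranges.
        if decision["outcome"] in ("auto_contain", "escalate"):
            for ip in source_ips:
                if any(ip_address(ip) in net for net in OWN_RANGES):
                    decision["skipped"].append(f"block_ip:{ip} (own range)")
                elif ip in self.blocked_ips:
                    decision["skipped"].append(f"block_ip:{ip} (already blocked)")
                else:
                    self.blocked_ips.add(ip)
                    decision["actions"].append(f"block_ip:{ip}")
        self.audit.append(decision)
        return decision


if __name__ == "__main__":
    r = Responder()
    # Constructed incidents, in the shape the detection stage would emit.
    print(r.handle("jsmith", ["off_hours_logon", "external_source", "lateral_movement"],
                   ["198.51.100.23", "10.20.5.17"]))
    # Same user hit again from a new address: same process, new IP blocked as well.
    print(r.handle("jsmith", ["external_source", "lateral_movement"],
                   ["203.0.113.9", "198.51.100.23"]))
    print(r.handle("ajones", ["off_hours_logon", "new_destination_host"], []))
    print(r.handle("breakglass-admin", ["external_source", "lateral_movement"],
                   ["203.0.113.77"]))
```

The action strings stand in for calls into the identity provider and the firewall; what matters is that the automation's reach is bounded by explicit rules (thresholds, own ranges, protected accounts) and that every decision, including the ones it declined to take, lands in the audit trail for the people who follow up.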
There’s always the chance your security team may identify legitimate communication as a phishing attempt, but it’s far better to act quickly and have short-term loss of access, rather than hesitate and have the long-term pain of a data breach.
4. Put your defences to the test
The measures set out above will help limit the potential of a phishing attack reaching users and reduce the chances of it becoming a more damaging attack chain. But, like all security measures, they need testing to ensure they are as effective as possible. That’s where penetration testing can help.
Our infrastructure testing is designed to put your existing network security measures to the test and help uncover security vulnerabilities that could potentially be exploited following a successful phishing campaign.
So, if you’ve put in place security measures to prevent phishing but you’re not sure whether they’re effective, why not contact us and see how we can provide you with the security assurances you need.