In August 2019, Air New Zealand suffered a data breach. According to reports, attackers were able to gain access to the personal details of customers enrolled in the victim’s Airpoints loyalty programme. The way in? A phishing attack that compromised two staff accounts. Phishing attacks certainly aren’t a new phenomenon, and according to figures 32% of breaches now involve the technique. Attacks of this nature can have two main motives:
• to steal user data, including login credentials, credit card numbers, etc.,
• to gain a foothold within corporate or government networks as part of a wider attack.
Awareness of the issue is growing and there is plenty of advice out there on how to spot the potential warning signs.
This awareness seems to have had the desired effect, and sanctioned simulations have shown that click rates on malicious phishing emails have decreased from around 25% in 2012 to just under 3% in 2019. Education and training around phishing is an important step, but the nature of attacks, which target human fallibility, will likely mean we never eradicate the issue fully. You could have all the training and technology in place, but if a phishing attack is done well, you can almost guarantee that at least one person will be caught out.
So, if that’s the case, what should you be doing to reduce the likelihood of an initial phishing attack turning into a damaging attack chain?
1. Make it difficult for phishing attacks to reach users
The use of well-designed spam filters can reduce the likelihood of your end users receiving phishing emails that come from malicious domains (for example, instead of example.co.uk, the malicious domain would be example.co).
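The lookalike-domain check above, as an added example that is not from the original article: a small sender-domain classifier of the kind a mail filter could apply. The trusted domain, the list of character substitutions and the sample addresses are all assumptions made for this example.

```python
"""Flag sender domains that imitate the organisation's own domain."""

# Assumed legitimate domain for this example (the article's example.co.uk).
TRUSTED_DOMAINS = {"example.co.uk"}

# Common substitutions attackers use to make a lookalike label read like the
# real one (rn for m, 1 for l, 0 for o, ...). Constructed list, not exhaustive.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("5", "s"))


def normalise(label):
    """Fold substitutions and hyphens so 'examp1e' and 'exarnple' read as 'example'."""
    for lookalike, real in SUBSTITUTIONS:
        label = label.replace(lookalike, real)
    return label.replace("-", "")


def classify_sender(address):
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    # Exact match or a genuine subdomain of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    # Otherwise compare the leftmost label with the trusted brand name.
    # This catches example.co (TLD swap), examp1e.co.uk (homoglyph) and
    # example.co.uk.evil.com (trusted name used as a subdomain prefix).
    leftmost = normalise(domain.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        if normalise(trusted.split(".")[0]) in leftmost:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("hr@mail.example.co.uk", "hr@example.co",
                 "it-support@exarnple-login.com", "news@partner.org"):
        print(addr, "->", classify_sender(addr))
```

The brand-name containment test is deliberately noisy (it will flag legitimate partners whose names contain yours), so treat a "lookalike" verdict as a quarantine-and-review signal rather than an automatic block.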
Well-developed and sophisticated host-based firewalls can prevent computers from receiving or sending malicious network traffic to and from other users on the network. This stops an attacker propagating across the network by reducing their ability to scan from a compromised host, or to scan the host itself.
Anti-virus can further help prevent a user from inadvertently running malware that may have been embedded in an email attachment. By stopping the malware from compromising the host, you stop the attacker from leveraging that access as a foothold into the network.
2. Encourage staff to report suspicious activity
As we mentioned before, continued education is important, and staff need to understand what to look out for so they can help stop an attack before it’s even begun. But education is only the first step.
The reporting of suspected phishing attacks needs to be positively encouraged and staff shouldn’t be fearful of reporting suspect communications, even if they have clicked on them. There should never be a culture of blame attached to reporting and to do so would only encourage staff to keep quiet, potentially giving attackers more precious time.
3. Reduce the impact beyond the initial phishing attack
Phishing attacks are often used as the entry point to a more complex attack chain and considerations need to be given to what could happen if an attacker does manage to successfully gain access. Barriers need to be put in place to restrict attackers and reduce the impact they could have. These include:
> Segregate your network
Once an attacker has gained access to a network, they will usually look to move within it, searching for sensitive information they can benefit from.
A flat network can be an attacker’s dream, allowing them to potentially access all areas of the organisation without the need to jump between networks and to keep their activity hidden.
A segregated network is much more effective from a security standpoint, and different departments should sit on different VLANs. Closing off, or restricting, access between networks makes it far more difficult for attackers to move and to keep their activity concealed.
> Review staff privilege levels and increase authentication around sensitive data
Staff privilege levels can go years without review and often mean that staff have access to information or networks they shouldn’t.
Access to information should always be granted on a need-to-know basis; keeping privilege levels tightly controlled minimises the chances of staff leaking sensitive data in response to a phishing campaign.
If an attacker does manage to gain control of an account, then strict privilege levels can restrict what an attacker has access to and can make it much harder for them to escalate privileges to a higher level.
Increased authentication measures should be used to further strengthen access restrictions on particularly sensitive data. Two factor authentication, or even three factor for extremely sensitive data, can be employed to strengthen access control. Data monitoring services can also allow internal teams to see who has accessed critical data and alert them to any potential data extraction.
> Whitelist domains
By only allowing access to approved domains, you limit the chances of somebody clicking on a malicious link, landing on a fraudulent website, and giving away vital information that may lead to a wider compromise.
4. Detect and be prepared to respond quickly
Detecting a phishing attack is all about spotting the subtle, and sometimes not so subtle, signals. These can include user login attempts at unusual times, login attempts from suspicious or foreign IPs, or even a compromised laptop trying to connect to another laptop using the same domain user, suggesting an attacker is trying to move laterally across the network.
The more you know about the ‘usual’ day-to-day activities of your users, the easier it is to spot something out of the ordinary, and once you suspect a user has been compromised it’s time to act quickly.
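The three signals described above, run over constructed logon records as an added example that is not part of the original article. The log format, the working hours, the internal address range and the list of server names are assumptions made for this example; a real deployment would take them from the organisation's own baseline.

```python
"""Flag phishing follow-on signals in authentication logs."""
import ipaddress
from datetime import datetime

# Constructed sample logon events: timestamp, domain user, source IP, target host.
SAMPLE_LOGS = [
    "2019-08-12T09:14:02 user=alice src=10.0.1.15 dst=FS01",
    "2019-08-12T03:21:44 user=bob src=10.0.1.22 dst=FS01",
    "2019-08-12T10:05:19 user=carol src=203.0.113.7 dst=MAIL01",
    "2019-08-12T10:06:01 user=bob src=10.0.1.22 dst=WS-0042",
    "2019-08-12T10:06:09 user=bob src=10.0.1.22 dst=WS-0043",
]

# Assumed baseline: normal working hours, the corporate address range, and the
# hosts users are expected to log on to (anything else is a workstation).
WORK_HOURS = range(7, 20)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SERVERS = {"FS01", "MAIL01"}


def parse(line):
    """Turn one 'ts key=value ...' record into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_signals(lines):
    """Return (user, reason) pairs for logons an analyst should review."""
    signals = []
    for ev in map(parse, lines):
        if ev["ts"].hour not in WORK_HOURS:
            signals.append((ev["user"], "logon outside usual hours"))
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in INTERNAL_NETS):
            signals.append((ev["user"], f"logon from external address {src}"))
        if ev["dst"] not in SERVERS:
            # Same domain user reaching another workstation: lateral movement.
            signals.append((ev["user"], f"workstation-to-workstation logon to {ev['dst']}"))
    return signals


if __name__ == "__main__":
    for user, reason in find_signals(SAMPLE_LOGS):
        print(f"{user}: {reason}")
```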
> Plan and practice your incident response
Planning your response to a variety of phishing scenarios is vital and internal teams should know what to do when it happens for real.
But it’s more than just having a plan set down, it’s about practicing those plans.
As Mike Tyson once said, “everyone has a plan until they get punched in the mouth”, and it’s the same for information security incidents. You need to ensure you’re regularly engaging teams with practice exercises, fine-tuning the plans, and ensuring that security teams are providing a swift and effective response.
> Empower your team to act
Internal defence teams should be empowered to act quickly. This could include blocking requests from suspicious IPs and locking down the emails or accounts of users suspected of being phished. Imagine that, within 5 seconds of being popped, your team has isolated the affected account, reset all passwords, and blocked the attacker’s IP address. If it happens again, the same process runs and the next IP is blocked. And so on.
Automation can be of benefit in this situation, and rules can be set to identify, and quickly act upon, a potential phishing campaign. However, automation is only as good as the rules behind it and therefore cannot be relied on fully to catch every attempt. A blend of automation and human decision making is probably best, but whatever you choose, acting fast is key. You may wish to put your internal teams to the test: any hesitation could allow the attacker to escalate their access.
There’s always the chance your security team will identify a legitimate communication as a phishing attempt, but it’s far better to act quickly and suffer a short-term loss of access than to hesitate and suffer the long-term pain of a data breach.