June 12, 2018 | SSS Security Consulting
Phishing is on the rise. Below we explain the techniques used by phishers, and the approaches and controls we recommend organisations deploy to combat phishing.
It was highlighted during a recent RSA conference that over 90% of successful cyber-attacks originate from email. New Zealand is no exception to this trend, and the Computer Emergency Response Team (CERT NZ) has shown in recent quarterly reports that more than 50% of reported attacks are attributed to phishing. Other reported email-borne attacks included scams, fraud and credential harvesting.
Over the past 18 months, phishing emails have increased dramatically in both frequency and sophistication, making them harder to detect and stop. Bad actors are constructing phishing emails with innocuous text that looks and reads like a standard business email, without the tell-tale features you would normally see in typical spam (e.g. poor spelling and grammar). They send emails from clean IP addresses and clean domains, sometimes using legitimate domains that have been compromised; they might also use clean URLs and URL redirection to avoid detection. All of this means that it is incredibly hard for standard anti-spam and content filters to detect and block these messages, and even harder for the average user to spot them.
This is an issue we have seen across all our customers, and within sites using every imaginable email filtering technology; hence combating the threat of phishing requires a comprehensive approach.
At SSS we recommend the following approaches and controls to best protect your organisation, its people and reputation.
- Tailored training and awareness for end-users
- Effective email security technology to block the bulk of junk/spam:
Configure your email gateway securely - use SPF, DMARC & DKIM
By using industry-standard email security techniques such as SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance) and DKIM (DomainKeys Identified Mail), you can reduce the chance that others can spoof your domain and send spam purporting to be from your organisation. Using these is now mandatory for US government agencies, and adoption is spreading across the UK, Australia and New Zealand. The more organisations that adopt them, the safer email will be for all. It is a bit like immunisation in that regard.
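As an added illustration, not part of the original article or of any SSS tooling, the Python script below assesses the SPF, DKIM and DMARC records a domain publishes and reports settings that leave the domain open to spoofing: an SPF record ending in +all or ?all (or with too many DNS lookups), a DKIM selector in test mode or with an empty, revoked key, and a DMARC record set to p=none, to a pct below 100, or without a reporting address. The records are constructed strings for the imaginary domain example.com; a live check would fetch the TXT records for the domain, for _dmarc.<domain> and for <selector>._domainkey.<domain>. Two caveats worth keeping in mind: DMARC only causes spoofed mail to be rejected once the policy is quarantine or reject, and none of these records protects against mail sent from a look-alike domain the attacker controls.

```python
"""Assess the anti-spoofing posture of a domain's published SPF, DKIM and DMARC records.

Added example: the records are constructed strings for example.com rather than live DNS
answers; a real check would fetch the TXT records for the domain, _dmarc.<domain> and
<selector>._domainkey.<domain>.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "info", "warn" or "high"
    message: str


def parse_tag_value(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.strip().partition("=")
            tags[tag.strip().lower()] = value.strip()
    return tags


def _spf_term_name(term: str) -> str:
    # Drop the qualifier (+ - ~ ?) and anything after ':' '/' or '=' to get the mechanism name.
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def assess_spf(record: str) -> list:
    if not record.lower().startswith("v=spf1"):
        return [Finding("high", "no valid SPF record (must start with v=spf1)")]
    terms = record.split()[1:]
    findings = []
    # The terminal 'all' mechanism decides the fate of hosts not listed earlier.
    terminal = next((t for t in terms if _spf_term_name(t) == "all"), None)
    if terminal is None:
        findings.append(Finding("warn", "no 'all' mechanism: unlisted senders default to neutral"))
    elif terminal in ("all", "+all"):
        findings.append(Finding("high", "+all: any host on the internet may send as this domain"))
    elif terminal.startswith("?"):
        findings.append(Finding("warn", "?all (neutral): spoofed mail is neither passed nor failed"))
    elif terminal.startswith("~"):
        findings.append(Finding("info", "~all (softfail): consider -all once all legitimate senders are listed"))
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms makes the record permerror.
    dns_terms = [t for t in terms if _spf_term_name(t) in {"include", "a", "mx", "ptr", "exists", "redirect"}]
    if len(dns_terms) > 10:
        findings.append(Finding("high", f"{len(dns_terms)} DNS-querying terms exceed the limit of 10 (permerror)"))
    return findings


def assess_dkim(record: str) -> list:
    tags = parse_tag_value(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional in DKIM key records
        return [Finding("high", "unrecognised DKIM record version")]
    findings = []
    if not tags.get("p"):
        findings.append(Finding("high", "empty p= tag: the selector's key is revoked, signatures will fail"))
    if "y" in tags.get("t", "").split(":"):
        findings.append(Finding("warn", "t=y: key is in test mode, verifiers may ignore failures"))
    return findings


def assess_dmarc(record: str) -> list:
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "no valid DMARC record (must start with v=DMARC1)")]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(Finding("warn", "p=none only monitors: spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("info", "p=quarantine: move to p=reject once aggregate reports look clean"))
    elif policy != "reject":
        findings.append(Finding("high", f"policy '{policy}' is missing or invalid"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("warn", f"pct={pct}: only {pct}% of failing mail receives the policy"))
    if "rua" not in tags:
        findings.append(Finding("warn", "no rua= address: you will receive no aggregate reports"))
    return findings


def worst_severity(findings: list) -> str:
    order = {"info": 0, "warn": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default="ok")


# Constructed records for the imaginary example.com: one weak set and one hardened set.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED = {
    "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexamplekeybody",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}


def assess_domain(records: dict) -> dict:
    """Run all three checks and return {record type: worst severity}."""
    return {kind: worst_severity(check(records[kind]))
            for kind, check in (("spf", assess_spf), ("dkim", assess_dkim), ("dmarc", assess_dmarc))}


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_domain(recs))
```

Run against the two constructed sets, the weak records come back as high for SPF and DKIM and warn for DMARC, while the hardened set produces no findings. The checks are deliberately about the policy a domain publishes, which is what an organisation controls; whether a receiving gateway actually enforces that policy is up to the receiver.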
- Supplementary tools and configurations that provide protection from the actions within phishing emails (e.g. ransomware, malware transfer, credential harvesting and invoice payments). These include the following:
Anti-virus scanning
Anti-virus scanning of email will help to search for, detect and remove viruses that might be delivered in an email (e.g. via links and/or attachments).
Outbound spam and email anomaly detection
Many organisations protect themselves from what comes into their network, but what about spam, malware and phishing attacks that originate from within your own infrastructure? Outbound spam and email anomaly detection can help identify and prevent such an outbreak.
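The kind of detection described here, as an added example that is not from the article: a small Python routine that reads outbound gateway log lines and flags any sender whose message volume, or spread of recipient domains, within a sliding window is far above normal, the pattern of a compromised internal account being used to relay spam or phishing. The log lines are constructed in a simplified key=value format; LINE_RE would need to be adapted to your gateway's real log format, and the thresholds tuned to your own baseline.

```python
"""Flag outbound sending anomalies from mail-gateway log lines.

Added example: the log lines are constructed in a simplified 'key=value' format and are not
the output of any specific product; adapt LINE_RE to the real format of your gateway.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) status=(?P<status>\w+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(), "status": m["status"]}


def detect_outbound_anomalies(lines, window=timedelta(minutes=5), max_msgs=20, max_rcpt_domains=10):
    """Return {sender: reason} for senders exceeding the per-window limits.

    A sliding window over each sender's timestamps catches bursts regardless of where
    clock-aligned boundaries fall; a high count of distinct recipient domains within the
    window separates a spam burst from a legitimate internal broadcast to one domain.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["sender"]].append(ev)
    alerts = {}
    for sender, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            domains = {e["rcpt"].rsplit("@", 1)[-1] for e in in_window}
            if len(in_window) > max_msgs:
                alerts[sender] = f"{len(in_window)} messages within {window}"
                break
            if len(domains) > max_rcpt_domains:
                alerts[sender] = f"{len(domains)} distinct recipient domains within {window}"
                break
    return alerts


def _build_sample_log():
    """Constructed sample: alice sends normal internal mail, bob shows a compromised-account burst."""
    base = datetime(2018, 6, 12, 9, 0, 0)
    lines = []
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} from=alice@example.com to=finance@example.com status=sent")
    for i in range(30):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} from=bob@example.com to=user{i}@partner{i}.example status=sent")
    lines.append("this line is malformed and is skipped by the parser")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for sender, reason in detect_outbound_anomalies(SAMPLE_LOG).items():
        print(f"ALERT {sender}: {reason}")
```

On the constructed sample only bob is flagged, and it is the recipient-domain spread (11 distinct domains inside the window) that trips first, before the raw message count does. In production this sort of alert is the trigger to block the account's outbound mail, reset its credentials and look for the phishing email that started it.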
Endpoint detection and response
Endpoint protection will help to evaluate an endpoint before permitting it access to your network. Endpoint protection looks at the operating system, browser, and other applications, ensuring that they are up-to-date and meet defined security standards before access is granted.
Multi-factor authentication (MFA)
By implementing MFA in your security model, any user credentials that might be stolen (e.g. via a scam) cannot be used by the attacker to gain access to your network unless they also have the additional authentication factor (e.g. a security token).
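To show why the second factor matters, here is an added Python example (not from the article) of a login check that requires both the password and a time-based one-time code (TOTP, RFC 6238), so a password captured by a phishing page does not on its own grant access. The user record, salt and password are constructed, and the TOTP secret is the RFC 6238 reference test secret so the generated codes can be checked against the published vectors. A real deployment would use a dedicated password hash such as Argon2 or bcrypt, keep TOTP secrets encrypted at rest and rate-limit attempts; time-based codes can still be relayed by a real-time phishing proxy, so phishing-resistant factors such as FIDO2 security keys are stronger where available.

```python
"""Verify a password plus a TOTP second factor (RFC 6238) at login.

Added example with a constructed user record. The TOTP secret is the RFC 6238 reference
test secret (base32 of '12345678901234567890'); the password hash and salt are illustrative
and a production system would use Argon2 or bcrypt instead of PBKDF2 with a shared salt.
"""
import base64
import hashlib
import hmac
import struct
import time

_SALT = b"constructed-salt"  # constructed; real systems use a random per-user salt
_ITERATIONS = 100_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user store: one user enrolled with a password and a TOTP secret.
USERS = {
    "alice@example.com": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
    }
}


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """HOTP over the 30-second time counter, per RFC 6238 (SHA-1 variant)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, now: float, window: int = 1) -> bool:
    """Accept the current code and its neighbours to tolerate clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, now + off * 30), code)
               for off in range(-window, window + 1))


def login(username: str, password: str, code, now: float = None) -> bool:
    """Return True only when both factors verify; a correct password with no code fails."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    otp_ok = code is not None and verify_totp(user["totp_secret"], str(code), now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = USERS["alice@example.com"]["totp_secret"]
    print("current code for alice:", totp(secret, time.time()))
    print("password only:", login("alice@example.com", "correct horse battery staple", None))
```

With the reference secret, totp() at time 59 yields 287082 (the RFC 6238 vector 94287082 truncated to six digits), and login() succeeds only when that code accompanies the correct password. The point for phishing defence is in the last two lines of login(): the stolen password alone evaluates to False.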
Privileged Access Management and Whitelisting
Privileged Access Management (PAM) is a solution that helps organisations restrict privileged access. It can isolate the use of privileged accounts to reduce the risk of their credentials being stolen.
Whitelisting will restrict where privileged accounts can be accessed from (e.g. your organisation’s IP only).
Web filtering
Web filtering can screen and block access to web pages that are deemed objectionable. Some phishing attacks redirect users to such pages when a link is selected.
Vulnerability assessments and patching
Vulnerability assessments and patching will help to identify and protect your network from known vulnerabilities that might be exploited by an attacker using malware delivered by phishing.
Established processes for invoice and payment approval that include an internal approval component
Ensure that your invoice and payment approval process includes robust internal controls, so that you retain control over every approval and, in the event of a compromise, there is an additional layer of protection. This might include requiring two management approvals before releasing a payment.
Testing to see that your products are working effectively and that your users exhibit the right behaviour
Routine testing of your network and its users can help to identify and reduce vulnerabilities that may be exploited by an attacker. For example, having aware and competent users will massively reduce the chance of them inadvertently falling for phishing emails.
We are a dedicated IT Security provider that can help you with all these components; we offer end-to-end solutions that are scalable and fit-for-purpose. Contact us for a free, no-obligation chat and one of our consultants will be in touch!
Along with our existing tools and services, we are continually evaluating exciting and innovative technologies based on AI. This enables us to offer tools that radically improve the detection and notification of sophisticated phishing attacks.