Phishing Campaigns: Defending organisations against phishing

What is phishing?

Phishing defines a type of social engineering where attackers trick users into disclosing information. Phishing can be directed through a text message, social media, phone or via an email. Email is an ideal delivery technique for phishing as it can reach users directly as well as hide amongst benign emails that busy users may receive.

Phishing emails can hit an organisation of any size and type and can be done with no technical knowledge. Attackers can install malware to sabotage systems or steal information for further computer related offenses. Users may get caught up in a mass campaign, where the attacker uses enumeration techniques to gather confidential or personal information, or it could be the first step in a targeted attack against a company, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign an attacker may use information about a user or company to make their message more persuasive. This is typically referred to as ‘spear phishing’.

Why does phishing work?

Phishing works because it exploits the weakest point to cyber security – humans. Social engineering is designed to exploit social instincts such as curiosity and kindness, by developing trust. Phishing attacks can be particularly powerful because these instincts and characteristics can sometimes make employees good at what they do and shouldn’t be discouraged. The mitigation included in this blog requires a combination of technological, process and people-based approaches. A mixture of these mitigation must be considered for defence to be effective.

What is the common defence for Phishing?

Distinctive defence against phishing are dependent on employee training. However, by widening the defence, this could advance the resiliency against phishing without disrupting the robustness of an employee’s duties. Accepting the fact that some phishing campaigns will find a way through will help you plan for the day when an attack does occur. National Cyber Security Centre (NCSC) splits the mitigation into four layers:

Layer 1: Make it difficult for attackers to reach your user

Attackers can spoof trusted emails, making their emails look like they were sent by reputable organisation. These spoofed emails can be used to exploit customers, or people within an organisation. Implementing an anti-spoof control can stop email addresses being a resource for attackers. Examples of these include DMARC, SPF and DKIM.

Attackers can use publicly available information of organisations and employees to make their phishing message more convincing. This is often gleaned from websites and social media accounts often known as digital footprints. This can be controlled through understanding the impact of information shared online, being aware what partners, contractors and suppliers give away and helping your staff understand how sharing their personal information can affect them and an organisation. CPNI’s Digital Footprint Campaign contains a wide range of resources to help organisation work with employee to minimise online risk.

Filtering or blocking incoming phishing emails before it reaches employees not only reduces the probability of a phishing incident; it also reduces the amount of time employees need to spend checking and reporting emails. Ideally, this can be done on end user devices (client mail, email provider) or a bespoke service for email servers. If a cloud-based email provider is used make sure it is sufficient for an employees’ need and is switched on by default. If a host uses an email server, ensure that a proven filtering/blocking service is in place. This can be implemented locally or purchased as a cloud-based service. Filtering services usually send email to a spam/junk folder, while blocking ensures that mails will never be reached to recipient. Emails can be filtered or blocked using a variety of techniques including: IP addresses, domain names, email address blacklist, public spam and open relay blacklist, attachment type and malware detection.

Layer 2: Help user's identity and report suspected phishing email

Relevant training can help employees spot phishing emails, but no amount of training can spot every email. Training users in the form of phishing simulations is often over emphasised in phishing defence. This can be achieved through several holistic approaches such as:

1. Making it clear that phishing messages can be difficult to spot
2. Do not expect employees to be able to identify them 100 percent of the time
3. Foster a mindset that it is OK to ask for further guidance when something feels suspicious
4. Never punish employees who struggle to recognise phishing emails
5. Train to improve confidence and willingness to report future incidence
6. Ensure that employees understand the nature of the threat posed by phishing
7. Help users spot the common features of phishing emails, such as pressuring authorities
8. Table top such as discussion, quizzes or workshop

Think carefully before considering using phishing simulations. Phishing employees through simulation can help employee gain an idea of susceptibility to a specific type of phishing message thus having an unintended consequence. For example, it could impact on productivity by creating uncertainty about whether to respond to normal email or users feeling ‘tricked’ by an organisation. Organisation are advised to liaise with HR to ensure simulation complies with HR policies.

Layer 3: Protect organisations from the effects of undetected phishing emails

Password are a key target for attackers, especially if motivated by attaining sensitive information, handling financial assets or administering IT systems. Protect email accounts through adding two factor authentication (2FA) would mean that an attacker cannot access an account using a stolen password. Passwords are often stolen by credential harvesting from a fake website. A single sign on method can eliminate the risk of credential harvesting. In addition, introducing an alternative login mechanism such as biometric or smart card can reduce the risk of password theft. Lastly, introducing and evaluating an existing password policy should reduce the chances of password reuse.

Links to malicious websites are often a key part of a phishing email. However, if the link is unable to open the website, then the attack cannot continue. Protecting employees from malicious websites can be achieved by using proxy server and updated browsers – though this may not always be the case specifically for mobile devices. Public Sector organisations should use the DNS service which will prevent users resolving domains known to be malicious.

Malware is often hidden in emails or fake websites that an employee is directed to. Well configured devices and good end point defences can stop malware installing, even if the email is clicked. By making sure that software and hardware are updated with the latest patch, this will prevent attackers from using known vulnerabilities. By limiting administrator accounts to those who need those privileges can prevent employees from accidentally installing malware from a phishing email. There are many other defences against malware and it will need to be considered based on security needs. Some defences are specific to particular threats, such as disabling macros or autorun, and some may not be appropriate for all device.

Layer 4: Respond quickly to incidents

Employees should feel confident reporting incidence without the fear of punishment or blame. Employees should know in advance how they can report. Bear in mind, that they may be unable to access normal means of communication if their device is compromised. Ensuring that an organisation knows what to do in the case of a different type of incident is vital. For example, how will employee force a password reset if the password is compromise? Who is responsible for removing malware from a device, and how will they do it?

Incident response plan should be practised before an incident occurs. At a minimum, ensure that everyone is familiar with their roles and know who to call for support. To help improve the defence against phishing incidents, you may want to answer certain questions such as “how, when and to what extent the incident has affected the organisation?” If an organisation collected logs as part of their monitoring, these can be used to help answer these questions.

Conclusion

Phishing has been around for more than three decades and is still an effective means for harvesting information. As of 2018, there has been a gigantic incline in the use of phishing campaigns against organisation. Thus, understanding how to defend against phishing is of paramount importance for the confidentiality and integrity of data.

Cyber Security training from QA

QA have uniquely positioned themselves to help solve the Cyber skills gap from our CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training and Certifications and Consultancy for Cyber Security.

They offer end-to-end Cyber training and certifications from Cyber Awareness to deep dive Cyber Programmes and solutions; from Cyber Investigations, Cyber Crisis Management, Proactive Security to Offensive Defence. QA only employ world leading Cyber trainers who have the expertise to deliver bespoke Cyber solutions, GCHQ accredited courses and proudly the CyberFirst programme. This is all to support in tackling the UK's National Cyber Security skills shortage.

QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.