Phishing happens. It is probably happening as you read this. Right now, some well-defended company is having data under its care exposed. This data may contain sensitive information, such as login credentials, and in many cases, it is only known that an attack of this type has taken place after the fact. Protecting yourself and your employer against phishing attacks relies foremost on critical thinking; however, there are some business processes and technologies that can help.
Your company, no matter how well-protected, no matter how secure, will be compromised. It is simply a fact of life. This is why it is utterly imperative to not only detect phishing attacks (preferably as they happen), but to have an incident response plan in place to minimize the damage.
There are preventative measures that can be taken beforehand. A good cybersecurity plan should have data breach prevention and mandatory anti-phishing/social engineering detection training as a few of its key points.
Unfortunately, not all phishing attacks can be prevented. When both technological defenses and the critical thinking of the individual being phished fail, it is important that IT security teams learn about this sooner, rather than later.
Once IT security teams learn about a successful phishing attack, they can attempt to constrain the scope of the compromise. Finding out about a compromise later—or not at all—could have disastrous personal and business consequences.
The weakest link in an organization is not the networks, applications, nor any component of the computers themselves. The weakest link in any organization is the people. Whether through deliberate action, inaction, or because they succumbed to pushing or social engineering, an organization’s employees pose a significant threat to the security and integrity of stored data.
The first thing to consider is that accidents happen. Whether it’s something as simple as an employee clicking a link in an email without checking its authenticity, or forgetting to authenticate a phone call instructing them to change a password on a server, failings of the human mind are responsible for more than 36% of data breaches.
If 36% doesn’t sound like a lot, bear in mind that this number might be seriously underestimating the percentage of breaches that are attributable to employees being phished or socially engineered. Many attacks that are attributed to “malicious or criminal attacks” (59%), begin with phishing or social engineering. This aspect is often lost during the attribution phase of many cyberattack post-mortems.
This human vulnerability is why putting in multiple layers of defenses is important; data breaches (and the phishing attacks that often precede them) can come from anywhere. These attacks can and do originate from inside an organization, something most IT teams don’t expect, until it’s happened to them at least once.
Whether the author of the attack is an external malicious actor, or an internal malicious employee, the goal with all phishing attacks is the same: cause someone else to follow instructions that are not in their best interests, and/or the best interests of their employer. Social engineering is one of the easiest ways to obtain privileged information; how many employees would verify credentials if they got a call from the IT team asking them to do something slightly unusual?
This is where authentication of staff—and training them to authenticate automatically—is important. The digital chain of custody technologies is also important. These technologies keep a record of all actions done, by whom, and for what purpose. Combining multiple technologies with ongoing training, and security-aware business practices is essential to mitigate phishing attacks, especially when they are being authored by knowledgeable insiders.
A spear phishing attack’s effectiveness relies on authenticity. An attack demonstrating in-depth knowledge of company terminology, department names, graphics (what, for example, does a contractor’s ID card or a Wi-Fi login page look like?), and other important details, looks authentic. Authentic communications allow attackers to pose as anything from a regular employee, to a contractor, to a tech support agent. This is the realm of spear phishing: carefully targeted phishing attacks.
To obtain this information, reconnaissance is carried out beforehand, so the phisher can start with a well-backed, well-researched platform of inside information. There are a number of signs—some subtle, some obvious—of a reconnaissance attack. If noticed, these tells can be used to shut such things down before they continue.
There are innumerable ways to perform reconnaissance. Catching phishers in the act requires the ability to think like a phisher. A certain degree of paranoia helps too. In order to provide insight into how digital attackers think, two types of reconnaissance attacks will be discussed: rogue Wi-Fi networks and concealed recording equipment.
Rogue Wi-Fi networks (sometimes called “evil-twin” networks) are just what they sound like: Wi-Fi networks set up to trick employees’ devices into connecting to them, instead of the real organizational network. Most often, the Extended Service-Set Identifier (ESSID) and Basic Service-Set Identifier (BSSID)—better known as the “name” of the Wi-Fi network—are configured so that rogue Wi-Fi access points appear to be part of the same network as the “official” organizational network.
In addition, security or transmission power settings for these rogue Wi-Fi access points are modified to make employees’ devices prefer the rogue access points. One example of this would be using a directional or high-power antenna to ensure connection to the strongest network.
Once devices are connected to the rogue network, attackers can present a fake login page, which looks just like the real network’s login page would. Attackers can forward the logins through to the legitimate network, ensuring that employees do not notice anything wrong, and allowing the attacker to capture the employee’s credentials. The attacker can then impersonate the employee by using these stolen credentials.
Networks without login pages are far more vulnerable, as attackers have to get everything—or almost everything—right about the login page and process not to be noticed. It is important, therefore, that all employee wireless networks that use a login page, even if it is possible for them to be spoofed.
Using externally verified TLS certificates can make it significantly more difficult for an attacker to simulate a login page convincingly, as the lack of a certificate can make it obvious that a page is fake, if employees are trained to look for it. Certificates can also be used for entirely certificate-based authentication for wireless networks, while tedious, eliminates the need for passwords and login pages altogether, and as a result is less susceptible to phishing or social engineering.
Another key reconnaissance measure is concealed recording equipment, including cameras, microphones, and ID card skimmers. Cameras and microphones can be used to record things like spoken pin numbers. With sensitive enough equipment, these devices can even pick up numbers being entered into phone menus, door locks, etc.
Hidden recording equipment can also expose gaps in security which attackers can exploit, such as the tendency for employees to let others behind them in through secure doors. “Tailgating”—allowing others access while not requiring that they scan their ID cards as well—is a common problem, especially in larger organizations, where it is common for employees not to know one another well.
Checking for signs of reconnaissance such as these is one part of a multilayered phishing defense plan that will go a long way to preventing these types of attacks.
The Importance of Convenience
What is important to consider is the careful balance that must be maintained between keeping an organization’s assets and networks secure, and not unduly burdening employees. For example, a policy wherein passwords are required to change every week seems highly secure, but employees will do whatever they must to bypass it.
In the case of regularly changing passwords, working around the policy will include using the same password each time, with just enough iteration to get past any password reuse detection. Similarly, passwords in such an environment are more likely to be written down, e-mailed to one’s self, and so forth.
Perhaps most importantly, burdensome security measures like highly regular password changes are not tolerated when an immediate benefit is not readily apparent. One way of easing the burden on employees is using a single, well-trusted, unified authentication platform for all company assets. For individuals in sensitive positions, or where authentication grants access to vital data, two two-factor authentications (a password plus a fingerprint, for example) is frequently considered to be an acceptable compromise.
Two-factor authentication makes it reasonable to loosen password restrictions, as, even if that password is disclosed, malicious actors cannot use it without the second factor of authentication. This authentication platform can also be linked into additional checks, such as time checks (is an employee logging in after hours), statistical checks (is an employee trying to open a command prompt when they have never done so before), and geolocation verification. Together, these checks will be able to verify that a legitimate employee is logging in, during the hours expected and from the location expected.
While none of these measures will prevent phishing attacks, they can make such attacks more difficult, removing the need for security-defeating workarounds. They also lower the frustration level of employees. Frustrated employees are more likely to succumb to decision fatigue, and make mistakes in critical thinking that they would otherwise not make.
Some more key points to consider:
Zero trust – do not assume that a login, or other action, is in any way legitimate. Verification is helpful here, requiring multiple factors of authentication, or for particularly sensitive operations, external verification.
Least privilege – The principle of least privilege is also helpful. The principle of least privilege requires providing employees the permissions—and only the permissions—that they require to do their jobs. This reduces the attack surface of those who may be socially engineered; an employee cannot grant an attacker access to something they themselves cannot access. When the principle of least privilege is used effectively, attackers are forced to compromise someone with privileges equal or greater to those the attacker wishes to obtain. This allows organizations to concentrate their education, awareness, and critical thinking training on those with higher levels of privilege.
Defense in Depth – Do not rely on a single layer to protect you from all attacks; as attacks vary, so should defenses. From physical authentication at doors, to full-disk encryption and AAA (authentication, authorization, and accounting) on servers and other networked assets, a defense plan that covers multiple facets of the company will dramatically reduce the chances of success.
With phishing and spear phishing becoming an increasingly prevalent problem, it’s important that employees know how to detect and avoid it. This includes an awareness of all phases of a modern cyberattack, from physical reconnaissance to social engineering, to a full loss of data integrity.
Organizational defenses should include an analysis of suspicious logs, multiple forms of authentication, and these defenses must layer over one another; one set of technologies, policies, and/or business practices covering the holes left by another. Internal simulations of phishing attacks are an excellent way to train employees. External penetration testers (white hat hackers) are also useful.
In the end, however, defense against phishing always boils down to critical thinking. All the technologies, policies, and business practices, in the world can only serve to reduce the number of attacks that make it to an employee. They will never eliminate all attacks. Successful defense against phishing attacks relies on the critical thinking capabilities of each and every employee, and these start with education, training, and encouraging employees to ask questions.