Phishing attacks account for about half of all cybercrime, making them by far the biggest threat to your company’s cybersecurity. A well-delivered phishing email can be devastating for a company. I should know; in my experience in the intelligence world, phishing attacks were one of my favorite ways to gain quick and easy access to an enemy’s systems.
The goal of a phishing attack is to eventually gain access to sensitive data. This can be achieved through one of two paths: installing malicious software on a company workstation that calls out to the attacker and gives them access to the internal network, or harvesting credentials that give the attacker access to email, a VPN or other systems.
Employees fall for phishing emails every day, and this causes great pain for many companies. A lot of money is spent on security awareness training for employees, on the theory that employees are the weakest link in a company’s security. Well, in my experience, it’s the IT staff who are the weakest link, because they give a lot of power to general employees and then tell them not to compromise the company through their actions. Good luck with that! The better approach is to not give them the power to make those mistakes in the first place. Instead, try the following layered approach:
- Stop the emails
The first thing to do is to stop your employees from receiving the emails in the first place. Email spam filters need to be set up properly; in my experience, they rarely are. Ensure they are configured to block certain file types and to reject mail from domain names similar to yours. For example, if your domain is examplecompany.com, drop all mail coming from domains such as examplecompany.co and examplecompny.com. In fact, it would be a good idea to purchase all similar domain names yourself.
- Train employees on what to look for
So the email comes through anyway. What then? Ensure employees know how to spot and report a phishing email. They likely won’t spot the good ones, but security must be a multilayered approach.
- Harden workstations
Good cyber hygiene and a hardened workstation will heavily reduce risk. Remove PowerShell, remove local admin and install rights, remove all unnecessary software from the workstation, ensure all the latest security patches are installed, and ensure that domain admin accounts (or similarly powerful accounts) have never logged into the system. There is much more to write on this, but in the limited context of a blog post, these steps should take you far.
- Set up MFA
So an employee visits a phishing site and divulges their credentials. What then? Having MFA set up on all internet-facing systems will heavily reduce the risk of an attacker being able to use those credentials. There are ways around this for an attacker; however, it’s all about reducing risk.
- Set up strong outbound filtering
The user manages to execute the malware? It will try to make an outbound call to the attacker’s server. Strong outbound filtering should block the attempt and alert the security admins that the system has been compromised. This will stop the attacker from gaining internal access to the network. All systems should have to go through a proxy server to gain web access; no general employee needs direct outbound access on all ports. Too many companies allow full outbound access anyway, putting the company in great danger. Additionally, these proxy servers should be configured to deny employees access to domains similar to the company domain (see above for examples).
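The lookalike-domain rule described for the spam filter and again for the proxy is the same check applied at two control points. Below is an added example of that check (not code from the original post); it assumes the company domain is examplecompany.com, treats a domain as a lookalike when the name part is one edit away from the company name or when the company name is reused as a label in another domain, and runs over constructed From: headers and proxy log lines.

```python
# Added example (not the post's own code): one lookalike-domain rule usable both
# in the mail gateway and the web proxy. Assumes company domain examplecompany.com;
# the headers and proxy log lines below are constructed samples.
import re

COMPANY_DOMAIN = "examplecompany.com"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True if `domain` imitates `company` without being it or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return False                        # the real domain is never blocked
    cname = company.rpartition(".")[0]      # "examplecompany"
    if cname in domain.split("."):
        return True                         # company name reused as a label elsewhere
    name = domain.rpartition(".")[0]        # drop the TLD so .co vs .com compare equal
    return edit_distance(name, cname) <= 1  # one typo away: examplecompny, example-company

def check_sender(from_header: str) -> bool:
    """Mail-gateway rule: True when the From: address uses a lookalike domain."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return bool(m) and is_lookalike(m.group(1))

def blocked_hosts(log_lines):
    """Proxy rule over '<timestamp> <user> <host>' lines: hosts to deny and alert on."""
    return [ln.split()[2] for ln in log_lines if is_lookalike(ln.split()[2])]

# Constructed sample data, not real traffic.
SAMPLE_FROM_HEADERS = [
    "From: Payroll <hr@examplecompany.com>",
    "From: IT Helpdesk <it@examplecompany.co>",
    "From: CEO <ceo@examplecompny.com>",
    "From: Vendor <billing@unrelated-supplier.net>",
]
SAMPLE_PROXY_LOG = [
    "2024-01-01T09:00:01 alice portal.examplecompany.com",
    "2024-01-01T09:00:02 bob examplecompany.com.login-verify.net",
    "2024-01-01T09:00:03 carol example-company.com",
]
```

The same `is_lookalike` result drives a drop action in the mail filter and a deny-plus-alert action in the proxy, so the two layers stay consistent about what counts as "similar to yours".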
Phishing is seen as a high-risk, hard-to-handle issue for many companies. I’ve seen many a company spend hours a day reacting to attacks that should have been prevented in the first place. Implement these 5 steps and you will no longer need to worry as much, or spend all day investigating phishing attacks.
Written By: James Knight