Phishing is becoming a major threat vector and preferred method for attackers to break into victim networks. Verizon Data Breach Investigations Report shows that more than two-third attacks in espionage category used phishing as an attack vector.
Typical phishing attacks start well before people start receiving phishing emails.
Attackers use social media web sites to do research on potential targets and to craft “real-looking” emails. Once phishing emails are launched, it is almost certain someone will click on a link or download a file and open it. However, the good news is that a phishing attack is not successful just because someone clicked on a link. There are a number of additional steps before data exfiltration where information security teams can interrupt the attack and break the chain of events to avoid the data breach.
Following are typical steps that are part of a phishing attack that happen in a sequence (which I call as a “phishing attack chain”):
- Attackers do research on public sources of information, craft phishing emails, and send to potential victims.
- When someone clicks on a link or downloads a file, attackers exploit an existing vulnerability to install malware or create a backdoor.
- Attackers use the malware or backdoor to download additional malware components.
- The malware is used to scan victim’s network, gather interesting information, and collect data.
- Exfiltrate data as last step of the attack.
Information security professionals can use the following security controls to break the phishing attack chain and avoid data loss:
- Create social media policy and educate employees about phishing attacks. This will not stop phishing attacks but can make the attackers task difficult.
- Use spam filters. However, spam filters are limited in the face of sophisticated and targeted phishing attacks.
- Sandboxing technologies, when used effectively for email, can be very helpful in identifying and blocking phishing emails by testing links and attachments for malware.
- If email software provides option for rewriting subject line or adding a footer to each email, use this feature for all email incoming from the Internet. Add specific words to subject line or a footer at the bottom of emails to warn recipients that that email is coming from outside of the company. This will help them be a little more cautious when clicking on links.
- Apply patches on end-user devices so that a click does not result in exploiting old and known vulnerabilities.
- Restrict outbound traffic on firewalls which will help deny malware unrestricted outbound access. Monitor for dropped outbound packets on firewalls to detect potential malware infections and as an early warning mechanism.
These are just few quick and simple controls but a comprehensive strategy is required to guard against phishing email attacks. A comprehensive approach will include many additional steps. For example, network segmentation, restricting email access on laptops/desktops that are used for controlled parts of the network, denying email and web access from servers, and other measure can be very helpful. Some businesses also use products and services for education and awareness which could be an effective tool. Cost-benefits analysis of all controls will help decide picking up the ones that have the best potential of mitigating risk associated with phishing attacks.