5 ways to minimize phishing attacks

Data breaches are a hot button topic right now. Many vendors are quick to point out how their device (I often simply refer to as a “blinky box”) solves all the problems. I beg to differ. Despite the CAPEX used to secure the device and the OPEX used to maintain the device, there is another avenue that reaps catastrophic outcomes: social engineering. More specifically, phishing.

In the wake of having won the DerbyCon Social Engineering Capture the Flag (SECTF), I offer the following advice based on my experience.

1. Implement technical controls

There are numerous technical controls available to help minimize the impact of social engineering attacks. For starters, Proofpoint is a company that specializes in detection and response to phishing. If you ever see an email with [EXT] or [EXTERNAL] added to the subject line, Proofpoint is likely the culprit of these changes to the subject line.

If you are involved with a US Federal agency, the Department of Homeland Security has promulgated Binding Operational Directive 18-01 (BOD 18-01). This directive recognizes the threat from phishing and web attacks. The email portion specifically aims to minimize or eliminate Business (or Agency) Email Compromise (BEC) and requires two aspects: encryption via STARTTLS and the technical controls of the following:

Sender Policy Framework (SPF)

A method by which an organization can define which domains an organization can receive email from. SPF creates a record in DNS that can be viewed publicly, which creates a fundamental flaw allowing an attacker to circumvent the intention of SPF by compromising another email platform, as well as enumerate IP schema.

Domain Keys Identified Mail (DKIM)

A method of preventing forgery by essentially digitally signing each email from a domain. Note: DKIM has weaknesses in key length, forwarding, and handling mailing lists.

Domain Message Authentication, Reporting & Compliance (DMARC)

Built on top of SPF and DKIM, creates rules based on the outcome of DKIM, SPF, or both methods and counters forging the FROM: field.

2. Run phishing exercises

There are many solutions out there to help organizations with their phishing campaigns. The levels of interaction and quality may vary, as do the prices.

Maria Korolov wrote a piece here that discusses such companies. There are even companies that will do the engagement from start to finish for you; all you do is provide an email list and optionally approve the phish.

Personally, I am a fan of doing the process internally. For the sake of time and length of this post, I will publish that blog post next month.

3. Train your people

Only a fraction of a company is information security professionals, unless you work for a security consulting firm. As professionals, we should not expect HR, accounting, shipping, and sales to be security professionals, just as most of us do not want to do those jobs. Therefore, the security experts should strive to build rapport with these other departments and make them aware of these threats and how they can avoid falling victim.

In such a training program, I recommend general training as well as role-based training. After all, some roles like HR, accounting, and sales are expected to receive and open email attachments. When they inadvertently infect a system with ransomware, which is on us – not them. We must make them aware of suspicious signs and establish the security architecture to protect our network.

Train users quarterly. You can do one long training and supplement the other three in 15-30-minute bursts to keep them up to speed on phishing metrics and new trends.

Below, I discuss two other strategies to implement in a culture to increase reporting and decrease the response time when things go wrong, since they will!

4. Incorporate training and awareness into the corporate culture

I recommend two strategies to enhance the security program; gamification and a non-punitive policy.

Gamify the reporting. Find a way to provide a careful incentive to avoid the competition getting out of hand (think Wells Fargo) for a measurable metric of reporting.

In terms of a non-punitive policy, do not punish an employee that clicks a phish. Rather retrain them and move on. People who fear punishment will not report. Reporting quickly needs to be "safe."

As security professionals, we need to define what actions we want the user to take if they a) receive a phish and b) click a phish. Here are some questions to ask yourself when defining the program:

1. Do we want the system powered off?
2. Do we want the system logged off?
3. Should we require users to disconnect from the network?
4. How should users contact us? (Hint: email or a ticket are not good answers)
5. How could we have prevented this?

5. Do not rely on a single technology or solution

This should go without being said for the most part. Putting all the proverbial eggs in a single basket is a recipe for disaster. While training is great, and many solutions work to varying degrees, it is naive to rely on a single method for protection. I recommend using all the above steps to collectively protect your organization and decrease the response time in the event something happens. I like to maintain the mentality that it is not “if” but “when,” but I also do many incident response engagements.

In conclusion, phishing and social engineering are mainstays. They predate technology and will likely outlive it. We must take proactive steps like those defined above to ensure that our organizations are protected and resilient. I hope the 5 steps above will help you implement a program that involves awareness and defense in depth to counter the threats of phishing.

More on phishing:

• 8 types of phishing attacks and how to identify them
• What is spear phishing? Examples, tactics, and techniques
• 10 top anti-phishing tools and services
• 5 best practices for conducting ethical and effective phishing tests