4 steps to prevent spear phishing

It seems like not a day goes by without another ransomware attack making headlines. And where do many of these attacks start? In your users’ email inboxes.

By now you know that your users are both your first line of defense and your weakest link and you need to not only add additional spam filtering to all emails coming into your office, but also train to your users to identify when they’re being phished. Additionally you may want to harden the operating system to be more resilient to attacks. Recently some of these recommendations were suggested by Microsoft.

Here are some key ways to protect your users from recent spear phishing campaigns:

Ensure that all email goes through a filtering system of some kind. Whether it’s an on-premises mail server or a cloud-based email service, you have to have a filtering system that looks for attack patterns. Even if you still have on-premises mail servers, having a service that shares information with other servers means that you can see patterns emerge. Often these mail hygiene platforms also provide mail storing and forwarding should anything happen to your on-premises mail server. Having this sort of solution installed is a necessity for anyone using email servers.

If budget is an issue, you should investigate open source, community, or free solutions to better protect your firm. Solutions such as Security Onion can be added to your network as a Linux distribution for threat hunting, enterprise security monitoring, and log management. Recently 2.3.50 version was released for the Security Onion platform along with training videos. Snort is another open source platform that can be added to your network to add additional protection and monitoring capabilities.

Prioritize patching based on potential impact on your network. In many organizations, patches are not immediately installed but rather are deployed after fully testing.  This may mean that weeks go by without deploying updates. Patching should be prioritized for those users that either have been targeted in the past or could be seen as a potential target. Review all of the software installed on the system to ensure that it is all supported and maintained by vendors. Pay specific attention to operating system patches, as well as any browser-based tools that may be used, such as PDF viewing software.

Ensure that your patching team stays aware of any vulnerabilities under active attack to ensure that your firm is protected. Review for past patching interactions and if the workstations have had any side effects with updates. If the workstations haven’t had historical issues with patching, you can accelerate deployment. The use of patching tools such as Config manager, Batch Patch, or any number of patch management tools should be investigated. Make it a goal for the remainder of 2021 to deploy updates faster to your impacted workstations. If you typically wait a month to deploy updates, see if you can deploy in three weeks. Then push your processes of testing to deploy in two weeks. Shorten the window between release of updates and deployment of updates.

Restrict the use of browsers and file sharing platforms. This restriction can be cumbersome, but it may be necessary to best protect users from targeted attacks. Discuss these limitations with your staff to ensure that they understand the risks of the file sharing platforms. In my own firm we recently adjusted our policies to be more restrictive. Too many of the file sharing platforms can be spoofed, making it easier for attackers trick your users into opening a malicious link. Standardize on a specific platform and communicate that to your customers, partners, and users. Ensure that portals are branded and processes are explained and documented, and ensure that your employees know not to circumvent the process.

Enable attack surface reduction rules for your Windows 10 deployments. You will be able to monitor and enforce ASR rules with Microsoft 365 E5 and Enterprise licenses, but even with a Professional only network, you can enable the protection to better protect your network. Specifically turn on the following attack surface reduction rule to block or audit activity associated with this threat. You’ll want to enable ​Block JavaScript or VBScript from launching downloaded executable content. As Microsoft notes in their console, this isn’t a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. This security control is only applicable for machines with Windows 10, version 1709 or later, and Windows Server 2019.  If you have Microsoft 365 ATP access you can review the console to see what, if any, impact it will have on your network.

Susan Bradley

This user impact report can immediately alert you if you can deploy the recommended protection with little to no impact on your environment. If you don’t have access to this report, set the ASR rules to “warn” setting in order to determine if you will be impacted.

Note that warn mode is not supported for the following three attack surface reduction rules when you configure them in Microsoft Endpoint Manager (if you use Group Policy to configure your attack surface reduction rules, warn mode is supported):

• Block JavaScript or VBScript from launching downloaded executable content (GUID d3e037e1-3eb8-44c8-a917-57927947596d)
• Block persistence through WMI event subscription (GUID e6db77e5-3df2-4cf1-b95a-636979351e5b)
• Use advanced protection against ransomware (GUID c1db55ab-c21a-4637-bb3f-a12568109d35)

To enable using Group Policy, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and select “Edit.”  In the Group Policy Management Editor, go to Computer configuration and select “Administrative templates.” Expand the tree to Windows components, then go to “Microsoft Defender Antivirus,” then to “Microsoft Defender Exploit Guard,” then to “Attack surface reduction.” Select “Configure Attack surface reduction rules” and select “Enabled.” You can then set the individual state for each rule in the options section. Enter the value name of d3e037e1-3eb8-44c8-a917-57927947596d and the value of 6 to begin with and then 1.

Your users are in the crosshairs of the best attackers out there. Even without an E5 license ensure that you use these ASR rules to protect your workstations.