Phishing is one of the biggest security concerns for businesses at present. Phishing used to be about just gathering credentials and information, but with the advent of Phishing as a Service platforms and similar commoditization, it has become much more. Hackers mine data, drop malware, and in some cases even work to make deepfakes to get even more out of a business.
With the profitability of ransomware attacks combined with the low cost and risk to deliver them, they’re getting more and more prevalent and more complex. I hear about new attacks almost daily, and the only common thread is that a user clicked the wrong email attachment. That legitimate looking invoice email isn’t what you think it is, it’s advanced malware. Some may strike instantly, others will just mine the system and the site for data before dropping a payload. Either way, it ends with business being seriously impacted, even if it’s only for a few days.
How Phishing Works
The key to stopping phishing is to understand how it works. Modern phishing attempts rely on a mix of technical elements and human fallibility in order to get through to users, and to get users to actually interact with the payload. Solutions that only address the technical side are doomed to fail eventually, while only training users isn’t enough because humans aren’t perfect.
Old style phishing involved either compromising an email or automating the creation or sending of emails from a source. Your friend’s email “kathy1984@[email of choice].com” got compromised because she used “password123” as her password and now a bot is sending links out. Maybe it’s a pseudolegitimate looking email like “microsoftadmin2020@[provider of choice].com” sending you an email that your account was compromised and you need to click now to prevent it from being further exploited. Technology has made most of these obsolete, but they still work from time to time when they get through.
A technical solution can only get so perfect, and a person is going to make mistakes. Newer phishing attempts may link you to “app1e.com”. There’s a perfectly legitimate looking sign-in page and it will even redirect you through to the real Apple when you’re done, the phisher just has the credentials too now. If you don’t sit and inspect the certificate and the domain, it’s easy to get caught by this sort of attack. Many newer phishing attempts also tie in with exploits and similar to further maximize their ability to proliferate and to be profitable.
Technical Solutions to Phishing
While there are solutions at all levels, I’m going to focus on the easiest for an IT administrator to implement and maintain easily in addition to what is already at a site. I’m going to list tools which I have worked with, but any listed items in no way represent the entire market. We’re going to focus on network level solutions, email level solutions, and endpoint level solutions.
A network level solution is usually the easiest to integrate into a site. With something like OpenDNS, you just set the DNS server or forwarders to use the service and you stop a lot of attacks at a DNS level. There are more complex setups like setting up a Squid proxy to block malware and similar. Some firewalls even offer a malware filtering service or tie-in which can help prevent these types of attacks. Certificate enforcement at a network level is a great step to prevent some of the common name tricks with falsely signed certificates. The logic is, if a user can’t click the link, they can’t get phished.
The issue with network level tools is that they tend to be rather easy to get around and the lists tend to be somewhat static. While OpenDNS may have a malicious domain within 24 hours, that doesn’t mean you won’t get hit before they find out about it. Network level setups are just one component in the whole system to stop attacks from working. This sort of setup does basically nothing to prevent direct emails from getting through or other phishing attempts, but is extremely important nonetheless.
Despite a network level setup not targeting the root cause of phishing, it’s still the first step because it tends to be the easiest to setup and implement, and it blocks more than just phishing. This is a good security step for pretty much any site. Phishing is a huge threat, but so is just clicking the wrong thing on the internet and ending up with malware. Network setups are an easy blanket protection for multiple types of attacks.
A user can’t click a link if they never see it. Spam filters like Vipre Email or Spam Assassin help cut down on what users see in the first place. Not all phishing attempts come from email (spear phishing may use USB keys in a parking lot), but the vast majority do. A good email filter should be at the core of your phishing prevention efforts. The network level solutions are easier to implement, but only prevent the symptoms (user clicking the link) of a malicious phishing attempt rather than the cause (user seeing the link).
A properly tuned spam filter is going to block roughly 95–98% of the spam. The remaining 2–5% should be caught by a mix of other technical solutions and user training. Spam filters do require tuning and testing to make sure they work. A poorly configured email level solution can prevent a business from functioning if it latches onto the wrong address (like firstname.lastname@example.org) or targets the wrong kind of email (email@example.com, firstname.lastname@example.org, etc.).
Spam filters and other email level solutions are not just a set it and forget it solution. They need to be constantly tuned, and there needs to be a way to exclude certain emails. A solution which does not provide a whitelist and blacklist is completely useless for a modern business. The site most likely also needs an employee which can access the quarantine for the spam filter and training on how to use it. Without access, a client has to rely on you for every false positive.
No matter how good your solutions are above the endpoint level, some amount of garbage is going to get through. It might be run of the mill questionable enlargement pill ads, and it might be a fake bank warning. The individual endpoint needs some kind of protection. While deploying antivirus solutions and similar are best practice anyway, one which is often overlooked is pushing an adblocker to a user’s browser.
Proper hardening of the individual endpoint can prevent some attacks from working as well. Making sure the system is up to date can help stop things like curveball from being a usable attack vector. Ultimately, the endpoint shouldn’t be doing much for preventing phishing as it is best handled above, but this doesn’t mean that the endpoint can’t contribute to overall security against phishing.
Technical solutions can whittle away 95–98% of 95–98%, but with the sheer volume of phishing emails, something will eventually reach a user. Training is the only way to further whittle down on the attacks technology can’t get (yet). Not every user can wrap their head around technical training, so there is training to help with common sense to stop phishing, and technical training for more advanced users.
Training to Spot a Phishing Attempt
If you don’t use Bank of America and you get an email saying your Bank of America card is compromised, what should you do? Many users will click and go through the verification (including putting in their social security number) even though they don’t use Bank of America (let alone “Bank of Amreica”). Train your users to ignore services they don’t use at all, or at least verify by calling a known branch or known, verifiable contact method.
Look for obvious typos in the email as well. A professional email is probably not going to be littered with emojis and misspellings, but a lot of phishing emails are not written by native speakers. Some even intentionally use bad spelling and grammar to catch the most gullible people. Train users to forward it to their IT department if they are suspicious rather than risking a click. Make this a painless process for them and something which does not impact their job. Kyle may send an email or ten every day, but at least he’s not putting the company at risk anymore.
The next piece of training is to make sure users are familiar that most services won’t just reach out to them without verification. If you get an “important notification” from the bank, go to the bank website you know, log in, and check and see if the message is there. If it isn’t, there’s a good chance it’s a phishing attempt. Train your users to follow a specific process for interacting with financial institutes rather than just clicking links in an email. Check the URL for links and make sure it makes sense. Your bank isn’t going to link to “legitbank.[dynamic DNS host of choice].hk” for their “innvoice”.
Common sense training will get you far, but there are still phishing attempts which will beat common sense if they make it through the technical barriers. Make sure there are at least some users trained to know how to inspect a certificate chain for a website, and how to look at email headers. These are highly technical tasks for the average person, but showing your client how will show them that you are knowledgeable about the subject, and enable them to prevent issues themselves.
This type of training is going to be useless for the vast majority of users, but if they even learn a little, they can weed out some of the better attacks. The other effect I have seen from this type of training is that even if the user retains nothing about the technical work itself, they learn that “just because it looks legitimate does not mean it is.” This shift in mentality can make the difference between getting got and skirting by without incident.
Phishing is prevalent and getting smarter. Combine technology with training to prevent it from being effective. Phishing relies on people seeing it and then falling for it. By using technology, you reduce the first, and by training, you reduce the second.
Institute a technical stack from the network level and down to prevent spam and phishing emails from functioning. The network level prevents malicious links from working, the email level prevents spam and phishing emails from showing up, and the endpoint level can reduce the chance of an attack being successful. These also add security overall.
Training prevents the attack from being able to leverage the human element. It doesn’t matter if the phishing attempt from “Bank of America” gets through if the user knows they only have Wells Fargo. Use technical training to help show users that an email isn’t just what it appears to be. Even if the technical training doesn’t take, the mindset may.
By combining these factors, you make your users more secure and prevent liability if something goes wrong. Audit and secure their site and you prevent more than just phishing. Train them and you reduce the chance for incident. Even if the company doesn’t sue you in the event they get phished, they may go under costing you income. Securing them secures you.
Originally published at https://somedudesays.com.