
A Handy Guide on Handling Phishing Attacks

June 21, 2016   |   Jen Andre   |   SecOps , Use Cases

Phishing is a problem as old as the internet, and it isn’t going away anytime soon. These attacks are designed to acquire sensitive information (like usernames and passwords) in order to gain access to otherwise protected data, systems, or networks. And considering that 90 percent of all the data in the world today has been created just in the last few years, it’s no wonder these attacks are on the rise. Just take a look at victims like Snapchat, eBay, and a list of other companies that grows longer by the week.

While most of us know what phishing is by now, social engineering tactics are becoming more sophisticated by the day. Because of this pervasive security challenge that affects both businesses and individuals, phishing requires a security strategy that is layered and well-coordinated. In this post, we will detail how to prevent, detect, and respond to phishing attacks.

Preventing Successful Phishing Attacks

Creating a Culture of Security Awareness

Only one employee needs to take the bait in a phishing attack for an entire organization to fall victim. That means employees need to be well-educated on what a phishing attack looks like and how to respond. Attackers know that less security-minded employees are an easy target because they are less informed about the dangers of a sly URL redirect, embedded link, or email attachment, but it’s time for that to change.

While traditional security training is often conducted as a yearly event, and often done online, we recommend a much more hands-on and practical approach. The most effective way to do this is by providing training that is:

  • Quarterly or, ideally, continuous, keeping security top-of-mind
  • In-person, ensuring employees are tuned in and participating
  • Up-to-date, educating employees on the latest schemes and tactics
  • Experiential, demonstrating mock phishing scenarios and how to respond

Employees should come out of these training sessions well-versed in what a malicious email attachment, URL, website, sender, or request looks like. For example, employees should know to never log into a non-HTTPS site and should be on the lookout for fake domains that switch letters (e.g. bankofamerica.com to bankofamer1ca.com). They should also be aware that no credible company will ask for a password or other login details over email or on the phone.
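The two cues just described (a login link that is not HTTPS, and a domain that imitates a trusted one by swapping a character or two, or by burying the trusted name inside a longer hostname) can also be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original post or from Komand; the allow-list of trusted domains and the sample email body are constructed for the example, and the "last two labels" rule for the registrable domain is a deliberate simplification that ignores suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains this hypothetical organization treats as legitimate.
TRUSTED_DOMAINS = ("bankofamerica.com", "komand.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; domain names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-label suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted_host(host: str) -> bool:
    """True when the host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_url(url: str) -> list:
    """Return human-readable findings for one URL; an empty list means nothing was flagged."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme.lower() != "https":
        findings.append("not HTTPS")
    if is_trusted_host(host):
        return findings          # genuine domain; only the scheme check applies
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:      # e.g. bankofamerica.com.secure-verify.net
            findings.append(f"trusted name '{trusted}' embedded in untrusted host '{host}'")
            break
        dist = levenshtein(reg, trusted)
        if dist <= 2:            # e.g. bankofamer1ca.com is one edit from bankofamerica.com
            findings.append(f"'{reg}' looks like '{trusted}' (edit distance {dist})")
            break
    return findings


def scan_email_body(body: str) -> dict:
    """Map each flagged URL found in the body to its findings; clean URLs are omitted."""
    report = {}
    for url in URL_RE.findall(body):
        findings = check_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample message body for the example.
SAMPLE_BODY = """Dear customer, your account is locked.
Please verify at http://www.bankofamer1ca.com/login within 24 hours.
Our help page: https://www.bankofamerica.com/help
"""

if __name__ == "__main__":
    for url, findings in scan_email_body(SAMPLE_BODY).items():
        print(url, "->", "; ".join(findings))
```

Run as a script it reports only the lookalike link, flagged both for using plain HTTP and for being one edit away from the trusted domain, while the genuine HTTPS help link passes. An edit-distance threshold of two is a starting point: raise it and short trusted domains will start to collide with unrelated ones, so tune it against your own allow-list.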

The best way to ensure employees are ready to handle a phishing attack (and that management is enforcing anti-phishing policies), is by testing them regularly. We recommend sending a test phishing email using the likes of Phishme, Knowbe4, Phishproof, or Phishd across the organization to measure how effective your training program is at preparing employees for real-life phishing scenarios.

Detecting Phishing Attacks

How to Stop Bad Actors In Their Tracks

Because phishing attacks are so prevalent, it’s not a matter of whether you will be attacked, but when you will be attacked and how you will respond. While phishing training and email security products will prevent a large majority of attacks from succeeding, the reality is that some will slip through. Building in defensive layers with tools and processes will safeguard your data, systems, and networks from further damage and allow you to stop attacks early in the kill chain.

Specifically, you should have in place:

Email Security
Detects suspicious emails and prevents them from ever reaching employee inboxes.
Examples: FireEye’s Email Security, Barracuda Email Security

Antivirus and Endpoint Security
Detects and potentially blocks damage by endpoint malware introduced via email. Advanced endpoint solutions can also monitor for behaviors (when attackers use credentials and built-in system tools for persistence).
Examples: McAfee Antivirus Plus, Kaspersky Antivirus, CarbonBlack

Two-Factor Authentication (2FA)
2FA helps mitigate the damage of credentials stolen by phishing by requiring a second authentication factor (such as a token or phone) to access systems.
Examples: Duo Security, SecureAuth

Encryption
Protects email content from being read by anyone other than the intended recipient(s). Additionally, if you use mail encryption as an organization policy, you can train users to be wary of unsigned emails from internal employees.
Examples: PGP Encryption, GnuPG, S/MIME

Browser Security
Adds a layer of security on top of the browser that scans for and blocks malicious webpages.
Examples: Blockulicious, TrafficLight, Adblock Plus

Threat Intelligence
By tracking the Tactics, Techniques, and Procedures (TTPs) of attackers, threat intelligence can identify phishing attempts by the metadata and content in the email.
Examples: TripWire, CarbonBlack

Email Sandbox
Isolates and analyzes suspicious emails to prevent damage on individual computers as well as across the network.
Examples: FireEye AX, Sandboxie

Using these tools in unison can be extremely powerful in detecting and mitigating damage from phishing attacks, but the effort to implement and manage them can also be significant, leaving little to no time to respond effectively. To avoid jumping from product to product to test and respond to potential phishing attacks, implementing security automation for routine investigatory tasks can free up time for you to respond while still allowing for human insight in the process.
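The threat-intelligence entry above talks about identifying phishing from the metadata and content of the email, and the paragraph just above about automating the routine checks an analyst would otherwise do by hand. The example below, added here and not taken from the original post or any Komand product, shows what a first-pass, fully automated header triage looks like using only the Python standard library: it compares the From, Reply-To and Return-Path domains, reads the SPF/DKIM results recorded by the receiving gateway in Authentication-Results, and looks for urgency language in the subject. Both raw messages are constructed for the example, as is the list of urgency words.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed list of phrases that commonly appear in pressure-tactic subjects.
URGENCY_WORDS = ("action required", "urgent", "immediately", "expires", "suspended", "verify")

# Constructed sample: a message that impersonates an internal helpdesk.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-promo.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-promo.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@example-login.net
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/plain

Your password expires today. Sign in here to keep access.
"""

# Constructed sample: an ordinary internal message for comparison.
CLEAN_RAW = """\
Return-Path: <bob@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Same place at noon?
"""


def domain_of(header_value) -> str:
    """Domain part of the first address in a header; '' when the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw: str) -> list:
    """Return a list of findings drawn from the message headers; empty means nothing stood out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    return_dom = domain_of(msg["Return-Path"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # Authentication-Results is written by the receiving gateway, so it is the
    # trustworthy place to read SPF/DKIM outcomes from (not the sender's headers).
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.IGNORECASE):
        if result.lower() != "pass":
            findings.append(f"{mech.upper()} result is {result.lower()}")

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    return findings


def verdict(raw: str) -> str:
    """Two or more independent findings is our (constructed) threshold for escalation."""
    return "suspicious" if len(analyze_headers(raw)) >= 2 else "clean"


if __name__ == "__main__":
    for name, raw in (("SAMPLE_RAW", SAMPLE_RAW), ("CLEAN_RAW", CLEAN_RAW)):
        print(name, "->", verdict(raw))
        for f in analyze_headers(raw):
            print("   ", f)
```

The output of `analyze_headers` is a list of plain sentences on purpose: that is the shape you would attach to a ticket (see the response section below) so the analyst sees why a message was escalated rather than just a score. The threshold in `verdict` is deliberately crude; a mismatched Reply-To alone is common in legitimate mailing-list traffic, which is why the example requires two independent signals.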

Responding to Phishing Attacks

How to Mitigate The Impact of An Attack

Whether it’s an employee or a tool that detects an attack (or both), it’s important that it’s reported quickly to the appropriate stakeholders. Leveraging your organization’s current ticketing system is an easy way to accomplish this, integrating seamlessly into existing processes. With security automation, you can configure your security tools to connect directly with your ticketing system so that attacks can be reported in real-time, every time.

If a breach happens, the response is not markedly different from responding to any other breach: time and speed of response matter. As part of your forensics and incident response process you should identify the source emails and determine whether any other users were targeted and led to related incidents. By holding a company-wide incident review to discuss what happened, its impact, and the solution, employees can learn for future scenarios. The more employees are informed about attacks, the more successful they will be in blocking attacks.
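The "determine whether any other users were targeted" step is usually a pivot through the mail gateway's delivery log on the indicators from the reported message: who else received mail from the same sender domain, and who else was sent the same link. The example below is added here (it is not from the original post) and runs against a constructed log in a made-up one-line-per-delivery format; a real gateway's log fields will differ, so the regular expression is the part you would adapt.

```python
import re
from urllib.parse import urlparse

# Constructed mail-gateway log for this example, not real data: one delivery per line.
SAMPLE_LOG = """\
2016-06-20T09:12:01 from=<alerts@example-login.net> to=<alice@example.com> subject="Action required: password expires today" url=http://example-login.net/reset
2016-06-20T09:12:03 from=<alerts@example-login.net> to=<bob@example.com> subject="Action required: password expires today" url=http://example-login.net/reset
2016-06-20T09:15:40 from=<newsletter@vendor.example.org> to=<carol@example.com> subject="June newsletter" url=https://vendor.example.org/june
2016-06-20T09:20:11 from=<it-team@mailer.example.net> to=<dave@example.com> subject="Password expires today" url=http://example-login.net/reset
2016-06-20T10:02:55 from=<alerts@example-login.net> to=<erin@example.com> subject="Your mailbox is full"
"""

# Matches the constructed log format above; the url field is optional.
LOG_LINE = re.compile(
    r'from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"(?: url=(?P<url>\S+))?'
)


def host_of_url(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def find_related_recipients(log_text: str, reported_sender: str, reported_url: str,
                            exclude=()) -> dict:
    """Map each recipient who got mail sharing an indicator with the reported message
    to the sorted list of indicators that matched. Recipients in `exclude` (typically
    the user who reported the message) are skipped."""
    sender_domain = reported_sender.rpartition("@")[2].lower()
    url_host = host_of_url(reported_url)
    related = {}
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue                      # unparseable line; a real tool would count these
        rcpt = m["rcpt"].lower()
        if rcpt in exclude:
            continue
        reasons = set()
        if m["sender"].rpartition("@")[2].lower() == sender_domain:
            reasons.add("same sender domain")
        if m["url"] and host_of_url(m["url"]) == url_host:
            reasons.add("same URL host")  # catches a different sender pushing the same link
        if reasons:
            related.setdefault(rcpt, set()).update(reasons)
    return {rcpt: sorted(r) for rcpt, r in related.items()}


if __name__ == "__main__":
    hits = find_related_recipients(SAMPLE_LOG, "alerts@example-login.net",
                                   "http://example-login.net/reset",
                                   exclude={"alice@example.com"})
    for rcpt, reasons in sorted(hits.items()):
        print(rcpt, "->", ", ".join(reasons))
```

Pivoting on the URL host as well as the sender catches the case in the sample log where a second sending address (it-team@mailer.example.net) delivered the same landing page under a different subject; pivoting on sender alone would have missed dave. The resulting recipient list is what drives the follow-up: credential resets for anyone who clicked, and the company-wide review the post recommends.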

It Begins and Ends With Employee Enablement

With your employees as the most useful, yet most vulnerable part of the phishing equation, preparing for phishing attacks must begin and end with the right employee training. From there, it’s all about leveraging the right tools and automating tasks across them to get the most value with the least amount of impact on your employees. That means more time for responding and getting back to business, and much less on digging through the weeds.

Want to see this kind of security automation in action? Check out our pre-recorded demo webinar.


About Jen Andre

Jen is the founder and CEO of Komand. Before Komand, she co-founded Threat Stack, a leading innovative cloud security monitoring company based out of Boston. She has spent a career in security working at companies such as Mandiant and Symantec and has a background in engineering and security operations.