Three key elements of a phishing defense in depth approach
Phishing is possibly the oldest and most powerful attack vector threatening organizations today. Over 90% of all cyber attacks start with a phishing email. Google is reportedly blocking 18 million scam emails every day and reported a record two million phishing websites last year.
And phishing attacks don’t seem to be going away any time soon. In fact, they’re going to become even more targeted as organized crime syndicates get their hands on dark web data dumps. Fighting and mitigating these attacks can be difficult and requires multiple layers of defense. Let’s explore the three main elements of a multi-level defense-in-depth approach:
1. Policies, procedures and documentation
It is essential that organizations establish guidelines for employees and vendors on what is allowed and what is not allowed regarding devices and services and personal responsibilities.
Acceptable Use Policy (AUP) is a key element that must be documented, read, signed and reviewed by each individual, each year. Employees should be transparently informed about the importance of security awareness training, how their progress will be monitored and the potential consequences (further training, tips, Internet access lockdown, etc.)
Anti-phishing policy covers awareness topics on phishing, common social engineering scams and recent examples, and education on how a stakeholder should deal with suspected threats. The document should describe best practices such as: users should not install unauthorized software; always analyze URLs before clicking; never reply to a suspicious email or text message and always report any email or interaction that seems (or smells) “sketchy”. Wire transfers above a certain threshold should be verbally confirmed with the requester to avoid compromise of business email or wire transfer fraud.
A business continuity and disaster recovery plan helps minimize damage in the event of a cyber attack. This can include detailed steps on who to contact (crisis management consultants, cybersecurity insurance, etc.), which teams to include (legal, HR, public relations, etc.) and advice on whether to pay a claim. ransom or not in case of ransomware attack.
2. Technical defenses
While policies are an important strategic basis for phishing prevention, having the right technical defenses can effectively combat phishing attacks. Below is a summary of the most popular approaches for defense in depth:
Malware Mitigation: Endpoint security and network security tools such as antivirus, endpoint detection, and intrusion detection are some of the most basic tools available to tackle the root causes of phishing attacks such as DDoS attacks, eavesdropping, man-in-the-middle and buffer overflow attacks.
Content filtering: Many companies fall prey to phishing attacks because their employees are carelessly surfing the Internet. Web filtering or content filtering policies can help prevent access to certain sites, greatly reducing the likelihood of visiting risky websites.
Email client specific protection: Most email clients, web browsers, and email providers provide anti-phishing functionality by default or built-in (for example, block all file downloads by default).
Multifactor authentication: MFA can significantly reduce certain types of phishing attacks. Your password can be accidentally phished, but a secondary authentication method can prevent you from being hacked.
Reputation Services: Reputation services will provide a risk score and advise, block, or allow content based on the origin of a URL. Blacklist services will block emails from known malicious domains, while whitelist services will only allow content from previously verified or authorized domains. A greylist service will confirm the legitimacy of an unrecognized email address by rejecting the email first and requesting a copy from the server later.
Password managers: Password managers can allow users to easily store long and complex passwords across multiple sites without having to rely on their memory. They dramatically reduce password reuse and the risk of a single password being compromised.
Global phishing protection standards: Phishing standards such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) help protect domains against identity theft. When these are enabled, recipients can verify the authenticity of an email claiming to be from a particular domain.
Red / green systems: In environments with low tolerance for risk and very high value assets, users may have two separate systems. Red systems are highly secure and contain only critical applications, while green systems are less secure and can be used for internet browsing and routine business activities.
3. Security awareness training
Research proves that technical guarantees alone are not enough to provide the ultimate protection against phishing. Studies show that 90 days of fake phishing can help develop a culture of skepticism and reduce an employee’s Phishing Predisposition Percentage (PPP) by up to 60%. Positive reinforcement by employers, such as special public recognition, gift certificates, pizza parties, and even cash bonuses, can have a positive influence on adopting a healthy safety posture.
Remember that phishing susceptibility has no correlation with intelligence. A higher IQ doesn’t mean you won’t be phished; some of the smartest people have fallen prey to phishing attacks. What helps organizations is having a multi-layered approach: having the right policies and the right technical defenses combined with building muscle memory to get people used to recognizing, rejecting and reporting phishing attempts. A defense-in-depth approach is a good start to improving a business’s cyber resilience.