Anti-phishing Strategies to Defend Your Organisation

Tash Postolovski
Tash Postolovski
Technical Marketing Manager
Anti-phishing Strategies to Defend Your Organisation
March 5, 2024

If you feel like your phishing response team has been seeing more attacks than ever before, you’re not alone.

The frequency of phishing and spearphishing attacks appears to be ever-increasing as people conduct more of their work and personal lives online.

This post will cover the state of the art in anti-phishing techniques, with a focus on strategies that SOC teams, anti-phishing teams and fraud teams can use to defend customers against phishing attacks, and staff against spearphishing attacks.

At Cosive, we work with many high-profile fraud targets, such as major banks, that face thousands of attempted phishing attacks every year. These anti-phishing strategies are borne out of these experiences.

Phishing vs. Spearphishing

Customer-facing organisations often need to deal with two main types of phishing attacks: phishing attacks targeting customers and spearphishing attacks targeting staff. We’ll address both of these separately, although some of the anti-phishing strategies listed here are useful in protecting against both types of attacks.

Defending against phishing attacks targeting customers

An example from Bendigo Bank on outlining service boundaries to customers in response to a high-profile cyber attack in the Australian financial services industry.

Outline privacy boundaries and things you’ll never ask for

When your organisation is clear about things it will never do (such as asking customers to share their password or pin number over email) it is much easier for users to identify phishing attacks that violate these boundaries. A good place to communicate these service boundaries is during user onboarding and via email newsletters sent to customers.

Swift take-downs

According to IBM researchers, 70% of credentials are harvested within the first hour of a phishing attack, on average. This means that taking down phishing sites immediately is a critical step in limiting the impact of an attack.

As soon as you discover a phishing site you’ll want to perform a lookup on the domain using a WhoIs service and note down the name servers, registrant and registrar, and abuse contact information. Next, you can repeat the WhoIs lookup on the name servers to obtain their contact information. Contact the hosting service and the domain registry to report the malicious website and (hopefully) get it taken down as quickly as possible.

Sometimes, phishing websites are hosted on legitimate domains that have been compromised. In this case, you’ll need to contact the business to get them to take action to remove the malicious site.

The record highlighted in red is an example of a canary credential, designed to be indistinguishable from actual victims, including browser profile and fingerprint.

Use canary credentials to ruin the payload for credential harvesting attacks

Similar to canary tokens, canary credentials are realistic fake user credentials that organisations can use to deter phishing attacks and track the activity of credential harvesters.

Anti-phishing software like Phishfeeder can be used to automatically poison phishing websites with canary credentials while you wait for the website to be taken offline. This negatively impacts phishing attackers in three ways:

  1. If the attacker tries to sell a credential dump on cybercriminal forums many of the credentials will be fake and worthless, harming their reputation in that community.
  2. If the attacker wants to use the credentials themselves they’ll need to waste significant time sorting real credentials from fake, making your organisation a less appealing target.
  3. You can trigger alerts on any attempted use of these canary credentials. This enables either an automated or manual response to the use of stolen credentials, such as blocking the phisher or monitoring their activity to learn more about their methods and motives.
How canary credentials work for phishing defense (source: Automating anti-phishing canary credentials at scale).

Give customers clear and easy to follow steps for reporting phishing

A savvy customer receives a phishing email impersonating your business. They want to notify you about the attempted attack. What happens next?

Many customers will google ‘report a scam <your business name>’ to look for information on how to report what they perceive as a scam (they may not be familiar with the term ‘phishing’).

Provide a page on your website with instructions on what to do about a suspected phishing email or SMS. As shown below, National Australia Bank (NAB) goes so far as to provide a dedicated email address and phone number for forwarding phishing lures.

NAB’s security guide lists a dedicated email address to forward suspicious email messages and a dedicated phone number for forwarding suspicious text messages.

Configure DMARC, SPF and DKIM to prevent spoofing of your domain

Spoofing attacks involve the sender using forged email headers to display a fake sender address (typically one that the user would be expected to recognise, or trust).

With DMARC, SPF and DKIM configured, receiving email servers can determine whether the sender is actually authorised to send email from the domain, check the email’s digital signature to authenticate it, and follow the rules for handling unauthenticated messages specified with DMARC (do nothing, quarantine, or reject).

It’s worth noting however that many phishers register their own domain because people often don’t twig that phishing URLs aren’t owned by the legitimate organisations they’re impersonating (such as a bank). While we definitely recommend configuring DMARC, SPF and DKIM, it can only help protect against certain specific types of phishing attacks involving email spoofing.

Defending against spearphishing attacks targeting staff

Use anti-spam email filters updated with machine-to-machine feeds to protect against spearphishing attacks and block suspicious emails

While almost every organisation uses some kind of email filter, not every organisation keeps these filters up to date with the latest threat intelligence (learn more about threat intelligence here). Doing so can provide a powerful layer of extra protection against phishing attacks.

For example, let’s imagine you are subscribed to a threat intelligence feed which identifies an email address as potentially malicious because of its association with recent phishing attacks. With the right tools and configuration, details about this email address can be automatically pushed out to your email filter without any human intervention, potentially preventing your organisation from being targeted by the same attacker. This is one of the most powerful use cases for Threat Intelligence Platforms (TIPs) like MISP.

Focus on staff education

Organisations are doing a better job than ever before at equipping staff to recognise phishing attacks.

Even so, aiming for 100% detection isn’t realistic. It’s equally important to equip staff to recognise when they’ve fallen victim to an attack, and to feel safe to report this. You can’t mitigate phishing attacks that you don’t know about.

A core part of this step is maintaining a blame-free culture around phishing and having realistic expectations that staff will occasionally fall victim to attacks.

Run phishing simulations

An excellent way to test the effectiveness of your anti-phishing training is to run a phishing simulation. This involves your organisation or a trusted external party launching a fake phishing attack against your users and observing the results. The most valuable use of this data is to identify trends in your organisation’s response to phishing attacks. Running multiple simulations using different techniques and at different times can help you to identify gaps and weak spots in your anti-phishing training.

Phishing attack simulations have proven to be such a useful tool that Microsoft have added phishing attack simulations into some enterprise editions of Microsoft 365.

Source: Microsoft

Expand your staff phishing training to cover more channels than just email

Phishing lures are increasingly being delivered via SMS (a.k.a. “smishing”) and on services like LinkedIn, WhatsApp, Office 365, Google Workspace, Telegram, Slack, Teams, and others (source). In particular, SMS is one of the fastest growing phishing channels.

An unsuccessful WhatsApp spearphishing attack against an employee impersonating Cosive’s Managing Director.

Many core business processes are moving out of email and into SMS and specialised services, making them a valuable target for phishing attackers. It’s important that your anti-phishing training and education programs also covers SMS and other ancillary services, rather than focusing solely on email.

Have clearly defined and documented business processes that apply to everyone, regardless of seniority

Many spear phishing attacks involve faking extraordinary, urgent requests from senior leadership, such as a rushed request from the CEO to transfer money to a previously unknown bank account.

Having clearly documented business processes makes it much easier for staff to identify when such requests go against protocol.

If your organisation doesn’t have a strong culture around documentation, start with documenting your most sensitive processes first: things like approving payments, initiating bank transactions, sharing documents, providing access to systems, or providing customer or employee data.

Develop and share a simple and clear process for spearphishing victims to notify you

Sometimes victims don’t recognise a phishing attack until after they’ve fallen victim to it. Perhaps only after opening a file did the victim realise it contained malware. Or perhaps only after inputting sensitive data did the victim realise that the website was suspicious.

The worst thing that can happen after a phishing attack is that the victim fails to notify anyone that they’ve been compromised. There are two common reasons why this happens:

  • The victim is afraid of being punished or suffering reputational damage for falling victim to the attack.
  • The victim doesn’t know how or where to report the incident.

As mentioned earlier, establishing a blame-free culture around phishing attacks is key to addressing the first reason. Victims should be able to report phishing attacks confidentially, and without negative repercussions. Rather than punishing the victim, treat these reports as a data-point that you feed into your overall anti-phishing training program.

Having a clear process for reporting phishing attacks is the first step to addressing the second reason why victims might not report a successful attack. Victims should know who to contact and what information to include in their report. Victims should also be assured upfront that the report will be treated in confidence. Finally, phishing reports must be responded to as quickly as possible. Every minute a phishing site is online increases the risk to your organisation.

Mitigate the impact of the attack (as much as possible)

Finally, your reporting process should help you efficiently extract the information you need to mitigate the impact of the attack, such as by isolating and analysing machines potentially compromised with malware, or figuring out which credentials have been stolen.

Implement a patching regimen to keep all your organisation’s devices up to date

Timely patching of software is one of the best ways to combat phishing attacks involving malware. Malware often “phones home” to the attacker to transmit information about the compromised host machine. If malware repeatedly fails to infect your systems because your devices fully are patched and up to date, it’s logical that malware attackers may decide to move on to perceived “softer targets” without an effective patching regimen.

Enable safe browsing filters in web browsers

Another strategy is to enable safe browsing filters in web browsers to block malicious content, since most modern browsers include a built-in safe browsing mode. However, keep in mind that there’s often a lag between a phishing lure being sent out and protection being effective in the browser.

Limit administrator accounts and unnecessary access

Of late, there have been many high profile data breaches involving compromised employee credentials. One high-profile example is the CircleCI data breach which occurred in late 2022, where an attacker used malware to steal an authenticated session cookie. This allowed the threat actor to log in as the compromised employee, a software engineer with access to production systems.

What’s especially notable about this attack is the amount of sensitive data the threat actor was able to access with this employee’s credentials, including customer environment variables, tokens, and keys. Although the data was encrypted, the threat actor was able to use the same stolen credentials to access encryption keys and decrypt the data.

In this case, a single software engineer’s credentials gave the threat actor the “keys to the kingdom”, so to speak.

This attack demonstrates the importance of assuming that employee credentials could be compromised at any time, and therefore limiting their scope to only the products, services and tools essential to the employee’s current scope of work.

Administrator access should be given only to employees who can’t perform their role without them, and only for the systems essential to their role.

Equip employees to verify untrusted attachments

In some roles it is impossible to avoid opening untrusted email attachments from third parties (in particular, any role that interfaces with the public or with third party vendors). You can mitigate some of the risk of malware by having employees run unknown files through a malware analysis tool like VirusTotal to check whether security vendors or sandboxes have flagged the file as suspicious. (However, keep in mind that the confidentiality of files uploaded to VirusTotal can’t be guaranteed.)

Using VirusTotal to verify a PDF from a third party.

Use Multi-factor Authentication (MFA) to limit the impact of compromised credentials

If employee credentials are compromised in a phishing attack, MFA can prevent the attacker from logging in with those credentials. Google researchers determined that the most effective form of MFA are security keys (such as YubiKey), followed by on-app prompts (such as Google Authenticator). Although convenient, SMS authentication is vulnerable to SIM card cloning or hijacking and is therefore the least effective form of MFA.

Leverage anti-virus and anti-malware software to protect employee devices

Malware is a common payload for phishing attackers, delivered either via an email attachment or a phishing website. Protecting employee devices with anti-virus and anti-malware software can help to mitigate the impact of an employee downloading a malicious file.

Key Takeaways

An effective anti-phishing strategy includes tactics in each of the four layers we’ve covered here: filtering, target response, detection and mitigation, and prevention and deterrence.

We’ll leave you with some helpful questions you can work through as a team tasked with anti-phishing responsibilities. These questions can help you identify the strengths and weaknesses in your organisation’s anti-phishing strategy.

ANTI-PHISHING STRATEGY CHECKLIST

  1. Have you communicated the privacy boundaries of your service and things you’ll never ask for?
  2. Do you have a clear and timely process in place for phishing site takedowns?
  3. Have you provided customers with information on how to report phishing attacks?
  4. Are you using canary credentials to damage the payload of phishing attackers?
  5. Have you configured DMARC, SPF and DKIM for your domain?

ANTI-SPEARPHISHING STRATEGY CHECKLIST

  1. Are you using anti-spam filters enriched with a machine to machine feed of the latest threats (for example, using a threat intelligence platform like MISP?)
  2. Have you provided training to your staff about spearphishing?
  3. Do you have an established cadence for running phishing simulations?
  4. Do you educate staff about the potential for phishing attacks targeting channels other than email?
  5. Do you have clearly defined and documented business processes, with a focus on processes involving payments, transactions, access, and sensitive data?
  6. Do you have a simple and clear process for spearphishing victims within your organisation to report a phishing attack?
  7. Do you have a procedure in place for investigating and mitigating successful phishing attacks?
  8. Do you have a patching regimen in place to keep your organisation’s devices and software up to date?
  9. Have you eliminated non-essential administrator accounts and limited employee access to strictly necessary systems and data?
  10. Have you equipped employees with a means to check whether untrusted attachments like resumes and invoices are safe to open?
  11. Are you using MFA to protect employee accounts?
  12. Are you using reputable anti-malware and antivirus software to protect your employee devices?

Anti-phishing and anti-spearphishing is one of our main areas of focus at Cosive. Feel free to reach out to us for a no-obligation chat around opportunities to strengthen your organisation’s anti-phishing strategy.

Related posts

Browse all articles
February 21, 2024

Running Your SOC Playbooks as Code: Getting Started

You know when you run into someone you haven’t seen in for a while, and you’re like: “How’s that car you’re rebuilding?” And then for the next two hours they excitedly tell you about it? That’s pretty much what I’m like with SOAR at the moment (Security Orchestration, Automation, and Response). I’ve been living and breathing SOAR for the last two or three months. It’s a really interesting area, and probably the only thing in security that I think everyone should do.

February 21, 2024

Cosive Claims First Bounty on the Bluehat Threat Detection Platform

Cosive co-founder and Managing Director Kayne Naughton has claimed the first ever threat detection bounty on the recently launched Bluehat Platform, brainchild of Australian cybersecurity startup Illuminate Security.