Security Agency Recommends Businesses Change their Approach to Combat Phishing

The UK National Cyber Security Centre (NCSC) has issued advice to businesses to help them improve their defenses against phishing, one of the most common ways that malicious actors gain initial access to business networks. Phishing targets employees, who are weak links in the security chain. Employees are prone to make mistakes, and all it takes is for one employee to fail to recognize a phishing threat for a threat actor to gain access to the network. Since employees are targeted, it makes sense to provide training to help employees recognize and avoid threats, but a common mistake made by many businesses is to punish employees who click on malicious links or open malicious files. Phishing threats can be difficult to identify and even seasoned IT professionals can be fooled by phishing emails, so it is unreasonable to expect other employees to be able to do so 100% of the time.

The problem with blaming employees for responding to phishing emails is it creates a culture of fear, where employees are reluctant to report threats. The delay in notifying the security team when a malicious attachment is opened or a phishing link is clicked results in a delay in mitigating the attack. That delay could give the attacker sufficient time to move laterally, steal data, and deploy ransomware or cause other harm. What businesses should strive for is to create a culture of reporting. Employees should be encouraged to report threats they identify as well as any errors they have made and to make it clear that employees will not be blamed for mistakes.

The NCSC also draws attention to the advice given by many businesses to their employees in security awareness training. Telling employees not to click links or open attachments in unsolicited emails or messages from unknown senders is good advice in theory, but not particularly helpful in practice, because employees often have to click links in emails or open attachments as part of their job.

The NCSC has instead suggested a change in mindset, and that is to assume that users will sometimes, completely unintentionally, click on bad links when they are at work. Rather than it being the responsibility of the employee to recognize, avoid, and report phishing attempts, businesses must understand that it is their responsibility to protect employees. Security awareness training is important as it will help employees identify and avoid threats, but ultimately it is the responsibility of the business to protect against and mitigate phishing threats, and that requires a range of technical measures.

The key to effective phishing defenses is to adopt a defense-in-depth approach. Multiple safeguards and technical controls need to be implemented to block and mitigate attacks because no single measure or cybersecurity solution is capable of blocking every threat. Security awareness training is one layer, but it is not the primary defense. It is a layer that provides protection when others fail.

Phishing attacks often seek credentials, so one of the best ways of defending against attacks is to do away with them and implement passwordless authentication, using a FIDO token. If this is not currently possible, then ensure that multi-factor authentication is set up and use single sign-on for any third-party websites that the business uses. Since passwords will likely be required for other websites and services not covered by single sign-on, provide employees with a password manager.

A password manager is an important, yet often forgotten layer of security for combatting phishing. The password manager stores passwords for specific URLs or domains. If a user lands on a phishing page that requests credentials – a spoofed Microsoft 365 page for example – the password manager will not auto-fill the password, as there is no password associated with that URL or domain. Password managers are low-cost solutions, with many having free tiers. Bitwarden, for example, even has a free tier for small businesses. Also, configure the password manager’s 2FA and instruct employees on creating secure, unique master passwords. The NCSC also suggests only permitting the business’s devices to access resources or by denying OAuth/consent phishing to arbitrary sites at cloud tenancy levels.

Phishing attacks often involve malicious attachments or files linked in phishing emails, which are used to deliver malware. Controls therefore need to be implemented to protect against these malicious files. A spam filtering solution is essential as this will block files with known malicious URLs and will scan attachments. Choose a spam filter that has a sandbox, as the AV engines of spam filters will only block known malicious files. A sandbox will allow unknown files to be analyzed to identify suspicious behavior. The spam filter should incorporate DMARC and SPF, or these policies should otherwise be set to block spoofed emails.

Web filters can help as they will prevent access to known or malicious websites and can be configured to prevent the downloading of executable files from the Internet. You should also use allow-listing to make sure that executables can’t run from any directory to which a user can write and use registry settings to cover anything not covered by allow-listing, for example, to ensure that dangerous scripting or other file types are opened in Notepad and are not executed. Also consider using PowerShell in restricted mode, blocking .iso files from being mounted, and ensuring that macros are disabled and locked down. Only users that must use macros for work should be able to run them.

With such a defense-in-depth approach, the majority of phishing threats can be blocked or mitigated and it will be less important for every employee to be able to identify and report phishing attempts, although if they can that would be ideal. “It’s time for organisations to move away from using blame and fear around clicking links, even if it’s usually unintentional. This means, for example, not running phishing exercises that chastise users for clicking on bad links,” suggests NCSC.

Author: NetSec Editor