By David Higgins, Senior Director at CyberArk’s Field Technology Office
We’ve all become better at spotting phishing attacks, especially when they land in our inboxes. In fact, only 2.9% of employees now click on phishing emails. Yet news of successful cyber attacks is still making headlines, highlighting how sophisticated some multi-pronged phishing schemes have become.
Five commonalities major phishing attacks share
Phishing can be accomplished in a number of ways, drawing on an ever-growing range of attack tactics, techniques and procedures (TTPs). Layered protections are essential, since a control that deters a phishing attempt one day might not deter it the next.
Cyber defenders are best placed when they know when and where to concentrate their efforts. In this piece we examine five trends seen in recent well-known phishing attacks, alongside advice from CyberArk Labs and our Red Team on how to reduce cyber risk.
- Using social engineering to identify people employed at particular technology companies
According to a recent study of security leaders, security awareness training is the second-best defence-in-depth measure for preventing ransomware, which is often delivered through phishing.
To prevent employees from falling victim to targeted attacks, security-conscious behaviour must be built into business culture. Hold regular training and education sessions to keep staff abreast of evolving social engineering and phishing tactics, and consider adding simulated phishing exercises to them. Also check that your spam filters are working properly, so that suspicious emails, mass mailings and unsolicited marketing material do not reach employee inboxes in the first place.
- Identity compromise: entering the network with stolen first-factor credentials, for instance by harvesting passwords cached in users’ browsers or by man-in-the-middle (MitM) attacks that intercept passwords in transit
Awareness programmes cannot always stop users from being phished, especially as attacks become more sophisticated. When deploying endpoint security controls, focus first on the higher-risk users. Endpoint privilege management is an important layer in the overall defence: it can protect client-side credentials and help prevent the theft of session cookies that would let an attacker bypass multi-factor authentication (MFA) altogether.
- MFA fatigue attacks, in which attackers spoof trusted sources via voice and SMS phishing, repeatedly prompt users to accept MFA notifications until they give in, and then use that approval to access the corporate VPN and other target systems
Attackers continue to develop new techniques to target MFA and undermine security controls. Many of these attempts can be thwarted by choosing phishing-resistant MFA factors, such as FIDO2/WebAuthn authenticators, QR-code-based factors or physical tokens.
One way to lessen MFA fatigue is to change your organisation’s MFA configuration to require a one-time password (OTP) rather than a push approval. Users confronted with repeated authentication prompts frequently grow careless and unintentionally open the door for attackers. An OTP demands more from the user, but it cannot be approved by reflex, so it reduces the danger posed by MFA fatigue.
MFA fatigue only works when the attacker already holds the user’s credentials and needs the user to accept the MFA prompt to get in. If an organisation can neutralise MFA fatigue, the attacker is forced to pick another attack vector. Requiring an OTP greatly lowers the risk and the user’s susceptibility to this kind of attack.
A more user-friendly approach is to require number matching for a successful MFA authentication. When number matching is enabled, the login screen shows a number, and the user must enter that number into the authenticator app to approve the push. A user on the receiving end of a fatigue attack cannot approve the request, because the number appears only on the attacker’s login screen and the user never sees it.
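The difference between a bare push approval and number matching is easiest to see in code. The following is an added example, not CyberArk’s product code or anything from the incidents discussed above: a toy push-MFA back end that can run in either mode, plus a simulation of a fatigue attack (attacker has the password, victim eventually taps Approve without ever seeing a number) and of a legitimate login. Names such as PushMfaServer and respond_from_app are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PushChallenge:
    challenge_id: str
    number: int              # two-digit number shown on the login screen only
    consumed: bool = False
    approved: bool = False


class PushMfaServer:
    """Toy push-MFA back end (example code, not a real product).
    In legacy mode a bare 'Approve' from the phone is enough; in
    number-matching mode the app must also send the number that was
    displayed on the login screen that started the challenge."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self._challenges = {}

    def start_login(self, username: str) -> PushChallenge:
        # Called after the first factor (password) has already been verified,
        # which in a fatigue attack is exactly what the attacker has stolen.
        ch = PushChallenge(secrets.token_hex(8), secrets.randbelow(100))
        self._challenges[ch.challenge_id] = ch
        # Only the challenge id is pushed to the phone; the number goes to the
        # login screen, so whoever is at the keyboard sees it and nobody else.
        return ch

    def respond_from_app(self, challenge_id: str, approve: bool,
                         entered_number: Optional[int] = None) -> bool:
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.consumed:
            return False          # unknown or already-used challenge (replay)
        ch.consumed = True
        if not approve:
            return False
        if self.number_matching and entered_number != ch.number:
            return False          # approval without the matching number is void
        ch.approved = True
        return True


def simulate_fatigue_attack(number_matching: bool, prompts: int = 5) -> bool:
    """Attacker holding the victim's password fires repeated push prompts.
    The victim has no login screen in front of them, so they never see a
    number; on the last prompt they give in and tap Approve.
    Returns True if the attacker gets in."""
    server = PushMfaServer(number_matching)
    for i in range(prompts):
        ch = server.start_login("victim")
        victim_taps_approve = (i == prompts - 1)
        if server.respond_from_app(ch.challenge_id, victim_taps_approve,
                                   entered_number=None):
            return True           # attacker is in
    return False


def legitimate_login(number_matching: bool) -> bool:
    """The real user reads the number from their own screen and types it in."""
    server = PushMfaServer(number_matching)
    ch = server.start_login("alice")
    return server.respond_from_app(ch.challenge_id, True, entered_number=ch.number)


if __name__ == "__main__":
    print("legacy push, fatigue attack succeeds:", simulate_fatigue_attack(False))
    print("number matching, fatigue attack succeeds:", simulate_fatigue_attack(True))
    print("number matching, legitimate login:", legitimate_login(True))
```

Two details matter in practice and are reflected in the code: a challenge is single-use, so an approval cannot be replayed, and a fatigued user who starts guessing numbers has a 1-in-100 chance per prompt, which is why real deployments pair number matching with rate limiting and lockout after a few wrong entries.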
Adaptive MFA adds another layer of protection using information that the user does not proactively supply. Attributes such as location, device operating system and previous login details, together with geo-velocity checks (a user cannot feasibly log in from New York and then from London within a 60-minute period), help determine which authentication factors should apply to a particular user in a particular situation. This context-aware approach balances security requirements against the user experience.
To stop malicious activity from going unnoticed, set up proactive reviews of risky events and require MFA whenever a user’s profile is changed. User behaviour analytics can also feed contextual triggers in your security operations centre that block authentication from suspect IP addresses or raise an alert when anomalous behaviour is seen.
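A minimal version of the adaptive decision described above, as an added example that is not part of the original article and not a CyberArk component: each login is compared with the user’s previous one, and the outcome is one of allow, step up to an OTP, step up to a phishing-resistant factor, or deny. The blocklist (203.0.113.0/24), the known-OS table, the 900 km/h travel threshold and all login events are constructed for the example; the New York and London coordinates and the 45-minute gap reproduce the impossible-travel case from the text.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    device_os: str


# Constructed policy inputs for the example. In production the blocklist would
# come from the SOC's threat feeds and the known-OS table from login history.
MAX_PLAUSIBLE_KMH = 900.0                                   # roughly airliner speed
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # example "suspect" range
KNOWN_OS = {"alice": {"Windows 11"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def travel_speed_kmh(prev: LoginEvent, curr: LoginEvent) -> float:
    """Speed the user would have needed to get from prev to curr."""
    dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def assess_login(prev, curr, blocked_nets=BLOCKED_NETS, known_os=KNOWN_OS):
    """Return {'decision': ..., 'reasons': [...]} for the current login.
    Decisions: deny, step_up_fido, step_up_otp, allow."""
    addr = ipaddress.ip_address(curr.ip)
    if any(addr in net for net in blocked_nets):
        return {"decision": "deny", "reasons": ["ip_on_blocklist"]}
    reasons = []
    if prev is not None and travel_speed_kmh(prev, curr) > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")          # geo-velocity check
    if curr.device_os not in known_os.get(curr.user, set()):
        reasons.append("unfamiliar_device_os")
    if "impossible_travel" in reasons:
        decision = "step_up_fido"    # strongest signal: demand a phishing-resistant factor
    elif reasons:
        decision = "step_up_otp"
    else:
        decision = "allow"
    return {"decision": decision, "reasons": reasons}


def demo():
    """Constructed login sequence for user alice; returns the decision per scenario."""
    t0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    ny = LoginEvent("alice", t0, "198.51.100.10", 40.7128, -74.0060, "Windows 11")
    london_45m = LoginEvent("alice", t0 + timedelta(minutes=45), "192.0.2.25",
                            51.5074, -0.1278, "Windows 11")
    london_blocked = LoginEvent("alice", t0 + timedelta(minutes=45), "203.0.113.7",
                                51.5074, -0.1278, "Windows 11")
    ny_new_os = LoginEvent("alice", t0 + timedelta(hours=2), "198.51.100.10",
                           40.7128, -74.0060, "Android 14")
    boston_5h = LoginEvent("alice", t0 + timedelta(hours=5), "198.51.100.77",
                           42.3601, -71.0589, "Windows 11")
    return {
        "impossible_travel": assess_login(ny, london_45m),
        "blocked_ip": assess_login(ny, london_blocked),
        "new_device": assess_login(ny, ny_new_os),
        "normal": assess_login(ny, boston_5h),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result['decision']:13s} {result['reasons']}")
```

The ordering is deliberate: a blocklisted source is refused before any other attribute is considered, impossible travel escalates straight to a phishing-resistant factor rather than a push that could itself be fatigued, and a merely unfamiliar device gets the lighter OTP step-up so that legitimate users on a new phone are not locked out.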
- Moving laterally to establish persistence, hide their tracks and compromise more servers and systems, and escalating privileges to reach critical systems such as domain controllers
Implement least privilege across all infrastructure, applications and data to reduce cyber risk. Although the idea is simple, applying it at scale is hard. Intelligent privilege controls can safeguard access to your most important assets for every identity and automate the identity lifecycle, backed by behavioural analytics and ongoing threat monitoring and prevention.
- Data exfiltration
In one of the most recent phishing attacks, threat actors reportedly tried to re-enter the network after stealing data by targeting employees who might have changed only a single character of their password after a mandatory credential reset. The attackers were unsuccessful on that occasion, but the lesson stands: a reset is only as good as the new password. Enforce strong, genuinely new passwords, or better yet, let a password manager generate them so that users are relieved of the chore altogether.
Phishing has reached new levels of creativity, and recent incidents show the lengths attackers will go to in order to deceive trusting or MFA-weary victims. Since rogue clicks are unavoidable, an effective anti-phishing defence should combine technological and human controls, and prioritise spotting threats early, before they grow into something more dangerous.
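The one-character-change trick only works if the reset flow accepts such a password. The following is an added example, not code from the article or any CyberArk product, of the check a password-change handler can run when it has both the current and the proposed password (as it does when the user supplies the old one in the change form): it rejects new passwords within a small edit distance of the old one, case-only changes, and passwords that merely swap the digits or symbols around the same word. A generator for replacement passwords is included for the case where users are happy to let the tool choose. The function names, the edit-distance threshold of 2 and the sample passwords are all assumptions made for the example.

```python
import re
import secrets
import string
from typing import Tuple


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and
    substitutions that turn a into b (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        curr = [i]
        for j, cb in enumerate(b, 1):
            curr.append(min(prev[j] + 1,                 # delete ca
                            curr[j - 1] + 1,             # insert cb
                            prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = curr
    return prev[-1]


def _letters_only(pw: str) -> str:
    """Strip digits and symbols and lower-case, to compare the 'word' part."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_change(old: str, new: str, max_distance: int = 2) -> Tuple[bool, str]:
    """Return (trivial, reason). Flags new passwords that an attacker who
    knows the old one would guess in a handful of tries."""
    if new == old:
        return True, "unchanged"
    if new.lower() == old.lower():
        return True, "case change only"
    d = edit_distance(old, new)
    if d <= max_distance:
        return True, f"only {d} character(s) differ"
    core_old, core_new = _letters_only(old), _letters_only(new)
    if core_old and core_old == core_new:
        return True, "same letters, only digits or symbols changed"
    if len(core_old) >= 4 and core_old in core_new:
        return True, "old password reused inside the new one"
    return False, "ok"


def generate_password(length: int = 20) -> str:
    """Random password from the printable ASCII set using the CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample resets: the first three are the kind of change the
    # attackers in the text were betting on.
    for old, new in [("Winter2023!", "Winter2024!"),
                     ("Password1", "password1"),
                     ("Winter2023!", "!!Winter2023"),
                     ("Winter2023!", "correct horse battery staple"),
                     ("Winter2023!", generate_password())]:
        trivial, reason = is_trivial_change(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if trivial else 'accept'} ({reason})")
```

For a forced reset where the user does not type the old password, the same idea can still be applied by checking a bounded set of single-edit neighbours of the proposed password against the stored hash of the old one, but with a slow hash such as bcrypt that costs thousands of hash computations per change, so it is usually reserved for high-value accounts.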