No amount of awareness training can eradicate the cascading effects of a wrong click. But the cost to attackers can always be raised, and their odds of achieving their aims can always be reduced. That is done by building a path of greatest resistance, and it starts with thinking about how your firm looks to an adversary.
Consider Lockheed Martin’s classic Cyber Kill Chain, which we have adapted into the following eight steps because we find it a convenient way to think through how a criminal plans a phishing attack:
- External reconnaissance
- Delivery
- Code execution
- Persistence
- Command and control
- Internal reconnaissance
- Lateral movement
- Objective
Using the kill chain to evaluate how an adversary approaches an organization makes it easier to identify the steps an attacker must complete to successfully compromise a given company. This lets security professionals put preventive or investigative controls in place at each of those steps.
Phishing is commonly thought of as occurring exclusively in the “delivery” phase of an attack. In fact, a successful phishing attack requires success in each of the first four phases, which gives security professionals and organizations the opportunity to prevent, detect and respond before an attacker gains a foothold.
Here is how attackers see those first four phases, and the practical steps organizations can take at each of them to stop cybercriminals from getting through.
External reconnaissance
An attacker’s first activity is to study the target firm, which likely starts with a simple Google search. The aim is to understand how the organization can be breached.
Conduct an open-source intelligence (OSINT) exercise to see the potential victim firm as an attacker would. Automated and manual techniques, such as Google hacking (advanced search operators), can surface information that is useful to an attacker.
This information is spread across many internet venues, including Facebook, Twitter, your website, blogs and so on. When doing a self-assessment, ask: what kind of information do we put in job postings? What news are we publishing on LinkedIn? And what information about us can outsiders piece together from LinkedIn?
Determine which information is most likely to be used to target the organization and its employees. The information being shared needs to be managed to reduce attackers’ chances of success.
Phishing attack delivery
In this step the attacker sends emails to the organization’s staff. That happens continuously. But because of the attacker’s preparation in the first phase, these phishing emails are significantly more effective than untargeted attacks.
The attacker’s objective is to deliver malware that grants network access, or to trick employees into disclosing sensitive information (e.g., login credentials).
Security professionals have to understand who the attacker is likely to target and how, and precisely what the attacker is likely to deliver. Assess which dangerous executables and URLs can reach the network. The mail gateway needs to be configured to minimize that exposure.
Web and mail gateways are common in most environments, so an attacker cannot simply send any kind of URL or email. It is the security team’s responsibility to understand what kinds of URLs and attachments can reach staff inboxes. Most companies have some form of exclusion list as well. For example, in most environments EXE files cannot be delivered, but there are a number of other ways to run a payload, including macro-enabled Office documents and HTA files.
Organizations must also train their personnel to identify suspicious emails and report them. User awareness training has traditionally taught “don’t click”. But there is something more important than reducing a company’s click rate: people need to be taught to focus on reporting. Anyone on the attacker’s target list should report the email as soon as possible. The faster this happens, the sooner the security team can handle the matter.
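The exclusion-list idea above can be tested against your own gateway policy. The following is an added example, not code from the article or from eScan: it parses a constructed email with the Python standard library and applies a hypothetical block list to each attachment, checking every extension in the filename (so a double extension such as .pdf.exe is caught), plus the file content itself, so that a renamed HTA or Windows executable is still flagged. The block list, signatures and sample message are assumptions for this example, not a vendor’s policy.

```python
"""Attachment policy check modelled on a mail-gateway exclusion list (added example).

Assumptions (not from the article): BLOCKED_EXTENSIONS, the content markers
and the sample message are constructed for illustration only.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Hypothetical exclusion list: extensions the gateway refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".hta", ".js", ".vbs", ".docm", ".xlsm", ".pptm"}
# Content markers used to catch renamed payloads regardless of extension.
PE_MAGIC = b"MZ"                    # Windows executable header
HTA_MARKER = b"<hta:application"    # HTML Application element


def classify_attachment(filename, data):
    """Return a list of policy findings for one attachment; an empty list means allowed."""
    findings = []
    parts = filename.lower().split(".")
    for ext in ("." + p for p in parts[1:]):  # check every extension, not just the last
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked extension {ext}")
    if len(parts) > 2:
        findings.append("double extension")
    if data.startswith(PE_MAGIC):
        findings.append("PE executable content")
    if HTA_MARKER in data.lower():
        findings.append("HTA content")
    return findings


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return {filename: findings} for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        results[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return results


def verdict(results):
    """Gateway decision: quarantine the whole message if any attachment has findings."""
    return "quarantine" if any(results.values()) else "deliver"


def build_sample_message():
    """Constructed sample email with four attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Updated policy documents"
    msg.set_content("Please review the attached documents.")
    # Allowed: a plain PDF.
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    # Blocked by extension: macro-enabled Word document (OOXML zip container).
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    # Blocked by content: HTA markup hiding behind a harmless .txt name.
    msg.add_attachment(b"<html><head><hta:application id='x'/></head></html>",
                       maintype="text", subtype="plain", filename="notes.txt")
    # Blocked three ways: .exe, double extension and PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 8, maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for name, findings in results.items():
        print(f"{name}: {findings or 'ok'}")
    print("verdict:", verdict(results))
```

Running this against the constructed message delivers only policy.pdf cleanly and quarantines the message because of the other three. The same two checks (every extension in the name, then the content) are the ones worth confirming your real gateway performs, since a policy that only looks at the final extension or only at the declared MIME type misses the renamed payloads the article warns about.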
Code execution
If the attacker’s email gets past the organization’s mail gateway, the aim is to get an employee to act on a malicious payload. This payload is built to exploit a vulnerability and give the attacker access to the environment.
Ideally, code execution policies are in place so that only specific file types can run. The security team can block anything delivered by email from executing, keeping things as restricted as possible. The attacker understands this and is continuously trying to work around it, so security teams must be able to detect malicious payloads from phishing emails on employee endpoints. But how?
Design and regularly run test cases that imitate malicious payloads executing on employee endpoints. While running them, monitor logs and alerts to confirm that the organization and its security team have the coverage and telemetry required to identify indicators of compromise. Where telemetry blind spots are found, new detection cases need to be developed and validated.
Security teams can also build on the measures taken earlier. They should feed data from the security awareness program into the SIEM (security information and event management) platform so that detection logic can be tuned to the risk posed by particular staff and teams.
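The two previous paragraphs describe a loop: run test cases, check that telemetry and detection logic caught them, and weight the result by what the awareness program knows about the user. The following is an added example, not code from the article or from eScan, showing that loop in one place: a detection rule for an Office application spawning a script interpreter, run over constructed Sysmon-style process-creation events, with the score scaled by each user’s click rate from a constructed awareness-program export, and a coverage check that reports which planned test cases never produced an alert (a telemetry blind spot). The process names, field names, scores, threshold and sample data are assumptions for this example.

```python
"""Detection test loop: rule + awareness-program weighting + coverage check (added example).

Assumptions (not from the article): the rule lists, scoring, threshold,
the awareness export and the sample events are constructed for illustration.
"""
import json

# Office parents and the interpreters they should not normally launch.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                       "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed awareness-program export: user -> share of simulations they clicked.
AWARENESS_EXPORT = {"alice": 0.0, "bob": 0.6, "carol": 0.1}

# Constructed process-creation telemetry (Sysmon-style fields, not real logs).
SAMPLE_EVENTS = r"""
{"ts":"2024-03-01T09:00:01","host":"WS01","user":"alice","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe C:\\Users\\alice\\report.docx"}
{"ts":"2024-03-01T09:02:10","host":"WS02","user":"bob","parent":"winword.exe","image":"mshta.exe","cmdline":"mshta.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.hta"}
{"ts":"2024-03-01T09:05:44","host":"WS03","user":"carol","parent":"excel.exe","image":"powershell.exe","cmdline":"powershell.exe -w hidden -enc AAAA"}
{"ts":"2024-03-01T09:07:00","host":"WS01","user":"alice","parent":"cmd.exe","image":"powershell.exe","cmdline":"powershell.exe Get-Process"}
"""

# Test cases the team planned to execute on the endpoints: (host, expected rule).
# WS04 is included as a case that was run but never appeared in telemetry.
TEST_CASES = [("WS02", "winword.exe -> mshta.exe"),
              ("WS03", "excel.exe -> powershell.exe"),
              ("WS04", "outlook.exe -> wscript.exe")]


def parse_events(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def base_score(event):
    """Rule: Office application spawning a script interpreter or LOLBin; 0 means no match."""
    if event["parent"].lower() in OFFICE_PARENTS and event["image"].lower() in SUSPICIOUS_CHILDREN:
        score = 60
        cmd = event["cmdline"].lower()
        if "-enc" in cmd or "-w hidden" in cmd:   # common evasion switches raise the score
            score += 20
        return score
    return 0


def user_risk_multiplier(user, awareness=AWARENESS_EXPORT):
    """Scale 1.0 .. 2.0 from the user's simulation click rate; unknown users get 1.5."""
    return 1.0 + awareness.get(user, 0.5)


def evaluate(events, awareness=AWARENESS_EXPORT, threshold=90):
    """Apply the rule to every event and return prioritized alerts."""
    alerts = []
    for e in events:
        score = base_score(e)
        if score == 0:
            continue
        weighted = round(score * user_risk_multiplier(e["user"], awareness))
        alerts.append({"host": e["host"], "user": e["user"],
                       "rule": f"{e['parent']} -> {e['image']}",
                       "score": weighted,
                       "priority": "high" if weighted >= threshold else "medium"})
    return alerts


def coverage_gaps(expected, alerts):
    """Planned test cases that produced no alert: a telemetry or detection-logic gap."""
    fired = {(a["host"], a["rule"]) for a in alerts}
    return [case for case in expected if case not in fired]


if __name__ == "__main__":
    found = evaluate(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a)
    print("blind spots:", coverage_gaps(TEST_CASES, found))
```

With the constructed data, bob’s mshta launch scores higher than carol’s encoded PowerShell despite a weaker base rule, purely because of his click history, which is the kind of tuning the SIEM integration is meant to enable. The coverage check then reports WS04, where the test was run but no event ever reached the SIEM, as the blind spot to investigate.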
Command and control
Once the phishing email’s code has executed successfully, a command-and-control channel is established between the compromised system and an attacker-controlled system. This gives the attacker a foothold in the network from which to continue the attack from within.
The security team’s aim is to block internet communication to malicious hosts and to detect unusual behavior suggesting that an intruder is operating inside the organization’s network.
Do you know what it would look like if an attacker established a command-and-control connection from your internal network? Work out how to replicate a variety of outbound connection types from your IT estate and observe what your tooling records.
If numerous proxy servers and web gateways are present on the network, security teams should review and coordinate their configuration to prevent unintentional exposure. They should also build a profile of “typical” user activity and flag any behavior that deviates from it as anomalous.
Some attackers do not intend to move around or escalate privileges to achieve their goal. Instead, from a compromised account, they impersonate the legitimate user to deceive the company, its customers or its partners. This is known as Business Email Compromise (BEC). It can be addressed with measures that reduce the risk of employees acting on an attacker’s requests.
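The baseline-and-deviation approach just described can be made concrete on proxy logs. The following is an added example, not code from the article or from eScan: it groups constructed proxy log lines by source, user and destination, flags destinations absent from a hypothetical baseline profile, and measures how regular the request timing is for each flow, since a command-and-control client checking in on a fixed interval leaves a low-jitter pattern that ordinary browsing does not. The log format, baseline set, thresholds and sample lines are assumptions for this example.

```python
"""Outbound-connection profiling over proxy logs: baseline check + interval regularity (added example).

Assumptions (not from the article): the log format, BASELINE_DESTINATIONS,
the thresholds and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical profile of destinations seen during normal operation.
BASELINE_DESTINATIONS = {"intranet.example.invalid", "updates.example.invalid",
                         "mail.example.invalid"}

# Constructed proxy log: timestamp src_ip user dst_host status bytes
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 alice intranet.example.invalid 200 1534
2024-03-01T10:00:00 10.0.0.9 bob updates.example.invalid 200 88123
2024-03-01T10:00:02 10.0.0.9 bob cdn-metrics.example.invalid 200 412
2024-03-01T10:01:02 10.0.0.9 bob cdn-metrics.example.invalid 200 418
2024-03-01T10:02:01 10.0.0.9 bob cdn-metrics.example.invalid 200 409
2024-03-01T10:03:03 10.0.0.9 bob cdn-metrics.example.invalid 200 415
2024-03-01T10:04:02 10.0.0.9 bob cdn-metrics.example.invalid 200 411
2024-03-01T10:00:30 10.0.0.5 alice docs.example.invalid 200 23001
2024-03-01T10:07:45 10.0.0.5 alice docs.example.invalid 200 9920
2024-03-01T10:31:10 10.0.0.5 alice docs.example.invalid 200 15320
"""


def parse_proxy_log(text):
    """Split each line into a record with a parsed timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, src, user, dst, status, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "user": user,
                        "dst": dst, "status": int(status), "bytes": int(nbytes)})
    return records


def beacon_stats(timestamps, min_hits, max_cv):
    """Coefficient of variation of the gaps between requests; low CV means a fixed check-in interval."""
    ts = sorted(timestamps)
    if len(ts) < min_hits:
        return {"beacon": False, "mean_interval": None, "cv": None}
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"beacon": cv <= max_cv, "mean_interval": m, "cv": cv}


def analyze(log_text, baseline=BASELINE_DESTINATIONS, min_hits=4, max_cv=0.1):
    """Return one finding per (src, user, dst) flow that is new to the profile or beacon-like."""
    flows = defaultdict(list)
    for rec in parse_proxy_log(log_text):
        flows[(rec["src"], rec["user"], rec["dst"])].append(rec)
    findings = []
    for (src, user, dst), recs in flows.items():
        reasons = []
        if dst not in baseline:
            reasons.append("destination outside baseline profile")
        stats = beacon_stats([r["ts"] for r in recs], min_hits, max_cv)
        if stats["beacon"]:
            reasons.append(f"regular {stats['mean_interval']:.0f}s interval over {len(recs)} requests")
        if reasons:
            findings.append({"src": src, "user": user, "dst": dst, "reasons": reasons,
                             "severity": "high" if stats["beacon"] else "low"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROXY_LOG):
        print(f["severity"].upper(), f["user"], f["src"], "->", f["dst"], "|", "; ".join(f["reasons"]))
```

In the constructed data, bob’s host reaches an unprofiled name every 60 seconds with almost no jitter and a near-constant response size, so it is reported as high severity, while alice’s three irregular visits to a new documentation site are only a low-severity “new destination” finding to fold into the baseline if legitimate. Replaying your own test connections through this kind of check, as the article suggests, is how you learn whether your proxies actually record enough to see the difference.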
Next steps
Continued efforts to prevent and detect phishing at every step of the kill chain are essential to reducing its risks. It is even more vital to understand what is not being prevented and what cannot be detected.
Some suggestions: form a cross-departmental task force for combating phishing, run phishing simulation exercises that target the company’s most sensitive components, and schedule frequent assessments to evaluate changes in both the threat landscape and the organization itself.
By taking an attacker’s-eye view of phishing, organizations and their security teams can develop a comprehensive, layered defense that reduces an inevitable risk to a manageable residual risk. And you will understand exactly why that frustrates attackers so much.
To read more, please check the eScan Blog.