
Hook, Line and Sinker: After Phish Get Caught

Phishing is nearly as old as email, but it is still a major attack vector for cybercriminals. Some of the most prominent cyber incidents of the past few years are the result of phishing attempts. Despite the maturity of this problem, the solutions proposed by the industry during the past decades haven't been successful. At the recent Black Hat conference, several vendors all offered the same tactic for squishing phishing: user training to increase recognition of phishing attacks. 

If that advice was going to work, it would have started working more than a decade ago and we would not have the scandals resulting from hacked political campaigns that have emerged since 2016. It is time for us to accept that user training is not going to work because phishing is becoming increasingly sophisticated even as our awareness of the threat it poses grows. Not only are the attacks becoming harder to distinguish from legitimate emails, but they also play on a fundamental flaw of human nature that we will struggle to solve. IT and security teams need to adjust their postures and practices so that they can actually reduce the harm of this ever-present threat. 

The first step to preparing defenses against phishing is to understand the full extent of the role it plays in cyberattacks. Phishing plays a large role in distributing malware directly onto user systems, deploying ransomware, cryptojackers and keyloggers. However, subtler, more advanced adversaries can use this common technique to do much more. After stealing a user's credentials, or injecting code into another process to act as a back door, hackers can establish a persistent foothold on the network, conduct network reconnaissance at their leisure, or even forego compromising any endpoints and access sensitive documents stored in cloud-based services. 

The best defense is to stop these attacks before they ever reach the targeted endpoint. But if phishing attacks slip past the first line of defense, security teams need to be able to identify suspicious activity and stop it before hackers can learn enough about their enterprise to execute a full attack. 

Stopping persistent footholds

Seemingly benign files such as word processing documents or PDFs can open a major hole in an organization’s defenses in the hands of a skilled phisher. In one recent case, a user downloaded a document that purported to offer information on upcoming releases from a major media streaming site. The document had a macro enabled that opened the doc as expected, leaving the user none the wiser that it had also installed a rogue application able to upload and download files on demand. This particular file avoided detection for a long time by limiting its core functionality to evade traditional AV measures, using a command and control server URL that mirrored those used by CDNs, and using SSL encryption for all of its communications.

For cyber defenders, this means they need visibility into the network connections of endpoint devices and must monitor for suspicious communications. In this case the domain was very young, only three days old at the time of first contact, which made it suspicious. At a deeper level, they need to be able to see the destination and real content of communications across their network, even when it is encrypted, which helps determine what information has been shared with the adversary. 
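The domain-age signal described above is easy to operationalize once endpoint connection telemetry is enriched with registration dates. The following is an added example, not code from the column or from Endgame: it takes constructed connection records, works out the first contact with each destination host, and alerts when the host's registration date (from a constructed lookup table standing in for a WHOIS or passive-DNS source) is within a tunable number of days of that first contact. The threshold, host names and dates are all assumptions made for the example.

```python
from datetime import date, datetime

# Constructed endpoint network-connection telemetry: (timestamp, process, destination host, port).
# Made-up events for illustration, not records from the incident described in the column.
CONNECTIONS = [
    ("2018-09-10T09:01:12", "chrome.exe", "www.example-news.test", 443),
    ("2018-09-10T09:03:45", "svchost.exe", "cdn-static-assets.test", 443),
    ("2018-09-10T09:05:02", "winword.exe", "cdn-edge-assets.test", 443),
    ("2018-09-10T09:07:30", "outlook.exe", "mail.example-corp.test", 993),
    ("2018-09-10T11:15:09", "winword.exe", "cdn-edge-assets.test", 443),
]

# Constructed registration dates standing in for a WHOIS / passive-DNS enrichment source.
REGISTERED = {
    "www.example-news.test": date(2012, 3, 4),
    "cdn-static-assets.test": date(2015, 6, 1),
    "cdn-edge-assets.test": date(2018, 9, 7),    # registered three days before first contact
    "mail.example-corp.test": date(2009, 1, 15),
}

YOUNG_DOMAIN_DAYS = 30  # tuning choice for this example, not a value from the column


def first_contact(connections):
    """Earliest observed connection per destination host: {host: (timestamp, process)}."""
    seen = {}
    for ts, proc, host, _port in connections:
        t = datetime.fromisoformat(ts)
        if host not in seen or t < seen[host][0]:
            seen[host] = (t, proc)
    return seen


def domain_age_days(host, when, registered=REGISTERED):
    """Days between registration and `when`, or None if the enrichment source has no record."""
    reg = registered.get(host)
    if reg is None:
        return None
    return (when.date() - reg).days


def find_young_domain_contacts(connections=CONNECTIONS, registered=REGISTERED,
                               max_age=YOUNG_DOMAIN_DAYS):
    """Alert on the first contact with any domain registered within max_age days (or unknown)."""
    alerts = []
    for host, (when, proc) in sorted(first_contact(connections).items()):
        age = domain_age_days(host, when, registered)
        if age is None:
            alerts.append({"host": host, "process": proc, "age_days": None,
                           "reason": "no registration record"})
        elif age <= max_age:
            alerts.append({"host": host, "process": proc, "age_days": age,
                           "reason": f"domain registered {age} days before first contact"})
    return alerts


if __name__ == "__main__":
    for alert in find_young_domain_contacts():
        print(alert)
```

Evaluating age at first contact rather than at every connection keeps the alert volume to one per new destination, and the originating process is carried along so an analyst can immediately see that a word processor, not a browser, opened the connection.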

Disrupting network reconnaissance

From those kinds of footholds, cybercriminals can do more than access a specific endpoint. They can use their presence to learn more about the configuration of an organization’s network. There is a surprising amount of relatively benign information available to computers on the same network, such as the hostnames of other connected devices, which subnet they are on, and certain pieces of software they have installed. This information can help inform other phishing attacks against users at the same organization and increase their success rate, among other things.

To protect against this kind of attack, defenders should add more granular control over the kind of information devices can learn about other computers on the network. Monitoring for the use of commands associated with reconnaissance will send up red flags, especially if they come from outside the IT department. Defenders can also restrict which applications have access to the network. For example, there are very few legitimate reasons for productivity software, such as a word processing document, to connect to the internet. 
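Both detection ideas in this section, flagging reconnaissance commands with extra weight when they come from outside IT, and flagging productivity software that reaches the network, can be expressed as simple rules over process-creation and connection telemetry. The following is an added example, not code from the column or from Endgame; the command patterns, the IT group membership, the productivity-app list, the allowlisted host and all events are constructed for illustration.

```python
import re

# Constructed IT group membership; in practice this comes from the directory service.
IT_USERS = {"it-admin", "helpdesk1"}

# Command-line patterns commonly associated with host and network reconnaissance.
RECON_PATTERNS = [
    r"\bnet(?:1)?\s+(?:view|group|user|localgroup)\b",
    r"\bnltest\b",
    r"\bwhoami\b",
    r"\bipconfig\s+/all\b",
    r"\bsysteminfo\b",
    r"\bnslookup\b",
    r"\barp\s+-a\b",
    r"\bnetstat\b",
]
RECON_RE = re.compile("|".join(RECON_PATTERNS), re.IGNORECASE)

# Productivity software that has very few legitimate reasons to talk to the network directly.
PRODUCTIVITY_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Constructed allowlist of hosts those apps may contact (e.g. a vendor update server).
ALLOWED_PRODUCTIVITY_HOSTS = {"update.example-vendor.test"}

# Constructed process-creation events: (user, parent process, command line).
PROCESS_EVENTS = [
    ("it-admin", "powershell.exe", "nltest /dclist:corp"),
    ("jsmith",   "winword.exe",    "cmd.exe /c net view /domain"),
    ("jsmith",   "explorer.exe",   "notepad.exe report.txt"),
    ("mjones",   "cmd.exe",        "whoami /all"),
]

# Constructed network events: (process, destination host, port).
NETWORK_EVENTS = [
    ("winword.exe", "update.example-vendor.test", 443),
    ("winword.exe", "cdn-edge-assets.test", 443),
    ("chrome.exe",  "www.example-news.test", 443),
]


def classify_process_event(user, parent, cmdline, it_users=IT_USERS):
    """Return an alert dict for reconnaissance-style commands, or None if the command is not one."""
    match = RECON_RE.search(cmdline)
    if not match:
        return None
    if parent.lower() in PRODUCTIVITY_APPS:
        severity = "critical"   # recon spawned by a document: the macro-foothold pattern
    elif user not in it_users:
        severity = "high"       # recon from outside IT is rarely legitimate
    else:
        severity = "low"        # IT staff do run these; record for context, do not page
    return {"user": user, "parent": parent, "command": match.group(0), "severity": severity}


def audit_network_event(process, host, port, allowed=ALLOWED_PRODUCTIVITY_HOSTS):
    """Flag productivity software reaching any host outside its allowlist."""
    if process.lower() in PRODUCTIVITY_APPS and host not in allowed:
        return {"process": process, "host": host, "port": port,
                "reason": "productivity app network access outside allowlist"}
    return None


def run_detections(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    """Apply both rules and return the combined list of alerts, process alerts first."""
    alerts = [a for a in (classify_process_event(*e) for e in process_events) if a]
    alerts += [a for a in (audit_network_event(*e) for e in network_events) if a]
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The parent-process check is what turns a noisy rule into a useful one: `net view` typed by an administrator is routine, the same command launched from a word processor is almost never benign, and grading by context rather than by command alone keeps the high-severity queue short.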

Block cloud application theft

If a cybercriminal steals a user’s login credentials, they might decide not to bother moving about the network and instead steal data directly from a cloud application. This can be accomplished directly through the phishing attachment—such as a macro-enabled document—by installing a keylogger on the user’s endpoint, or by tricking the user into granting the cybercriminal’s application access privileges to their cloud account. 

This kind of attack is substantially more complicated to investigate because IT and security teams often do not have the evidence available to identify it. It is important for these teams to track metadata about how users access critical cloud services, such as what device they used, their location and the time. By comparing that metadata to typical patterns or known facts, they can identify malicious attempts at compromise before they impact the business. Adding multi-factor authentication never hurts either, though it cannot be relied on as an absolute failsafe, as it is still vulnerable to OAuth-based attacks.
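The comparison of access metadata against typical patterns can be implemented as a per-user baseline of known devices, countries and login hours, plus a check for a country change too fast to be real travel. The following is an added example, not code from the column or from Endgame; the login history, the new events, the travel window and the "usual hours" rule are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history of cloud-service logins: (user, timestamp, device id, country).
HISTORY = [
    ("alice", "2018-09-03T08:55:00", "laptop-a1", "US"),
    ("alice", "2018-09-04T09:10:00", "laptop-a1", "US"),
    ("alice", "2018-09-05T17:40:00", "phone-a1",  "US"),
    ("alice", "2018-09-06T08:30:00", "laptop-a1", "US"),
    ("bob",   "2018-09-03T07:45:00", "laptop-b1", "DE"),
    ("bob",   "2018-09-05T18:05:00", "laptop-b1", "DE"),
]

# Constructed new events to review, in time order.
NEW_EVENTS = [
    ("alice", "2018-09-10T09:02:00", "laptop-a1",  "US"),
    ("alice", "2018-09-10T10:40:00", "unknown-7f", "RO"),
    ("bob",   "2018-09-11T02:30:00", "laptop-b1",  "DE"),
]

TRAVEL_WINDOW = timedelta(hours=2)   # tuning choice: country change faster than this is flagged


def build_baseline(history):
    """Per-user sets of known devices, countries and login hours from past events."""
    base = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for user, ts, device, country in history:
        t = datetime.fromisoformat(ts)
        base[user]["devices"].add(device)
        base[user]["countries"].add(country)
        base[user]["hours"].add(t.hour)
    return base


def score_login(user, ts, device, country, baseline, last_seen, window=TRAVEL_WINDOW):
    """Return the list of reasons this login deviates from the user's baseline (empty = normal)."""
    t = datetime.fromisoformat(ts)
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if device not in b["devices"]:
        reasons.append("new device")
    if country not in b["countries"]:
        reasons.append("new country")
    lo, hi = min(b["hours"]), max(b["hours"])
    if not (lo - 1 <= t.hour <= hi + 1):        # one hour of slack either side of past logins
        reasons.append("unusual hour")
    prev = last_seen.get(user)
    if prev and prev[1] != country and t - prev[0] <= window:
        reasons.append("country changed within travel window")
    return reasons


def review_logins(events=NEW_EVENTS, history=HISTORY):
    """Score each new event in order, tracking the previous event per user for the travel check."""
    baseline = build_baseline(history)
    last_seen = {}  # user -> (time, country) of the most recently reviewed event
    findings = []
    for user, ts, device, country in events:
        reasons = score_login(user, ts, device, country, baseline, last_seen)
        findings.append((user, ts, reasons))
        last_seen[user] = (datetime.fromisoformat(ts), country)
    return findings


if __name__ == "__main__":
    for user, ts, reasons in review_logins():
        print(user, ts, reasons or "normal")
```

The value of keeping several independent signals is that a single new device or an off-hours login is usually a false positive on its own, while a new device from a new country within minutes of a known-good login from the usual one is the combination that should go straight to an analyst.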

We cannot afford to wait around for the phishing crisis to resolve itself. Cyber defenders need to take action to make sure that their networks are secure against the consequences of phishing attacks regardless of user actions. You will never find what you don’t look for. Therefore, a robust monitoring strategy to find and stop threats is the foundation of success. User training is never going to be enough, so let’s stop them at the source.

Devon is a principal researcher at Endgame, focusing on detection and response technologies. Formerly a Mandiant incident response and remediation lead, Devon has over 6 years of experience in security professional services, where he has worked with clients in nearly every conceivable industry. He has significant experience helping Fortune 500 organizations with the detection, response, and containment of advanced targeted threat actors and has led large-scale network and application architecture reviews, post-incident strategic planning, and regulatory gap assessments. He has delivered a range of technical presentations for security conferences, industry organizations, and the United States Department of Defense. Prior to his career in information security, Devon spent 15 years in operations roles as a system administrator and network engineer.