SecurityWeek


Phishing Attacks: Best Practices for Not Taking the Bait

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”.

According to a 2019 study, 74 percent of respondents whose organizations had been breached acknowledged that the incident exploited privileged account access. This number closely aligns with Forrester’s estimate that 80 percent of security breaches involve compromised privileged credentials. By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by phishing campaigns. So, what can organizations do to prevent their users from taking the bait?

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security defines phishing as “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails [or text messages] are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails [or SMS messages] often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user may then be asked to provide personal information, such as account usernames and passwords that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

According to the 2019 Verizon Data Breach Investigations Report (DBIR), nearly one-third of all breaches in the past year involved phishing. For cyber-espionage attacks, that number is a whopping 78%. Phishing attacks can be categorized into the following four types:

• Deceptive Phishing – The most common type of phishing attack, in which threat actors impersonate a legitimate company to steal users’ personal data and access credentials.

• Spear Phishing – A more sophisticated variant, in which the threat actor customizes the attack email with the target’s name, job title, company, and other personal information so that the recipient believes they have a connection to the sender.

• CEO Fraud – This type of attack targets executives to steal their access credentials, often to commit financial fraud by subsequently tricking employees into authorizing fraudulent wire transfers or handing over W-2 information.

• Smishing – Phishing is no longer limited to email; threat actors now also send malicious text messages to users’ phones.


How to Protect Against Phishing

Users should apply common sense in all their communications and keep the following precautions in mind:

• Don’t post personal data that can be used for social engineering, like birthdays, travel plans, or personal contact information, publicly on social media.

• Check the sender’s real email address by hovering over the ‘from’ name; the displayed name alone proves nothing.

• Don’t click on links in the email; instead, go to the sender’s website directly and verify that the page the email refers to is genuine.

• When an email from a known source seems suspicious, contact that source with a new email, rather than just hitting reply.

• Read the email carefully and check for spelling and grammatical mistakes, as well as strange phrasing. Legitimate companies know how to spell.

• Slow down. Urgency, which pushes users not to think, is the fuel attackers rely on. Take a breather and revisit the steps above before taking any action.
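Three of the checks in the list above (the real sender address behind the display name, where a link actually points versus what its text shows, and urgency wording) can be automated. The following is an added example, not code from the article or its author, run over a constructed sample message; the heuristics (display-name words versus sender domain, last two labels of a host as its “brand”, a fixed urgency word list) are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish): bank brand in the display name,
# sender on an unrelated domain, link text showing a host the href does not go to.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@secure-notify.net>
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Your account will be suspended. Act immediately:</p>
<a href="http://login.account-verify.net/reset">https://www.examplebank.com/login</a>
</body></html>
"""
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours")
# Link text that itself looks like a URL or hostname (group 1 = the host shown)
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
# Sufficient for the constructed sample; use a real HTML parser on live mail
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def brand(host):
    """Heuristic registrable domain: the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw):
    """Return the indicators found in a raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    findings = []
    # 1. Display name claims a brand that the real sender domain does not carry
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    words = re.findall(r"[a-z]{4,}", name.lower())
    if words and not any(w in sender_domain for w in words):
        findings.append(f"display name '{name}' does not match sender domain {sender_domain}")
    # 2. Link text shows one host while the href resolves to another
    body = msg.get_payload()
    for href, text in ANCHOR.findall(body):
        shown = HOSTLIKE.match(text.strip())
        real = urlparse(href).hostname or ""
        if shown and brand(shown.group(1)) != brand(real):
            findings.append(f"link text shows {shown.group(1)} but href goes to {real}")
    # 3. Urgency wording, the pressure tactic the checklist warns about
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [u for u in URGENCY if u in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

On the sample all three indicators fire; a message whose display name, sender domain and link targets agree and whose wording is calm returns an empty list.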

For businesses, IT security professionals can implement the following proactive measures to protect their organization:

• Educate users about the risk of phishing and the characteristics of these attacks.

• Implement email protection software that “sandboxes” inbound emails and validates and sanitizes the links users might click on.

• Exercise caution when deploying third-party Web tools. Investigate their security protocols to determine whether they are comprehensive enough to minimize malware injection. Obviously, restricting the use of third-party Web tools must balance security with providing a differentiated customer experience.

• Implement multi-factor authentication (MFA), which requires multiple factors for identification (something you know, something you have, and something you are) and is therefore one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. This should be standard practice for all organizations.

• Apply risk-based access controls to define and enforce access policies based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access controls are often used in combination with MFA.
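The risk-based access control described in the last item makes one of three decisions per request: allow, step up to MFA, or block. The following added example (not the article’s or any vendor’s code) shows a minimal policy engine of that shape; the signals, weights, thresholds, and the extra weighting for privileged accounts are constructed assumptions, and the sample requests use placeholder users and the placeholder country code "XX".

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    privileged: bool          # privileged accounts are the "keys to the kingdom"
    known_device: bool        # device fingerprint seen before for this user
    country: str              # country of the source IP
    usual_countries: frozenset
    failed_logins_last_hour: int
    hour_local: int           # 0-23, in the user's usual time zone

# Constructed weights and thresholds (assumptions, not a vendor's model)
STEP_UP_AT, BLOCK_AT = 40, 80

def risk_score(req):
    """Score a request from behavioural signals; returns (score, reasons)."""
    score, reasons = 0, []
    if not req.known_device:
        score += 30
        reasons.append("unknown device")
    if req.country not in req.usual_countries:
        score += 30
        reasons.append(f"login from unusual country {req.country}")
    if req.failed_logins_last_hour >= 3:
        score += 25
        reasons.append("repeated failed logins")
    if req.hour_local < 6 or req.hour_local > 22:
        score += 10
        reasons.append("off-hours")
    if req.privileged:
        score = int(score * 1.5)
        reasons.append("privileged account, risk weighted x1.5")
    return score, reasons

def decide(req):
    """allow / step_up_mfa / block: the three outcomes the article describes."""
    score, reasons = risk_score(req)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= STEP_UP_AT:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons

if __name__ == "__main__":
    # A correct (phished) password presented by an admin from a new device abroad at 3 am
    admin = AccessRequest("admin", True, False, "XX", frozenset({"US"}), 0, 3)
    print(decide(admin))
```

The point of the privileged weighting is the one the article opens with: the same unknown-device signal that merely triggers MFA for an ordinary user already triggers MFA for an administrator at a lower combined score, and a stolen password alone never reaches the "allow" path once any signal is off.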

Ultimately, stealing valid credentials via phishing and using them to access a network is easier, less risky, and more efficient than exploiting existing vulnerabilities, even a zero-day. Cybersecurity defenses need to adapt to this reality. User education and beefing up an organization’s authentication systems are two essential steps that can minimize the risks associated with phishing and the subsequent cyber-attacks aimed at data exfiltration.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
