Previously in our first chapter we saw that phishing attack could drive both Alice's and Ben's companies out of Business.
They adress the issue using three different approaches: Reduce exposure, train the users and facilitate detection. Let's read today how our two security experts will manage the reduction of exposure.
Do you want to read the full story and get some advices to reduce phishing threats? Download our cyber security story here
A story written by Emmanuel Nicaise, our Human-Centric Cyber Security expert and Storyteller.
Reduce exposure and impact of phishing attacks
Alice and Ben agreed on a lot on this matter. To mitigate the risk of a successful phishing attack, they can reduce either the likelihood or the impact thereof.
They both used the same service. What does it do?
1. Prevent the attacks by reducing their likelihood
The likelihood of a successful phishing attack can be reduced at different stages. There are multiple points of controls to reduce the likelihood of a successful phishing attack, as we know the underlying process:
Email sender controls
With the increase of spam flooding our mailboxes, we have a broad choice of technical solutions at our disposal to prevent unsolicited emails better. Phishing email is unsolicited. Criminals send the emails pretending to be someone else (even if sometimes phishers can use a domain they own or a hacked email account). Alice and Ben can therefore stop a large part of frequent phishing attacks with “simple” anti-spam controls. A.com and B.com implemented the same controls on their inbound mail servers:
- Reverse DNS Check:
The receiving email server (also called the SMTP server) checks whether the domain of the sender of an email exists in the Domain Name Service (DNS) server before it accepts the email.
- Prevent spoofing of email addresses:
Theoretically, all email coming from a domain (like @A.com or @B.com) should come from machines belonging to the organisation’s network or connected using a Virtual Private Network (VPN).
Both A.com and B.com use a few cloud-based solutions. Each of these solutions uses a sub- domain of A.com and B.com (something like @service.A.com) to send emails on behalf of their companies. This should preclude receiving an email purportedly from their organisation’s domain which actually comes from a machine outside their network. Email spoofing refers to sending an email from outside a company (anywhere on the Internet) while pretending it originates from inside, i.e. making it look like it comes from a colleague we should trust.
Spoofing is a very effective way of making people click on links. We tend to trust people from our immediate circle, our organisation, our family, more than the people outside of these groups.
We can easily configure email servers to block spoofed emails. Still, we might need exceptions for a trusted source like our internal network, a SaaS provider or an authenticated user.
- Use Sender Policy Framework (SPF) and Sender ID (Microsoft’s version of SPF)
to block emails from any domain coming from a server that is not listed as trusted by the owner of the domain. In simple terms, a company like C.com lists the addresses of the servers from which it sends emails. If another server sends an email, the servers of A and B will block it. Such blocking of non-trusted servers will reduce the volume of spam and phishing landing in our mailboxes.
- Domain Keys Identified Mail (DKIM) signature check
More and more organisations use DKIM to sign their outgoing emails electronically.
Every email leaving these organisations is signed in this way. This enables us to authenticate such emails as coming from their organisation. Organisations advertise their use of DKIM and their electronic keys using specific DNS records. If an email coming from an organisation using DKIM does not include a signature or if the signature is not correct, it is from a suspicious source and must be blocked. “Spoofing” any domain belonging to an organisation that uses DKIM becomes a challenging task as a result.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC is used to detect when people try to impersonate an organisation.
In addition to the email sender controls, Alice and Ben use several add
itional products and services to block unsolicited and malicious emails:
This system analyses the content of their emails and compares potential malicious content against a list of known malicious files or links. In the event of risks, the email is blocked or quarantined.
- Reputation filter:
This system compares the address of a server sending an email with a list of servers categorised on the basis of their reputation. Every time a user identifies a malicious or unsolicited email, he or she reports the server that delivered it to the maintainer of the list (known as a blacklist). The server’s reputation is adjusted (the blacklist receives information from thousands or millions of customers) to decide whether the server is to be blocked or not.
Sandboxes are servers that will automatically execute email attachments in a secure virtual environment and monitor how they behave. If an attachment performs suspicious actions, the server can delay delivery of the file. It sends the file to a team of cybersecurity professionals who will analyse it in greater depth before giving expert opinion on whether to release or block the file.
All these controls help reduce the likelihood of a successful attack. They all have weaknesses however, which allow hackers to bypass them or to remain undetected. They are therefore far from being effective 100% of the time
2. Failure is not an option – be prepared for the worse
Alice and Ben are seasoned security professionals. They know that whatever they do to protect their organisation, criminals will work hard to break their defences. They both wanted to be prepared for the worse and use different solutions to reduce the impact of a successful attack.
Ben and Alice use multiple mitigations against malware. More specifically they:
- prevent unidentified (unsigned) and unauthorised applications from running on their devices as well as lateral movements (especially for ransomware).
- use Anti-malware on end-user clients or gateways. They have moreover deployed User-Behaviour analysis and a Security Incident Response Team stands ready.
- use an online backup system with versioning, and regularly test the “restore- from-scratch” procedure.
Ben and Alice had fewer options to reduce the impact of data leakage. When users leak their credentials, they need to change passwords immediately. In order to do so, however, they must be able to detect the leak first. For Alice, the best “tool” to that end consists of her users. Even if they got tricked into giving their credentials, they are trained to recognise the breach and report it to the Cyber Security Response Team. They know their management will not blame them, and they can still keep their company safe. Such an alert will moreover enable the Cyber Security Response Team to react faster.
A.com is currently implementing a two-factor authentication system. They have covered only the critical functions so far, but this already reduce the likelihood of a successful attack significantly.
At B.com, Ben invested in a Data Leakage Prevention system. This is a promising technology, but they are still busy defining all the use cases for detecting a data leak. They already manage to prevent a large number of accidental disclosures.
Following a case of CEO fraud in a Belgian bank, Alice broached the issue of implementing strong governance and processes in finance and customer support. They decided to limit the amount of money one person alone can transfer (implementing the four-eyes principle for large amounts). Ben decided to set-up a Behaviour Analysis System to detect and block unusual transactions.
Alice and Ben have picked excellent technical choices, yet wars are won by people ! Find out in our third chapter coming up next week.
Discover our security awareness solution and contact us!