
How to protect your employees from phishing attacks

Many hardware and software providers have implemented stringent protections and secure defaults in response to high-profile security breaches.

As a result, finding conventional "low-hanging fruit" vulnerabilities to breach an organization has become significantly harder, more expensive, and noisier. Attackers have turned instead to a different attack vector: the organization's people.

This article looks at how an organization can implement security controls that protect its employees without compromising their privacy or productivity.


Employee training

Employees are the path of least resistance for an attacker. A single vulnerable user can start a compromise. An unaware user is an easy target, and easy targets are ideal for a wide dragnet phishing attack (a campaign that targets a large portion of the organization with the straightforward goal of compromising users' laptops with malware or harvesting credentials and valid identities).

The solution is regular training that establishes a baseline of phishing awareness, reinforced by intermittent reminders of what employees learned in the sessions. During training, users should be given examples of phishing attacks, context on how to recognize them, and the actions to take if they suspect they are the target of a campaign.

Another effective approach is to run red team engagements regularly to test the organization's security capabilities. At Synopsys we have found that this training can protect against even the most sophisticated dragnet campaigns. Organizations with a phishing awareness program frequently identify the campaign through user reports and blacklist the source within hours.

Employees are also likely to mention their participation in fraud awareness programs on their LinkedIn profiles and resumes, which can discourage an attacker who profiles users from publicly available social media profiles and resumes.


Participating in an active defense

Even the best employee training can only go so far in preventing phishing. Socially engineered phishing attacks deliberately target qualities such as kindness, generosity, and helpfulness, which most people want to cultivate in themselves, and humans are fallible.

The solution (it sounds straightforward, but it is rarely seen in practice) is active defense: a SOC (security operations center) that proactively monitors the email perimeter, or employs tools that do. If the SOC spots a dragnet attack, blacklists the associated domain, and removes the email from every target's inbox, employees cannot act on the phishing email at all.

Another method is a domain typosquatting notification service. A typosquatting attack changes one character in a URL that employees expect to see in email and registers the result as an attack domain. Employees who frequently visit my.example.com may not notice that they have landed on my.exampIe.com (spelled with a capital I instead of a lowercase l) or my-example.com. A typosquatting detection service alerts the SOC or another designated contact that someone, somewhere, has registered such a domain, so you can take preemptive action.
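The two controls above, a lookalike-domain watch list and a scan of inbound mail for links to those domains, can be prototyped in a few dozen lines. The following is an added example written for this article, not code from the original post or any vendor product. It assumes the legitimate hostname is my.example.com (from the text) and that newly registered domains and inbound messages arrive as plain Python lists; the sample registrations and messages below are constructed for the demonstration.

```python
import re
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumed legitimate hostname that employees expect to see in email (from the article).
LEGIT_HOST = "my.example.com"

# Homoglyph substitutions after DNS case folding. DNS names are case-insensitive,
# so a link displayed as "my.exampIe.com" (capital I) resolves as "my.exampie.com";
# the attacker only needs to register "exampie.com".
HOMOGLYPHS = {
    "l": ("i", "1"), "i": ("l", "1"),
    "o": ("0",), "0": ("o",),
    "rn": ("m",), "m": ("rn",),
    "vv": ("w",), "w": ("vv",),
    "cl": ("d",), "d": ("cl",),
}

# Syntactically valid lowercase hostname: non-empty labels, no leading/trailing hyphen.
_VALID_HOST = re.compile(r"^(?!-)[a-z0-9-]+(?<!-)(\.(?!-)[a-z0-9-]+(?<!-))+$")


def lookalike_variants(host: str) -> Set[str]:
    """Generate single-edit lookalikes of `host`: homoglyph swaps, a dot turned
    into a hyphen (my.example.com -> my-example.com), and one-character
    omission, doubling or transposition inside a label."""
    host = host.lower()
    out: Set[str] = set()
    for src, repls in HOMOGLYPHS.items():          # homoglyph substitution
        pos = host.find(src)
        while pos != -1:
            for r in repls:
                out.add(host[:pos] + r + host[pos + len(src):])
            pos = host.find(src, pos + 1)
    dots = [i for i, ch in enumerate(host) if ch == "."]
    for i in dots[:-1]:                           # dot -> hyphen, keep the TLD dot
        out.add(host[:i] + "-" + host[i + 1:])
    for i, ch in enumerate(host):                 # omission / doubling / transposition
        if ch == ".":
            continue
        out.add(host[:i] + host[i + 1:])
        out.add(host[:i] + ch + ch + host[i + 1:])
        if i + 1 < len(host) and host[i + 1] != ".":
            out.add(host[:i] + host[i + 1] + ch + host[i + 2:])
    out.discard(host)
    return {v for v in out if _VALID_HOST.match(v)}


def matches_lookalike(name: str, legit: str = LEGIT_HOST) -> Optional[str]:
    """Return the lookalike variant that `name` equals or is a parent domain of,
    or None. A registrant of exampie.com can later create my.exampie.com, so a
    parent of a variant counts as a hit. The organization's own domain and its
    parents are never flagged."""
    name = name.lower().rstrip(".")
    legit = legit.lower()
    if legit == name or legit.endswith("." + name):
        return None
    for v in lookalike_variants(legit):
        if v == name or v.endswith("." + name):
            return v
    return None


def check_new_registrations(new_domains: Iterable[str], legit: str = LEGIT_HOST) -> Dict[str, str]:
    """Map each newly registered domain that looks like `legit` to the variant it matched."""
    hits = {}
    for d in new_domains:
        v = matches_lookalike(d, legit)
        if v:
            hits[d.lower()] = v
    return hits


_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_email_links(messages: Iterable[dict], legit: str = LEGIT_HOST) -> List[Tuple[str, str, str]]:
    """Return (message id, link host, matched variant) for every link whose host is a lookalike."""
    alerts = []
    for m in messages:
        for url in _URL_RE.findall(m["body"]):
            host = urlparse(url).hostname or ""   # urlparse lowercases the host
            v = matches_lookalike(host, legit)
            if v:
                alerts.append((m["id"], host, v))
    return alerts


# Constructed sample data for the demonstration (not real registrations or mail).
SAMPLE_NEW_REGISTRATIONS = ["exampie.com", "my-example.com", "totally-unrelated.net", "example.com"]
SAMPLE_MESSAGES = [
    {"id": "msg-1", "body": "Please reset your password at https://my.example.com/reset"},
    {"id": "msg-2", "body": "Urgent: verify your account at https://my.exampIe.com/login before noon"},
    {"id": "msg-3", "body": "Invoice attached, see https://my-example.com/inv/42"},
]

if __name__ == "__main__":
    print("new lookalike registrations:", check_new_registrations(SAMPLE_NEW_REGISTRATIONS))
    print("messages linking to lookalikes:", scan_email_links(SAMPLE_MESSAGES))
```

In a real deployment the registration list would come from a certificate-transparency or newly-registered-domain feed and the messages from the mail gateway; the matching logic is the same. Note that the legitimate parent domain (example.com) is deliberately excluded so the organization's own registrations never raise an alert.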


Prevent attacks through network segmentation

There is no such thing as a perfect defense. What happens when an employee acts on a phishing email that slipped past your active defense? The most meticulous, rule-abiding team leader can make a simple mistake, and even the most technically proficient, phishing-aware employee can be fooled by a tailored attack. However many people your organization has, someone will eventually fall victim to phishing. Susceptibility to social engineering is a matter of when, not if.

An employee's exposure to phishing extends well beyond the office, and doubly so in the era of social media. Organizations cannot regulate what their personnel do off-hours and away from work. A phishing attack on an employee's personal account presents a distinct risk, because it gives an attacker additional opportunities to compromise corporate information the employee forwarded to themselves via personal email, including through extortion and ransomware-style attacks.

In a not-so-unlikely scenario, a cunning attacker obtains an employee's Instagram password by posing as a relative on Facebook, then uses it to try to access the victim's workplace, which they discovered on LinkedIn. An organization has no way to tell whether an employee's corporate account is tied to their Google, Facebook, or other social media accounts. It is quite likely that an attacker could coerce an employee into handing over corporate credentials if the employee's identity is at risk of being stolen.

The solution: a well-trained SOC with the right tools, plus an additional layer of defense that sits beneath users' phishing awareness. The most effective way to stop a single user's mistake from becoming a significant breach is to design your network to resist compromise, although that is much easier said than done.

If you have a flat network, inadequate endpoint protection, and a weak credential policy, a single employee's error could put your organization on the evening news. If instead you have a segmented network with strict permission requirements, mandated two-factor authentication, active defense, and robust endpoint protection, you may detect the intrusion immediately and contain it to that one user.
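The flat-versus-segmented contrast above is a blast-radius question: starting from one phished workstation, which assets can an attacker reach transitively under each design? The following model is an added example written for this article, not code from the original post or any product. Segment names, assets and policies are constructed for illustration; the policy maps (source segment, destination segment) to the set of requirements an attacker must satisfy to cross that boundary, so a two-factor gate is modelled as a required capability the phished password alone does not provide.

```python
from collections import deque
from typing import Dict, Set, Tuple

# Constructed sample assets and the network segment each lives in.
ASSETS: Dict[str, str] = {
    "laptop-alice": "user-vlan",
    "laptop-bob": "user-vlan",
    "file-server": "internal-services",
    "hr-db": "restricted",
    "domain-controller": "restricted",
    "web-proxy": "dmz",
}
SEGMENTS = set(ASSETS.values())

# Policy: (source segment, destination segment) -> capabilities an attacker needs
# to cross. A missing key means the flow is blocked outright.
# Flat network: every segment reaches every segment with no extra requirement.
FLAT_POLICY: Dict[Tuple[str, str], Set[str]] = {(s, d): set() for s in SEGMENTS for d in SEGMENTS}

# Segmented network: users reach only the proxy and internal services, there is no
# client-to-client traffic on the user VLAN, and the restricted tier is reachable
# only from internal services and only with a second factor ("mfa").
SEGMENTED_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("user-vlan", "dmz"): set(),
    ("user-vlan", "internal-services"): set(),
    ("internal-services", "restricted"): {"mfa"},
}


def blast_radius(compromised: str, assets: Dict[str, str],
                 policy: Dict[Tuple[str, str], Set[str]], attacker_caps: Set[str]) -> Set[str]:
    """Assets an attacker can reach, transitively, after compromising `compromised`.
    Worst-case assumption: every reachable host can itself be compromised and used
    as the next hop (shared credentials, no endpoint protection)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst, dst_seg in assets.items():
            if dst in reached:
                continue
            required = policy.get((assets[src], dst_seg))
            if required is not None and required <= attacker_caps:
                reached.add(dst)
                queue.append(dst)
    return reached


def compare_designs(compromised: str = "laptop-alice") -> Dict[str, int]:
    """Number of assets exposed by one phished workstation under each design."""
    return {
        "flat, password only": len(blast_radius(compromised, ASSETS, FLAT_POLICY, set())),
        "segmented, password only": len(blast_radius(compromised, ASSETS, SEGMENTED_POLICY, set())),
        "segmented, password + second factor": len(blast_radius(compromised, ASSETS, SEGMENTED_POLICY, {"mfa"})),
    }


if __name__ == "__main__":
    for design, count in compare_designs().items():
        print(f"{design}: {count} of {len(ASSETS)} assets reachable")
```

The point the numbers make is the one in the text: on the flat network one phished laptop exposes every asset, while on the segmented network the same laptop reaches only the proxy and the file server, and the restricted tier stays out of reach until the attacker also defeats the second factor.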


Regularly evaluate your defenses against phishing

The most effective defense against phishing and social engineering is a multi-pronged approach: knowledgeable users, an internal security structure that can stay one step ahead of an attacker, and the expectation that an attack will succeed one day, with a plan in place to mitigate the damage.

It is critically important to know what an employee's workstation being compromised would mean for you, and how easy it is to socially engineer your employees. The only way to determine the potential impact of a phishing or social engineering attack on your organization is to test your employees. Conduct routine security assessments across the organization to establish your baseline security level.

As more and more of daily life becomes internet-connected, the attack surface against employees everywhere keeps growing. Malicious actors can target employees through their social media accounts with greater ease, because those accounts are not bound by corporate IT policy. Even as organizational risk is reduced, educating employees about social engineering attacks becomes increasingly crucial.

The first step in evaluating your employees' resistance to phishing is a simulated phishing exercise that reveals knowledge gaps. Evaluating your active defense is somewhat harder and calls for a more sophisticated version of a mock phishing exercise. An engagement comparable to a red team exercise is the most appropriate way to evaluate your organization's capacity to respond to threats realistically. The most effective way to evaluate your organization's ability to resist compromise is to conduct internal and external network penetration tests, or red team assessments.
