In recognition of Cyber Security Awareness Month, RedLegg’s 96 Bravo team will be providing security-focused content for the Information Security community at large in hopes of proactively fostering a security-conscious mindset. In this week’s diary, we tap into one of the most common attack vectors – phishing attacks.
Phishing attacks fall among the most trivial, yet copious attack strategies used by threat actors today. Attackers have become more and more intrepid in their efforts to cast their nets into the wide-open digital abyss, with sophisticated lines set on reeling in a fresh catch. Cyber threat actors employ phishing campaigns in order to elicit sensitive information, such as user credentials and financial data.
Historically, attackers have proven their ability to be persistent in developing technical and socially dependent techniques that play on the intricacies of human behavior. In recent studies, statistics have shown that less than five percent of attacks are exclusively centered around technical-based exploits. In light of this research, it is obvious that attackers have found phishing ploys to be a viable attack vector.
Phishing attacks ultimately take advantage of emails, text messages, and websites as a medium to lure in an unsuspecting target. Ironically, vishing and smishing attacks have played a vital role in many of the more recent high-profile attacks. Similar to actual fish bait, the medium used in these attacks will generally take on a realistic appearance, such as that of a trusted sender. This may include a frequently visited e-commerce store, a bank, or an employer.
Phishing attacks, or larger campaigns, fall under the umbrella of social engineering. Phishing and social engineering are two concepts that are virtually inseparable. Social engineering plays on the social construct of the intended target, which, incidentally, involves a considerable number of attack vectors. Threat actors exploit social and operational norms to entice their targets into exposing data they otherwise wouldn’t.
- Defense against phishing attacks begins with awareness and educating users on key indicators that distinguish non-malicious emails from malicious emails.
- Taking a few minutes to review incoming electronic messages, without clicking on any links or attachments, can significantly improve organizational posture.
- In addition to bringing awareness to users, incorporating multi-factor authentication and intrusion detection/prevention tools offers a defense-in-depth approach for effective security. Multi-factor authentication provides a layered method of defense that requires users to provide at least two authentication factors before access can be granted.
In many cases, the bait attackers use to lure in a target has many discrepancies that can easily be identified upon further inspection. Examples include:
- Grammatical and spelling errors.
- Sketchy sender’s address.
- Generic acknowledgement.
- Suspicious attachments and/or links.
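Three of these indicators can also be checked mechanically, for example on messages users forward to a reported-phish mailbox. The following is an added example, not code from RedLegg: the function name, indicator labels, extension list and sample message are assumptions made for illustration, and grammar and spelling checks are left out.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".lnk", ".hta", ".docm")
GENERIC = re.compile(r"\bdear\s+(customer|user|client|member|sir|madam)\b", re.I)
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def triage(msg):  # msg: email.message.EmailMessage; returns indicator names
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply and reply != sender:  # replies go to a different domain
        hits.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC.search(text):  # "Dear customer" instead of a name
        hits.append("generic-greeting")
    links = Links()
    links.feed(text)
    for href, shown in links.found:  # visible text names one host, href another
        if (m := HOST.search(shown)) and m[1].lower() != (urlparse(href).hostname or ""):
            hits.append("link-text-mismatch")
    for part in msg.walk():  # script or executable attachment, incl. double extension
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            hits.append("risky-attachment")
    return hits

SAMPLE = EmailMessage()  # constructed message, not a real capture
SAMPLE["From"] = '"Example Bank" <alerts@example-bank.test>'
SAMPLE["Reply-To"] = "support@mailbox.example.net"
SAMPLE.set_content('<p>Dear customer,</p><a href="http://login.example.org/">www.example-bank.test</a>', subtype="html")
SAMPLE.add_attachment(b"constructed", maintype="application", subtype="octet-stream", filename="invoice.pdf.js")
```

A real message can be loaded with `email.message_from_bytes(raw, policy=email.policy.default)` before being passed to `triage`. A hit is a reason for a closer look, not a verdict, since legitimate mail can trip any single check.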
Threat actors generally use phishing attacks to achieve reconnaissance, initial access, and lateral movement. During reconnaissance, attackers focus on the collection of information to facilitate a favorable attack outcome. For example, an attacker may initially target an employee, with the ultimate goal of attaining credentials for the company’s CFO. Attackers typically use three sub-techniques when executing phishing attacks:
- Phishing (T1566)
  - Sub-technique: Spearphishing Attachment (T1566.001)
  - Sub-technique: Spearphishing Link (T1566.002)
  - Sub-technique: Spearphishing via Service (T1566.003)
A great way to defend against phishing attacks is to combine security awareness training focused on phishing simulations, enforced multi-factor authentication, and the integration of phishing services into your inventory of defensive tools. Bringing security awareness to the forefront and recognizing common indicators is one way security professionals help to turn the tide in today’s threat landscape.