The UK National Cyber Security Centre (NCSC) has called for a defense-in-depth approach to help mitigate the impact of phishing, combining technical controls with a strong reporting culture.
Writing in the agency’s blog, technical director and principal architect “Dave C” argued that many of the well-established tenets of anti-phishing advice simply don’t work.
For example, advising users not to click on links in unsolicited emails is not helpful when many need to do exactly that as part of their job.
This is often combined with a culture where users are afraid to report that they’ve accidentally clicked, which can delay incident response, he said.
It’s not the user’s responsibility to spot a phish – rather, it’s their organization’s responsibility to protect them from such threats, Dave C argued.
As such, they should build layered technical defenses, consisting of email scanning and DMARC/SPF policies to prevent phishing emails from arriving into inboxes. Then, organizations should consider the following to prevent code from executing:
- Allow-listing for executables
- Registry settings changes to ensure dangerous scripting or file types are opened in Notepad and not executed
- Disabling the mounting of .iso files on user endpoints
- Making sure macro settings are locked down
- Enabling attack surface reduction rules
- Ensuring third-party software is up to date
- Keeping up to date with current threats
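As an added illustration of what three of the endpoint controls listed above look like in practice (the registry change that opens script file types in Notepad, the change that stops .iso files from mounting on double-click, and locked-down Office macro policy), here is a PowerShell script. It is not code from the NCSC post or from the article; it is an example written for this page. The ProgIDs (JSFile, VBSFile and so on), the Windows.IsoFile mount verb and the Office policy value names are standard Windows and Office registry values, but the particular set of script types remapped, the use of per-user (HKCU) Office policy keys rather than a GPO, and the function names are this example's own choices. Run it in an elevated PowerShell session on a test machine before deploying fleet-wide.

```powershell
# Added example: endpoint hardening for three controls from the NCSC list.
# Not the NCSC's or the article's code. Requires an elevated session.
#Requires -RunAsAdministrator

$Notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'

# Script-engine ProgIDs that Windows Script Host runs on double-click by default.
# Which types to remap is an assumption of this example; extend to suit your estate.
$ScriptProgIds = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile')

function Set-ScriptTypeToNotepad {
    # Point the default "open" action of each script ProgID at Notepad, so a
    # double-clicked attachment is displayed as text instead of executed by WSH.
    foreach ($progId in $ScriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$Notepad`" `"%1`""
    }
}

function Disable-IsoMount {
    # Mark the Explorer "mount" verb for ISO files as programmatic-only, which
    # removes it from the double-click and context-menu path for users.
    $mountKey = 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount'
    if (-not (Test-Path $mountKey)) { New-Item -Path $mountKey -Force | Out-Null }
    New-ItemProperty -Path $mountKey -Name 'ProgrammaticAccessOnly' `
        -PropertyType String -Value '' -Force | Out-Null
}

function Set-OfficeMacroPolicy {
    # Office 2016/365 policy keys (per-user here; use GPO for a fleet):
    #   VBAWarnings = 4                       -> disable all macros without notification
    #   blockcontentexecutionfrominternet = 1 -> block macros in files marked
    #                                            as downloaded from the internet
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value 4
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
    }
}

function Test-PhishingHardening {
    # Audit each control so the change can be validated and drift detected later;
    # "tests and maintains them" is the part of the advice this function serves.
    $results = @(foreach ($progId in $ScriptProgIds) {
        $cmd = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command" `
                -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Control = "$progId opens in Notepad"; Compliant = ($cmd -like '*notepad.exe*') }
    })

    $mount = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount' `
             -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Control = 'ISO mount verb hidden'
                                   Compliant = ($null -ne $mount.ProgrammaticAccessOnly) }

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" `
               -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{ Control = "$app macros disabled"
                                       Compliant = ($sec.VBAWarnings -eq 4 -and $sec.blockcontentexecutionfrominternet -eq 1) }
    }
    $results
}

# Usage (apply, then audit):
#   Set-ScriptTypeToNotepad; Disable-IsoMount; Set-OfficeMacroPolicy
#   Test-PhishingHardening | Format-Table -AutoSize
```

The audit function is the piece worth keeping in a scheduled job: the controls are cheap to apply once, but software installs and user-level file associations can silently undo them, and a table of `Compliant = False` rows is what turns "we configured this" into "we tested and maintained it".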
Additionally, organizations should take steps such as DNS filtering to block suspicious connections and endpoint detection and response (EDR) to monitor for suspicious behavior, the NCSC advised.
“Let’s be clear that if your organization implements the measures above, and tests and maintains them, it’s likely there will be a significant drop in attackers exploiting your users to gain initial access,” said Dave C. “However, it’s still worth training users to spot suspicious links.”
This is so that users can spot attacks targeting their personal accounts as a pathway into corporate systems, and so that they flag suspicious emails to improve intelligence gathering, he added.
Organizations must also move away from the blame culture surrounding phishing reporting, the NCSC urged.
“Imagine a scenario where a user isn’t embarrassed to report when they’ve clicked on a malicious link, so they do so promptly, the security team thanks them for their swift action and then works quickly to understand the resulting exposure,” Dave C concluded.
“This is a much more constructive sequence of events, and with the added security benefit that an attack is identified early on.”