Three Key Elements of a Defense-in-Depth Approach to Phishing

Written by

Phishing is probably the oldest and the most potent attack vector threatening today’s organizations. More than 90% of all cyber-attacks begin with phishing emails. Google reportedly blocks 18 million scam emails every day and registered a record two million phishing websites last year.

And phishing attacks don’t look like they are going away anytime soon. In fact, they are going to become even more targeted as organized crime syndicates get their hands on dark web data dumps. Fighting and mitigating these attacks can be challenging and requires multiple layers of defense. Let’s explore the top three elements of a multi-layered, defense-in-depth approach:

1. Policies, Procedures and Documentation

Organizations must set guidelines for employees and vendors on what is allowed and what is not allowed regarding devices and services and personal responsibilities.

The acceptable use policy (AUP) is a key component that must be documented, read, signed and reviewed by every individual every year. Employees must be transparently communicative regarding the importance of security awareness training, how their progress will be monitored and any potential consequences (further training, counselling, lockdown of internet access etc.) if one consistently fails simulation exercises and tests.

The anti-phishing policy covers awareness topics on phishing, common social engineering scams and recent examples, and education on how a stakeholder should treat suspected threats. The document should outline best practices: users mustn’t install unauthorized software; always analyze URLs before clicking; never respond to a suspicious email or text and always report any email or interaction that looks (or smells) ‘sketchy.’ Wire transfers exceeding a certain threshold should be confirmed verbally with the requester in a bid to prevent business email compromise or wire transfer fraud. 

Business continuity and disaster recovery plans help minimize damage in the event of a cyber-attack. This can include detailed steps on who to contact (crisis management consultants, cybersecurity insurance, etc.), which teams to include (legal, HR, public relations, etc.) and guidance on whether to pay a ransom or not in case of a ransomware attack.

2. Technical Defenses

While policies are an essential strategic foundation for phishing prevention, having the proper technical defenses can effectively combat phishing attacks. Below is a summary of the most popular approaches for defense-in-depth:

Malware mitigation: Endpoint security and network security tools like antivirus, endpoint detection and intrusion detection are some of the most essential tools available to combat root causes of phishing attacks like DDoS, eavesdropping, man-in-the-middle and buffer overflow attacks. 

Content filtering: Many businesses fall prey to phishing attacks because employees carelessly browse the internet. Web filtering or content filtering policies can help prevent certain sites from being accessed, thereby significantly reducing the probability of visiting risky websites.

Email-client specific protection: Most email clients, web browsers, and email providers provide default or built-in anti-phishing functionality (e.g., block all file downloads by default). 

Multi-factor authentication: MFA can significantly reduce certain types of phishing attacks. Your password might get phished accidentally, but a secondary authentication method can prevent you from getting breached.

Reputation services: Reputation services will provide a risk score and advise, block, or allow content based upon the origination of a URL. Blacklisting services will block emails from known malicious domains while whitelisting services will allow content from only previously verified or authorized domains. A greylisting service will confirm the legitimacy of an unrecognized email address by rejecting the email first and requesting a copy from the server at a later time.

Password managers: Password managers can allow users to easily store long and complex passwords across multiple sites without needing to rely on one’s memory. They significantly decrease password re-use and the risk of a single password compromise.

Global phishing protection standards: Phishing standards like Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) help protect domains against spoofing. When these are enabled, receivers can verify the authenticity of an email that claims to be from a particular domain.

Red/green systems: In environments with low-risk tolerance and extremely high-value assets, users can be provided with two separate systems. Red systems are highly secured and only contain mission-critical applications, while green systems are less secure and can be used for internet browsing and everyday business activities.

3 Security Awareness Training

Research proves that technical safeguards alone are not adequate in providing the ultimate protection against phishing. Studies demonstrate that 90 days of simulated phishing can help develop a culture of skepticism and reduce an employee’s Phish-Prone Percentage (PPP) by up to 60%. Employers’ positive reinforcement, such as special public recognition, gift certificates, pizza parties, and even cash bonuses, can positively influence adopting a healthy security posture.

Remember that phishing susceptibility does not correlate with intelligence. Higher IQ does not mean that you won’t get phished; some of the most intelligent people have fallen prey to phishing attacks. What helps organizations is having a multi-layered approach – having the right policies and technical defenses combined with developing muscle memory to habituate people into recognizing, rejecting and reporting phishing attempts. A defense-in-depth approach is a good start towards improving a company’s cyber resilience.

What’s hot on Infosecurity Magazine?