Back in April of 2018, PhishLabs released its “2018 Phishing Trends & Intelligence Report”, which offers insight into significant industry trends, tools, and techniques being used by threat actors to carry out phishing attacks. It also sheds light on why shifts are occurring and what to expect in the coming year.
Unsurprisingly, just as in years past, phishing remains the top threat vector for cyber-attacks. As you may already know, threat actors will continue to target the human element as long as this avenue is the most successful path to compromising organizational assets and data. Other key findings in the report demonstrate a shift in the tactics, techniques, and procedures (TTPs) of threat actors leveraging phishing as their primary attack vector. Listed are a few of the more interesting findings:
- Industry shift shows signs of threat actors switching from primarily targeting individuals to targeting organizations.
- Email and online services (26% of attacks) overtook financial institutions (21%) as the top phishing target.
- Nearly one-third of all phishing sites observed by end of 2017 were located on HTTPS domains, up from only five percent at the end of 2016.
- Attacks targeting SaaS are exploding, with more than 237% growth.
- Attacks targeting social media platforms have nearly tripled since last year due to the inherent trust between users and the platform or brand.
- The ransomware landscape is maturing and is no longer experiencing exponential growth of new threat families.
- Mobile malware continues to rise, and new techniques take advantage of the increased use and security shortcomings of mobile devices.
What can be done?
The Center for Internet Security (CIS) publishes a set of 20 controls that are intended to provide organizations with a set of actions to protect their organization and data from known cyber-attack vectors. CIS Control 7: Email and Web Browser Protection directs: “Minimize the attack surface and opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.”
This is a foundational control that covers the two main entry points of attack: web browsers and email. It is not our intent for you to misconstrue the implementation of these security controls as simplistic or wholly applicable to every organization; we understand that attempting to implement these controls will be a gradual process with consideration of cost, time, and resource constraints. However, this is a core control and in most environments shouldn’t be too cumbersome to implement. Listed are the recommended controls to consider to strengthen email and web browser protection:
- Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
- Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
- Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not.
- Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
- Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
- Use DNS filtering services to help block access to known malicious domains.
- To lower the chance of spoofed or modified emails from valid domains, implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.
- Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
- Use sandboxing to analyze and block inbound email attachments with malicious behavior.
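The URL filtering, categorization, DNS filtering, and request logging items above describe one decision pipeline: a request is blocked if its host is on the DNS blocklist, blocked if it is uncategorized, blocked if its category is not approved, and allowed otherwise, with every decision logged so incident handlers can find hosts that tried to reach blocked sites. The following Python is an added example (not CIS or PhishLabs code) that applies that pipeline to a few constructed proxy log lines; the category feed, the blocklist, and the `.test` domains are all constructed stand-ins for what a real categorization or DNS filtering service would supply.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample URL request log: "<timestamp> <client-ip> <url>".
# These lines are made up for the example; they are not real traffic.
SAMPLE_LOG = """\
2018-05-01T09:12:03Z 10.0.1.15 https://mail.example-corp.test/inbox
2018-05-01T09:12:09Z 10.0.1.15 http://login-secure-update.test/verify
2018-05-01T09:13:41Z 10.0.2.7 https://cdn.vendor-saas.test/app.js
2018-05-01T09:14:02Z 10.0.2.7 http://known-bad.test/payload.exe
"""

# Hypothetical category feed: what a URL categorization service would return.
CATEGORIES = {
    "mail.example-corp.test": "business",
    "cdn.vendor-saas.test": "saas",
}
# Categories the organization has approved; everything else is denied.
ALLOWED_CATEGORIES = {"business", "saas", "news"}

# Hypothetical DNS filtering blocklist (domains a DNS filter would sinkhole).
DNS_BLOCKLIST = {"known-bad.test"}

Decision = namedtuple("Decision", "client host verdict reason")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def decide(client, url):
    """Apply the control's ordering: DNS blocklist, then categorization,
    with uncategorized hosts blocked by default."""
    host = urlparse(url).hostname or ""
    if host in DNS_BLOCKLIST:
        return Decision(client, host, "block", "dns-blocklist")
    category = CATEGORIES.get(host)
    if category is None:
        return Decision(client, host, "block", "uncategorized")
    if category not in ALLOWED_CATEGORIES:
        return Decision(client, host, "block", f"category:{category}")
    return Decision(client, host, "allow", f"category:{category}")


def evaluate_log(text):
    """Parse each log line and record a decision for it (the audit trail
    the control asks for). Malformed lines are skipped."""
    decisions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _timestamp, client, url = m.groups()
        decisions.append(decide(client, url))
    return decisions


def suspicious_clients(decisions):
    """Clients with at least one blocked request: the systems an incident
    handler would triage first as potentially compromised."""
    return sorted({d.client for d in decisions if d.verdict == "block"})


if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        print(f"{d.client:<10} {d.verdict:<5} {d.host} ({d.reason})")
    print("triage:", suspicious_clients(evaluate_log(SAMPLE_LOG)))
```

In a real deployment the category lookup and blocklist would be live feeds and the decisions would go to a SIEM rather than a list, but the ordering matters: the DNS check runs first because it is cheapest and catches known-bad hosts regardless of category, and the default for unknown hosts is deny, as the control requires.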
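The DMARC item above is where most organizations stall: SPF and DMARC records get published, but with settings that do not actually reject spoofed mail. The following Python is an added example (not CIS or PhishLabs code) of the audit a defender would run over a domain's SPF and DMARC TXT records. The records live in a constructed dictionary standing in for DNS answers, so it runs offline; the `.test` domain names and the mail provider in the `include:` are made up. It flags an SPF record that ends in `+all` (every sender passes), a DMARC policy of `p=none` (monitoring only), a missing `rua` reporting address, and a `pct` below 100.

```python
# Constructed TXT records, keyed by the name a resolver would query.
# Real SPF lives at the apex; DMARC lives at _dmarc.<domain>.
RECORDS = {
    "example-corp.test": "v=spf1 include:_spf.mailprovider.test -all",
    "_dmarc.example-corp.test": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test; pct=100"
    ),
    "weak.test": "v=spf1 a mx +all",
    "_dmarc.weak.test": "v=DMARC1; p=none",
    "nodmarc.test": "v=spf1 mx ~all",
}


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(spf):
    """Findings for one SPF record; only the terminal 'all' qualifier is
    examined here (redirect= modifiers and lookup limits are out of scope)."""
    findings = []
    if spf is None or not spf.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terminal = spf.split()[-1].lower()
    if terminal in ("all", "+all", "?all"):
        findings.append(
            f"SPF terminal mechanism {terminal} does not fail unauthorized senders")
    elif terminal not in ("-all", "~all"):
        findings.append("SPF has no terminal all mechanism")
    return findings


def audit_dmarc(dmarc):
    """Findings for one DMARC record: policy strength, reporting, coverage."""
    if dmarc is None or not dmarc.upper().startswith("V=DMARC1"):
        return ["no DMARC record published"]
    tags = parse_dmarc(dmarc)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(
            "DMARC policy p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag p missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC policy applies to only {pct}% of mail")
    return findings


def audit_domain(domain, records=RECORDS):
    """Combine the SPF and DMARC findings for a domain; an empty list means
    the records are published with enforcing settings."""
    return audit_spf(records.get(domain)) + audit_dmarc(records.get("_dmarc." + domain))


if __name__ == "__main__":
    for name in ("example-corp.test", "weak.test", "nodmarc.test"):
        print(name, "->", audit_domain(name) or ["ok"])
```

DKIM is not checked here because its validity depends on the selector chosen by the sending system and on a signature over a real message, neither of which can be constructed meaningfully offline; a live audit would add a TXT lookup of `<selector>._domainkey.<domain>` for each selector in use.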
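The attachment-blocking item above is usually implemented as an extension allowlist at the gateway, but an extension alone is easy to lie about, so a practical policy also checks that the bytes match the claimed type. The following Python is an added example (not CIS or PhishLabs code) of that two-step check: the extension must be on an allowlist, and the file's leading bytes must agree with the extension. The allowlist, the magic-byte table, and the sample attachments are constructed for the example; sandboxing of attachments that pass this check is a separate control and is not shown.

```python
# Extensions the (hypothetical) organization has decided it needs.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}

# Leading bytes ("magic numbers") for the types the policy recognizes.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",      # docx/xlsx are zip containers
    b"MZ": "exe",              # Windows PE executable
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
ZIP_BACKED = {"docx", "xlsx"}   # extensions whose content sniffs as "zip"
TEXT_ONLY = {"txt"}             # no magic number; must not sniff as anything


def sniff(data):
    """Return the content type implied by the leading bytes, or None."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None


def evaluate_attachment(filename, data):
    """Return ("allow", ext) or ("block", reason) for one attachment.
    Only the last extension counts, so "invoice.pdf.exe" is an exe."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return ("block", f"extension-not-allowed:{ext or 'none'}")
    detected = sniff(data)
    if ext in TEXT_ONLY:
        # Plain text has no signature; a recognized binary signature means
        # something else is hiding behind a .txt name.
        if detected is not None:
            return ("block", f"content-mismatch:{detected}")
        return ("allow", ext)
    if detected is None:
        return ("block", "content-unrecognized")
    expected = "zip" if ext in ZIP_BACKED else ext
    if detected != expected:
        return ("block", f"content-mismatch:{detected}")
    return ("allow", ext)


# Constructed attachments: (filename, first bytes). Not real files.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("quote.pdf", b"MZ\x90\x00\x03\x00"),          # executable renamed .pdf
    ("invoice.pdf.exe", b"MZ\x90\x00"),            # double extension
    ("macros.docm", b"PK\x03\x04"),                # macro-enabled, not allowed
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("notes.txt", b"meeting at 10"),
    ("photo.jpg", b"\x89PNG\r\n\x1a\n"),           # PNG bytes under .jpg name
]


def apply_policy(attachments):
    """Evaluate every attachment; returns (filename, verdict, reason) rows."""
    return [(name, *evaluate_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    for name, verdict, reason in apply_policy(SAMPLE_ATTACHMENTS):
        print(f"{verdict:<5} {name:<18} {reason}")
```

Gateways that inspect only the extension would pass `quote.pdf` and `photo.jpg` here; the content check is what catches them. Conversely, the `.docm` case shows why the allowlist is still needed: its bytes are a perfectly valid zip container, and only the policy decision to exclude macro-enabled formats blocks it.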
In addition to CIS Control 7, organizational leadership and security practitioners should strive to institute all or some components of CIS Control 17: Implement a Security Awareness and Training Program, which we will address in another posting.