The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing & Analysis Center (MS-ISAC), has released a comprehensive guidance document to help organizations prevent phishing attacks. The joint document, titled “Phishing Guidance: Stopping the Attack Cycle at Phase One,” describes the phishing techniques threat actors commonly use and explains how organizations can protect themselves effectively.
Phishing attacks are a prevalent method used by cybercriminals to exploit organizations and individuals. The attackers have two primary objectives when it comes to phishing: obtaining login credentials and installing malware on targeted systems. With this in mind, the guidance emphasizes the importance of understanding these objectives and implementing appropriate measures to thwart the attacks.
The document highlights various social engineering tactics threat actors use to phish organizations for login credentials. These tactics include impersonating trusted colleagues, such as IT administrators, and using Voice over Internet Protocol (VoIP) to spoof caller ID so that a call appears to come from a trusted phone number. The guidance further points out that malware installation often starts with spam emails, either via malicious hyperlinks or via attachments containing macro scripts.
To counter these phishing tactics effectively, CISA suggests a range of mitigations. One crucial recommendation is to provide user training on social engineering and phishing attacks to raise employees’ awareness. Additionally, organizations are advised to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) for received emails. DMARC, together with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), lets organizations publish policies for the emails their users send and receive. These email authentication protocols verify the sending server of a received message against the rules the owning domain has published. If an email fails the check, indicating a spoofed sender address, the mail system quarantines it and reports it as malicious. Enabling DMARC with a reject policy (p=reject) causes incoming emails from spoofed domains to be rejected outright.
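The DMARC evaluation described above, as an added example that is not part of the guidance or of the article: a receiving mail server parses the domain owner's published DMARC record, reads the SPF and DKIM verdicts from an Authentication-Results header, checks whether the authenticated domains align with the visible From domain, and applies the record's policy (none, quarantine or reject) when neither check passes. The DMARC records, the From domains and the Authentication-Results headers are all constructed sample data; the organizational-domain helper is a deliberate simplification (real implementations consult the Public Suffix List).

```python
"""Added example: applying a published DMARC policy to SPF/DKIM results.

All records and headers here are constructed sample data, not from the
CISA guidance. The organizational-domain rule is simplified on purpose.
"""
import re

# Constructed DMARC TXT records: a monitoring-only record (spoofed mail is
# still delivered) and the reject policy the guidance recommends.
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, filling in DMARC defaults
    (policy none, relaxed alignment for both DKIM and SPF)."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def parse_authentication_results(header):
    """Return {'spf': (result, smtp.mailfrom domain), 'dkim': (result, header.d)}
    from a simplified Authentication-Results header. The first clause is the
    authserv-id and is skipped; a missing domain property yields None."""
    results = {}
    for clause in header.split(";")[1:]:
        match = re.match(r"(spf|dkim)=(\w+)", clause.strip())
        if not match:
            continue
        method, result = match.groups()
        prop = "smtp.mailfrom" if method == "spf" else "header.d"
        domain = re.search(re.escape(prop) + r"=([\w.-]+)", clause)
        results[method] = (result.lower(), domain.group(1).lower() if domain else None)
    return results


def organizational_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Production code must use the Public Suffix List (think 'example.co.uk')."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment ('s') needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(from_domain, dmarc_txt, auth_results_header):
    """Return 'pass' if an aligned SPF or DKIM check passed; otherwise the
    disposition the domain owner published: 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc_record(dmarc_txt)
    results = parse_authentication_results(auth_results_header)
    spf_result, spf_domain = results.get("spf", ("none", None))
    dkim_result, dkim_domain = results.get("dkim", ("none", None))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # Constructed headers: a legitimate message signed by example.com, and a
    # message whose From claims example.com but was sent by an unrelated domain.
    legit = "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com"
    spoofed = "mx.example.net; spf=pass smtp.mailfrom=unrelated.example; dkim=none"
    for label, record in (("p=none", DMARC_MONITOR_ONLY), ("p=reject", DMARC_REJECT)):
        print(label, "legit ->", dmarc_disposition("example.com", record, legit))
        print(label, "spoofed ->", dmarc_disposition("example.com", record, spoofed))
```

The two constructed records show why the guidance singles out the reject policy: with p=none the spoofed message still reaches the mailbox and only generates an aggregate report, while p=reject turns the same failed alignment check into a bounce at the receiving server.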
Another key recommendation is the utilization of FIDO (Fast Identity Online) or PKI (Public Key Infrastructure)-based multifactor authentication to fortify login credentials. These authentication methods provide an additional layer of security, making it significantly more challenging for threat actors to gain unauthorized access.
Moreover, CISA advises organizations to implement firewall rules and to apply allowlists and denylists at the email gateway to stop phishing attempts before they result in malware installation. With denylists, organizations can block the known malicious domains, URLs, IP addresses, and file extensions that cybercriminals commonly rely on. This proactive approach significantly reduces the organization's exposure and strengthens its defenses against phishing attacks.
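An added example of the gateway denylist logic described above (not code from the guidance or from any particular mail gateway product): each inbound message is checked against denylisted domains (including their subdomains), URLs, IP address ranges, and attachment file extensions, and the reasons for blocking are collected so they can be logged. The denylist entries and the two sample messages are constructed for illustration.

```python
"""Added example: email-gateway denylist checks.

The denylist contents and the messages below are constructed sample data,
not indicators from the CISA guidance.
"""
import ipaddress
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed denylist. Domains match themselves and any subdomain; URL
# entries match by prefix; IP entries are CIDR networks (203.0.113.0/24 is a
# documentation range); extensions are compared case-insensitively.
DENYLIST = {
    "domains": {"bad.example", "phish.example"},
    "url_prefixes": {"https://files.example/share/"},
    "ip_networks": [ipaddress.ip_network("203.0.113.0/24")],
    "extensions": {".exe", ".js", ".vbs", ".scr", ".docm", ".hta"},
}


def domain_denied(host):
    """True if host is a denylisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DENYLIST["domains"])


def url_denied(url):
    """A URL is denied if its host is denylisted or it starts with a denied prefix."""
    host = urlparse(url).hostname or ""
    return domain_denied(host) or any(url.startswith(p) for p in DENYLIST["url_prefixes"])


def ip_denied(ip):
    """True if the connecting IP falls inside any denylisted network."""
    address = ipaddress.ip_address(ip)
    return any(address in net for net in DENYLIST["ip_networks"])


def attachment_denied(filename):
    """Check the final extension, so 'report.pdf.exe' is judged by '.exe'.
    Archives are not opened here; a real gateway would also inspect their contents."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    return bool(suffixes) and suffixes[-1] in DENYLIST["extensions"]


def inspect_message(msg):
    """Return the list of denylist hits for a message; an empty list means deliver.
    msg is a dict with 'sender_ip', 'urls' and 'attachments' (a constructed shape)."""
    reasons = []
    if ip_denied(msg["sender_ip"]):
        reasons.append("sender ip " + msg["sender_ip"])
    for url in msg["urls"]:
        if url_denied(url):
            reasons.append("url " + url)
    for name in msg["attachments"]:
        if attachment_denied(name):
            reasons.append("attachment " + name)
    return reasons


if __name__ == "__main__":
    # Constructed messages: one from an unremarkable source, one hitting three rules.
    messages = [
        {"sender_ip": "198.51.100.7", "urls": ["https://intranet.example.org/report"],
         "attachments": ["q3.xlsx"]},
        {"sender_ip": "203.0.113.45", "urls": ["https://login.phish.example/reset"],
         "attachments": ["invoice.pdf.exe"]},
    ]
    for msg in messages:
        hits = inspect_message(msg)
        print("BLOCK" if hits else "DELIVER", hits)
```

Because a denylist only matches indicators that are already known, it is a complement to the DMARC, MFA and training recommendations above rather than a replacement for them; logging the matched reason makes it possible to tell which rule fired when reviewing blocked mail.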
When questioned about the timing and relevance of releasing this guidance, CISA declined to comment. However, a blog post by CISA senior technical advisor Bob Lord sheds some light on the matter. Lord emphasizes the need for a more comprehensive conversation about the cybersecurity products available to organizations. He suggests that the blame cannot be solely attributed to the defenders when compromises occur. Instead, the industry needs to focus on delivering products and solutions that not only prevent these attacks but also mitigate the risks effectively.
In conclusion, the joint guidance issued by CISA, in collaboration with the NSA, FBI, and MS-ISAC, provides crucial insights and actionable recommendations for organizations seeking to prevent phishing attacks. By identifying common phishing techniques and emphasizing the necessary mitigations, the document aims to help organizations strengthen their cybersecurity posture. With the constant evolution of cyber threats, organizations must remain vigilant and implement robust security measures to protect themselves from phishing attacks.
