Attackers can teach you to defend your organization against phishing
People click on links and attachments and will, unfortunately, keep clicking even if they should know better. They’ll click for the chance of winning a holiday, or even something as cheap as a $2 cup of coffee.
No amount of awareness training is going to eliminate every click. However, you can always raise the cost for attackers and reduce the chances they’ll reach their objectives. You can do this by building a path of maximum resistance, and that begins by considering how an attacker sees your company.
Getting in the mind of a criminal preparing to craft a phishing attack is easier when you consider the classic Cyber Kill Chain developed by Lockheed Martin, which we’ve adapted to the following eight steps:
- External reconnaissance
- Delivery
- Code execution
- Persistence
- Command and control
- Internal reconnaissance
- Lateral movement
- Objective
Using the kill chain to assess how an attacker would approach your organization makes it easier to understand which steps, at a minimum, would need to be taken by an arbitrary attacker to succeed in a phishing attack against your company. This allows you to go and build preventative or detective controls to counter them every chance you get.
Phishing is usually thought of as only occurring during the “delivery” phase of an attack. In reality, a successful phishing attack requires success during the first four stages, providing you with opportunities to prevent, detect, and respond before the attacker has an opportunity to establish a foothold.
Here’s a look at how attackers see the first four stages, and practical steps you can take now to stop criminals from getting their way.
External reconnaissance
An attacker’s first activity is to observe your company, likely starting with something as simple as a Google search. The goal is to understand how to breach the organization.
To see how an attacker views your company, conduct an open-source intelligence (OSINT) exercise. Both automated and manual techniques—such as Google hacking—can be used to collate information useful to an attacker.
This can come from a variety of online sources, such as Facebook, Twitter, your company website, blogs, and other forums. Ask yourself, what sort of info do we put in job postings? What sort of information do we put up on LinkedIn? Or what sort of information do we allow users to put up on LinkedIn?
Identify the information that could be used to target employees and the employees most likely to be targeted. Manage the information you make available to attackers and decrease their chances of success.
Phishing attack delivery
This stage is where the attacker emails your employees. This is happening constantly. But because of the attacker’s work in the first stage of the kill chain, these phishing emails are far more likely to be effective than non-targeted attacks.
The attacker’s goal is delivering malware that will provide access to the network, or to coerce employees into divulging sensitive information (e.g., login credentials).
You need to understand whom the attacker is likely to be targeting, and how. You also need to decide exactly what can be delivered. Evaluate which malicious executables and URLs attackers can deliver to your network. Configure your mail gateway to limit exposure as much as possible.
Most environments have web and mail gateways, so you can’t just send any type of URL or email. It’s up to the security team to understand what sort of URLs can be delivered to your employees’ inbox. Most businesses also have some sort of exclusion set. Most environments, for example, don’t allow EXE files to be delivered, but there’s many other ways to execute payloads, including macro-enabled documents and HTA files.
You also need to train your employees to recognize and report suspicious emails. Traditionally, user awareness training teaches people not to click. However, there is something even more important than reducing your company’s click rate. You need to teach people to focus on reporting phishing emails. Someone on the attacker’s target list needs to report that email as quickly as possible. The quicker that happens, the sooner the situation can be handed over to the security team to handle.
Code execution
Should the attacker’s email manage to evade your mail gateway, the goal is to trick an employee into performing an action that executes a malicious payload. This payload is designed to exploit a vulnerability and provide the attacker with access to the environment.
Ideally, you’ve got code execution policies in place so only certain types of files can be executed. You can prevent anything that’s delivered by email to be executed, to restrict things as much as you possibly can.
The attacker knows this and is constantly trying to work around it, which is why you need to maintain an ability to detect the execution of malicious payloads from phishing emails on employee endpoints. But how?
Design and frequently run test cases that simulate malicious payloads being executed on your employee endpoints. Monitor logs and alerts when performing code execution test cases to validate that you have both the necessary coverage and telemetry to recognize indicators of compromise. Where blind spots in telemetry are identified, develop and validate new detection use cases.
You can also build on the earlier steps you’ve taken. Feed data from the security awareness program into your security information and event management (SIEM) tooling, so that adjustments can be made to the detection logic based on the risk posed by certain employees and teams.
Command and control
Once the code from the phishing email is successfully executed, a command-and-control channel is established between the compromised system and a system controlled by the attacker. This gives them a foothold on the network and an internal position from which they can continue their attack.
Knowing this, your goal is to prevent communication to malicious hosts on the internet. Detect anomalous behaviors indicative of an attacker taking control of a system on your network.
Do you know what it would look like if an attacker were to establish a command-and-control connection from your internal network? Find out by conducting an exercise to simulate a range of outgoing connection types from your IT estate.
If you have multiple proxy servers or web gateways, review and align their configuration to prevent unintended exposure. Develop a profile of “normal” user activities and flag any action that is considered abnormal.
Some attackers won’t plan to move around in your network and escalate privileges to reach their objective. Instead, they will impersonate the legitimate user of a compromised account to defraud the organization, its customers, or its partners. This is known as Business Email Compromise (BEC). Tackle this by implementing policies to reduce the risk of employees following the attacker’s request.
Next steps
Building ongoing efforts to establish prevention and detection at every step of the kill chain are key to mitigating the risks of phishing. Even more important than this is to understand what isn’t prevented, and what cannot be detected. As these are the shadows in which attackers will move.
Some ideas to consider are a cross-departmental task force to combat phishing, running phishing simulation exercises that target the most susceptible parts of your company, and scheduling regular reviews to assess changes to the threat landscape and your organization.
With a commitment and focus to seeing phishing from the mind of an attackers, you can build a robust, layered defense that turns an unavoidable inherent risk into a manageable residual risk. And you’ll get to understand exactly why that frustrates attackers so much.