SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Defending Against Phishing


When IT and security professionals discuss phishing, improved user education is often the main focus. User education is vital, and it can lead to faster discovery of attacks through increased reporting of phishing attempts, but it's important to understand the limits of user education as a way to reduce phishing risk.

In many cases, the goal of a phishing attack is to gain initial access to the internal network, which means that if a single email reaches an end user who runs the payload, the attack has succeeded. When the attack surface is limited, such as in very small organizations or in highly targeted spear phishing, well-educated users may be able to thwart an attack. However, in mass phishing campaigns against medium-to-large organizations, it's unrealistic to expect every single user to avoid falling victim: the attacker needs one click, and the defender needs zero. User education may not be an effective preventative measure against this kind of phishing. Education can, however, be effective for encouraging users to report phishing emails, and a well-designed incident response plan can help mitigate the impact of attacks that do succeed.

In this blog post, I describe some technical controls that you can implement alongside a user education program to prevent successful phishing attacks, particularly when the goal of the attack is to gain an initial foothold in your internal network.

For an attack to be successful, it must complete three steps:

  1. The phishing email must make its way through the gateway to the user's inbox.
  2. The user must successfully execute the payload.
  3. The payload must be able to successfully communicate with an external command/control server.

During each of these steps, there are defenses you can implement to thwart the attack. I walk through each defense below and describe how a persistent attacker may still be able to overcome them.

Defense 1 - Filter emails at the gateway. This defense stops as many malicious emails as possible before they reach users' inboxes. A range of techniques exist to accomplish this, such as blocking all attachments or certain file types, stripping or rewriting URLs in messages, analyzing sender domains (including the results of SPF, DKIM, and DMARC checks), and performing natural language processing (NLP) on message content to detect phishing. These steps stop many initial phishing attempts, but a persistent attacker who tries multiple messages and payloads from various sending domains may still be able to get through.

Defense 2 - Implement host-based controls. Host-based controls can stop phishing payloads that reach the end user from running. Basic host-based controls include antivirus, which blocks known payloads and dangerous file types, and host-based firewalls, which limit what a payload that does run can connect to. However, by using custom-compiled payloads that no signature matches, attackers can often circumvent these controls, so treat them as a filter that removes commodity malware rather than a guarantee.

Defense 3 - Implement outbound filtering. Outbound filtering is one of the most significant steps you can take to defend your organization's network. With proper outbound filtering, an attack that circumvents all other controls can still be stopped, because a payload that cannot reach its command/control server cannot take instructions or exfiltrate data. Even with filtering, two protocols that almost every network must allow out, HTTPS and DNS, remain common weak points that attackers use for command/control.

Defenses against command/control channels through HTTPS include domain whitelisting, SSL/TLS decryption, and traffic volume analysis. Domain whitelisting (allowing connections only to an approved list of domains) blocks command/control traffic to unknown domains or IP addresses and is the most difficult for attackers to circumvent, although it is also the most work to maintain. SSL/TLS decryption at the proxy allows the content of HTTPS sessions to be inspected for malicious traffic. Even without decryption, the volume and timing profile of command/control traffic is often quite different from a standard web browsing session: an implant tends to connect to the same host at regular intervals with requests of nearly constant size, while a person's browsing is bursty and variable, so analysis of encrypted sessions can still identify suspicious-looking HTTPS connections.
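The timing and size profiling described above, as an added example that is not code from the original post. It flags (client, host) pairs whose inter-connection intervals and request sizes are both near-constant, using the coefficient of variation (standard deviation divided by mean). The proxy log format, the sample lines, the hostnames, and the thresholds are all constructed for illustration.

```python
"""Timing/size profiling of HTTPS sessions to spot beaconing without decrypting.

Added example, not code from the original post. A command/control implant
tends to connect to the same host at near-constant intervals with
near-constant request sizes; a person's browsing is bursty and variable.
The proxy log format and the thresholds are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed proxy log: "<epoch> <client> <dst_host> <bytes_out> <bytes_in>".
# 10.0.0.7 checks in with one host every ~60 s with identical request sizes;
# 10.0.0.5 reads a news site in irregular bursts; 10.0.0.9 makes two calls.
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.7 updates.c2-example.test 312 1024
1700000060 10.0.0.7 updates.c2-example.test 312 1024
1700000121 10.0.0.7 updates.c2-example.test 312 1024
1700000180 10.0.0.7 updates.c2-example.test 312 1024
1700000241 10.0.0.7 updates.c2-example.test 312 1024
1700000300 10.0.0.7 updates.c2-example.test 312 1024
1700000359 10.0.0.7 updates.c2-example.test 312 1024
1700000420 10.0.0.7 updates.c2-example.test 312 1024
1700000005 10.0.0.5 news.example.org 1800 45210
1700000012 10.0.0.5 news.example.org 450 9870
1700000080 10.0.0.5 news.example.org 3200 120400
1700000095 10.0.0.5 news.example.org 700 15300
1700000400 10.0.0.5 news.example.org 12000 88000
1700000402 10.0.0.5 news.example.org 900 6100
1700000010 10.0.0.9 api.example.com 500 2000
1700000070 10.0.0.9 api.example.com 500 2000
"""


def parse_proxy_line(line: str):
    ts, client, host, out_b, in_b = line.split()
    return int(ts), client, host.lower(), int(out_b), int(in_b)


def coefficient_of_variation(values) -> float:
    """Population stdev / mean; 0.0 means perfectly regular."""
    mean = statistics.fmean(values)
    if mean == 0:
        return 0.0
    return statistics.pstdev(values) / mean


def beacon_candidates(log_text: str, min_connections: int = 5,
                      max_interval_cv: float = 0.2,
                      max_size_cv: float = 0.3) -> dict:
    """Score every (client, host) pair; 'beacon' is True when both the
    inter-connection interval and the request size are near-constant."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host, out_b, _in_b = parse_proxy_line(line)
            sessions[(client, host)].append((ts, out_b))

    report = {}
    for pair, events in sessions.items():
        events.sort()
        if len(events) < min_connections:
            # Not enough samples to say anything about regularity.
            report[pair] = {"connections": len(events), "beacon": False,
                            "reason": "too few connections"}
            continue
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        is_beacon = interval_cv <= max_interval_cv and size_cv <= max_size_cv
        report[pair] = {
            "connections": len(events),
            "mean_interval_s": round(statistics.fmean(intervals), 1),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            "beacon": is_beacon,
        }
    return report


def flagged_pairs(log_text: str, **thresholds) -> list:
    """(client, host) pairs that look like beacons, sorted for stable output."""
    report = beacon_candidates(log_text, **thresholds)
    return sorted(pair for pair, r in report.items() if r["beacon"])


if __name__ == "__main__":
    for pair, r in beacon_candidates(SAMPLE_PROXY_LOG).items():
        print(pair, r)
    print("flagged:", flagged_pairs(SAMPLE_PROXY_LOG))
```

Legitimate software updaters and monitoring agents also call home on a schedule, and an implant can add jitter to its sleep interval to raise the interval variance, so treat the output as a prioritized list for an analyst to check against the domain whitelist rather than as an automatic block list.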

DNS can almost always be used to tunnel malicious traffic out of even the most locked-down networks, because internal resolvers forward queries to the Internet on the client's behalf. However, it is usually easy to detect and block automatically because it looks different from normal DNS traffic. DNS command/control channels typically involve large numbers of A or TXT record requests for unique subdomains of a single attacker-controlled domain, with the requests and responses carrying encoded commands. You can put threshold-based controls in place to block or alert on requests to a domain once they exceed a set volume or number of distinct subdomains. You can also analyze the query names themselves to differentiate the human-readable labels typically seen in domains from encoded commands that appear as random characters, for example by measuring label length and character entropy. Some legitimate services (content delivery networks and certain security products) also use long, random-looking labels, so combine the volume and randomness signals rather than acting on either one alone.
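The two DNS checks described above, as an added example that is not code from the original post: a per-domain query volume threshold, and a randomness test that requires both many distinct subdomains and high character entropy so that a single hashed CDN hostname is not flagged. The log format, the sample queries, the domain names, the thresholds, and the use of the last two labels as the parent domain are assumptions for illustration.

```python
"""Heuristics for spotting DNS command/control or tunnelling in a query log.

Added example, not code from the original post. It applies the two checks
the text describes: a volume threshold per domain and a test for
random-looking (high-entropy) labels. The log format, the thresholds and
the use of "last two labels" as the parent domain are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client> <qtype> <qname>".
# 10.0.0.5 browses normally; 10.0.0.6 resolves a CDN hostname that happens to
# be a hash; 10.0.0.7 sends encoded data in TXT queries to c2tunnel.test.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.5 A login.example.com
1700000002 10.0.0.5 A www.example.com
1700000003 10.0.0.6 A a1b2c3d4e5f6g7h8.cdn.example.net
1700000004 10.0.0.7 TXT q7x2m9k4p1z8w3v5.c2tunnel.test
1700000004 10.0.0.7 TXT a3f8b1e9c2d7g4h6.c2tunnel.test
1700000005 10.0.0.7 TXT z0y5x1w6v2u7t3s8.c2tunnel.test
1700000005 10.0.0.7 TXT k9j4i8h3g7f2e6d1.c2tunnel.test
1700000006 10.0.0.7 TXT n5m0l4k9j3i8h2g7.c2tunnel.test
1700000006 10.0.0.7 TXT r1q6p0o5n4m9l3k8.c2tunnel.test
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character: 'www' -> 0.0, 16 distinct chars -> 4.0."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.rstrip(".").lower()


def parent_domain(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels. A real
    # deployment would consult the public suffix list (e.g. "co.uk").
    return ".".join(qname.split(".")[-2:])


def analyze(log_text: str, min_distinct: int = 5, min_entropy: float = 3.5,
            max_queries: int = 100) -> dict:
    """Aggregate per parent domain and attach the reasons it looks like C2."""
    agg = defaultdict(lambda: {"queries": 0, "labels": set(),
                               "entropy_sum": 0.0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = parse_line(line)
        parent = parent_domain(qname)
        leading = qname.split(".")[0] if qname != parent else ""
        s = agg[parent]
        s["queries"] += 1
        s["labels"].add(leading)
        s["entropy_sum"] += shannon_entropy(leading)
        s["txt"] += qtype == "TXT"

    report = {}
    for parent, s in agg.items():
        mean_entropy = s["entropy_sum"] / s["queries"]
        reasons = []
        if s["queries"] >= max_queries:
            reasons.append("query_volume")
        # Require many distinct labels AND randomness: one hashed CDN
        # hostname has high entropy but not many distinct names.
        if len(s["labels"]) >= min_distinct and mean_entropy >= min_entropy:
            reasons.append("high_entropy_labels")
        report[parent] = {
            "queries": s["queries"],
            "distinct_labels": len(s["labels"]),
            "mean_entropy": round(mean_entropy, 3),
            "txt_ratio": round(s["txt"] / s["queries"], 3),
            "reasons": reasons,
        }
    return report


def suspicious_domains(log_text: str, **thresholds) -> list:
    """Parent domains with at least one reason, sorted for stable output."""
    report = analyze(log_text, **thresholds)
    return sorted(d for d, r in report.items() if r["reasons"])


if __name__ == "__main__":
    for domain, r in analyze(SAMPLE_LOG).items():
        print(f"{domain:20} {r}")
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

In production the aggregation would run over a sliding time window per client rather than over a whole file, and the volume threshold would be tuned from a baseline of the organization's own resolver logs; the entropy rule is deliberately conjunctive so that the CDN hostname in the sample is not flagged.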

User education is not enough on its own. Combine it with all three of the defenses discussed above, so that an attack has to defeat the gateway, the host, and the outbound filter in turn, to give your organization the best defense against phishing.

By Michael J. Albrethsen.