For every new phishing URL that impersonates a financial institution, there are at least seven pretending to be tech companies, according to the 2017 Webroot Threat Report. What's more, the PhishLabs 2017 Phishing Trends & Intelligence report suggests that scams specifically targeting cloud storage providers will likely be the fastest growing attack vector in the coming 12 months. The magnet for this unwanted criminal attention is the sheer number of users.
Who else has large numbers of users? Yep, managed service providers (MSPs)—if you missed the recent news of the Cloud Hopper attacks, then check out this article. Yet while social engineering in general, and phishing in particular, will no doubt continue to grow as an attack vector, that doesn't mean MSPs are defenceless. Quite the opposite, in fact: as an MSP you are in an ideal position to help mitigate the threat to your customers. But first you need to understand exactly what the threat is, and that means understanding the different types of phishing attack and how to spot them.
1/ Phishing isn't actually that clever when you get under the hood: send a hundred thousand identical emails to a random list of email addresses and hope that a few recipients will click on a malicious link or open an infected attachment. It works because the bad guys know that people will do just that when they are distracted or busy, and if that grants access to a bank account or three, or allows them to hop onto an organisation's network, then there are profits to be made. How do you stop this? Staff awareness training, which decreases the likelihood of getting fooled, is the single most effective deterrent you have.
2/ Spear Phishing throws more resources into researching the target, and narrows the focus dramatically. A typical spear phishing campaign will target a department or even an individual within a business rather than adopting the typical scattergun approach. By building a relationship with the target, the attacker builds trust and that is leveraged when the payload is finally released. After all, opening a document you are expecting from a contact you have been communicating with doesn't seem so risky, does it? While more difficult to mitigate against, this again comes back to awareness training. If you know the kind of tactics that are employed, you are less likely to fall for them.
3/ Whale Phishing is a variation of the Spear Phishing approach, but aimed at wealthier targets such as CEOs; so-called big-phish, hence the 'whale'. One of the reasons that these attacks work is that top-level executives are often the ones signing off on staff awareness programs, yet rarely participate in them. Do I need to repeat the mitigation advice again?
4/ Phish Pharming—will these puns never end—relies upon 'poisoning' the domain name system (DNS) to redirect traffic from a legitimate site to a cloned one where credential harvesting can take place. Mitigating such attacks is harder, but it remains mainly an awareness issue. This time the focus is on understanding that login credentials should never be entered over a connection that is not protected by HTTPS.
Phishing comes in a myriad of disguises; but 'pretending to be what they are not' remains a constant throughout. This means that the same basic mitigation principles apply across the board. It's important to realise that MSPs should definitely 'practice what they preach' when it comes to phishing mitigation, and that means ensuring that all your own staff are fully up to speed with the potential threats and how not to fall for them.
But there's more to mitigating this threat than just the education factor, and basic security hygiene can go a long way to preventing an attempted “phish” from becoming a successful one. Such measures include:
1. Ensuring a good patching regime. The malicious links and documents that form the payload of a phishing attack rely largely upon being able to exploit unpatched vulnerabilities. It would be a rare thing in the extreme for a zero-day to be used by anyone other than a state-sponsored actor involved in an advanced persistent threat (APT) scenario. If you and your customers are up to date with both Operating System and application security patches, the window of compromise opportunity is greatly reduced.
2. Reducing the administrative privilege footprint. By removing admin privileges where not absolutely essential to workflow, organisations can prevent the majority of email-based malware threats from executing successfully.
3. Putting in place web filtering. If web-filters exist to block known malicious domains from access, then you add a further hurdle to the chances of phishing success.
4. Implementing two-factor authentication (2FA). With 2FA in place where possible, and certainly some form of single sign-on with strong authentication, spotting the fraudsters requesting password login credentials becomes a good deal easier.
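As an added illustration of the web-filtering and HTTPS points above (example code written for this page, not from the original article or from SolarWinds), the following screens URLs the way a simple web filter would: it blocks domains on a known-bad list, flags credential-looking pages served over plain HTTP, and flags hosts that borrow a protected brand name while being registered to someone else. The blocklist, brand list and sample URLs are all constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample data (placeholders, not real indicators): a small blocklist of
# known-bad domains such as a web filter would hold, and the brands worth protecting.
BLOCKLIST = {"account-verify.example", "login-update.example"}
BRANDS = {"paypal", "microsoft", "dropbox", "google"}
LOGIN_HINTS = ("login", "signin", "verify", "password", "account")


def screen_url(url):
    """Return the reasons to block a URL; an empty list means it passes the filter."""
    reasons = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Registered domain = last two labels; a simplification that ignores suffixes like co.uk.
    reg = ".".join(labels[-2:])

    # 1. Known malicious domain (the classic web-filter check).
    if host in BLOCKLIST or reg in BLOCKLIST:
        reasons.append("known-malicious domain")

    # 2. Credential-looking page served without HTTPS (the pharming caveat above).
    target = (parts.path + "?" + parts.query).lower()
    if parts.scheme != "https" and any(h in target for h in LOGIN_HINTS):
        reasons.append("credential page over plain HTTP")

    # 3. A protected brand used as a label of the host while the registered domain
    #    belongs to someone else, e.g. paypal-secure.example or dropbox.com.files.example.
    tokens = set(host.replace("-", ".").split("."))
    owner = labels[-2] if len(labels) > 1 else host
    hits = sorted(b for b in BRANDS if b in tokens and b != owner)
    if hits:
        reasons.append("brand lookalike: " + ", ".join(hits))
    return reasons


def screen_urls(urls):
    """Map each URL to its block reasons so a filter can act on the non-empty ones."""
    return {u: screen_url(u) for u in urls}


SAMPLE_URLS = [  # constructed examples, not real sites
    "https://www.paypal.com/signin",
    "http://paypal-secure.example/login",
    "https://account-verify.example/verify",
    "https://dropbox.com.files.example/share",
    "https://intranet.example/about",
]

if __name__ == "__main__":
    for url, why in screen_urls(SAMPLE_URLS).items():
        print("BLOCK" if why else "ALLOW", url, "; ".join(why))
```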
While certainly the mainstay of your defences, it’s a mistake to consider awareness training the be-all-and-end-all of an anti-phishing strategy. Relying on the user alone to mitigate the risk of an attack is just asking for trouble. It's important, yes, but not the only tool in the box!
Like so many things in the security realm, there is no one single solution to the phishing menace. However, by applying layers of defence you can strengthen your security posture tremendously.
Davey has been writing about IT security for more than two decades, and is a three times winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious 'Enigma' award for his 'lifetime contribution' to information security journalism in 2011. You can follow Davey on Twitter® at @happygeek
© 2017 SolarWinds MSP UK Ltd. All Rights Reserved.