US security agencies issue guidelines for preventing phishing intrusions, offer mitigation strategies


The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) have rolled out joint guidance to help organizations understand what malicious actors are doing so that defenders can adopt appropriate mitigations against phishing. The document provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.

Titled ‘Phishing Guidance: Stopping the Attack Cycle at Phase One,’ the joint guide is intended to be a one-stop resource to help organizations protect their systems from phishing threats. It outlines the phishing techniques malicious actors commonly use, provides guidance for both network defenders and software manufacturers, and focuses its advice for manufacturers on secure-by-design and secure-by-default tactics and techniques.

The guidance for network defenders is applicable to all organizations but may not be feasible for organizations with limited resources. Therefore, the guide includes a section of tailored recommendations for small- and medium-sized businesses (SMBs) that may not have the resources to hire IT staff dedicated to a constant defense against phishing threats. By reviewing the guide, these operators can better understand evolving phishing techniques and implement tailored cybersecurity controls and best practices to reduce the risk of compromise.

The advice provided to software manufacturers emphasizes the implementation of secure-by-design and secure-by-default tactics and techniques. Manufacturers should develop and supply software that is secure against the most prevalent phishing threats, thereby improving the cybersecurity posture of their customers.

Earlier this week, CISA, in collaboration with 17 U.S. and international partners, published an updated ‘Secure by Design’ joint guide. The document expands the original principles and guidance for technology providers to increase the safety of the products used around the world, and has been endorsed by eight additional international cybersecurity agencies.

Phishing is a form of social engineering that malicious actors commonly use to get targeted victims to visit an illegitimate website or to download malware. To help organizations better understand this activity, the guide categorizes phishing into two common tactics: phishing to obtain login credentials and phishing to deploy malware. It expands on both tactics by detailing the techniques these actors frequently use, such as impersonating supervisors or trusted colleagues, using voice over internet protocol (VoIP) to spoof caller identification, and using publicly available tools to facilitate spear phishing campaigns.

“For too long, the prevailing guidance to prevent phishing attacks has been for users to avoid clicking on malicious emails. We know that this advice is not sufficient. Organizations must implement necessary controls to reduce the likelihood of a damaging intrusion if a user interacts with a phishing campaign – which we know many users do, in every organization,” Sandy Radesky, associate director for vulnerability management at CISA, said in a media statement. “With our NSA, FBI, and MS-ISAC partners, this guide provides practical, actionable steps to reduce the effectiveness of phishing as an initial access vector.” 

Radesky added “that many of the controls described in this guide can be implemented by technology vendors, reducing burden and increasing security at scale. We strongly encourage all organizations and software manufacturers to review this guide and implement recommendations to prevent successful phishing attempts – by design wherever possible.” 

“Knowing how to navigate phishing danger is essential because anyone can fall victim to these attacks,” according to Eric Chudow, NSA’s cybersecurity system threats and vulnerability analysis subject matter expert. “Cyber threat actors are constantly evolving their techniques and harnessing new technologies to their advantage, including artificial intelligence. They are also finding it easier to deceive people who have transitioned to hybrid work environments and have fewer face-to-face interactions.”

“Phishing continues to be the most successful method for gaining unauthorized access to state and local government networks,” John Gilligan, CIS chief executive officer, said. “Organizations and their employees must understand the risks posed by this attack vector and how to successfully identify and avoid phishing threats. This joint guide is a great reference for state and local organizations.”

To reduce the likelihood of successful login credential phishing, CISA, NSA, FBI, and MS-ISAC advise organizations to train users on social engineering and phishing. The guidance also calls for enabling Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks on received email; publishing a DMARC policy of ‘reject’ for the organization's own sending domains; implementing internal mail and messaging monitoring; using free security tools; hardening credentials; and reviewing multi-factor authentication (MFA) lockout and alert settings and tracking denied (or attempted) MFA logins.
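The two DMARC controls above (checking that your own domains publish a ‘reject’ policy, and enforcing the sender's policy on received mail) can be illustrated in code. The following is an added example written for this page, not code from the joint guide or from any of the agencies behind it. The DNS records, domain names and SPF/DKIM results it uses are constructed for illustration; a real gateway would query the `_dmarc.<domain>` TXT record over DNS and take authentication results from its MTA.

```python
"""
Added example, not code from the joint guide or the agencies that wrote it.
It parses a DMARC TXT record, flags policies weaker than p=reject for an
organization's own domain, and evaluates an inbound message against the
sender domain's policy using SPF/DKIM results and identifier alignment.
All records, domains and authentication results are constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS: what _dmarc.<domain> TXT lookups might return.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
}


@dataclass
class DmarcPolicy:
    policy: str            # p=  : none | quarantine | reject
    subdomain_policy: str  # sp= : defaults to p
    adkim: str             # DKIM alignment: r (relaxed) | s (strict)
    aspf: str              # SPF alignment:  r (relaxed) | s (strict)
    pct: int               # percentage of failing mail the policy applies to


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse a DMARC TXT record (tag=value pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid or missing p= tag: {policy!r}")
    return DmarcPolicy(
        policy=policy,
        subdomain_policy=tags.get("sp", policy),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def weaknesses(policy: DmarcPolicy) -> list:
    """Findings for an organization's own sending domain; empty means reject is enforced."""
    findings = []
    if policy.policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy.policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    if policy.subdomain_policy != "reject":
        findings.append(f"sp={policy.subdomain_policy}: subdomains remain spoofable")
    if policy.pct < 100:
        findings.append(f"pct={policy.pct}: policy applied to only a sample of failing mail")
    return findings


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Real implementations
    consult the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class InboundMessage:
    header_from: str   # domain of the RFC5322.From address the user sees
    spf_result: str    # pass | fail | none, from the MTA's SPF check
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str   # pass | fail | none
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def evaluate(msg: InboundMessage) -> tuple:
    """Apply the From domain's DMARC policy; returns (action, reason)."""
    record = DMARC_RECORDS.get(msg.header_from.lower())
    if record is None:
        return "deliver", "no DMARC record for sender domain"
    policy = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from, policy.aspf)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.header_from, policy.adkim)
    if spf_ok or dkim_ok:
        return "deliver", "DMARC pass"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy.policy]
    return action, f"DMARC fail, p={policy.policy}"


if __name__ == "__main__":
    for domain, record in DMARC_RECORDS.items():
        print(domain, weaknesses(parse_dmarc(record)) or ["p=reject enforced"])
    # Constructed spoof: the attacker's server passes SPF for its own domain,
    # but the visible From header claims the target organization.
    spoof = InboundMessage("example.com", "pass", "attacker.example", "none", "")
    print("example.com spoof:", evaluate(spoof))
    print("weak.example spoof:", evaluate(InboundMessage("weak.example", "pass", "attacker.example", "none", "")))
```

The second spoof shows why the guide asks for ‘reject’ rather than merely publishing a record: with `p=none` the message still reaches the inbox even though it failed DMARC, and the only effect is an aggregate report.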

To minimize the chance of successful malware execution after a phishing attack, the guide suggests integrating denylists at the email gateway and activating firewall rules to hinder malware deployment. It also recommends using denylists to block known malicious domains, URLs, and IP addresses; restricting macOS and Windows users from having administrative rights; applying the principle of least privilege (PoLP) when administering user accounts, so that only designated administrator accounts are used for administrative purposes; and implementing application allowlists.

The guidance also suggests blocking macros by default; implementing remote browser isolation (RBI) solutions, which render web content away from the endpoint so that malicious pages cannot propagate malware to it; and using free security tools such as Quad9 or Google Safe Browsing to block access to known malicious domains and URLs before a payload is fetched. It also proposes setting up a self-serve app store from which users can install approved apps, while blocking apps and executables from other sources; and implementing a free protective DNS resolver to prevent malicious actors from redirecting users to malicious websites to steal their credentials.

If an organization identifies compromised credentials and/or successful malware execution resulting from phishing activity, the guide recommends remediating by re-provisioning suspected or confirmed compromised user accounts so that malicious actors cannot maintain access to the environment; auditing account access after a confirmed phishing incident to ensure malicious actors no longer have access to the initially impacted account; isolating the affected workstation once the phishing attack is detected; analyzing and eradicating the malware; and restoring systems to normal operations and confirming they are functioning properly.

In the latest edition of the ‘Industrial Cybersecurity Technology, Solutions and Services Guide,’ Jonathon Gordon, directing analyst at Takepoint Research, identified phishing as a specific type of social engineering that involves the use of fraudulent emails, text messages, or websites to trick individuals into divulging sensitive information such as usernames, passwords, or financial information. 

“In an OT environment, phishing attacks can be particularly dangerous, as they can be used to gain access to critical systems and cause damage or disruption. Phishing prevention in OT environments involves a combination of technical controls and user education,” according to Gordon. 

He added that organizations must implement email security measures to prevent fraudulent emails from reaching users and conduct regular phishing awareness training for employees to educate them on the dangers of phishing and how to identify and report suspicious emails. They must also adopt MFA for access to critical systems, to prevent unauthorized access even if a user’s credentials are compromised.

Back in July, CISA outlined four foundational cybersecurity goals for organizations to prioritize. Eric Goldstein, CISA’s executive assistant director for cybersecurity, laid down straightforward and essential practices including changing default passwords, implementing phishing-resistant MFA, separating user and privileged accounts, and building incident response plans.
