“Nope, Go Phish” – How Organizations Can Finally Put a Stop to The Oldest Hacking Trick


By Torsten George, cybersecurity evangelist, Centrify

Phishing is one of the oldest tricks in a hacker’s playbook. The tactic can lure any employee from blissfully going about their day-to-day activities to being an unknowing accomplice in a major cyberattack with the click of a link. With the pandemic adding extra stresses on employees, adversaries have been launching a new wave of phishing attacks to capitalize on the distraction. Since February 2020, phishing campaigns have skyrocketed by more than 600%, according to Barracuda Networks.

The majority of cyberattacks begin as phishing campaigns. Despite security teams being aware of the threat, nearly one third of all breaches in the past year alone have involved phishing. Phishing may lack sophistication, but if an adversary obtains legitimate credentials through it, the consequences for an organization can still be devastating.

Even worse, Forrester has estimated that 80% of security breaches involved compromised privileged credentials. If an adversary has access to a privileged account, they more or less have control of the entire network in the palm of their hands. The attackers can operate undetected and exfiltrate data sets from right under the noses of security analysts. With this in mind, it’s not a surprise that an overwhelming number of today’s adversaries use phishing to go after API keys, AWS Identity & Access Management credentials, IP addresses and more.

As time goes on, phishing campaigns are only going to get more creative. However, not all hope is lost. There is a two-phase approach organizations must take to make adversaries pack up their phishing rods and lures.

Create a Phishing-resistant Culture

Nearly 38% of users who don’t undergo cyber awareness training fail phishing tests. Security awareness training for end users is critical in stopping phishing campaigns. Employees — especially those with privileged access such as IT and network admins and C-suite members — need to know that they could become a target at any time. Basic training should emphasize that employees need to:

  • Always check the sender address carefully for misplaced letters or other slight variations

  • Avoid clicking on links in the message; instead, navigate to the sender’s website directly to validate the authenticity of the page

  • Check for spelling and grammatical mistakes as well as strange phrases

After providing information on how to avoid becoming the victim of phishing, organizations should reinforce the knowledge with mock attacks to test and reinforce good user behavior.
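The first checklist item above, checking a sender address for misplaced letters and slight variations, is also something a mail gateway or SOC triage script can do automatically before a user ever sees the message. The following is an added example, not code from the article or from Centrify: it classifies the domain of a From: header as trusted, look-alike or unknown, using a constructed list of trusted domains, a small digit-for-letter substitution table and an edit-distance threshold (all of which are assumptions for the example).

```python
from email.utils import parseaddr

# Domains the organisation trusts (constructed for this example).
TRUSTED_DOMAINS = {"example.com", "example.net"}

# ASCII characters commonly swapped in for look-alike letters (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a legitimate subdomain
    # Undo common look-alike tricks before comparing: digit swaps and "rn" for "m".
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for t in trusted:
        if domain.startswith(t + "."):
            return "lookalike"  # trusted name used as a subdomain of another domain
        if normalised == t or levenshtein(normalised, t) <= max_edits:
            return "lookalike"  # digit/letter swaps, typos or dropped characters
    return "unknown"


SAMPLE_FROM_HEADERS = [  # constructed sample headers, not real mail
    "IT Helpdesk <helpdesk@example.com>",
    "IT Helpdesk <helpdesk@examp1e.com>",  # digit 1 in place of letter l
    "Payroll <payroll@exarnple.com>",  # rn in place of m
    "HR <hr@example.com.login-verify.invalid>",  # trusted name as a subdomain
    "News <news@mail.example.com>",  # legitimate subdomain
    "Bob <bob@unrelated.invalid>",
]


def scan_headers(headers=SAMPLE_FROM_HEADERS):
    """Return the headers a gateway should hold or flag for review."""
    return [h for h in headers if classify_sender(h) == "lookalike"]
```

The edit-distance threshold is deliberately small; on very short trusted domains it should be lowered, otherwise unrelated short domains will be flagged.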

Build an Arsenal of Anti-phishing Protection

Unfortunately, even the best trained employee can fall victim to a phishing campaign. Therefore, organizations need to adopt a defense-in-depth strategy that focuses on identities in order to solidify their security perimeter. This strategy should include the following:

  • Elevate Multi-Factor Authentication (MFA)

    MFA is still one of the most reliable options for augmenting an organization’s existing access controls. Supplementing or replacing username and password authentication with MFA provides a steel roadblock for adversaries, reducing the rate of compromise to almost zero. Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised if it uses MFA.

    A growing number of industry standards and government regulations, such as PCI, HIPAA, NYDFS, NIST and more, now require organizations to have MFA. Incorporating MFA into your security strategy now can save your company from non-compliance fines later.

  • Telecommute Securely

    Remote work is likely here to stay, at least for the beginning of 2021. Historically, remote employees, outsourced IT and partners have relied on Virtual Private Networks (VPNs) to keep them secure. However, once an attacker is inside a VPN, they have access to the entire network. Adversaries can then inject malware onto the remote system, easily posing as a legitimate user whose credentials they obtained via a phishing campaign.

    Proxy-based technologies are a safer alternative to VPNs. These technologies give privileged internal IT admins access to the infrastructure they need, while limiting outsourced teams’ or remote workers’ access to only the servers and hardware their roles require, thus preventing lateral movement.

  • Live by Least Privilege

    For IT administrators, least privilege access with just-enough, just-in-time privileged access management is a best practice. By granting admins only the level of privilege needed to perform a specific task, and only for a controlled amount of time, security incidents become dramatically less likely because the attacker’s window closes when the grant expires.

Old dogs don’t learn new tricks, so adversaries are likely going to continue exploiting end users with phishing campaigns. As we move into 2021 and continue navigating these unprecedented times, it is more important than ever for organizations to take the right steps to combat phishing. By implementing security training against campaigns and solidifying their perimeter with MFA, proxy-based technologies and least privilege, enterprises can lessen the likelihood of becoming the next data breach victim in the headlines.

About Torsten George

Torsten George is currently a cyber security evangelist at Centrify, which helps organizations secure privileged access across hybrid and multi-cloud environments. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).