Recent news is filled with stories of companies being compromised, a pattern that goes back years, if not decades. The compromises might lead to attackers deploying ransomware, or other types of malicious activity like the theft of intellectual property and customer data. Stories of these compromises often start the same way, namely through a tactic called phishing.
But what exactly is phishing? Looking at different sources, it’s easy to get confused since the term is overloaded with very different meanings. It’s doubly confusing when we see other offshoot terms like spear phishing, whaling, smishing, and vishing. It seems hopelessly complicated and it’s not clear what defenders can do to reduce the chance of compromise. And all too often they end up blaming users “who clicked on a link” (whatever that is supposed to mean) rather than building a system that accounts for inevitable human error.
Today, CISA announced the release of a joint guide that attempts to separate the two main tactics that we lump into the generic term “phishing”. Doing so helps create a clear mental model about what the attackers are doing so defenders can adopt appropriate mitigations.
The first tactic is phishing to obtain login credentials. The attacker sends to the potential victim an email with a link to an imposter site that convinces them to enter their username and password. In some attacks, the imposter site also asks for MFA codes (called “MFA bypass”). Note that scanning emails for this type of attack will not catch phishing messages sent via SMS or messaging apps like Telegram, Signal, Slack, Facebook, Twitter, Teams, iMessage, and Google Chat, and others.
The primary mitigation for this class of attack is to enable MFA, especially phishing-resistant MFA like FIDO authentication. See CISA’s guides on those topics here: MFA portal, blog post, phishing-resistant MFA whitepaper.
The second tactic is malware phishing. The attacker sends an email with a malicious attachment that the user can be tricked into launching.
There are a range of mitigations to prevent malicious code from running, including application allow listing or running an endpoint detection and response (EDR) agent.
I’d be remiss if I didn’t also mention that defenders need to do more than just protect against the two main types of phishing. They need to implement, with their senior leadership teams, a comprehensive information security program. A great place to start that journey is by implementing the CISA Cyber Performance Goals (CPGs).
Some astute readers will by now wonder about this framing and why the focus of the guide is on login credentials and malware rather than on other areas, like scanning emails for malicious content. Email scanning can be an important tool for defenders, but as noted above, it cannot catch malicious content delivered via some other mechanism like SMS. However, by focusing on the method of intrusion rather than the method of delivery, defenders can take more granular steps to improve their security posture and deny adversaries an easy path into the network.
In addition to providing guidance to defenders, we want to address the safety of the software that organizations of all sizes rely on. When we see news of compromises that stem from phishing, it’s all too easy to blame the victim organization for not having implemented all the mitigations that would have stopped the attack. With the benefit of 20/20 hindsight it’s easy to see what went wrong. But the ease of compromises cannot be solely blamed on the defenders. We need to have a more robust industry-wide conversation about the products that are delivered to customers in a state that not only makes these attacks possible, but in many cases, inevitable.
That’s why CISA’s Secure by Design whitepaper calls on software manufacturers whose products are abused in the commission of login credential phishing and malware phishing attacks to update their software development practices and default settings to raise the cost of attack for the attackers. Secure by design software development would move the burden of staying cyber safe from the customer to the manufacturers. Doing so will be no small effort, and yet the impact of safer products would dramatically reduce the risk for customers and the nation.
Phishing is going to continue to be a popular attack vector because it works so well. Until the software we depend on makes both login credential theft and malware deployment more expensive for the attackers, defenders are going to need to take aggressive action. And one of the right ways to do that is to start building defenses with the right mental models.
###