A quick reaction to a phishing threat can mean the difference between a massive breach and a fast fix. That reaction depends on coordination between non-technical employees, who are usually the first to see a suspicious message, and their colleagues in security, who can verify the report and shut the campaign down. Every additional employee is another mailbox, phone number and browser an attacker can target; with hundreds or thousands of people collaborating electronically, each of those endpoints is a potential entry point.
Technology can help mitigate this threat with phishing-protection solutions. Employees can easily report suspected attempts and security professionals can investigate—and potentially stop—the threat in minutes.
What does phishing look like?
Is it alarmist to say that it’s not a matter of if you’ll be attacked, but when? We don’t think so. It’s simply the nature of how we work in the modern age. Training and security products prevent many attacks, but the reality is that some will slip through. Let’s look at typical phishing scenarios.
Email remains the attacker's most common phishing channel. Many people pride themselves on spotting the telltale signs of a phishing email, but malicious actors are becoming more sophisticated, often changing only one character in a sender domain (a digit 1 for a lowercase l, or rn for m) or refining how they disguise the incentive to click. Instead of a big call-to-action button, there may be a subtler cue such as hyperlinked text that someone clicks before they realize what they have done. Other common indicators are artificial deadlines urging the reader to act quickly, or an unrecognized sender address that is nonetheless plausibly related to your business or industry.
Phone attacks have also become an extremely common form of phishing. Malicious callers may identify themselves as a representative from a company that can help your business, touting unrealistic benefits. They could also say they’re from your organization’s phone company or bank and implore you to activate a new corporate card. Phishing texts employ similar tactics to email, often hyperlinking text within the message or addressing you or your organization by name. Text messaging is more immediate and personal; phishers are aware of this and are betting a recipient is more likely to be hooked.
Whether it’s a person or tool that detects an attack, speed matters. By holding a company-wide incident review to discuss what happened, employees can stay informed and help block future phishing incidents.
Reactive: Build your incident-response playbook
When your organization is the target of a phishing attack, an incident response plan is key. It lets you stop the attack early in the kill chain, before a clicked link or harvested credential turns into lateral movement, by putting processes in place to safeguard your systems and networks.
Once a report is verified as phishing, identify the source(s), determine the attack path (sender domain, delivery route, linked infrastructure) and enumerate the users targeted. Security automation can feed your existing ticketing system so that everyone involved, particularly the reporting employee, is told in near real time that the report was a verified phishing attempt and what to do next. Your phishing response playbook should include these five actions:
- Identification: What processes do you have in place to identify that a user in your organization has been phished? How will you determine the scope of the incident and understand its context?
- Containment: How will you contain the infection or compromised credentials being leveraged against your environment?
- Remediation: How will you repair any damage caused by infection or compromised credentials?
- Root-cause analysis: How will you determine what broke down in your people, processes, or technology that allowed this incident to occur?
- Compensating controls/awareness training: What steps will you take to update the configuration, implement new compensating controls to guard against repeat incidents, and educate employees about attack methods?
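The lookalike-domain trick described above and the identification and scoping steps of the playbook are a natural fit for automation. The following is an added example, not code from the original article or from any product it mentions: it takes a reported message, classifies the sender domain against a trusted list (exact match, homoglyph normalization, or one-character edit distance), extracts the URLs in the body, and then searches mail-gateway log lines for every other mailbox the same domain reached and whether each copy was delivered or quarantined. The trusted domains, the reported message, the log format and the confusable-character table are all constructed for the example; a real deployment would read from your gateway's actual log schema.

```python
"""Triage a user-reported email and scope the campaign across gateway logs."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Domains the organization trusts (constructed for this example).
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# Small, constructed table of characters attackers swap for lookalikes:
# digits for letters, plus a few Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"})

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
LOG_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize_domain(domain):
    """Collapse common lookalike substitutions so examp1e.com compares as example.com."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (domain, verdict) with verdict in {'trusted', 'lookalike', 'unknown'}."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return domain, "trusted"
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        # Equal after normalization means a homoglyph swap; distance 1 means a typosquat.
        if norm == trusted or levenshtein(norm, trusted) <= 1:
            return domain, "lookalike"
    return domain, "unknown"


def parse_log_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict (constructed log format)."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in LOG_KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def scope_by_domain(log_text, domain):
    """List every recipient the flagged domain mailed, split by gateway action."""
    delivered, blocked = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        if f.get("sender", "").rpartition("@")[2].lower() != domain:
            continue
        (delivered if f.get("action") == "delivered" else blocked).add(f["rcpt"])
    return {"delivered": sorted(delivered), "blocked": sorted(blocked)}


def triage(raw_message, log_text):
    """Identification step: classify the sender, pull URLs, and scope the campaign."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    domain, verdict = classify_sender(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    report = {"sender_domain": domain, "verdict": verdict,
              "urls": sorted(set(URL_RE.findall(text)))}
    if verdict != "trusted":
        report["scope"] = scope_by_domain(log_text, domain)
    return report


# Constructed sample: a reported message and five gateway log lines.
REPORTED_EMAIL = b"""From: IT Service Desk <it-desk@examp1e.com>
To: bob@example.com
Subject: Action required: your password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Reverify now:
https://examp1e.com/sso/verify?u=bob
Regards, IT Service Desk
"""

GATEWAY_LOG = """\
2024-05-02T09:14:03Z sender=it-desk@examp1e.com rcpt=alice@example.com action=delivered
2024-05-02T09:14:04Z sender=it-desk@examp1e.com rcpt=bob@example.com action=delivered
2024-05-02T09:14:05Z sender=it-desk@examp1e.com rcpt=carol@example.com action=quarantined
2024-05-02T09:20:11Z sender=newsletter@vendor.example action=delivered rcpt=dave@example.com
2024-05-02T09:31:45Z sender=hr@examp1e.com rcpt=erin@example.com action=delivered
"""

if __name__ == "__main__":
    print(triage(REPORTED_EMAIL, GATEWAY_LOG))
```

Two points worth noting. Scoping by sender domain rather than by the exact reported address is what surfaces erin@example.com, who received a different mailbox's message from the same lookalike domain; the delivered list is your containment target, the quarantined list is already handled. And an edit distance of one also fires on legitimate neighbours (a partner's example.co, say), so the verdict is a triage signal that routes the ticket to an analyst for the verification step the article describes, not an automatic block.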
Proactive: Create a security-awareness culture
Attackers know that less security-minded employees—and it only takes one—aren’t as informed about the dangers of an email attachment or embedded link. That means organizations should take every opportunity to educate team members on what a phishing attack looks like and how to respond.
Traditional security training is usually an annual event, and often a virtual one. Hands-on, in-person education is generally more effective, but that may not be possible until the COVID-19 pandemic has passed. In the meantime, keep phishing awareness programs virtual but continuous, with quarterly or twice-yearly sessions so that employees keep security top of mind. Have security-education experts focus on the latest schemes and tactics, walking through realistic scenarios and mock phishing campaigns alongside the correct response to each.
Employees should come out of these sessions knowing how to spot a malicious attachment, website, sender, or request. Simulated phishing tests, such as sending employees realistic decoy emails, help an organization gauge whether the education is sticking. PhishMe, KnowBe4, Phishproof, and Phishd are examples of services that measure how well a training program prepares employees for real-life phishing scenarios.
Proactive: Automate security to detect and respond faster
Move beyond manually investigating every attachment, text, or suspicion with solutions like Rapid7’s InsightConnect. You can automate investigatory tasks and more quickly focus human resources on mitigating malicious content and employee education. With InsightConnect, you can:
- Create workflows to identify threats
- Scan attachments and URLs
- Designate specific decision points
Phishing remains a top attack vector behind successful breaches. With the right tools, you’ll be able to build out proactive and reactive solutions to detect, educate, respond, and remediate phishing—and other suspicious behavior—before things get out of control.