Phishing campaigns are growing more sophisticated as industries become increasingly aware of the threat they pose. Some of these attacks are so clever and meticulously crafted that many will inevitably succeed. But when the crooks phish, what are they phishing for? Usually credentials, of course, but why do they want them?
Very often they want them for quick theft of funds, as is the case with business email compromise. But there’s actually a range of things the attackers could be after. A researcher at Endgame, Devon Kerr, described that range in an essay posted by SecurityWeek.
Phishing is still the most common delivery mechanism for malware like ransomware, cryptojackers, and keyloggers. However, attackers also use phishing to establish a foothold in a network to carry out long-term attacks. While user awareness is the best last line of defense against phishing, organizations need to be able to detect attackers after they’ve gained access to the network.
Attackers can gather a significant amount of seemingly benign information about a network even without having administrative privileges or access to more than one computer. They can learn the hostnames of other devices, which subnet they are on, which pieces of software are installed, and much more.
This information can then be used to facilitate further attacks within the network or to improve additional spear phishing attempts. Security teams should take steps to prevent this type of activity, including restricting unnecessary privileges for applications and monitoring the network for reconnaissance commands.
Defenders should also track metadata about their organization’s cloud services, since security teams often lack access to the cloud-based evidence. If an employee’s cloud application credentials are stolen, the attacker can steal sensitive information directly from the cloud, unbeknownst to defenders. By establishing a pattern of typical user behavior from the information available to them, defenders can identify unusual logins to flag for further investigation.
Organizations should take every measure possible to ensure that phishing attempts are thwarted, and that attackers are detected if they succeed. One small mistake or lapse in judgment by an employee can be the catalyst for a major cyberattack. New-school awareness training can make your employees more resistant to social engineering, reducing the likelihood that they will fall for phishing attempts.
Kerr’s points are interesting and well-worth consideration. No serious observer would deny that every organization should be prepared to mitigate the effects of phishing, and use such defensive tools as are available. But in one other respect his conclusion is simply too pessimistic: he suggests that employee training can too often be an exercise in futility.
Not so, unless you take the view that training can’t go beyond an hour of PowerPoint in the break room, once a year. It’s not a set-it-and-forget-it solution, but then nothing is. For an organization that owns its security challenges, however, tailored, interactive awareness training makes an indispensable contribution to building the kind of culture that makes for resilience.
SecurityWeek has the story: https://www.securityweek.com/hook-line-and-sinker-after-phish-get-caught