Guide to Combat Phishing: Recommendations from US Agencies

By | 2023-10-20

The US cybersecurity agency CISA, in collaboration with the NSA, FBI, and MS-ISAC, has published a guide outlining prevalent phishing strategies and offering countermeasures.

Phishing attacks employ social engineering to deceive victims into disclosing credentials or accessing malicious sites, subsequently compromising enterprise systems. A common approach in credential theft phishing involves the impersonation of reliable sources, like IT staff, to solicit passwords. Recent tactics have seen threat actors using mobile messages across chat platforms and manipulating VoIP to misrepresent caller IDs.

The agencies suggest the deployment of multi-factor authentication (MFA) to combat credential theft but caution against weak implementations like MFA without FIDO or PKI activation, push-notification MFA lacking number validation, and SMS or voice-based MFA.

Another type, malware-based phishing, tempts users into launching harmful attachments or links, potentially leading to malware deployment, data theft, or system damage. Attackers frequently use public tools for spear-phishing, distribute malicious macros, or share harmful attachments via popular messaging platforms.

To shield against these attacks, organizations should:

  1. Educate staff about social engineering.
  2. Enforce firewall and email safeguards against suspicious content.
  3. Monitor emails and messages.
  4. Apply phishing-resistant MFA.
  5. Prevent redirection to dangerous domains.
  6. Blacklist malicious domains and IPs.
  7. Limit user admin rights and employ the least privilege principle.
  8. Inhibit macro and malware operations.

Furthermore, the agencies emphasize that software developers should adopt secure development practices to reduce phishing attack success.

This guidance is crafted for all organization sizes, with a section specifically addressing the unique challenges faced by small- to medium-sized businesses.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.