The US cybersecurity agency CISA, in collaboration with the NSA, FBI, and MS-ISAC, has published a guide outlining prevalent phishing strategies and offering countermeasures.
Phishing attacks employ social engineering to deceive victims into disclosing credentials or visiting malicious sites, which attackers then use to compromise enterprise systems. A common approach in credential-theft phishing is impersonating a trusted source, such as IT staff, to solicit passwords. Recently, threat actors have also delivered lures as mobile messages over chat platforms and abused VoIP to spoof caller IDs.
The agencies recommend deploying multi-factor authentication (MFA) to counter credential theft, but caution that weak implementations offer limited protection: MFA that is not FIDO- or PKI-based, push-notification MFA without number matching, and SMS- or voice-based MFA.
Another type, malware-based phishing, lures users into opening harmful attachments or links, potentially leading to malware deployment, data theft, or system damage. Attackers frequently use publicly available tools for spear-phishing, distribute malicious macros, or share harmful attachments via popular messaging platforms.
To shield against these attacks, organizations should:
- Educate staff about social engineering.
- Configure firewall and email security controls to block suspicious content.
- Monitor emails and messages.
- Apply phishing-resistant MFA.
- Prevent redirection to dangerous domains.
- Block known-malicious domains and IP addresses.
- Limit user admin rights and employ the least privilege principle.
- Block macro and malware execution.
Furthermore, the agencies emphasize that software developers should adopt secure development practices to reduce phishing attack success.
This guidance is crafted for all organization sizes, with a section specifically addressing the unique challenges faced by small- to medium-sized businesses.