The IBM X-Force IRIS cyberattack framework initiates after a cyberthreat actor has launched an attack, beginning with a successful initial compromise. The initial compromise occurs when the attacker has gained access to at least one host on the network or has otherwise gained access to the network, for example by logging on with stolen or brute-forced credentials.
Phishing emails are the most common threat vector for attackers to gain network access. Therefore, focusing resources on hardening this initial attack surface can help reduce the risk of initial compromise.
In a phishing or spear phishing attack, a fraudulent email or electronic communication is sent to users within an organization, luring them into revealing network credentials, clicking a link or downloading a legitimate-looking attachment with hidden malware. Depending on the attacker’s techniques and goals, phishing attacks can occur with or without the use of malware.
Implementing the following security features, educating employees, and revisiting internal security and reporting processes can reduce the risk of a phishing email being successful:
- Disable macros: Windows macros are programs embedded within other programs to automate repetitive tasks. Although Windows’ security features now include an automatic pop-up that requires the user to enable macros in many productivity files, a well-crafted phishing scam can still fool users into doing so. Disabling macros as a policy can help prevent malicious attachments from running the embedded malware and reduce the chances of infection.
- Enforce policies that prevent users from running untrusted code: Macros are not the only option for attackers who want to embed malicious code within phishing emails or attachments. Since attackers use a variety of other methods, preventing users from running any untrusted code can further mitigate this threat.
- Create banners that identify emails coming from external addresses: Easily identifiable banners can alert employees to typo-changed (lookalike) email addresses. Such addresses are designed to look like trusted senders but are actually crafted by attackers, making them hard to spot visually.
- Configure intrusion prevention systems (IPS) and intrusion detection systems (IDS) to alert on potential phishing emails: IPS and IDS solutions monitor network traffic and can either alert (in the case of an IDS) or block (in the case of an IPS) malicious traffic. These systems can be configured to alert on known or suspected malicious emails.
Both solution types are valuable defense layers. An IDS can be configured to alert on a broader set of signatures, while IPS blocking signatures should be based on higher confidence of malicious activity. To enhance protection, maximize storage and retention for data collected from an IDS or IPS. This data can be valuable forensic evidence for incident response teams looking to analyze, contain and mitigate a breach.
- Employ protection platforms on email servers: A malicious email detection solution implemented at the email gateway can further help defenders identify and block fraudulent emails. These services can blacklist known sources of ransomware and phishing attacks and analyze all attachments or URLs sent via email in a sandbox before users access them. Making sure email content is “clean” means employees are less likely to fall prey to a phishing attempt.
- Ensure hosts are equipped with solutions to identify and prevent malware from running: Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) platforms are additional layers that can help detect indicators of an attack and may help stop malicious files from running. They can also alert the security team to a potential attack.
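The external-sender banner recommended above can be implemented as a small gateway filter: it reads the real sender address (not the display name), tags anything from outside the organization, and additionally flags sender domains that are within a couple of edits of the internal domain, the typo-changed addresses the article warns about. This is an added illustration, not code from IBM X-Force; `example.com` and the sample messages are constructed placeholders.

```python
"""Tag inbound mail from outside the organization and flag lookalike sender
domains. Added illustration; ORG_DOMAIN and the samples below are constructed."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed internal domain (placeholder)

# Constructed sample messages (not from the article).
SAMPLE_INTERNAL = "From: Alice <alice@example.com>\nSubject: Lunch\n\nSee you at noon.\n"
SAMPLE_LOOKALIKE = "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: Reset\n\nReset now.\n"
SAMPLE_EXTERNAL = "From: vendor@supplier.net\nSubject: Invoice\n\nAttached.\n"


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return the sender domain and whether it is external / a lookalike."""
    msg = message_from_string(raw_message)
    # parseaddr yields the real address even if the display name mimics us.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain != org_domain
    # A domain one or two edits away from ours is a likely typo-squat.
    lookalike = external and 0 < levenshtein(domain, org_domain) <= 2
    return {"domain": domain, "external": external, "lookalike": lookalike}


def add_banner(raw_message: str, org_domain: str = ORG_DOMAIN) -> str:
    """Prepend a warning banner to the body of external messages."""
    info = classify_sender(raw_message, org_domain)
    if not info["external"]:
        return raw_message
    msg = message_from_string(raw_message)
    warning = "[EXTERNAL] This message came from outside the organization."
    if info["lookalike"]:
        warning += f" Sender domain '{info['domain']}' resembles '{org_domain}'."
    msg.set_payload(warning + "\n\n" + msg.get_payload())
    return msg.as_string()


if __name__ == "__main__":
    for sample in (SAMPLE_INTERNAL, SAMPLE_LOOKALIKE, SAMPLE_EXTERNAL):
        print(add_banner(sample))
```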
In addition to phishing attacks, which target the operating systems employees use (also known as client-side attacks), cyber adversaries can also employ server-side attacks that target servers, such as compromising a web application or exploiting a network vulnerability to infiltrate servers the organization operates. Good network hygiene, such as securing open ports, performing input validation and ensuring effective patch management, is one way to reduce the risk of server-side attacks.