Arguably, phishing is one of the biggest threats that businesses face today. As organisations have improved their external security, criminals have turned to phishing as a way of compromising them and bypassing traditional perimeter defences. Phishing is also a common way of distributing malware such as ransomware. With off-the-shelf phishing kits available for purchase, even an untrained criminal can now launch an attack. With reported phishing cases on the rise, what can be done to help defend staff, and the businesses they work for, from the threat of phishing?
Because phishing relies on a person performing an action, it is possibly one of the hardest areas for an Information Security Manager to address. At Dionach, we run phishing campaigns frequently, and the proportion in which we fully compromise the target is alarming; they often leave us with full access to critical systems and data.
Part of Dionach’s methodology when running a phishing engagement is a staged approach spread over a period of time. Stage one tests the organisation’s overall susceptibility to phishing: we try to entice staff to click on links in lures that are deliberately unsophisticated and obviously suspicious. Stage two is more specific, perhaps focusing on a smaller target group and using information relevant to them that they would find interesting. The final stage selects a small number of specific individuals, identifies their likely interests and motivations, and stages a final attack tailored to those individuals.
Defence in depth is a fundamental part of any information security strategy: in the vast majority of cases, someone targeting your organisation will have some level of success, so no single control can be relied upon. A phishing campaign helps you understand your organisation’s exposure from an external perspective, and analysing which attack vectors were effective in the exercise will improve your understanding of the common internal weaknesses that make a phishing attack more likely to succeed.
Dionach consultants have compromised a number of organisations in this way: we have compromised PCs and user accounts, escalated privileges and moved around the internal network infrastructure as if it were our own, in many cases for days on end without being detected.
What can be taken from a well-planned phishing campaign? Performing regular simulated attacks is vital, for staff awareness both in the workplace and at home. Asking staff to apply the same level of security to workplace information as they would to their own benefits both the individual and the business. Ensuring that staff receive regular training and know how to identify common phishing techniques will ultimately reduce the likelihood of a successful attack.
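The tells that awareness training teaches staff to look for (a Reply-To that points somewhere else, an email address hidden in the display name, a sender or link domain that imitates your own, punycode hosts, link text that disagrees with its real destination, and pressure language) can also be checked mechanically before a message reaches the inbox. The script below is an added example written for this page, not Dionach’s own tooling; it goes a little beyond the text by checking several of these techniques at once on a raw RFC 5322 message. The trusted-domain list and both sample messages are constructed for the example.

```python
"""Flag common phishing indicators in a raw RFC 5322 message.

Added illustration for this article, not Dionach's own tooling. The trusted
domains and the two sample messages below are constructed for the example.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domains; their subdomains are trusted too.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


class _LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(addr_or_url):
    """Lower-cased host of an email address or URL ('' if there is none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of our domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(host):
    """Trusted domain that `host` imitates, or None if it is ours or unrelated."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for trusted in TRUSTED_DOMAINS:
        # Subdomain abuse (example.com.evil.net) or a near-miss spelling (examp1e.com).
        if host.startswith(trusted + ".") or _edit_distance(host, trusted) <= 2:
            return trusted
    return None


def _first_address(msg, header):
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    value = msg[header]
    if value is None or not getattr(value, "addresses", ()):
        return "", ""
    return value.addresses[0].display_name, value.addresses[0].addr_spec


def phishing_indicators(raw_message):
    """Return human-readable indicators found in the message (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = _first_address(msg, "From")
    _, reply_addr = _first_address(msg, "Reply-To")
    from_dom = _domain(from_addr)

    if reply_addr and _domain(reply_addr) != from_dom:  # replies steered elsewhere
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    if "@" in display_name and _domain(display_name) != from_dom:  # address in display name
        findings.append(f"Display name contains address at {_domain(display_name)} but sender is {from_dom}")
    imitated = _lookalike(from_dom)
    if imitated:
        findings.append(f"Sender domain {from_dom} resembles {imitated}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(text)
    for anchor_text, href in collector.links:
        href_dom = _domain(href)
        shown_dom = _domain(anchor_text) if anchor_text.startswith(("http://", "https://")) else ""
        if shown_dom and shown_dom != href_dom:
            findings.append(f"Link text shows {shown_dom} but points to {href_dom}")
        if "xn--" in href_dom:
            findings.append(f"Punycode host in link: {href_dom}")
        imitated = _lookalike(href_dom)
        if imitated:
            findings.append(f"Link host {href_dom} resembles {imitated}")

    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(word in haystack for word in URGENCY_WORDS):
        findings.append("Urgency language present")
    return findings


# Constructed sample messages for the example (not real traffic).
SUSPECT_MESSAGE = "\n".join([
    'From: "support@example.com" <support@examp1e.com>',
    "Reply-To: helpdesk.recovery@mail-relay.net",
    "To: staff@example.com",
    "Subject: Urgent: your account will be suspended",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>Please confirm at",
    '<a href="http://example.com.login-portal.net/verify">https://example.com/verify</a>',
    "within 24 hours.</p></body></html>",
])
BENIGN_MESSAGE = "\n".join([
    "From: IT Service Desk <servicedesk@example.com>",
    "To: staff@example.com",
    "Subject: Monthly maintenance window",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "The patching window is Saturday 02:00-04:00. Details: https://intranet.example.com/maintenance",
])

if __name__ == "__main__":
    for finding in phishing_indicators(SUSPECT_MESSAGE):
        print("-", finding)
    print("benign:", phishing_indicators(BENIGN_MESSAGE))
```

Run it and the constructed suspect message produces six findings while the benign one produces none. The checks are deliberately simple heuristics for triage and training material, not a replacement for authenticated email (SPF, DKIM and DMARC) or a mail gateway; the edit-distance threshold of 2 will also flag legitimate short domains that happen to be close to your own, so tune it against real traffic before acting on it automatically.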
As noted above, phishing is now a well-established method of compromising organisations from the outside. Ensuring that the necessary internal controls are in place is ultimately your best defence, and it will go a long way towards reducing the impact of any phishing-based attack.