Anti-Phishing Checklist

I'll start with some numbers:

• 80% of successful attacks begin with phishing (and someone believes that 95% are completely)
• 10% of alarms in most SOCs are related to phishing attacks
• Success rate for phishing links - 21%
• Download / launch rating of malicious attachments - 11%

All this suggests that phishing remains one of the main causes of many incidents and a source of problems for many information security professionals. At the same time, phishing is often underestimated and the fight against it is quite fragmented. Therefore, we decided to draw up a checklist that describes a set of organizational and technical measures to combat this cyber threat.







I would single out 5 sets of measures to protect against phishing attacks that must be implemented at each enterprise:

• The study of information. Which of your users indicated their contact details in social networks or in other sources? It is with the collection of this data that a phishing attack begins. Therefore, do not wait for the attackers to do this; find out how your company looks from the point of view of the attackers.
• Staff training and awareness raising. Since phishing is aimed at users who are unskilled in information security, it is necessary to start the fight against phishing with them. And although this does not guarantee complete protection, it will protect them from simple mistakes, with which serious incidents begin.
• Basic protective measures. Before you go buy and implement means of protection against phishing attacks, you should start with the inclusion of basic security mechanisms, many of which are built into mail servers and services, email clients and browsers.
• Advanced protective measures. Since phishing can be quite complex and basic measures do not always save, you may need advanced protective measures that detect and neutralize a phishing attack at different stages - from getting into a mailbox or clicking on a phishing link to trying to infect a workstation or communicate with team servers.
• The alignment of the process. Finally, in order to move from episodic protection actions to a holistic defense strategy, it is necessary to build appropriate processes.

Analyze information about you

• Check the social networks and pages of your employees who can indicate their contact details that will be used by cybercriminals. If this is not required by official duties, it is better not to publish such information.
• Use specialized tools (for example, TheHarvester or recon-ng utility included with Kali Linux) in order to “see through the eyes of a hacker” which contact information can be obtained from the Internet.
• Check typosquatting domains using special utilities (e.g. URLcrazy ) or cloud services (e.g. Cisco Umbrella Investigate ).

Training and Awareness Raising

• Train non-UIB employees on phishing and social engineering issues and teach them to pay attention to the signs of phishing messages and sites (for example, you can use the simple attentiveness test on the Cisco Umbrella website).
• Provide training for IS personnel on the methods used to organize phishing companies (for example, see the Cisco Phishing Defense Virtual Summit entry).
• Teach ordinary users to redirect to the IS service all suspicious or explicitly malicious messages missed by the security system.
• Implement a computer-based training system for employees.
• Perform regular phishing simulations using purchased or free software (such as Gophish ) or outsourcing this service.
• Include the topic of protection against phishing in an employee awareness program (for example, through the use of posters, screen savers, gamification, stationery, etc.).
• If necessary, notify clients and partners about phishing attacks and the main ways to combat them (especially if the legislation requires you to do this, as is necessary for financial institutions in Russia).

Technical measures: basic

• Configure anti-phishing capabilities of mail servers, including cloud-based mail services (for example, Office 365), and clients.
• Regularly update system and application software, including browser plug-ins, and operating systems to eliminate vulnerabilities that could be exploited in phishing attacks.
• Configure browsers to protect against visits to phishing domains (due to built-in features or additional plug-ins).
• Enable on your mail gateway SPF (Sender Policy Framework), which allows you to check the IP address of the external sender (checking only the sender host, not the message itself) for incoming messages.
• Enable DKIM (Domain Keys Identified Mail) on your mail gateway, which provides internal sender identification (for outgoing messages).
• Enable on your mail gateway DMARC (Domain-based Message Authentication, Reporting and Conformance), which prevents messages that appear to be sent by legitimate senders.
• Enable on your mail gateway DANE (DNS-based Authentication of Named Entities), which allows you to deal with attacks "man in the middle" inside the interaction over the TLS protocol.

Technical measures: advanced

• Implement a means of protection against phishing attacks in e-mail (for example, Cisco E-mail Security ), which includes various protective measures (reputation analysis, anti-virus scanner, control of attachment types, anomaly detection, spoofing detection, URL inspection in links, sandbox, etc. P.).
• Install security features on a PC (for example, Cisco AMP for Endpoint ) or mobile devices (for example, Cisco Security Connector ) to protect against malicious code installed on the terminal device as a result of a successful phishing attack.
• Subscribe to Threat Intelligence feeds for up-to- date phishing domain information (such as Cisco Threat Grid or SpamCop ).
• Use the API to check domains / senders in various Threat Intelligence services (for example, Cisco Threat Grid , Cisco Umbrella , etc.).
• Filter communication with C2 by various protocols - DNS (for example, using Cisco Umbrella ), HTTP / HTTPS (for example, using Cisco Firepower NGFW or Cisco Web Security ) or other protocols (for example, using Cisco Stealthwatch ).
• Track interaction with the Web to control clicks on links in messages, malware downloads when launching attachments, or to block phishing via social networks.
• Use plug-ins for email clients to automate interactions with a security service or manufacturer in case of detection of phishing messages that are missed by the security system (for example, Cisco E-mail Security plugin for Outlook ).
• Integrate a dynamic file analysis system (sandbox) with an email protection system to control email attachments (such as Cisco Threat Grid ).
• Integrate your Security Monitoring Center (SOC) or incident investigation system (such as Cisco Threat Response ) with an email protection system to quickly respond to phishing attacks.

The processes

• Develop regulations for working with clients or other persons reporting the discovery of taipskotting domains or clone domains.
• Develop a playbook for monitoring typosquatting or clone domains, including responding to them.
• Develop a playbook for monitoring phishing attacks, including responding to them.
• Develop regulations and notification templates for FinCERT (for financial organizations) and State SOPKA (for KII subjects) about phishing attacks.
• Investigate phishing domains (for example, using Cisco Umbrella Investigate) to find out about new phishing domains that might be used in the future.
• Develop rules for interaction with authorized organizations (for example, FinCERT or NCCSC) for the separation of phishing domains.
• Develop a system of indicators for assessing the effectiveness of protection against phishing.
• Develop an anti-phishing protection reporting system and track its dynamics.
• Organize regular anti-phishing protection cyber orders for your employees.
• Develop an email policy for your organization.

The more fully this checklist is implemented, the more effective your protection against phishing will be.