Is Phishing Prevention Possible?
The sheer volume of business communications is growing exponentially - within organizations, across organizations, with customers, and even with autonomous systems. At the same time, attacks against individuals, governments, and businesses are becoming more sophisticated, and commoditized hacking tactics are delivered primarily through those same communication channels.
Nefarious individuals can buy packaged victim information on the dark web. These 'offerings' are priced by the target's potential value, ability to pay, and ease of access, as well as by the contents of the 'package.' A package may include not only the entry keys and ransomware tools to deploy, but also options for executing the financial transactions through which victims pay the attackers in order to avoid reputational blackmail, data destruction, or other outcomes of the attack.
What is to be done?
One way to minimize phishing is by leveraging DMARC. The Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol is a de facto global standard for e-mail authentication that greatly reduces e-mail spoofing, the most common delivery method for phishing e-mail. However, minimizing the volume of potential phishing e-mail is just the beginning. Phishing attempts ultimately steal user credentials and impersonate the users, opening the door to the attack. Phishing is on the rise and was used in over 31% of external attack breaches in 2021, up from 23% (2020) and 18% (2019), according to the Forrester Analytics Business Technographics® Security Survey.
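To make the DMARC mechanism concrete, here is an added example (not code from the article) of the decision a receiving mail server makes: it parses the sending domain's DMARC TXT record, checks whether the SPF or DKIM result is aligned with the domain the user sees in the From header, and applies the published policy when neither is. The record, domains and authentication results are constructed; no DNS lookups are performed, and the organizational-domain logic is simplified (a real receiver consults the Public Suffix List).

```python
"""Added example: minimal DMARC policy evaluation for one inbound message."""
from dataclasses import dataclass

# Constructed DMARC record, as it would be published at _dmarc.example.com
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode requires an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC 5322 From header domain, what the recipient sees
    spf_domain: str    # RFC 5321 MailFrom domain that SPF was evaluated for
    spf_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature ("" if unsigned)
    dkim_pass: bool


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the policy ('none', 'quarantine', 'reject') to apply."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed cases: a genuine message, a spoof from attacker infrastructure
    # whose own SPF passes but is not aligned, and a subdomain DKIM signature
    # that fails the strict adkim=s setting above.
    genuine = AuthResults("example.com", "mail.example.com", True, "example.com", True)
    spoof = AuthResults("example.com", "attacker-mail.example.net", True, "", False)
    subdomain = AuthResults("example.com", "example.com", False, "mail.example.com", True)
    for case in (genuine, spoof, subdomain):
        print(case.from_domain, "->", dmarc_disposition(DMARC_RECORD, case))
```

The spoof case is the one DMARC exists for: the attacker's mail server may well pass SPF for its own domain, but that domain does not align with the From header the victim sees, so the published `p=reject` policy applies.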
Zero Trust principles are a critical foundational approach to security; however, they require organizational maturity and, in many instances, the resolution of technical debt and a cultural change as part of a larger digital transformation that will not happen overnight. Under the Zero Trust Architecture (ZTA) model officially published in NIST SP 800-207 in late 2020, no person is trusted by default, whether inside or outside the network, and verification is continuously required to gain access to resources on that network. The key is to establish that the person is trusted and to ensure their identity. Since identity is the cornerstone of modern security, it has long been recommended and assumed that once Multi-Factor Authentication (MFA) is in place, this box can be checked. While MFA is still an important milestone on every security journey, it is no longer sufficient to prevent phishing attacks, because not all MFA is created equal. It has been proven in recent years, both conceptually and in practice with tools such as Modlishka, that relying on just any second authentication factor is not sufficient.
This issue has recently been recognized by the US Federal Government following a string of phishing attacks in 2021 against the US's core infrastructure. On September 7, 2021, the Office of Management and Budget (OMB) released the Federal Zero Trust Strategy, outlining how the Federal government will accelerate agencies towards embracing Zero Trust architectures. A fundamental change is the requirement to use phishing-resistant MFA. This is a significant enhancement over Presidential Executive Order (EO) 14028, issued just four months earlier, which required improvements in the Nation's cybersecurity. The Federal Zero Trust Strategy initiates a sweeping government-wide effort to ensure baseline security practices are in place – including migrating the Federal Government to a zero-trust architecture and realizing the security benefits of cloud-based infrastructure while mitigating the associated risks.
What is phishing-resistant MFA and how does it help?
Phishing-resistant MFA implementations currently rely on hardware: smart cards, which require smart card reader hardware, or the more versatile and user-friendly FIDO2-compliant MFA devices. FIDO2 cryptographic login credentials are unique to every website, never leave the user's device, and are never stored on a server. In this way, if a user is tricked into visiting a fake website, their MFA solution simply fails to authenticate, because the credential was created for the genuine site and not the fake one. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks.
While technical solutions such as FIDO2 and Zero Trust Architecture models are critical, one must not forget the third pillar of any good security approach – people. This element is usually the weakest link. Educating at a personal level and facilitating training at the organizational level are equally essential to prevent and minimize the social aspects of hacking. A good start here is reading and adopting published guidance on social engineering and implementing organizational training courses.
The foremost goal should be an ever-improving security posture - because there is no such thing as 100% secure. Cybersecurity is never done. We need to focus on reducing attack opportunities and making attacks harder or more expensive for the attackers. Following the latest NIST standards and recommendations, particularly for identity protection, will go a long way in securing personal or professional identity from attacks.
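The paragraph above describes the property that makes FIDO2 phishing-resistant: the credential is scoped to one site, and the browser (not the web page) writes the page's origin into the signed client data. The following added example (not code from the article, and not a real WebAuthn library) models that flow with a toy authenticator, a browser step, and a relying party. HMAC over a per-site key derived from a device secret stands in for the per-credential asymmetric key pair a real authenticator holds; all origins, domains and secrets are constructed. It shows why an assertion requested on a look-alike domain never materializes, and why a captured assertion cannot be replayed.

```python
"""Added example: simplified model of FIDO2/WebAuthn origin binding and
single-use challenges. Symmetric HMAC stands in for real signatures."""
import hashlib
import hmac
import json
import os

# Constructed identifiers: the genuine service and a look-alike host.
REAL_ORIGIN = "https://login.example.com"
REAL_RP_ID = "login.example.com"
PHISH_ORIGIN = "https://login.example-com.test"


class Authenticator:
    """Toy authenticator: one credential key per relying-party ID (rp_id).
    Keys never leave this object, mirroring the real security property."""

    def __init__(self):
        self._device_secret = os.urandom(32)
        self._credentials = {}  # rp_id -> credential key

    def make_credential(self, rp_id):
        key = hmac.new(self._device_secret, rp_id.encode(), hashlib.sha256).digest()
        self._credentials[rp_id] = key
        return key  # stands in for the public key the relying party stores

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._credentials:
            raise LookupError(f"no credential scoped to {rp_id}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        sig = hmac.new(self._credentials[rp_id], auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, page_origin, challenge):
    """The browser, not the page, fixes the origin in clientData and scopes
    the request to the host of the page the user is actually on."""
    rp_id = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}       # user -> stored credential key
        self.issued = set()  # outstanding single-use challenges

    def new_challenge(self):
        c = os.urandom(16).hex()
        self.issued.add(c)
        return c

    def verify(self, user, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False  # signed for another site
        if cd.get("challenge") not in self.issued:
            return False  # unknown or already-consumed challenge (replay)
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # credential scoped to a different relying party
        expected = hmac.new(self.keys[user], auth_data +
                            hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.issued.discard(cd["challenge"])  # challenge is single-use
        return True


def setup():
    auth, rp = Authenticator(), RelyingParty(REAL_RP_ID, REAL_ORIGIN)
    rp.keys["alice"] = auth.make_credential(REAL_RP_ID)
    return auth, rp


def legitimate_login():
    auth, rp = setup()
    return rp.verify("alice", *browser_get(auth, REAL_ORIGIN, rp.new_challenge()))


def login_via_lookalike_site():
    """A proxy on the look-alike host relays the genuine challenge, but the
    browser scopes the request to that host, for which no credential exists."""
    auth, rp = setup()
    try:
        browser_get(auth, PHISH_ORIGIN, rp.new_challenge())
    except LookupError as e:
        return str(e)
    return "assertion produced"


def replayed_assertion():
    """A captured assertion is bound to a consumed challenge and is rejected."""
    auth, rp = setup()
    assertion = browser_get(auth, REAL_ORIGIN, rp.new_challenge())
    rp.verify("alice", *assertion)
    return rp.verify("alice", *assertion)


if __name__ == "__main__":
    print("genuine site:", legitimate_login())
    print("look-alike site:", login_via_lookalike_site())
    print("replayed assertion:", replayed_assertion())
```

The contrast with a one-time code is the point: a code typed into a look-alike page is just a string the proxy can forward, whereas here the look-alike host has no credential to invoke and, even if it did, the signed origin and rpIdHash would identify the wrong site to the genuine relying party.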
In summary
- The US Federal Government and regulated industries worldwide have adopted NIST SP 800-63 digital identity guidance.
- Not all authentication is created equal - pay extra attention to verifier compromise (phishing) resistance.
- For BYOD, the most viable phishing-resistant authenticator is a FIDO2-compliant security key.
- Start thinking about moving to phishing-resistant authentication while adopting a Zero Trust Architecture model.
- Continuously educate your employees.
Additional resources/references
- Phishing NG. Bypassing 2FA with Modlishka
- Hadnagy, Christopher. Social Engineering: The Science of Human Hacking 2nd Edition
- Phantom Phishing Haunts The Inbox
- How Does DMARC Prevent Phishing?
- SP 800-207, Zero Trust Architecture | CSRC (nist.gov)
- NIST Special Publication 800-63B
- Moving the U.S. Government Towards Zero Trust Cybersecurity Principles