Phishing is one of the most enduring security risks IT professionals face. It’s been a common avenue for credential theft for years — but despite all the notoriety, phishing campaigns continue to fool even the most vigilant among us. As attacks become more sophisticated, the security that prevents them is evolving as well, moving beyond network-based tools to an identity-based model.
Historically, phishing has been conducted by sending mass email campaigns designed to collect credentials to a broad group of people. The logic is that if a hacker can reach enough people with a phishing campaign, statistically someone will take the bait. Modern phishing is much more targeted, and social engineering is often involved. Through social engineering, attackers gather information about their targets through meticulous research and manipulative interactions. If they’re able to piece together enough information about an organization’s infrastructure and employees,
they may be able to pose as a legitimate user and infiltrate the organization’s networks. The hacker may seem unassuming and respectable, possibly claiming to be a new employee, helpdesk contact, or contractor and may even offer credentials to support that identity. This targeted form of social engineering is called spear phishing. Like any other phishing attack, the goal of spear phishing is to acquire sensitive information, install malware or steal credentials. Unlike other phishing attacks, however, spear phishing takes advantage of uniquely human traits — like habits, personal motivations and incentives — to encourage their targets to fall for the attack.
Most modern phishing attacks occur in several phases — hackers start by gathering information about their targets to gain initial unauthorized access into an organization’s networks, and then escalate privileges as they traverse the networks.
80% of breaches involve brute force or the use of stolen passwords, per Verizon’s 2020 Data Breach Investigation Report (DBIR).
Hacking and phishing tools, along with documentation on how to use them, are readily available online — so launching an attack is easier than ever.
Over the years, phishing has become harder to spot. Rather than casting a wide net, attackers now target specific individuals.
Phishing is an insidious problem where attackers prey on human nature. [...] By relying on socially engineering their victims by using methods such as dark patterns, the attackers utilize their access to purloined credentials for financial gain in many cases. Security controls to limit the access of an attacker are essential to shore up enterprise defenses. Read the Customer Story— Dave Lewis, Global Advisory CISO, Cisco
Because it targets the unpredictable human element of security, phishing sounds scary — but it doesn’t have to be. With a few best practices in place, organizations can achieve phishing resistance and prevent unauthorized access.
Requiring multi-factor authentication (MFA) significantly reduces risk of unauthorized access — but not all authentication methods are equal. Using WebAuthn or FIDO2 security keys provides the highest level of assurance for secure access.
Single sign-on serves as a unified visibility and enforcement point for application-specific policies, while also enabling seamless access to multiple applications with a single set of credentials. With fewer credentials to remember, users are less likely to reuse or create weak passwords that can easily be targeted by hackers.
It’s hard to prevent access from devices you don’t know about. Visibility into all the devices accessing your resources is the first step in ensuring every access attempt is legitimate.
With many different devices accessing company resources, it’s important to ensure they’re all healthy and up-to-date. Compliant devices are less likely to create gaps in security, making them more difficult for hackers to exploit.
Ensure that the right users, with the right devices, are accessing the right applications. By creating granular security policies, you can enforce a least-privilege access model and ensure that users and their devices meet rigorous standards before they can login to critical resources.
Utilize behavioral analytics to monitor the unique access patterns of your users. This practice helps you spot suspicious activity — and stop breaches before they happen.
Learn more about modern phishing attacks and what you can do to prevent credential theft.
Hackers can’t steal a password if there’s no password to steal. Passwordless authentication is becoming a viable and attractive way to reduce credential theft.
Phishing attacks depend on human behavior to be successful — so verifying user identities with strong MFA is the first step in preventing a breach.
Assigning access permissions by application ensures that your most critical resources are also your most protected.
In this guide, we dissect the anatomy of a phishing attack using a real life case study of a popular company that was breached through targeted phishing and how it could have been prevented.