October 19, 2023 at 08:42AM
The US cybersecurity agency CISA, along with the NSA, FBI, and MS-ISAC, has released a joint guide on phishing techniques. Threat actors use social engineering to trick victims into revealing their credentials or visiting malicious websites. To mitigate credential theft phishing, organizations are advised to implement strong multi-factor authentication and train employees on social engineering. To prevent malware-based phishing, organizations should use email protections, block malicious domains and IPs, and restrict administrative privileges. Software manufacturers should incorporate secure-by-design principles. The guidance is applicable to all organizations, including small- and medium-sized businesses.
Key takeaways from the meeting notes:
1. The US cybersecurity agencies CISA, NSA, FBI, and MS-ISAC have collaborated to release a joint guide on phishing techniques and mitigation strategies.
2. Phishing attacks rely on social engineering to trick victims into revealing credentials or visiting malicious websites.
3. Threat actors often impersonate trusted sources like supervisors or IT personnel to send phishing emails and obtain usernames and passwords.
4. Attackers are using mobile devices and VoIP to send text messages and spoof caller ID as part of phishing attacks.
5. Organizations are advised to implement multi-factor authentication (MFA) but avoid weak forms, such as MFA without FIDO or PKI-based MFA enabled, push-notification MFA without number matching, and SMS and voice MFA.
6. Malware-based phishing involves impersonating a trusted source to trick recipients into opening malicious attachments or following malicious links.
7. Threat actors use free tools, spear-phishing emails, macro scripts in attachments, and popular chat services for malware-based phishing.
8. To prevent successful credential phishing attacks, organizations should train employees on social engineering, implement email protections and monitoring, enable phishing-resistant MFA, block malicious domains and IPs, restrict administrative privileges, implement the principle of least privilege, and block macro and malware execution.
9. Software manufacturers should integrate secure-by-design and secure-by-default principles in their development processes to mitigate phishing attacks.
10. The guidance is applicable to network defenses at all organizations, including small- and medium-sized businesses that may have limited resources for defense against phishing attacks.