How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back

August 29, 2024 at 07:48AM

Attackers are increasingly using new phishing toolkits, such as adversary-in-the-middle (AitM) kits, that let them bypass traditional prevention controls. AitM phishing uses dedicated tooling to act as a proxy between the target and a legitimate login portal for an application, enabling attackers to steal live, already-authenticated sessions. AitM toolkits employ reverse web proxies and Browser-in-the-Middle (BitM) techniques. These attacks primarily focus on circumventing controls like multi-factor authentication (MFA). With the shift towards web-based services, AitM phishing is the identity-layer equivalent of a Command and Control (C2) framework in the world of endpoint and network attacks. Existing phishing prevention solutions have limitations in detecting AitM phishing sites. To detect and block phishing sites reliably, security teams need to leverage browser-based security controls, which offer the opportunity to stop identity attacks before they happen.

Based on the meeting notes, the key takeaways are as follows:

1. Attackers are increasingly using new phishing toolkits, such as AitM (Adversary-in-the-Middle) attacks, to bypass traditional phishing prevention controls and gain unauthorized access to sensitive data.

2. AitM phishing involves using dedicated tooling to act as a proxy between the target and a legitimate login portal for an application. The attacker can observe all interactions and take control of the authenticated session to gain access to the user account.

3. AitM toolkits utilize two main techniques: reverse web proxy and Browser-in-the-Middle (BitM). A reverse proxy relays the legitimate website to the user so that it looks authentic and captures the credentials and session the user submits; BitM instead has the user interact remotely with a browser running on the attacker’s infrastructure, so the authenticated session never leaves the attacker’s control.

4. Phishing attacks have evolved, and identity has become the new perimeter for cyber security, leading to an increase in SaaS-native attack techniques targeting web-based services and applications.

5. Existing phishing prevention solutions that focus on blocking known-bad domains and URLs have proven to be ineffective, as attackers can easily obfuscate or change these components to evade detection.

6. To improve phishing site detection, organizations should focus on finding indicators that are harder for attackers to change by leveraging browser-based security controls and identifying generic parts of phishing attack techniques.

7. Leveraging browser-based security controls can provide a new surface for detection and control enforcement, enabling security teams to intercept users at the point of impact and stop identity attacks before they occur.
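Takeaways 6 and 7 describe the defensive idea without showing it. The following added example (not code from the original article) sketches the decision logic a browser-side control could apply: an AitM proxy relays the real login page, so its content signals (form field names, page title) match the legitimate app while the origin does not. App names, field names, origins and page snapshots are all constructed for illustration.

```javascript
// Hypothetical fingerprint of a login portal: the parts of the page an
// AitM proxy must keep intact for the victim to be able to log in.
const LOGIN_FINGERPRINTS = [
  {
    app: "ExampleMail",                                  // constructed app name
    legitimateOrigins: ["https://login.example-mail.com"], // constructed origin
    titleKeywords: ["Sign in to ExampleMail"],           // weak signal, easy to change
    formFields: ["loginfmt", "passwd"],                  // strong signal, hard to change
  },
];

// Score how strongly a page snapshot resembles one fingerprint.
// The form-field match carries more weight because the proxied
// backend needs those exact names to accept the submitted form.
function matchScore(fp, page) {
  let score = 0;
  if (fp.titleKeywords.some((k) => page.title.includes(k))) score += 1;
  const present = fp.formFields.filter((f) => page.formFields.includes(f));
  if (present.length === fp.formFields.length) score += 2;
  return score;
}

// Verdict for one page: "block" when the page looks like a known login
// portal but is served from an origin outside that app's allow list.
function classifyPage(page, fingerprints = LOGIN_FINGERPRINTS) {
  for (const fp of fingerprints) {
    if (matchScore(fp, page) < 2) continue; // not a convincing login page
    const legit = fp.legitimateOrigins.includes(page.origin);
    return { app: fp.app, impersonated: !legit, verdict: legit ? "allow" : "block" };
  }
  return { app: null, impersonated: false, verdict: "allow" };
}

// Constructed snapshots of what an extension could collect from a tab.
const SAMPLE_PAGES = [
  { origin: "https://login.example-mail.com", title: "Sign in to ExampleMail", formFields: ["loginfmt", "passwd"] },
  { origin: "https://login.examp1e-mail.net", title: "Sign in to ExampleMail", formFields: ["loginfmt", "passwd"] },
  { origin: "https://news.example.org", title: "Daily news", formFields: ["q"] },
];

// Classify every sample; a real control would run this on page load.
function runSamples() {
  return SAMPLE_PAGES.map((p) => classifyPage(p).verdict);
}

console.log(runSamples()); // ["allow", "block", "allow"]
```

The lookalike origin in the second sample is caught even though its content is byte-for-byte the real login page, which is the point of matching on what the attacker cannot change rather than on a domain blocklist.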

These takeaways highlight the evolving nature of phishing attacks and the need for organizations to adapt their security measures to effectively detect and prevent AitM phishing and other identity attacks.