This October 2021 marks the 18th annual Cybersecurity Awareness Month. Highlighting the importance of cybersecurity, and bringing awareness to the general public, this year’s theme is “Do Your Part. #BeCyberSmart”.
A joint venture between the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), the aim is to ensure “that all Americans have the resources they need to be safer and more secure online”.
create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity.
Each week this Cybersecurity Awareness Month has a different focus. Starting out with Week One and “Be Cyber Smart”, the theme of Week Two is “Phight the Phish!”.
What is Phishing?
Phishing is an attack technique that uses social engineering to trick victims into taking an action that will grant the adversary access to the victim’s systems or data.
With 75% of organisations experiencing a phishing attack in 2020, and 22% of data breaches involving phishing, it’s clear that we need more awareness and more protections against phishing attacks.
What is the current state of affairs?
The COVID-19 pandemic saw a rise in phishing attacks targeted at individuals, seeking to capitalise on the fear, uncertainty and financial insecurity brought on by the pandemic. In the UK, HMRC-related email scams saw people receive emails promising eligibility for income support and tax returns, sent by fraudsters trying to steal personal information. Additionally, employees reported an increase in phishing emails targeting their corporate mailboxes, with “25% saying they’ve seen increase in fraudulent emails, phishing attempts and spam since the start of the COVID-19 crisis”. Overall, the number of phishing attacks was reported to have soared by as much as 220% in 2020 compared to 2019.
How are they doing it?
The MITRE ATT&CK framework provides us with a common language with which to think and communicate about security defences in a methodical and structured way, as well as translate the tactics and techniques of attackers into the language of the board.
In the MITRE ATT&CK Enterprise framework, Phishing (Technique T1566) has three sub-techniques – distinct ways an attacker can achieve the goal of phishing their victim. The sub-techniques are Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002) and Spearphishing via Service (T1566.003).
As an attack technique, Spearphishing Attachment relies on the victim opening a file, typically delivered as an attachment to an email. Upon opening, the malware (“the adversary’s payload”) will either exploit a vulnerability or execute directly on the user’s system. The adversary uses social engineering to convince the victim to open the attachment, for example by claiming it is an unpaid invoice requiring urgent attention.
Again leveraging social engineering and relying on User Execution, Spearphishing Link relies on the victim either clicking a malicious link or copying and pasting it into their browser. The malicious website may compromise the victim’s browser, and subsequently their machine, directly, or prompt the user to download a file or application containing the exploit.
Spearphishing via Service attempts to exploit services such as social media platforms, where the victim is likely to be more relaxed and less constrained by the strict security policies and protections that may be in place on corporate accounts. Adversaries may do this to gather information on a company’s environment in order to better orchestrate an attack, or to send malicious links and attachments directly, bypassing corporate restrictions and protections.
What can we do?
Installing antivirus software should detect malicious documents or files once they are downloaded. Similarly, endpoint protection can detect malicious events once files are opened, and security teams can then take remediation actions. Email security software that stops malware and can identify and block impersonation attempts, such as Proofpoint, will help to secure digital channels. Above all, phishing and cybersecurity awareness education can help empower employees to recognise and avoid phishing attacks.
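To make the sub-technique descriptions and the email-security controls above concrete, here is an added example (not code from the original post or from any product it mentions) of a small triage script that flags the email-borne indicators discussed: a risky attachment type (Spearphishing Attachment, T1566.001), link text pointing at a different host than the link target or at a lookalike domain (Spearphishing Link, T1566.002), and display-name impersonation of a trusted brand plus a Reply-To that diverges from the sender. The trusted-domain list, the extension list and both sample messages are constructed for the example; the lookalike check is a deliberately crude character-substitution fold, not a production homoglyph detector.

```python
"""Email triage example for the phishing indicators described in the post.
Added illustration; the domains, extensions and messages below are constructed."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation treats as its own or as known-good senders.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}
# Attachment types often used to carry a T1566.001 payload (illustrative, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
URL_RE = re.compile(r"^https?://", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _normalise(domain):
    """Fold common substitutions so bank-examp1e.com compares equal to bank-example.com."""
    return domain.lower().replace("1", "l").replace("0", "o").replace("-", "")


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is not a lookalike."""
    for trusted in TRUSTED_DOMAINS:
        if host != trusted and _normalise(host) == _normalise(trusted):
            return trusted
    return None


def triage(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    display = sender.display_name.lower().replace("-", " ") if sender else ""

    # Impersonation: the display name invokes a trusted brand but the address is not trusted.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display and sender_domain not in TRUSTED_DOMAINS:
            findings.append(("impersonation", f"'{sender.display_name}' from {sender_domain}"))
    if lookalike_of(sender_domain):
        findings.append(("lookalike-sender", sender_domain))
    # A Reply-To that points somewhere other than the sender's domain.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender_domain:
        findings.append(("reply-to-mismatch", reply_to.addresses[0].addr_spec))

    for part in msg.walk():
        # T1566.001: an attachment whose extension can execute or carry macros.
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("T1566.001", name))
        # T1566.002: links whose visible text or target host is misleading.
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for text, href in collector.links:
                host = (urlparse(href).hostname or "").lower()
                if URL_RE.match(text) and (urlparse(text).hostname or "").lower() != host:
                    findings.append(("T1566.002-mismatch", f"text {text} -> href {href}"))
                if lookalike_of(host):
                    findings.append(("T1566.002-lookalike", host))
    return findings


def build_phish_sample():
    """Constructed phishing-style message (not a real sample) that trips every check."""
    m = EmailMessage()
    m["From"] = "Bank Example Support <alerts@bank-examp1e.com>"
    m["To"] = "employee@example-corp.com"
    m["Subject"] = "Unpaid invoice - urgent attention required"
    m["Reply-To"] = "collections@mailer-xyz.invalid"
    m.set_content("Please review the attached invoice today.")
    m.add_alternative("<p>Review it here:\n"
                      '<a href="http://bank-examp1e.com/login">https://bank-example.com/invoices</a></p>',
                      subtype="html")
    m.add_attachment(b"PLACEHOLDER-NOT-A-REAL-FILE", maintype="application",
                     subtype="octet-stream", filename="invoice_2021.docm")
    return m.as_bytes()


def build_clean_sample():
    """Constructed benign message: trusted sender, plain text, no links or attachments."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@example-corp.com>"
    m["To"] = "employee@example-corp.com"
    m["Subject"] = "Planned maintenance window"
    m.set_content("The VPN gateway will be restarted on Saturday at 09:00.")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_phish_sample()), ("clean", build_clean_sample())):
        print(label, triage(raw))
```

Running the script prints six findings for the constructed phishing message and none for the benign one. The point of the structure is that each finding carries the ATT&CK sub-technique or control it relates to, so an analyst can map a flagged message straight back to the framework vocabulary the post recommends; a real mail gateway adds sender authentication (SPF, DKIM, DMARC) and file detonation on top of header and link heuristics like these.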