Written by: Sean D. Goodwin, GSE; William J. Nowik, CISA, CISSP, QSA, PCIP
Malicious actors are taking advantage of the panic and disruption caused by COVID-19—with many of them turning to phishing emails as an effective way to lure businesses and individuals into a trap created to distribute malware, steal credentials, and scam users out of money. With the recent 667% increase in phishing attacks related to the coronavirus, organizations must ensure that their security systems are durable and preventive.
A strong, layered approach is needed when defending against these targeted phishing attacks. We’ve compiled some technical protections and tips for defending against these phishing emails and malware:
- Use DomainKeys Identified Mail (DKIM) + Sender Policy Framework (SPF) or header analysis to detect spoofed emails
- Run active content screening at the gateway and disallow content based on policy
  - This tool will analyze any attachments and links at the gateway before passing them to the end user
- Implement blacklists that disallow code execution
- Implement application whitelisting
- Monitor network and asset activity using network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS)
- Send event logs from all assets and security monitoring systems to a security information and event management (SIEM) system
- Implement strong firewall rules both inbound and outbound
- Block uncategorized sites; site reputation filtering controls are also useful in detecting and preventing phishing attacks
- Monitor for unauthorized software installation and disallow the ability for end users to install unauthorized software
- Use strong malware detection and response tools such as Endpoint Detection and Response (EDR) solutions
  - These solutions defend well against today's advanced persistent threats (APTs) because they leverage behavior analysis and threat intelligence
- Use two-factor authentication for domain administrators and consider it for all users
- Stay on top of security patches
- Ensure that all new technology downloaded in response to COVID-19 (such as Zoom) is adequately examined and runs on correctly configured operating systems and applications
- Use secure configuration standards on assets
- Perform regular phishing tests against your employees
- Consider more frequent and robust internal and external network penetration tests
  - Put the organization’s layered security controls to the test
  - Ensure your penetration testers are testing the institution’s ability to prevent and detect attacks
  - Work with your pentesters to make sure that they’re focused on increasing preventive measures rather than only detective measures (i.e., testing that malicious activity is stopped before it occurs, not only that it is detected afterward)
- Increase communications to your employees on security awareness
- Develop specific incident response procedures to respond to phishing and malware attacks
  - Have a dedicated contact method such as a “phishing@” or “security@” email address to which employees can forward suspicious messages
  - Track the reporting rates during phishing testing (aiming to see as close to 100% of the suspicious messages reported as possible)
- Have detailed playbooks available to all help desk staff regarding how to triage suspected phishing emails and malware infections
  - This might include disconnecting from VPN, identifying all other email recipients, or identifying other impacted users/endpoints
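As an added illustration of the header-analysis check in the first bullet (example code written for this page, not from the authors or their firm): a small Python script that reads the gateway's `Authentication-Results` header and checks whether the visible `From:` domain aligns with the envelope sender. The two sample messages and all domain names are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the original article). In the first,
# the visible From: claims the organisation's domain while the envelope sender
# and the gateway's own Authentication-Results header disagree with it.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-covid-relief.example>
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mail-covid-relief.example; dkim=none; dmarc=fail header.from=example.org
From: "HR Department" <hr@example.org>
To: staff@example.org
Subject: COVID-19 policy update - action required

Please review the attached policy immediately.
"""

SAMPLE_LEGIT = """\
Return-Path: <hr@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: "HR Department" <hr@example.org>
To: staff@example.org
Subject: Remote work reminder

Reminder: VPN maintenance tonight.
"""

def _domain(addr) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if none."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()

def _auth_results(msg) -> dict:
    """Map spf/dkim/dmarc -> result from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {method.lower(): result.lower() for method, result in pairs}

def analyze_headers(raw: str) -> list:
    """Return spoofing indicators found in the headers (empty list = clean).
    Only the Authentication-Results header stamped by your own gateway should
    be trusted; earlier headers in the chain can be forged by the sender."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    # Alignment check: the visible From: domain should match the envelope sender.
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain {from_domain} != envelope domain {envelope_domain}")
    results = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method, "missing") != "pass":
            findings.append(f"{method} result is {results.get(method, 'missing')}")
    return findings
```

Messages that produce a non-empty list are candidates for quarantine or for a closer look by the help desk; a message with no findings can still be phishing sent from a legitimately authenticated domain, so this is one layer among several.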
By focusing on these technical measures, your organization will be in a better position to prevent these phishing attacks in the first place, and also mitigate the negative effects of these attacks when they do occur.