Implementing a Secure Infrastructure: Phishing Attacks & Malware

Malicious actors are taking advantage of the panic and disruption caused by COVID-19—with many of them turning to phishing emails as an effective way to lure businesses and individuals into a trap created to distribute malware, steal credentials, and scam users out of money. With the recent 667% increase in phishing attacks related to the coronavirus, organizations must ensure that their security systems are durable and preventive.

A strong, layered approach is needed when defending against these targeted phishing attacks. We’ve compiled some technical protections and tips for defending against these phishing emails and malware:

• Use DomainKeys Identify Mail + Sender Policy Framework (DKIP+SPK) or header analysis to detect spoofed emails
• Run active content screening at the gateway and disallow content based on policy
  • This tool will analyze any attachments and links at the gateway before passing it to the end user
• Implement blacklist that disallow code execution
• Implement application whitelisting
• Monitor the network and assets activity using network intrusion detection system (NIDS), host intrusion detection system (HIDS)
• Send event logs from all assets and security monitoring systems to a security information and event management (SIEM) system
• Implement strong firewall rules both inbound and outbound
• Block uncategorized sites and site reputation filtering controls are useful in detecting and preventing phishing attacks
• Monitor for unauthorized software installation and disallow the ability for end users to install unauthorized software
• Use strong malware detection and response tools such as Endpoint Detection and Response (EDPR) solutions
  • These solutions defend well against todays advanced persistent threats (APTs) leverage behavior analysis and threat intelligence
• Use two-factor authentication for domain administrators and consider it for all users
• Stay on top of security patches
  • Ensure that all new technology downloaded in response to COVID-19 (such as Zoom) is adequately examined and has the correct operating systems and applications
• Use secure configuration standards on assets
• Perform regular phishing tests against your employees
• Consider more frequent and robust internal and external network penetration tests
  • Put the organization’s layered security controls to the test
  • Ensure your penetration testers are testing the institution’s ability to prevent and detect attacks
  • Work with your pentesters to make sure that they’re focused on increasing preventive measures rather than only defensive measures (i.e. testing for the detection of malicious activity before it occurs)
• Increase communications to your employees on security awareness
• Develop specific incident response procedures to respond to phishing and malware attacks
  • Have a dedicated contact method such as a “phishing@” or “security@” email address to which employees can forward suspicious messages
  • Track the reporting rates during phishing testing (aiming to see as close to 100% of the suspicious messages reported as possible)
  • Have detailed playbooks available to all help desk staff regarding how to triage suspected phishing emails and malware infections
  • This might include disconnecting from VPN, identifying all other email recipients, or identifying other impacted users/endpoints

By focusing on these technical measures, your organization will be in a better position to prevent these phishing attacks in the first place, and also mitigate the negative effects of these attacks when they do occur.