WOLF & CO Insights Implementing a Secure Infrastructure: Phishing Attacks & Malware

Implementing a Secure Infrastructure: Phishing Attacks & Malware

Written by: Sean D. Goodwin, GSE William J. Nowik, CISA, CISSP, QSA, PCIP

Malicious actors are taking advantage of the panic and disruption caused by COVID-19—with many of them turning to phishing emails as an effective way to lure businesses and individuals into a trap created to distribute malware, steal credentials, and scam users out of money. With the recent 667% increase in phishing attacks related to the coronavirus, organizations must ensure that their security systems are durable and preventive.

A strong, layered approach is needed when defending against these targeted phishing attacks. We’ve compiled some technical protections and tips for defending against these phishing emails and malware:

  • Use DomainKeys Identify Mail + Sender Policy Framework (DKIP+SPK) or header analysis to detect spoofed emails
  • Run active content screening at the gateway and disallow content based on policy
    • This tool will analyze any attachments and links at the gateway before passing it to the end user
  • Implement blacklist that disallow code execution
  • Implement application whitelisting
  • Monitor the network and assets activity using network intrusion detection system (NIDS), host intrusion detection system (HIDS)
  • Send event logs from all assets and security monitoring systems to a security information and event management (SIEM) system
  • Implement strong firewall rules both inbound and outbound
  • Block uncategorized sites and site reputation filtering controls are useful in detecting and preventing phishing attacks
  • Monitor for unauthorized software installation and disallow the ability for end users to install unauthorized software
  • Use strong malware detection and response tools such as Endpoint Detection and Response (EDPR) solutions
    • These solutions defend well against todays advanced persistent threats (APTs) leverage behavior analysis and threat intelligence
  • Use two-factor authentication for domain administrators and consider it for all users
  • Stay on top of security patches
    • Ensure that all new technology downloaded in response to COVID-19 (such as Zoom) is adequately examined and has the correct operating systems and applications
  • Use secure configuration standards on assets
  • Perform regular phishing tests against your employees
  • Consider more frequent and robust internal and external network penetration tests
    • Put the organization’s layered security controls to the test
    • Ensure your penetration testers are testing the institution’s ability to prevent and detect attacks
    • Work with your pentesters to make sure that they’re focused on increasing preventive measures rather than only defensive measures (i.e. testing for the detection of malicious activity before it occurs)
  • Increase communications to your employees on security awareness
  • Develop specific incident response procedures to respond to phishing and malware attacks
    • Have a dedicated contact method such as a “[email protected]” or “[email protected]” email address to which employees can forward suspicious messages
    • Track the reporting rates during phishing testing (aiming to see as close to 100% of the suspicious messages reported as possible)
    • Have detailed playbooks available to all help desk staff regarding how to triage suspected phishing emails and malware infections
    • This might include disconnecting from VPN, identifying all other email recipients, or identifying other impacted users/endpoints

By focusing on these technical measures, your organization will be in a better position to prevent these phishing attacks in the first place, and also mitigate the negative effects of these attacks when they do occur.