Best practices for addressing phishing threats in a corporate environment

Some useful tips from Flashpoint

Chris Camacho and Pierre Lamy from Flashpoint have published an interesting article on the corporate blog titled “Best Practices for Addressing Four Common Threats”.

As cyber threat actors strive to acquire increasingly advanced skills and develop more damaging tactics, it’s our job as security practitioners to share our insights and promote awareness in order to help more organizations and individuals protect themselves from these threats.

The article focuses on these four possible threats:

  • Credential Dumps
  • Distributed Denial-of-Service Attacks (DDoS)
  • Phishing
  • Destructive Malware (Ransomware)

In my opinion, the most interesting part is the point related to phishing:

Typically, phishing emails solicit recipients to click a link or open an attachment. If the recipient complies, malware may execute on their system and inflict numerous damages, which can include stealing usernames and passwords, encrypting the recipient’s files with ransomware, taking control over the infected computer via remote-access applications.

The article goes on to suggest some precautions:

• Deploy antivirus software on users’ workstations;

• Deploy application whitelisting. This is the single most effective protection for workstations;

• Disable or remove Internet Explorer; use Google Chrome;

• Deploy ad-blocking tools on Chrome;

• Use a commercial proxy server to block malicious sites;

• Use a third-party service to train users how to recognize phishing emails;

• Force all outbound web traffic to cross a proxy server so that it is logged and blocked by the service;

• Use an alternate PDF reader instead of Adobe;

• Ensure all workstations are patched frequently;

• Create an HR policy advising that frequent risky behavior on the network may result in repercussions, including termination.

… all correct and reasonable, and with some remediation in the event that a user has clicked on a link or executed an attachment:

• Re-image the user’s workstation using a recent backup. Do not simply restore files — restore the entire operating system;

• If possible, conduct a forensic analysis on the workstation as well as proxy logs;

• Identify how the file or link was received and put blocks on the email system and proxy server to prevent further infections;

• Provide remedial training for staff members who open malicious links;

• In extreme cases in which the same employee has repeatedly opened malware, consider termination using a documented HR policy.

(the last point is pretty radical!)
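The proxy-log step above can be scripted to find every user who reached the host of a reported link and whether the proxy blocked them. This is an added example, not code from the Flashpoint article; it assumes the proxy writes Squid's native access.log layout, and the log lines, hosts and user names are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 120 10.0.0.15 TCP_MISS/200 5120 GET http://intranet.example.com/home alice HIER_DIRECT/192.0.2.10 text/html
1700000050.250 300 10.0.0.15 TCP_MISS/200 8841 GET http://login-portal.example.net/verify?id=77 alice HIER_DIRECT/203.0.113.7 text/html
1700000061.007 95 10.0.0.15 TCP_MISS/200 40960 GET http://login-portal.example.net/invoice.zip alice HIER_DIRECT/203.0.113.7 application/zip
1700000420.500 410 10.0.0.22 TCP_TUNNEL/200 3920 CONNECT login-portal.example.net:443 bob HIER_DIRECT/203.0.113.7 -
1700000900.900 12 10.0.0.31 TCP_DENIED/403 3500 GET http://login-portal.example.net/verify?id=81 carol HIER_NONE/- text/html
1700001000.000 80 10.0.0.40 TCP_MISS/200 900 GET http://notlogin-portal.example.net.example.org/ dave HIER_DIRECT/198.51.100.9 text/html
"""

def host_of(method, url):
    """Return the lower-cased host for a proxy log URL field."""
    if method == "CONNECT":          # CONNECT logs host:port, not a URL
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def scope_incident(log_text, reported_url):
    """Map each user who requested the reported link's host to their requests."""
    bad_host = urlsplit(reported_url).hostname.lower()
    hits = {}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue                 # skip truncated or malformed lines
        ts, client, status, method, url, user = f[0], f[2], f[3], f[5], f[6], f[7]
        host = host_of(method, url)
        # exact host or true subdomain only; avoids look-alike substring matches
        if host != bad_host and not host.endswith("." + bad_host):
            continue
        blocked = status.startswith("TCP_DENIED")
        hits.setdefault(user, []).append((float(ts), client, url, blocked))
    return hits

def followup_users(hits):
    """Users with at least one request the proxy did not block."""
    return sorted(u for u, reqs in hits.items() if any(not r[3] for r in reqs))

if __name__ == "__main__":
    found = scope_incident(SAMPLE_LOG, "http://login-portal.example.net/verify?id=77")
    for user, reqs in sorted(found.items()):
        print(user, len(reqs), "request(s)")
    print("follow up:", followup_users(found))
```

Users returned by `followup_users` are the ones whose workstations the remediation list applies to; users who only appear with `TCP_DENIED` show that the proxy block is working.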

I suggest you read the original article on the Flashpoint blog: