The guide helps organizations understand what malicious actors are doing so defenders can adopt appropriate mitigations against phishing.
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) published “Phishing Guidance: Stopping the Attack Cycle at Phase One” to help organizations reduce the likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.
Phishing is a form of social engineering that malicious actors commonly use to get their targeted victims to visit an illegitimate website or to download malware. To help organizations better understand this activity, the guide categorizes phishing into two common tactics: phishing to obtain login credentials and phishing to deploy malware. It expands upon the two tactics by detailing the techniques frequently used by these actors, such as impersonating supervisors or trusted colleagues, using Voice over Internet Protocol (VoIP) to spoof caller ID, and using publicly available tools to facilitate spear phishing campaigns.
“For too long, the prevailing guidance to prevent phishing attacks has been for users to avoid clicking on malicious emails. We know that this advice is not sufficient. Organizations must implement necessary controls to reduce the likelihood of a damaging intrusion if a user interacts with a phishing campaign – which we know many users do, in every organization,” said Sandy Radesky, Associate Director for Vulnerability Management, CISA. “With our NSA, FBI, and MS-ISAC partners, this guide provides practical, actionable steps to reduce the effectiveness of phishing as an initial access vector. We also know that many of the controls described in this guide can be implemented by technology vendors, reducing burden and increasing security at scale. We strongly encourage all organizations and software manufacturers to review this guide and implement recommendations to prevent successful phishing attempts – by design wherever possible.”
“Knowing how to navigate phishing danger is essential because anyone can fall victim to these attacks,” said Eric Chudow, NSA’s Cybersecurity System Threats & Vulnerability Analysis Subject Matter Expert. “Cyber threat actors are constantly evolving their techniques and harnessing new technologies to their advantage, including artificial intelligence. They are also finding it easier to deceive people who have transitioned to hybrid work environments and have fewer face-to-face interactions.”
“Our goal in putting out this product is to provide organizations with the necessary knowledge to prevent them from falling victim to phishing,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. “Cyber is a team sport, which is why we strive to arm our partners with the necessary tools needed in combatting malicious actors that use this intrusion technique.”
“Phishing continues to be the most successful method for gaining unauthorized access to state and local government networks,” said John Gilligan, CIS Chief Executive Officer. “Organizations and their employees must understand the risks posed by this attack vector and how to successfully identify and avoid phishing threats. This joint guide is a great reference for state and local organizations.”
This joint phishing guide is intended to be a one-stop resource to help all organizations protect their systems from phishing threats. All organizations, from small- and medium-sized businesses to software manufacturers, are encouraged to review this joint guide to better understand evolving phishing techniques and implement tailored cybersecurity controls and best practices to reduce the risk of compromise.