This is Part 2 in our four-part blog series for Cybersecurity Awareness Month.
This week's Cybersecurity Awareness Month theme, “Fight the Phish,” is a challenging one for cybersecurity professionals, because one of the best defenses against this popular piece of adversary tradecraft is education. As such, this week's theme presented a great opportunity to again provide cybersecurity professionals with a tool to help spread the word and educate end users about ransomware in simple terms. The following post from CrowdStrike Chief Information Security Officer Jerry Dixon is designed for cybersecurity professionals to share directly with their end users as an educational tool.
The term “phishing” dates all the way back to 1995. This cyberattack tactic has been used by a wide range of adversaries, from script kiddies to the most sophisticated nation-state actors. The biggest threat phishing presents to cybersecurity professionals is not the tactic itself (described below) but the damage it can cause.
One of the most effective ways to protect against this threat is to teach people how to spot a phishing attempt and why they must report it to the right people. In the following blog post, I describe the phishing threat and outline the best practices for tackling this persistent problem.
Let’s start with an explanation of this important piece of adversarial tradecraft. Phishing is a social engineering technique that uses email to entice or trick unsuspecting people into clicking web links or opening attachments that appear legitimate but are designed to compromise the recipient’s machine or trick the recipient into revealing credentials or other sensitive information. Adversaries, whether individual criminals or nation-states, craft such messages to appear legitimate: a phishing email can appear to come from your bank, employer or boss, or it can coerce information out of you by pretending to be, for example, a government agency. Whether the adversary is an individual criminal or a nation-state determines the motivation behind the phishing attempt. Motivations are many and varied; in a phishing email an adversary may attempt to:
- Steal account credentials to siphon funds from you or your company
- Steal your work account credentials to access your employer
- Deploy malicious software that will allow them to gain entry to your work or home computer or access your network to steal intellectual property
To craft a spear-phishing email, the adversary typically collects information about their targets that’s readily available on corporate websites or social media such as LinkedIn, Facebook and Twitter.
The adversary uses such information to tailor highly personalized emails that entice the user to click on a link, aiming to pilfer sensitive information from their machine or network, or to use the information to target other employees through business email compromise and steal money from the organization. Phishing is challenging to fight with technology alone. While many solutions can help prevent such attacks, most are reactive rather than proactive, meaning that some phishing emails — upward of 20% with some solutions — will get through. And in some cases, such as when a company’s corporate email account is compromised and used to send phishing emails, anti-phishing technology won’t stop an email that’s sent from a legitimate source.
Stopping phishing, then, relies on more than just technology — it requires vigilance by everyone. People must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff. Here are five signs of a phishing attempt to watch for and report:
- An unexpected email that prompts you to take action such as changing a password, sending funds, buying gift cards or logging in to a website
- An email whose body appears to be legitimate, but was sent from a known free email site or an unfamiliar web domain (e.g., an email that appears to be from your local electricity provider but was actually sent from a @gmail account)
- An email with misspelled words, bad grammar or poor formatting
- An email that appears to contain suspicious file attachments
- An email containing web links that appear legitimate but are revealed to be from fake or unknown web domains when the cursor is hovered over them
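As an added illustration of signs 2 and 5 (this is example code, not part of Jerry Dixon's post), here is a small Python check run over a constructed sample email: it flags a sender that mails from a free-mail provider while claiming to be an organization, and links whose visible text names a different domain than the one they actually point to. The free-mail provider list, the sample message and the `.example` domains are assumptions, and the domain comparison is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: consumer free-mail providers a utility or employer would not send billing from.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def registered_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # crude: last two labels, no public-suffix list

def phishing_signs(raw_message):
    # Returns warnings for sign 2 (free-mail sender) and sign 5 (link text vs. real target).
    msg = message_from_string(raw_message)
    warnings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if display_name and sender_domain in FREE_MAIL_DOMAINS:
        warnings.append(f"'{display_name}' sends from free provider {sender_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        if "." not in text:  # 'Click here' style text names no domain to compare against
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            warnings.append(f"link shows {shown} but points to {actual}")
    return warnings

# Constructed sample: a fake utility bill sent from Gmail with a look-alike payment link.
SAMPLE = """From: Metro Power Billing <billing.metropower@gmail.com>

<p>Pay at <a href="http://metropower-secure.example/login">https://www.metropower.example/account</a> today.</p>
"""
```

Running `phishing_signs(SAMPLE)` yields one warning for the Gmail sender and one for the mismatched link; a message from a corporate domain whose link text matches its target yields none.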
Jerry Dixon is Chief Information Security Officer of CrowdStrike.
Additional Resources
- Learn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.
- Get a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.