
Feds Issue Guidance on Stopping the Phishing Attack Cycle at Phase One

Phishing is one of the most common methods used by malicious actors to gain initial access to internal networks. Phishing is a form of social engineering where victims are tricked into disclosing their credentials or visiting a malicious website where malware is downloaded. Stolen credentials are used to access accounts and sensitive data, and the malware downloaded gives threat actors persistent access to internal networks and allows them to perform a range of nefarious activities. A large percentage of data breaches on the Office for Civil Rights (OCR) breach portal started with a response to a phishing email.

Defending against phishing attacks can be challenging. While cybersecurity solutions such as spam filters and secure email gateways can be implemented, phishing emails often bypass these defenses and land in inboxes. Network defenders often blame successful phishing attacks on users who opened the emails, followed links, or disclosed their credentials, but the emails can be difficult to identify, and it is impossible to completely prevent human error even with regular security awareness training.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently issued guidance for network defenders to help them improve their defenses against phishing and build a defense system against phishing that accounts for inevitable human error.

The joint guidance separates the two main tactics used in phishing attacks to create a clear mental model about what threat actors are doing, as this makes it easier to adopt appropriate mitigations. The first tactic is phishing attacks that are conducted to steal credentials. These attacks are most commonly associated with email, but they may also be conducted via messaging apps like Telegram, Signal, Slack, Facebook, Twitter, Teams, iMessage, and Google Chat, over the phone, or via SMS messages.


Email security solutions can block some phishing emails but will not block SMS-based attacks (smishing), voice phishing (vishing), or attacks via messaging apps. Security awareness training can improve resilience to phishing, but phishing messages can be difficult for humans to identify, and the use of AI in phishing makes identification even harder. CISA et al. instead recommend multi-factor authentication (MFA) as the primary mitigation for credential phishing and, to block MFA bypass attacks, phishing-resistant MFA such as FIDO authentication should be used.
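The reason FIDO-style MFA resists the MFA bypass (relay) attacks mentioned above is that the authenticator binds each assertion to the origin the browser is actually on. The following is a constructed, simplified model added here to illustrate that binding; it is not CISA's code or any vendor's implementation. It assumes a genuine origin, a look-alike origin, and an HMAC key standing in for the per-site asymmetric key pair a real authenticator would use.

```python
import hashlib
import hmac
import json
import os

# Constructed, simplified model (not CISA's or any vendor's code) of why
# origin-bound FIDO/WebAuthn-style authentication resists a relay phishing site.
# A real authenticator signs with a per-site asymmetric key pair; an HMAC key
# stands in for it here so the example runs with the standard library only.

RP_ORIGIN = "https://login.hospital.example"     # genuine site (constructed)
PHISH_ORIGIN = "https://login.hospita1.example"  # look-alike site (constructed)


class Authenticator:
    """Signs the challenge together with the origin the browser reports."""

    def __init__(self) -> None:
        self.key = os.urandom(32)

    def assertion(self, challenge: bytes, origin: str) -> dict:
        client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
        sig = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "sig": sig}


class RelyingParty:
    """The genuine site: accepts an assertion only for its own origin and challenge."""

    def __init__(self, origin: str, auth: Authenticator) -> None:
        self.origin, self.key = origin, auth.key  # key registered at enrolment

    def verify(self, challenge: bytes, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data["origin"] != self.origin or data["challenge"] != challenge.hex():
            return False  # produced for another site or another session
        expected = hmac.new(self.key, assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def direct_login(rp: RelyingParty, auth: Authenticator) -> bool:
    """User signs in on the genuine origin: accepted."""
    challenge = os.urandom(32)
    return rp.verify(challenge, auth.assertion(challenge, RP_ORIGIN))


def relayed_login(rp: RelyingParty, auth: Authenticator) -> bool:
    """A phishing page forwards the genuine challenge to the user, but the browser
    reports the look-alike origin, so the genuine site rejects the assertion.
    A one-time code typed into the same page would carry no such binding."""
    challenge = os.urandom(32)
    return rp.verify(challenge, auth.assertion(challenge, PHISH_ORIGIN))
```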

The second tactic in phishing is distributing malware, either via malicious attachments in messages or links to malicious websites where malware is downloaded. Defending against these attacks requires measures that can detect and block malware downloads and prevent malicious code from running, such as application allow-listing and running an endpoint detection and response (EDR) agent.

The focus of the guidance is not on scanning for malicious content, which is fine for email but not effective for other forms of phishing. CISA et al instead focus on the method of intrusion, as this approach allows defenders to take more granular steps to improve their security posture and deny adversaries an easy path into their networks.

“For too long, the prevailing guidance to prevent phishing attacks has been for users to avoid clicking on malicious emails. We know that this advice is not sufficient. Organizations must implement necessary controls to reduce the likelihood of a damaging intrusion if a user interacts with a phishing campaign – which we know many users do, in every organization,” said Sandy Radesky, Associate Director for Vulnerability Management, CISA. “With our NSA, FBI, and MS-ISAC partners, this guide provides practical, actionable steps to reduce the effectiveness of phishing as an initial access vector. We also know that many of the controls described in this guide can be implemented by technology vendors, reducing burden and increasing security at scale. We strongly encourage all organizations and software manufacturers to review this guide and implement recommendations to prevent successful phishing attempts – by design wherever possible.”

The Phishing Guidance – Stopping the Attack Cycle at Phase One – can be downloaded here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
