One of today’s most challenging security issues for the enterprise is stopping social engineering attacks. This is a common entry point for many attackers, and any organization can fall victim. Look at the recent attacks on the SANS Institute and, of course, Twitter. Despite the frequency and potency of social engineering attacks, organizations often have inadequate security controls and incident response plans in place.
Every organization will have its own definition of what an acceptable level of risk is and should make strong security decisions and investments backed by their risk threshold. Beyond employee training and education, organizations will want to focus on getting the basics right to ensure there are layers of controls in place to make them more resilient even if their users fall victim to social engineering.
In this eWEEK article, Associate Vice-President of Consulting Dan Wood at Tempe, Ariz.-based security firm Bishop Fox provides businesses with best practices that can be applied to enforce the strongest possible security posture to help strengthen an organization’s social engineering defensive strategy.
Here are his most important tips and best practices:
Best Practice No. 1: Ensure that your organization doesn’t expose itself via open mail relays.
These increase the risk of email spoofing because they allow unauthenticated email to be sent from outside into the organization, which makes phishing harder to defend against since the emails look legitimate to internal users. By implementing strict user authentication and IP authorization at the mail gateway, you can take this opportunity away from the attacker.
Best Practice No. 2: Use email filtering processes.
Some email security controls provide filtering that can strip all attachments and links from external email, preventing the execution of malicious attachments and clicks on links that lead to drive-by downloads. They can also label external email with a designator such as [EXTERNAL] in the subject line and/or body when it is received, or place a colored warning bar across the message. This helps reduce the chance that an attacker can pretext a victim by posing as an internal user.
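As an added illustration (not code from the article or from Bishop Fox), a Python sketch of the gateway behaviour described above: mail whose sender domain is outside the organization gets [EXTERNAL] in the subject, its attachments are removed and its links are defanged, while internal mail passes untouched. The internal domain example.com and the sample message are assumptions.

```python
"""Gateway filter for external mail: label, strip attachments, defang links.
Added example, not the article's or Bishop Fox's code; example.com is an
assumed internal domain and the sample message is constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domain(s)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
BANNER = "*** EXTERNAL: links disabled and attachments removed by the gateway ***\n\n"

def is_external(msg: EmailMessage) -> bool:
    """External when the From address domain is not one of ours."""
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS

def defang(text: str) -> str:
    """Break the URL scheme so mail clients no longer render it as a link."""
    return URL_RE.sub(lambda m: m.group(0).replace(":", "[:]"), text)

def filter_message(raw: str) -> tuple:
    """Return (message to deliver, names of attachments that were stripped)."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg, []  # internal mail passes through untouched
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    stripped = [a.get_filename() or "unnamed" for a in msg.iter_attachments()]
    clean = EmailMessage(policy=policy.default)
    for h in ("From", "To"):
        clean[h] = str(msg[h] or "")
    clean["Subject"] = f"[EXTERNAL] {msg['Subject'] or ''}".rstrip()
    note = f"\n[gateway removed attachments: {', '.join(stripped)}]\n" if stripped else ""
    clean.set_content(BANNER + defang(text) + note)
    return clean, stripped

def build_sample() -> str:
    """Constructed message: external sender, one link, one attachment."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "Payroll <payroll@example-vendor.net>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Updated invoice"
    m.set_content("Please review at https://example-vendor.net/invoice\n")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_string()
```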
Best Practice No. 3: Analyze suspected email as often as possible.
Security controls such as Cofense PhishMe provide an email client plug-in, PhishMe Reporter, that lets an end user submit a suspected phishing email for analysis. It also enables an organization’s SOC to rapidly delete all occurrences of the offending email from user mailboxes, preventing further spread when a phishing campaign has been cast with a wide net. Other security controls have similar capabilities and should be reviewed to see what works best for the organization.
Best Practice No. 4: Educate defenders about attacker tactics.
If you do fall victim to a social engineering attack, knowing how attackers operate and educating your defenders on these tactics will be helpful when they’re tasked with monitoring the networks and identifying the exfiltration of data.
Best Practice No. 5: Remove unneeded administrative accounts.
Remove privileged and administrative accounts wherever they are not absolutely needed, and use a just-in-time secrets management system; if an end user is successfully phished, this limits the access rights an attacker starts with when establishing a foothold.
Best Practice No. 6: Install a credential check-out process.
For privileged and administrative accounts, institute a credential check-out process that requires a two-part approval process with justification review and the ability to automatically expire credential access after a set period of time.
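An added example, not the article's own code, of the just-in-time check-out process from Best Practices No. 5 and 6 in Python: a request needs a reviewable justification, two distinct approvers who are not the requester, and the lease expires on its own. The approver names, the one-hour TTL and the lease handle format are assumptions.

```python
"""Just-in-time credential check-out with two-person approval and expiry
(Best Practices No. 5 and 6). Added example, not the article's code; the
approver roles, TTL and handle format are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Checkout:
    requester: str
    account: str
    justification: str
    approvals: set = field(default_factory=set)
    issued_at: Optional[datetime] = None
    ttl: timedelta = timedelta(hours=1)  # assumed default lease length

class PrivilegedVault:
    def __init__(self, approvers):
        self.approvers = set(approvers)  # people allowed to sign off
        self.checkouts = {}

    def request(self, rid, requester, account, justification):
        # The justification is what reviewers actually read, so demand one.
        if len(justification.split()) < 5:
            raise ValueError("justification too short to review")
        self.checkouts[rid] = Checkout(requester, account, justification)

    def approve(self, rid, approver):
        co = self.checkouts[rid]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver")
        if approver == co.requester:
            raise PermissionError("requesters cannot approve their own check-out")
        co.approvals.add(approver)  # a set, so one person cannot count twice

    def checkout(self, rid, now=None):
        co = self.checkouts[rid]
        if len(co.approvals) < 2:
            raise PermissionError("two distinct approvals required")
        co.issued_at = now or datetime.now(timezone.utc)
        return f"lease:{co.account}:{rid}"  # stand-in for the real secret handle

    def is_active(self, rid, now=None):
        """False once the lease has expired; the user must request again."""
        co = self.checkouts[rid]
        now = now or datetime.now(timezone.utc)
        return co.issued_at is not None and now < co.issued_at + co.ttl
```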
Best Practice No. 7: Deploy user-behavior analytics.
Establish user baselines with user and entity behavior analytics (UEBA) to serve as an early alert system if your endpoint controls fail; you may then be able to detect an attack from deviations in usage and access patterns relative to those baselines.
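An added example in Python (not code from the article or from any UEBA product) of the baseline-and-deviation idea: build per-user baselines of active hours, source addresses and resources from an activity log, then score new events by how far they depart from that baseline. The log format, user names and addresses are constructed.

```python
"""UEBA-style baseline and deviation scoring (Best Practice No. 7). Added example,
not the article's or a vendor's code; log format, users and addresses are constructed."""
from collections import defaultdict
from datetime import datetime
# Constructed week of normal activity: "<timestamp> <user> <source-ip> <resource>"
BASELINE_LOG = """\
2020-08-03T08:55:10Z alice 10.1.4.22 share:finance
2020-08-04T13:02:31Z alice 10.1.4.22 share:finance
2020-08-05T09:10:02Z alice 10.1.4.22 app:erp
2020-08-03T07:30:00Z bob 10.1.7.9 repo:build
"""
# Constructed events to score; the last two model alice's account after a phish.
NEW_EVENTS = """\
2020-08-10T09:05:00Z alice 10.1.4.22 share:finance
2020-08-10T02:17:40Z alice 10.1.4.22 share:finance
2020-08-10T10:00:00Z alice 203.0.113.8 share:hr
"""

def parse(log):
    """Yield (user, datetime, source, resource) per log line."""
    for line in log.splitlines():
        ts, user, src, res = line.split()
        yield user, datetime.fromisoformat(ts.replace("Z", "+00:00")), src, res

def build_baseline(log):
    """Per user: hours seen active, source addresses used, resources touched."""
    base = defaultdict(lambda: {"hours": set(), "sources": set(), "resources": set()})
    for user, when, src, res in parse(log):
        for key, value in (("hours", when.hour), ("sources", src), ("resources", res)):
            base[user][key].add(value)
    return base

def score(event, baseline):
    """One point per deviation from the user's baseline; unknown users score highest."""
    user, when, src, res = event
    b = baseline.get(user)
    if b is None:
        return 3, ["no baseline for user"]
    reasons = []
    # Circular hour distance, so 23:00 and 01:00 count as two hours apart.
    if min(abs((when.hour - h + 12) % 24 - 12) for h in b["hours"]) > 1:
        reasons.append(f"unusual hour {when.hour:02d}:00")
    if src not in b["sources"]:
        reasons.append(f"new source {src}")
    if res not in b["resources"]:
        reasons.append(f"first access to {res}")
    return len(reasons), reasons

def detect(events, baseline, threshold=1):
    """Alerts as (user, timestamp, score, reasons) for events at or above threshold."""
    scored = ((ev, *score(ev, baseline)) for ev in parse(events))
    return [(ev[0], ev[1].isoformat(), s, why) for ev, s, why in scored if s >= threshold]
```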
Best Practice No. 8: Use machine learning in the SOAR process.
Similarly, as you generate baselines of activity for users and entities, you can enrich your data with intelligence and begin applying machine learning through security orchestration, automation and response (SOAR) technologies and controls. Instead of relying on a human analyst to review every potential incident, SOAR solutions automate repeatable and mundane tasks, which lets analysts focus on more complicated security issues and investigations. SOAR technologies provide scalability and speed to organizations that have a hard time manually identifying threats and responding to them.
Best Practice No. 9: Start a no-fault social engineering testing program.
Lastly, a no-fault social engineering testing program is a good way to test employees via phishing and other social engineering techniques. Ensure end-user profiles are created that record which assets and data each user has access to. Knowing what could be exposed if an end user is compromised may inform which controls you put in place and where – not all controls are equal for every user. Some users may require unique controls based on their business processes and technical aptitude, while others may not be exposed to critically sensitive information or processes.