Phishing is a social engineering attack that exploits the trust and habits of legitimate system users rather than a flaw in the technology they use.
This type of attack earned its name because, like its homophone "fishing," it uses bait. In a phishing attack, the bait is usually a convincing email. Attackers go to great lengths to make these emails appear legitimate: a familiar sender name, the organization's own branding, and a plausible reason to act quickly. The email most commonly directs the recipient to an attacker-controlled website that delivers malware or captures the credentials the user types in.
Phishing bypasses technical security controls by exploiting the human component, and a single successful message can render those controls useless. Spear phishing, which targets specific individuals with content tailored to their role, may allow attackers to gain a foothold in the organization's systems while the organization remains unaware.
These attacks deliver malware that gives the attacker control of the victim's machine, providing an otherwise external adversary with remote access to the internal network.
Attacks also often yield users' credentials, which can provide access to restricted systems or data. Privileged access on a compromised computer, or valid credentials to an organization's systems, lets an attacker bypass many technical security controls, pivot to other systems, and escalate access to further data. Ultimately this can result in the complete compromise of an organization: theft of customer and employee data, source code leaks, website defacement, and so on.
How well an organization holds up against phishing is one measure of its security posture. Ideally, layered controls stop the attack at some stage: the spam filter or email security gateway blocks the illegitimate message; anti-virus or endpoint protection blocks the malware; or, at the very least, the outbound firewall (or a network intrusion detection system (IDS) watching egress traffic) blocks or flags communication with the attacker's infrastructure.
If these measures fail (or do not exist), properly configured domains and user accounts, with least privilege applied to both, greatly limit how far an attacker can penetrate the organization. Since phishing targets the human component, social engineering awareness training should be a company-wide requirement.
There is no one-size-fits-all solution; an organization must tailor its defenses to its own business needs. To identify the areas needing improvement, many firms start with a red team assessment, which mimics a realistic attack scenario that leverages social engineering techniques. On completion, the assessors can prescribe tailored mitigations to strengthen the organization's security posture.
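To make the first of those controls concrete, here is a small Python checker, added as an example for this page and not taken from any product or from the original article, that applies three heuristics a mail gateway typically runs before a message reaches an inbox: the SPF/DKIM/DMARC verdicts the receiving server recorded in the Authentication-Results header, a display name that carries an address from a domain other than the real sender's, and link text that shows one host while the href points at another. Both messages are constructed samples; the domains example.com, bulk-sender.net and login-verify.net are placeholders chosen for the illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lure impersonating the helpdesk. The Authentication-Results
# header is what the receiving mail server (mx.example.com) would have added.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk (helpdesk@example.com)" <alerts@bulk-sender.net>
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires in 2 hours. Please verify your account now:</p>
<p><a href="http://example-com.login-verify.net/reset">https://sso.example.com/reset</a></p>
</body></html>
"""

# Constructed sample: a genuine internal notice, for contrast.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset=utf-8

<html><body><p>Status page: <a href="https://sso.example.com/status">https://sso.example.com/status</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of phishing indicators found in an RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender authentication verdicts recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    verdicts = {m.lower(): v.lower()
                for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    # 2. Display-name spoofing: the friendly name shows a trusted address while
    #    the actual sender address belongs to a different domain.
    from_header = msg["From"]
    for addr in (from_header.addresses if from_header else ()):
        sender_domain = addr.domain.lower()
        for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", addr.display_name):
            if claimed.lower() != sender_domain:
                findings.append(f"display name claims {claimed}, sent from {sender_domain}")

    # 3. Link text that displays one host while the href points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")

    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

The constructed lure trips all three checks (failed SPF and DMARC, no DKIM signature, a spoofed display name, and a mismatched link), while the genuine notice produces no findings. A real gateway would weight such indicators into a score and quarantine above a threshold; the point here is that each indicator is cheap to compute from headers and body alone, before any user sees the bait.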