Wherever you look in the world of cybersecurity, you can pretty much guarantee that social engineering, most often in the form of phishing, will be involved at some point, be that through emails with malicious links, the use of AI to generate convincing messages, or sophisticated deepfakes that can almost fool even a cybersecurity professional at times. Getting the right advice to mitigate the chances of becoming a victim of the phishing cybercriminal is essential if you are to maintain a robust security posture in the face of this ongoing threat. You might not have considered looking to the National Security Agency for that advice, but here we are, looking at the NSA’s phishing guidance: stopping the attack cycle at phase one.
The NSA Provides Common-Sense Cybersecurity Advice For All
Although published almost exactly a year ago, in October 2023, the NSA phishing guidance document, Phishing Guidance: Stopping the Attack Cycle at Phase One, remains a go-to publication for common-sense cybersecurity advice for organizations of all sizes as well as consumers. You probably don’t need an explainer as to what phishing is, or the end goals of those who execute it, but the TL;DR from the NSA report sums it up nicely enough: malicious actors lure victims to malicious sites, or into executing malicious files, in order to obtain login credentials for initial account access or to deploy malware for ongoing threat campaigns.
This down-to-earth and easy-to-understand tone continues through what could be a stodgy and boring technical treatise in the wrong hands. Luckily, the right hands are the NSA, Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation and Multi-State Information Sharing and Analysis Center analysts who authored this document.
Its aim is to help reduce the success of phishing attacks at obtaining credentials and deploying malware, and it is as simple as that. Thankfully, the mitigation guidance is pretty simple as well. Obviously, which mitigations you implement, and how, will vary depending upon the nature of your organization, the size, sector and complexity of your business, or whether you are just a consumer looking for solid-gold security recommendations. So, you do need to read the entire thing and take from it the information that is the right fit for you. Luckily, the authors make this pretty easy to do.
Restrict Windows And macOS User Rights, Implement Google Safe Browsing, NSA Says
Protecting login credentials is at the top of the advice when it comes to mitigating any phishing attack as this is, more often than not, the end goal of the campaign. Therefore, the obvious user awareness training and application of multi-factor authentication are recommended straight off the bat, with the practitioner’s caveat that only phishing-resistant forms, such as FIDO security keys or PKI-based smart cards, hold up against the real-time relay kits phishers now use to capture one-time codes along with the password. The NSA goes further though, and I’m happy to say includes a recommendation to implement Domain-based Message Authentication, Reporting, and Conformance, publishing a policy for your own domain and honouring it on all emails received. I’ve been banging the DMARC authentication drum for some time now, along with the likes of Google it has to be said. DMARC builds on Sender Policy Framework, which lists the servers authorised to send mail for a domain, and DomainKeys Identified Mail, which cryptographically signs outgoing messages; it ties both checks to the domain the recipient actually sees in the From header and tells receiving servers what to do with mail that fails. Note that it only bites once the policy is set to quarantine or reject; a monitor-only p=none record authenticates nothing. Phishing campaigns exist because of deception, and anything that clears the muddy glass is to be welcomed.
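To make the p=none caveat concrete, here is an added example, not code from the NSA document or from Google, that parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable: a monitor-only or partial DMARC policy, a missing reporting address, and an SPF record that never actually fails unauthorised senders. The domain names and records are constructed for illustration; in practice you would feed it the output of a TXT lookup for your own domain and `_dmarc.` subdomain.

```python
"""Audit SPF and DMARC TXT records for the gaps that keep a domain spoofable.
Added example, not part of the NSA guidance; the records below are constructed."""
import re

# Constructed records for a hypothetical domain, as a TXT lookup of
# example.com and _dmarc.example.com might return them.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com",
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings a phisher could exploit; an empty list means full enforcement."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: receivers still deliver spoofed mail to the inbox")
    elif policy == "quarantine":
        findings.append("p=quarantine lands spoofed mail in junk; move to p=reject once reports look clean")
    elif policy != "reject":
        findings.append(f"invalid or missing policy p={policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves every subdomain open to spoofing")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing your domain")
    return findings


def assess_spf(record: str) -> list:
    """Flag SPF terms that fail to reject forged senders or break evaluation."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = terms[1:]
    findings = []
    # The 'all' mechanism decides the fate of every sender not listed before it.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("?all is neutral: forged mail neither passes nor fails")
        elif qualifier == "~":
            findings.append("~all is a softfail: pair it with DMARC p=reject so receivers act on it")
    lookups = sum(1 for t in terms if _LOOKUP_MECHANISM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def audit(records: dict) -> dict:
    """Run the right check over a {name: txt} mapping and return findings per record."""
    results = {}
    for name, txt in records.items():
        results[name] = assess_dmarc(txt) if name.startswith("_dmarc.") else assess_spf(txt)
    return results


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS).items():
        print(f"{name}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed records, the script reports the SPF softfail and the monitor-only DMARC policy; swapping in `p=reject` and `-all` clears both, which is the end state the guidance is steering you towards.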
The second end goal of phishing campaigns, although which of the two comes first depends on the attacker and the campaign at the time, is malware distribution. Preventing malware execution is, therefore, also addressed at length in the document. I suggest you read the entire thing to get a handle on this, but there are two mitigations that I consider to be often overlooked yet are so easy to implement that I wanted to cover them here: admin rights and web browsing protections.
The NSA recommends restricting the administrative rights available to users of both Windows and macOS. Apply the principle of least privilege when doing this, meaning admin access is only available to those accounts that actually need it for the work they do and nobody else; a phishing payload runs with the rights of whoever opened it, so a standard-user account limits what it can install, persist or disable. Consumers can jump on this restricted rights bus as well. Simply set up an admin account protected by a strong password in addition to a separate user account without admin rights. Use the user account for your day-to-day computing and, if something potentially risky such as installing software is required, the operating system will ask you to enter your admin credentials. That prompt is also the moment to stop and ask why a document or a link needs to install anything at all.
Next comes the web browsing bit: the NSA says you should implement free security tools to help mitigate the risk of attack while browsing. CISA has an entire page of such resources to choose from, but the NSA document cuts straight to the chase and recommends one of the most straightforward for the majority of users: Google Safe Browsing. I would also add Google’s Chrome Safety Check feature to the list, as this can notify the user if any installed extensions could be posing a security threat.