Understand the attack kill chain to beat phishing

Johannesburg, 17 Nov 2021
Read time 3min 20sec
Riaan Naudé, director of consulting, F-Secure.
Riaan Naudé, director of consulting, F-Secure.

Phishing attacks have become so sophisticated that the average user will remain vulnerable, but by understanding the attack kill chain and putting defence measures in place at every stage, organisations can significantly reduce their risk. 

This is according to Riaan Naudé, UK director of consulting at F-Secure Corporation, who was addressing a webinar on Beating Phishing, hosted by iOCO and F-Secure.

Naudé said around 36% of breaches today have a confirmed instance of phishing. “It is an incredibly popular attacker action. The reality is that the people targeting and compromising businesses aren’t the stereotypical hackers sitting in basements arbitrarily targeting businesses – there are big, sophisticated organisations involved. Businesses need to take a holistic approach to protecting against phishing since no single or individual control will offer enough protection,” he said.

The cyber kill chain starts with external reconnaissance. “In this phase, attackers gather information about the target network, potential exploits and privileged employees. Attackers might even gather information about the technologies in use within an organisation by scanning technical job postings," Naudé said.

In the next phases of the attack, the attackers will craft a payload to email it to a user, and the code will execute. A command and control channel will be established, and persistent access is often obtained. Internal reconnaissance will then get underway, with attackers often spending some time understanding the victim’s networks and systems, before ultimately achieving their objective.

Said Naudé: “The first four phases need to be successfully completed for the attack to be successful, so organisations need to prevent those phases from being executed. They need to look at the business from an external perspective, considering what information they have exposed on the internet and social media, and which of it might be of use to the attacker.”

Paul Spagnoletti, business unit executive for Cloud & Security SA, iOCO.
Paul Spagnoletti, business unit executive for Cloud & Security SA, iOCO.

It is important to understand what sort of payloads attackers could deliver if they were able to phish the organisation, he said.

“You can start by sending benign payloads such as macro enabled word documents to your own email, to see what sort of payloads can be delivered to your environment. It’s also important to look at whether users would actually recognise a phishing email – and this requires training and exposing users to actual phishing emails.”

Naudé said organisations also needed to evaluate what their web and mail gateways allow to enter the environment. “Look at how payloads might execute and ensure that you have the right solutions in place to stop them. Then, even if all three of the first steps were successful, the command and control phase provides another opportunity for us to stop the attack. By understanding what is possible at all of these phases; and looking at the environment through an attacker’s perspective, you can better understand and mitigate your risks."

Paul Spagnoletti, business unit Executive for Cloud & Security SA at iOCO, said: “Cyber crime is the new world war and I don’t believe it will ever go away. It’s not some kid playing around in a dark room, these are highly sophisticated, structured criminal organisations doing this word 24/7. We may never get ahead of them, but we are getting much better at mitigating the risk.

“Cyber security is complex and extremely broad, so to manage this we have partners like F-Secure to deliver a solution stack that helps organisations protect their environments. We take a holistic approach to cyber security. We also have a SOC and SEIM at iOCO to provide targeted or broad managed services,” he said.

See also