
CISA, NSA, FBI publish phishing guidance

In its guidance, CISA focused on two primary goals of phishing attacks: obtaining login credentials, often via social engineering, and installing malware on target systems.


CISA, in coordination with the National Security Agency, FBI and Multi-State Information Sharing and Analysis Center, published guidance Wednesday to assist organizations with preventing phishing attacks.

The joint document, titled "Phishing Guidance: Stopping the Attack Cycle at Phase One," outlines common phishing techniques used by threat actors and instructs organizations at all levels on how to protect themselves. CISA covered two primary phishing objectives: obtaining login credentials and installing malware.

According to the guidance, threat actors attempt to phish organizations for login credentials through social engineering tactics such as impersonating a trusted colleague -- an IT administrator, for example -- or by using VoIP to spoof caller identification and pose as a trusted phone number. As for malware installation, threat actors often accomplish it through spam emails, using either malicious hyperlinks or attachments poisoned with macro scripts.

The agency provided a large number of suggested mitigations for both phishing types. To prevent the theft of login credentials, CISA recommended that organizations implement user training on social engineering and phishing attacks, enable DMARC for received emails, use FIDO or PKI-based multifactor authentication, and more.

DMARC, an email authentication protocol, enables organizations to set policies for emails sent and received by their users.

"DMARC, along with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), verify the sending server of received emails by checking published rules. If an email fails the check, it is deemed a spoofed email address, and the mail system will quarantine and report it as malicious," the guidance read. "These tools reject any incoming email that has a domain that is being spoofed when a DMARC policy of reject is enabled."

To prevent phishing intended to result in the installation of malware, CISA advised organizations to enable firewall rules and incorporate both allowlists and denylists at the email gateway level. The agency said organizations can use denylists to "block known malicious domains, URLs, and IP addresses as well as file extensions such as .scr, .exe, .pif, and .cpl and mislabeled file extensions (e.g., a .exe file that is labeled as a .doc file.)." A complete list of mitigations is available in the joint guidance.
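The gateway-level check described above, for denied extensions and for an executable labeled as a document, can be sketched as follows. This is an added example, not code from the joint guidance or from CISA; the function names, the sample message and the use of the Windows "MZ" header as the content check are assumptions made for illustration.

```python
from __future__ import annotations

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions quoted in the guidance's denylist examples.
DENIED_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl"}
# Windows PE executables begin with the bytes "MZ" (assumed content check).
PE_MAGIC = b"MZ"


def check_attachment(filename: str, payload: bytes) -> str | None:
    """Return the reason to block an attachment, or None if it passes."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext in DENIED_EXTENSIONS:
        return f"denied extension {ext}"
    # Mislabeled file: executable content behind a non-executable name.
    if payload.startswith(PE_MAGIC):
        return f"executable content labeled as {ext or 'no extension'}"
    return None


def scan_message(raw: bytes) -> dict[str, str]:
    """Map each blocked attachment name to the reason it was blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    blocked = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = check_attachment(name, part.get_payload(decode=True) or b"")
        if reason:
            blocked[name] = reason
    return blocked


def build_sample() -> bytes:
    """Constructed message: three attachments, two of which should be blocked."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name, data in [("invoice.doc", b"MZ\x90\x00stub"),
                       ("notes.txt", b"plain notes"),
                       ("setup.scr", b"\x00\x00")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()).items():
        print(f"BLOCK {name}: {reason}")
```

Checking the first bytes of the decoded payload is what catches the renamed executable, since the extension check alone passes `invoice.doc`.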

TechTarget Editorial contacted CISA for additional information regarding why the agency decided that now was the right time for phishing guidance, but the agency declined to comment. However, some context can be found in a Wednesday blog post written by CISA Senior Technical Advisor Bob Lord.

"When we see news of compromises that stem from phishing, it's all too easy to blame the victim organization for not having implemented all the mitigations that would have stopped the attack. With the benefit of 20/20 hindsight it's easy to see what went wrong. But the ease of compromises cannot be solely blamed on the defenders," Lord wrote. "We need to have a more robust industry-wide conversation about the products that are delivered to customers in a state that not only makes these attacks possible, but in many cases, inevitable."

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.
