Abstract:

Telling users to ‘avoid clicking bad links’ still isn’t working, by David C., Technical Director for Platforms Research and Principal Architect, NCSC (UK)

Why organisations should avoid ‘blame and fear’, and instead use technical measures to manage the threat from phishing.

Infosec tenets simply don’t work

Advising users not to click on bad links does not work: users frequently need to click links from unfamiliar domains to do their job, and being able to spot a phish is not their job.

Mitigating credential theft for organisational services

Mitigating malicious downloads through defence in depth

Implementing enterprise-level technical measures greatly reduces the chance of a successful attack on your network.

Preventing delivery of phishing email:

  • use email scanning and web proxies to remove some threats before they reach users
  • publish SPF and DMARC policies for your own domains, and enforce them on inbound mail, to significantly reduce delivery of spoofed emails to users
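As an added example (not part of the NCSC page), the following PowerShell function reads a domain's SPF and DMARC TXT records and reports whether they actually tell receivers to reject spoofed mail, which is the part organisations most often get wrong (an SPF record ending in `~all` with DMARC `p=none` changes nothing for the recipient). The sample records are constructed; `Get-MailAuthRecords` fetches real ones with the built-in `Resolve-DnsName` cmdlet. The SPF lookup count is a simple heuristic, not a full RFC 7208 evaluator.

```powershell
# Added example: check that SPF and DMARC are enforcing, not just present.
function Test-MailAuthPolicy {
    param([string[]]$SpfRecords, [string[]]$DmarcRecords)
    $r = [ordered]@{ SpfPresent = $false; SpfEnforcing = $false
                     DmarcPresent = $false; DmarcPolicy = 'none'; Findings = @() }

    # --- SPF: exactly one v=spf1 record, ending in -all, within the 10-lookup limit ---
    $spf = @($SpfRecords | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0)     { $r.Findings += 'No SPF record: receivers cannot check the envelope sender' }
    elseif ($spf.Count -gt 1) { $r.Findings += 'Multiple SPF records: RFC 7208 treats this as a permanent error' }
    else {
        $r.SpfPresent = $true
        if     ($spf[0] -match '\s-all\s*$') { $r.SpfEnforcing = $true }
        elseif ($spf[0] -match '\s~all\s*$') { $r.Findings += 'SPF ends in ~all (softfail): only a DMARC policy makes this enforceable' }
        else                                 { $r.Findings += 'SPF has no -all/~all terminator: effectively permits any sender' }
        # Heuristic count of mechanisms that cost a DNS lookup (include, a, mx, ptr, exists, redirect).
        $lookups = ([regex]::Matches($spf[0], '(?<=\s)(include:|a(?=[:\s])|mx(?=[:\s])|ptr|exists:|redirect=)')).Count
        if ($lookups -gt 10) { $r.Findings += "SPF needs about $lookups DNS lookups; above 10 receivers return permerror" }
    }

    # --- DMARC: p=quarantine/reject, applied to 100% of mail, subdomains included, with reporting ---
    $dmarc = @($DmarcRecords | Where-Object { $_ -match '^v=DMARC1\b' })
    if ($dmarc.Count -eq 0) { $r.Findings += 'No DMARC record: SPF/DKIM failures carry no instruction for the receiver' }
    else {
        $r.DmarcPresent = $true
        $tags = @{}
        foreach ($pair in ($dmarc[0] -split ';')) {
            if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        if ($tags.ContainsKey('p')) { $r.DmarcPolicy = $tags['p'] }
        if ($r.DmarcPolicy -eq 'none')   { $r.Findings += 'DMARC p=none: monitoring only, spoofed mail is still delivered' }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $r.Findings += "DMARC pct=$($tags['pct']): policy applied to only that share of mail" }
        if ($tags['sp'] -eq 'none')      { $r.Findings += 'DMARC sp=none: subdomains can still be spoofed' }
        if (-not $tags.ContainsKey('rua')) { $r.Findings += 'No rua= address: you will receive no aggregate reports' }
    }
    [pscustomobject]$r
}

# Fetch live records; TXT answers longer than 255 bytes come back as several strings, so rejoin them.
function Get-MailAuthRecords {
    param([string]$Domain)
    $spf   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { -join $_.Strings }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { -join $_.Strings }
    Test-MailAuthPolicy -SpfRecords @($spf) -DmarcRecords @($dmarc)
}

# Constructed sample: "present but not enforcing", a very common state. Expect findings on ~all and p=none.
Test-MailAuthPolicy -SpfRecords  @('v=spf1 ip4:198.51.100.0/24 include:_spf.example.net ~all') `
                    -DmarcRecords @('v=DMARC1; p=none; rua=mailto:dmarc@example.com')

# Constructed sample: the enforcing form you want to reach. Expect no findings.
Test-MailAuthPolicy -SpfRecords  @('v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all') `
                    -DmarcRecords @('v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com')
```

Run `Get-MailAuthRecords example.com` against each domain you send mail from, and remember that a DMARC policy only rejects mail that fails both SPF and DKIM alignment, so DKIM signing on every legitimate sending service is still needed before moving to `p=reject`.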

Preventing execution of initial code:

  • put in place allow-listing so that executables cannot run from any directory to which a user can write
  • for anything not covered by allow-listing, use registry settings to ensure that dangerous scripting and file types are opened in Notepad rather than executed; for PowerShell, minimise risk with constrained language mode and script signing
  • disable the mounting of .iso files on user endpoints
  • make sure that macro settings are locked down (see the NCSC’s guidance on macro security) and that only users who absolutely need them – and are trained on the risks they present – can use them
  • enable attack surface reduction rules
  • ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files
  • keep up to date with current threats with wider reading about any new attack vectors emerging
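The endpoint bullets above all map to concrete Windows settings. As an added example (not the NCSC's own script), the PowerShell below applies them on a single Windows 10/11 host with built-in cmdlets so the registry and Defender side of each bullet is visible; in production the same settings are delivered by Group Policy or Intune, which also overrides local edits. The ProgID lists, the choice of ASR rules, the principals treated as low-privilege and the Office version path (`16.0`) are assumptions to adjust for your estate, and the ISO step relies on the class registration as shipped in current Windows builds, which feature updates can restore.

```powershell
#Requires -RunAsAdministrator
# Added example: endpoint hardening steps for the "preventing execution of initial code" list.

# 1. Dangerous script types open in Notepad instead of the Windows Script Host / mshta.
#    Writes through HKCR land in HKLM\Software\Classes; a per-user override under
#    HKCU\Software\Classes would still win, so audit those too.
$notepad = "$env:SystemRoot\System32\notepad.exe"
foreach ($progId in 'JSFile','JSEFile','VBSFile','VBEFile','WSFFile','WSHFile','htafile') {
    $cmd = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (Test-Path $cmd) { Set-ItemProperty -Path $cmd -Name '(default)' -Value "`"$notepad`" `"%1`"" }
}

# 2. Stop Explorer mounting attacker-supplied disc images on double-click by removing the
#    "mount" verb from the machine-wide class registration (assumed key layout).
foreach ($progId in 'Windows.IsoFile','Windows.VhdFile') {
    $mount = "HKLM:\SOFTWARE\Classes\$progId\shell\mount"
    if (Test-Path $mount) { Remove-Item -Path $mount -Recurse -Force }
}

# 3. PowerShell: require signed scripts. Execution policy is a safety catch, not a security
#    boundary; Constrained Language Mode is what limits an attacker's script, and it is
#    switched on when AppLocker/WDAC enforces script rules, so verify it afterwards.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
"PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"   # want ConstrainedLanguage

# 4. Office macros, using the policy hive keys that GPO/Intune write. VBAWarnings 4 disables
#    all macros without notification; use 3 (digitally signed only) for the few users who need
#    them. blockcontentexecutionfrominternet blocks macros in files carrying Mark-of-the-Web.
foreach ($app in 'Word','Excel','PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 5. Attack surface reduction rules most relevant to phishing payloads. Start in AuditMode,
#    review event ID 1122 in Microsoft-Windows-Windows Defender/Operational, then set Enabled.
$asr = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JavaScript/VBScript launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Execution of potentially obfuscated scripts'
}
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 6. Allow-listing sanity check. AppLocker/WDAC default rules allow everything under
#    %SystemRoot% and %ProgramFiles%, but some subdirectories there are user-writable
#    (C:\Windows\Tasks, C:\Windows\Temp and C:\Windows\tracing are the classic ones), so
#    "executables cannot run from any user-writable directory" is only true once each of
#    these gets an explicit deny or exception rule. Slow on a full Windows tree.
function Find-UserWritableDirectory {
    param([string[]]$Root = @($env:SystemRoot, $env:ProgramFiles))
    $lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeBits) -ne 0)
        }
        if ($hit) { $_.FullName }
    }
}
Find-UserWritableDirectory
```

Feed the directories `Find-UserWritableDirectory` returns into AppLocker path exceptions (or, better, move to publisher rules) rather than trusting the default path rules, and keep the ASR rules in audit mode long enough to see which line-of-business tools trip them before enforcing.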

Preventing further harm:

  • allow-listing is again a powerful way to prevent further harm once a malicious file is opened
  • DNS filtering tools, such as PDNS (for UK public sector and also the private sector) can block suspicious connections and prevent many early-stage attacks
  • organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts

Source: National Cyber Security Centre (UK)