In the final installment of our Fundamentals of Phishing blog series, we explore how to prevent phishing attacks.
To truly prevent email phishing attacks, including targeted spear phishing, we need to consider the 'Phishing Kill Chain'. It applies the principles of the popular Cyber Kill Chain methodology, an approach to network defense adapted from military targeting doctrine that becomes especially valuable once you expand the definition of "assets" to include your customers. If you're not familiar with the concept, CSO Online has an article on it that's appropriate for any level of pre-existing knowledge.
The Phishing Kill Chain in Context
| Military Kill Chain | Cyber Kill Chain | Phishing Kill Chain |
|---|---|---|
| Find | Reconnaissance | Targeting |
| Fix | Weaponization | Delivery |
| Track | Delivery | Deception |
| Target | Exploitation | Click |
| Engage | Installation | Surrender |
| Assess | Command & Control | Extraction |
| | Actions on Objectives | Act |
So what does the Phishing Kill Chain look like? Cybercriminals need to complete seven steps in order to conduct a successful phishing attack over email:
- Target: Decide who they're going to try to defraud and assemble an email list
- Deliver: Send messages to the people on their target list
- Deceive: Trick the recipient into following the message's call to action
- Click: Get the recipient to click the link and load the phishing site in their browser
- Surrender: Spur the recipient to enter their data or credentials into the phishing site, surrendering them to the criminals
- Extract: Transmit the stolen credentials or other information back to the criminals
- Act: Log on to the account in question and transfer money, use the stolen card number online or in person, or place an order to carry out the final fraud
The key point to note is that many security solutions aim to stop criminals later in the chain, such as at the Click, Surrender and Extract stages. But the earlier in the kill chain that controls can be inserted, the better the chance that organizations have of preventing their customers from being phished.
To that end, DMARC and Agari deliver a solution that cuts the chain at Delivery. A domain owner publishes a DMARC policy of p=reject in DNS, and receiving mail servers then reject any message whose From: header claims that domain but carries no SPF or DKIM authentication aligned with it, so a spoofed message never gets the chance to land in the inbox. One caveat worth keeping in mind: DMARC protects only the domains you publish it for, so messages sent from lookalike domains or from compromised legitimate accounts still have to be caught by controls later in the chain.
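The following is an added illustration of the Delivery-stage control described above; it is not code from Agari or from this post. It models the receiving mail server's DMARC evaluation: look up the From: domain's DMARC record, check whether SPF or DKIM passed for a domain aligned with it, and apply the published policy when neither did. The DNS records, message headers and SPF/DKIM verdicts are constructed inputs (a real receiver computes the verdicts itself), and the organizational domain is approximated by the last two labels rather than a public suffix list.

```python
"""DMARC policy evaluation as a receiving mail server applies it.

Added illustration, not code from Agari or from this blog post. It shows how a
p=reject policy cuts the Phishing Kill Chain at Delivery, and why a monitoring
policy (p=none) or a lookalike domain leaves the message to later controls.
Assumptions: DNS is replaced by an in-memory table, the SPF/DKIM verdicts are
supplied as inputs, and the organizational domain is approximated by the last
two labels (no public suffix list).
"""
import re

# Constructed stand-in for the TXT records a receiver would fetch from DNS at
# _dmarc.<domain>. example.com has moved to an enforcing policy; example.org is
# still in monitoring mode (p=none), which reports failures but rejects nothing.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None  # malformed or missing policy: DMARC does not apply
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def header_from_domain(headers):
    match = re.search(r"@([A-Za-z0-9.-]+)", headers["From"])
    return match.group(1).lower() if match else None


def evaluate(headers, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (disposition, reason). Disposition is 'none' for deliver,
    otherwise the policy action ('quarantine' or 'reject')."""
    from_domain = header_from_domain(headers)
    record = DMARC_RECORDS.get("_dmarc." + from_domain) if from_domain else None
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "none", "no DMARC policy published for %s" % from_domain
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "none", "DMARC pass"
    return policy["p"], "DMARC fail: no aligned SPF or DKIM, policy p=%s" % policy["p"]


# Constructed test messages: (headers, SPF result, SPF-authenticated domain,
# DKIM result, DKIM signing domain). attacker.test sends from its own servers,
# so SPF for its MAIL FROM domain passes but is not aligned with the header From.
SPOOF_ENFORCED = ({"From": "Support <alerts@example.com>"}, "pass", "attacker.test", "none", None)
SPOOF_MONITOR_ONLY = ({"From": "Support <alerts@example.org>"}, "pass", "attacker.test", "none", None)
LEGITIMATE = ({"From": "alerts@example.com"}, "pass", "example.com", "pass", "example.com")
LOOKALIKE = ({"From": "Support <alerts@examp1e.com>"}, "pass", "examp1e.com", "pass", "examp1e.com")

if __name__ == "__main__":
    for name, msg in [("spoof of enforced domain", SPOOF_ENFORCED),
                      ("spoof of monitor-only domain", SPOOF_MONITOR_ONLY),
                      ("legitimate mail", LEGITIMATE),
                      ("lookalike domain", LOOKALIKE)]:
        print("%-30s -> %s (%s)" % (name, *evaluate(*msg)))
```

Running the script shows the three outcomes that matter when rolling out DMARC: the spoof of the enforced domain is rejected, the spoof of the monitor-only domain is still delivered (p=none only generates reports), and the lookalike domain is untouched because no policy covers it, which is exactly the gap the later kill-chain controls must close.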
Even beyond initial rejection, Agari uses DMARC forensic (failure) report data to extract threat details and provide them to takedown vendors, who validate and classify the threat. This intelligence is then passed on to Google and Microsoft for inclusion in their anti-phishing lists so that browsers block the phishing sites. This makes the controls at step 4 in the kill chain, the Click, far more effective against emerging threats.
If your organization is serious about preventing phishing and defending your customers as well as your brand reputation, you need to be deploying systems that help you move up the kill chain. Only then can you reduce the chance of your organization and its customers falling victim to the growing pain of phishing attacks.