INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION

Phishing Guidance, Stopping the Attack Cycle at Phase One

October 29, 2023 12:49 PM | Anonymous

Reposted from CISA

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce the likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.

Phishing is a form of social engineering that malicious actors commonly use with the intent to get their targeted victims to visit an illegitimate website or to download malware. To help organizations better understand this activity, this guide categorizes phishing into two common tactics: phishing to obtain login credentials and phishing to deploy malware. It expands upon the two tactics by detailing the techniques frequently used by these actors, such as impersonating supervisors or trusted colleagues, using voice over internet protocol to spoof caller identification, and using publicly available tools to facilitate spear phishing campaigns.

With our NSA, FBI, and MS-ISAC partners, CISA produced this guide to provide practical, actionable steps to reduce the effectiveness of phishing as an initial access vector. Many of the controls described in this guide can be implemented by technology vendors, reducing burden and increasing security at scale.  

This guide also recommends that software manufacturers incorporate secure-by-design principles and tactics into their software development practices. The authoring agencies provide several recommendations to reduce the likelihood of phishing emails reaching users and of users interacting with those emails.

In addition to the joint guide, CISA published a blog with more information on phishing and this joint guide.  

All organizations, from small and medium-sized businesses to software manufacturers, are encouraged to review this joint guide and blog to better understand evolving phishing techniques and implement tailored cybersecurity controls and best practices to reduce the risk of compromise.

