Internal Phishing Attacks
Phishing attacks are already difficult to defend against when they start from outside the organization. Phishing attacks that start from within the organization are especially nasty. Some of the challenges presented by internal phishing attacks relate to common approaches to user security and awareness training. Typically users are trained to verify the origin of the email. For example, users are told to look at the email’s sender name, the domain name, and the destination of hyperlinks. For an internal phishing attack, each of those attributes likely will appear safe, because the email is coming from a real sender, a trusted domain name, and many of the links may be trustworthy.
Recently Trend Micro reminded us of an especially effective attack campaign called Eye Pyramid. Eye Pyramid made use of internal phishing attacks for years, starting in 2008 and running into approximately 2014. The attackers used spear-phishing to harvest victims’ credentials. Then the attackers used the exploited accounts to identify additional targets and to phish other accounts. Some of the phishing included internal phishing. Their approach allowed the attackers to reach thousands of targets across the globe. Some of their victims were high profile targets, such as politicians, executives, and military leaders.
Emphasis On Process
One of the things that makes phishing attacks so effective is that they take advantage of the interaction between people and technology. Even if you secure the technology (using multifactor authentication, for example, to better secure credentials) and even if you secure the person (implementing, for example, training programs, segregation of duties, and performance evaluations), the process of how the person interacts with that technology may have weaknesses.
Addressing process may include simple things, such as prohibiting the use of company email for personal use. Company’s with moderate to high risk of phishing attacks may want to limit their use of attachments and links to one another and ask senders to alert their coworkers verbally before sending links and attachments. For very high profile targets, the safeguards might get even more restrictive, such as prohibiting the receipt of attachments, links, or–in extreme cases–any email whatsoever.
Regardless of the approach, the determination should be based on a risk assessment and consideration of the organization’s risk appetite.