Six Best Practices for a Pragmatic Approach to Phishing Resistance
Pragmatic phishing resistance has gone from a “nice to have” to a necessity. That is a notable shift: over the past few years, many security teams deprioritized this long-standing threat and redirected their attention to newer attack methods such as ransomware, supply chain compromise, and attacks on critical infrastructure.
More recently, several factors, including the rise of remote work and the arrival of generative AI, have driven a resurgence of phishing, and the threat is now more common, more sophisticated, and more effective than ever. One study found that phishing attacks increased by up to 350% in the post-COVID remote workforce. A Forbes article reported more than 500 million phishing attacks in 2022, over double the 2021 figure. And our Passwordless Authentication survey, fielded by Enterprise Strategy Group (ESG) and announced in June 2023, found that 92% of respondents are concerned about credentials being compromised through phishing or social engineering, which points to the recent rise and success of both attack vectors.
Regulators and cybersecurity agencies have taken notice of this market data and responded with mandates and guidance on becoming phishing resistant. In January 2022, the U.S. White House Office of Management and Budget (OMB) issued memorandum M-22-09, which requires federal agencies to meet specific Zero Trust goals by the end of fiscal year 2024; the memo mentions phishing resistance 23 times in just 29 pages. CISA followed in October 2022 with guidance stating that it “strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats.” And in February 2023, the National Institute of Standards and Technology (NIST) published a blog post on the importance of implementing phishing-resistant authenticators.
Given these developments, many security teams understand they can no longer put phishing on the back burner and must prepare for it proactively. But knowing you have to act and knowing which steps to take are two entirely different things, and many security teams don’t know where to begin. If your organization falls into that category, not to worry.
Six Best Practices for Pragmatic Phishing Resistance
Here are six best practices for implementing a pragmatic approach to phishing resistance:
- Go back to basics. Just as organizations get diverted from well-established threats when new ones arise, security teams can fixate on the newest features, tools, and technologies and neglect the fundamentals. Without the basics in place, the organization is not secure, no matter how many advanced tools are in the ecosystem. Before anything else, get the authentication fundamentals right: categorize end users by role (e.g., knowledge worker, compliance, IT, security executive), map a required authentication level to each group, prioritize the highest-risk gaps when rolling out new solutions, eliminate easily compromised credentials, and enforce the critical policies for new employees from their first day.
- Understand the limitations of your existing security tools. Too often, organizations assume that having basic multi-factor authentication (MFA) and broad identity and access management (IAM) tooling makes them phishing resistant. It does not. Traditional MFA factors such as SMS codes, one-time passcodes (OTP), and mobile push approvals all rely on something the user can be tricked into handing over or approving: an adversary-in-the-middle phishing page can relay a code to the real site within its validity window, and a push prompt triggered by the proxied login can be approved by a fatigued user. IAM platforms that depend on these older MFA methods inherit the same weakness. Many organizations also run more than one IAM system, so authentication happens in a fragmented way, and the inconsistencies between systems are exactly where phishing-driven account takeovers find a path in. Take the time to assess what authentication tools you have, how they do (or do not) work together, and where the security gaps are. Only once you know the weaknesses in the existing ecosystem can you plug them with the right authentication tools and a phishing-resistant strategy.
- Leverage the right authentication methodology. There are several phishing-resistant technologies, and determining which will be most effective for your organization takes some analysis, which is why the initial environment assessment matters. From there you can choose the solutions that close security gaps, remediate risk, and protect the organization from phishing attacks. What the phishing-resistant options have in common is that the user never types or approves a secret that could be relayed; authentication is a cryptographic proof bound to the device and to the service being accessed. A few of the most common:
- Personal Identity Verification (PIV) cards – The FIPS 201 smart card credential for U.S. federal employees and contractors. The card holds X.509 certificates whose private keys cannot be exported from the chip, so authentication is PKI-based and the user presents the card plus a PIN rather than a reusable secret.
- Certificate-Based Authentication (CBA) – X.509 certificates issued to a user, machine, or device that authenticate it before access to networks, applications, and other systems is granted. The client proves possession of the certificate’s private key (for example in a TLS client-authentication handshake) instead of transmitting a shared secret, so there is no password or code for a phishing page to capture; the private key should live in hardware (smart card or TPM) so it cannot be copied.
- FIDO – The Fast Identity Online (FIDO) Alliance standards replace passwords with public-key challenge-response. At registration the authenticator creates a key pair scoped to the relying party; the private key never leaves the authenticator and the server stores only the public key, so there is no password database to breach. Any biometric used to unlock the authenticator is matched locally and is never sent to a server. Because the credential is bound to the site’s origin, a look-alike domain cannot obtain a valid signature.
- FIDO2 (FIDO passkeys) – The current generation, combining the W3C WebAuthn browser API with the CTAP protocol for security keys and built-in platform authenticators. According to the FIDO Alliance, it lets users authenticate to online services with common devices in both mobile and desktop environments; passkeys are FIDO2 credentials that can additionally be synced across a user’s devices.
- Windows Hello for Business (WHfB) – A strong option for Microsoft-centric environments. It replaces the password with an asymmetric key pair bound to the device (protected by the TPM where available); the PIN or biometric the user provides only unlocks that key locally and is never transmitted, so it is not itself the credential.
- Build a holistic authentication strategy. Just as a security ecosystem riddled with point solutions working in isolation introduces risk, so does implementing phishing resistance in silos. To succeed, organizations must move from a fragmented approach to a single, holistic strategy, which means building an integrated authentication framework. By authenticating systematically across all users, machines, and interactions, regardless of the underlying IT complexity, security teams can consolidate credentials, analyze them in context, automate processes, authenticate uniformly, and adapt to emerging threats more efficiently. This improves the overall security posture and, at the same time, empowers users and streamlines administration.
- Balance protection with usability. Phishing resistance is a necessity, but organizations must take care not to tighten controls so far, or make authentication so complicated, that employee productivity suffers and workers look for workarounds that put the business at risk. The best way to balance protection and usability is passwordless authentication built on a device-bound key (FIDO2, CBA, WHfB), which verifies identity with the user’s device and a local biometric or PIN instead of a password; behavioral analytics can add risk context but is not itself phishing resistant. Done this way, passwordless delivers on the promise of phishing resistance and reduces user friction at the same time. One note of caution: not all passwordless options are equal. Magic links, one-time codes, and push approvals take the password out of the user’s view but still rely on a secret that can be relayed, and some products hide a password from the end user while still storing one that can be stolen. To be extra cautious, look for “no-password” passwordless solutions that secure every entity without passwords or shared secrets.
- Manage the authentication lifecycle. Once phishing-resistant MFA is the standard, attackers shift to the weak points in the authentication lifecycle: authenticator enrollment and credential issuance, account recovery, credential renewal, and revocation. A help-desk reset or self-service recovery flow that falls back to an emailed or texted code reintroduces a phishable path around the strong authenticator, so every stage must be secured to the same standard, and the lifecycle must be operationalized with the right tools and capabilities for IT to manage efficiently.
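To make the difference between the relayable factors in “Understand the limitations of your existing security tools” and the origin-bound ones in “Leverage the right authentication methodology” concrete, here is an added example, written for this page and not Axiad’s code or any FIDO Alliance reference implementation, of the check that makes a FIDO2/WebAuthn assertion phishing resistant. It uses only the Go standard library and is a simplified model: the RP ID is taken to be the origin’s host, the authenticator data carries only the rpIdHash, the user-present flag and a fixed sign count, and the Authenticator, Register, GetAssertion, VerifyAssertion and hostOf names, the origins and the challenge strings are all constructed for the demo. The point it shows is that the credential is scoped to the RP ID, the browser (not the page) writes the real origin into the signed client data, and the relying party checks both against the single-use challenge it issued; a one-time code or push approval carries no such binding, which is why a proxy can relay it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData mirrors WebAuthn CollectedClientData. The browser, not the web page, fills in
// Origin from the page that called navigator.credentials.get(); a page cannot lie about it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives. AuthData = sha256(rpId)||flags||signCount and
// Sig is an ECDSA P-256 signature over AuthData||sha256(ClientDataJSON), so the RP ID, the
// origin and the challenge are all under the signature.
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// Authenticator keeps one key pair per RP ID; a credential is usable only for that RP ID.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

// hostOf returns the default RP ID (the origin's host) for an https origin without a port (demo simplification).
func hostOf(origin string) string { return strings.SplitN(strings.TrimPrefix(origin, "https://"), "/", 2)[0] }

// signedDigest is the value both sides sign/verify: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Register creates a credential scoped to the RP ID of the page that registers it. Only the
// public key goes to the server; the private key never leaves the authenticator.
func (a *Authenticator) Register(pageOrigin string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[hostOf(pageOrigin)] = priv
	return &priv.PublicKey
}

// GetAssertion models browser plus authenticator during a login from pageOrigin.
func (a *Authenticator) GetAssertion(pageOrigin, challenge string) (*Assertion, error) {
	rpID := hostOf(pageOrigin)
	priv, ok := a.creds[rpID]
	if !ok { // a look-alike phishing domain never has a credential scoped to it
		return nil, fmt.Errorf("no credential for rpId %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdj))
	return &Assertion{authData, cdj, sig}, err
}

// VerifyAssertion is the relying party's check. Ceremony type, the single-use challenge it
// issued, the origin it serves and its RP ID hash must all match, and the signature must cover them.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch (replay?)")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case as.AuthData[32]&0x01 == 0:
		return fmt.Errorf("user-present flag not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	// Constructed origins and challenges for the demo; a real RP issues random challenges.
	const siteOrigin, phishOrigin = "https://login.example.com", "https://login.example.com.evil.test"
	auth := NewAuthenticator()
	pub := auth.Register(siteOrigin)

	as, _ := auth.GetAssertion(siteOrigin, "challenge-1")
	fmt.Println("legit login:", VerifyAssertion(pub, hostOf(siteOrigin), siteOrigin, "challenge-1", as))
	_, err := auth.GetAssertion(phishOrigin, "challenge-1")
	fmt.Println("same user on the phishing page:", err)
	fmt.Println("old assertion replayed:", VerifyAssertion(pub, hostOf(siteOrigin), siteOrigin, "challenge-2", as))
}
```

Run it with `go run` and the three lines print `<nil>` for the legitimate login, a “no credential for rpId” error for the look-alike domain, and a challenge-mismatch error for the replay. These are the same checks a WebAuthn server library performs; what the model leaves out is the registrable-suffix rule that lets a relying party choose example.com as the RP ID for login.example.com, attestation of the authenticator, and sign-count regression detection.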
Secure Today, Plan for Tomorrow
There are a number of phishing-resistant authentication technologies and approaches that organizations can put in place today to protect against phishing and other cyber-attacks. Equally important for long-term security and resilience is future-proofing the environment so it can adapt easily as authentication methods change.
For example, CBA is available today, trusted and proven. It can supplement existing IAM ecosystems and add phishing resistance without ripping and replacing what already works. FIDO passkeys, in turn, can give users a faster, easier, and more secure way to sign in anywhere, from desktops to websites to applications. While there is still work to be done, this method is expected to become the gold standard in the near future.
How do you bridge the gap and stay protected both today and in the future? With a hybrid strategy that deploys CBA immediately but is flexible enough to adopt FIDO passkeys as their strengths mature. Future-proofing your organization in this way is the smart play.
We call this pragmatic phishing resistance, and Axiad can help on both fronts. Axiad’s strength in CBA comes from years of experience and battle-tested technology in this arena, and as one of a handful of organizations on the FIDO Alliance Board, we constantly monitor new developments with FIDO and optimize around them. To find out how we can help your organization become phishing resistant, contact us today. To learn more about the steps to pragmatic phishing resistance outlined above, download Axiad’s eBook, “The What, Why and How of Phishing-Resistant MFA.”