Merely filtering emails and website links to protect users is no longer enough, according to one identity access management expert.

One of the biggest myths and misconceptions about phishing is the assumption that we can solve the problem at the edge of the corporate network: by filtering emails arriving in user inboxes and filtering requests users make to websites.

According to Brett Winterford, Regional Chief Security Officer (APJ), Okta, while these are very useful controls, they do not reflect the reality of the modern workforce. CybersecAsia.net found out more about his chain of reasoning…

CybersecAsia: Please tell us more about what “the reality of the modern workforce” is all about, in relation to phishing and other cyber risks.

Brett Winterford (BW): Phishing is a means by which an attacker tricks the user of a system into sharing their access credentials. The majority of cyber security incidents begin with an attacker gaining access to the valid credentials of a user.

Today, a user is just as likely to be directed to a phishing website from their personal device via SMS, via messaging apps like WhatsApp, or via any social media platform. The only way to protect users is to ensure they can only share their credentials with the service provider they enrolled with. That is what we mean by phishing resistance.

CybersecAsia: How can organizations achieve phishing resistance?

BW: According to the National Institute of Standards and Technology (NIST) in the US, phishing resistance requires that the channel being authenticated is cryptographically bound to the output of the authenticator. In more simple terms, this means that the domain (address) of the website you are signing in to is tied to your authenticator, to ensure that your authenticator will not issue your credentials to a fake phishing web page. 

One good approach to phishing resistance is to provide administrators with the tools they need to make the user enrolment, authentication, and recovery process resilient to phishing attacks:

    • Administrators create enrolment policies that determine which sign-in methods (authenticators) are required, optional or disabled. When a user enrolls in any of these authenticators, a cryptographic binding is established.
    • For user access to any given resource or application, administrators can create sign-on policies. One of the many constraints an administrator can impose is to enforce the use of enrolled phishing resistant authenticators for access to some or all applications.
    • Even if a user is directed to an Adversary-in-the-Middle phishing website that acts as a proxy and relays password and/or MFA challenges between the user and the legitimate service they wish to access, the authenticator will not share the user’s access credentials via the malicious website.
    • If a user attempts to sign into an AiTM phishing proxy via a phishing resistant system, a system log alert will be raised, providing security teams with a high confidence signal that the organization is under attack.

I recommend that security teams use these detections to automate the process of phishing remediation, such as adding the IP address of the phishing page to a network deny list, and searching the system log for any previous sign-in via that IP address. to potentially revoke sessions or reset passwords. 

CybersecAsia: How does an established authenticator function for phishing resistance?

BW: Take FIDO2 WebAuthn: It is an industry body that developed standards upon which most approaches to phishing resistance are based. This authenticator can be built into modern devices that can be accessed via biometric challenges (e.g., TouchID, FaceID, Windows Hello) or via roaming authenticators such as physical security keys.

FIDO2 standards underpin PassKeys (discoverable WebAuthn credentials), which I strongly believe have the potential to replace the use of passwords in customer identity uses (for signing in to online banking services, webmail or social networks, for example). The beauty of web standards is that they provide a consistent baseline upon which new cyber innovations can emerge. 

Brett Winterford,
Regional Chief Security Officer (APJ), Okta