Credential Phishing Prevention
Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the user credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach in motion. You can now identify and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site’s URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website. Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate.
Take the following steps to prevent phishing attempts by controlling the sites to which your users can submit credentials.
- Decide what user credential detection method you
want the firewall to use to detect corporate credential submissions and
configure User-ID as required to
support the selected method.Each of the Methods to Check for Corporate Credential Submissions requires a different User-ID configuration to check for corporate credential submissions:
- If you plan to use the group mapping method, which detects whether a user is submitting a valid corporate username, Map Users to Groups.
- If you plan to use the IP user mapping method, which detects whether a user is submitting a valid corporate username that matches the username of the user logged into the source IP address of the session, Map IP Addresses to Users.
- If you plan to use the domain credential filter method, which detects whether a user is submitting a valid username and password and that those credentials match the user who is logged in to the source IP address of the session, Configure Credential Detection with the Windows-basedUser-IDAgent and Map IP Addresses to Users.
- Configure URL Filtering to
detect corporate credential submissions to websites that are in
allowed URL categories.
- Select ObjectsSecurity ProfilesURL Filtering and Add or modify a URL Filtering profile.
- On the User Credential Detection tab,
select one of the Methods to Check for Corporate Credential Submissions:
- Use IP User Mapping—Checks if username submissions match the user logged into the source IP address of the session.
- Use Domain Credential Filter—Checks for valid corporate usernames and password submissions and verifies that the submitted credentials match the user logged into the source IP address of the session.
- Use Group Mapping—Checks that submitted usernames match a username in the user-to-group mapping table.With group mapping, you can apply credential detection to any part of the directory, or limit it to selected groups that have access to your most sensitive resources, such as IT.
- Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.
- Block (or alert) on credential submissions to allowed
sites.The firewall automatically skips checking credential submissions on sites that have never been observed hosting malware or phishing attacks to ensure the best performance even if you enable checks in the corresponding category. The list of sites on which the firewall will skip credential checking is automatically updated via Application and Threat content updates.
- On the Categories tab,
for each Category to which Site Access is
allowed, select how you want to treat User Credential
- alert—Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this URL category.
- allow—(default) Allow users to submit credentials to the website.
- block—Block users from submitting credentials to the website and display a response page.
- continue—Present a response page to users that requires them to click Continue to continue with credential submission.
- Select OK to save the URL Filtering profile.
- On the Categories tab, for each Category to which Site Access is allowed, select how you want to treat User Credential Submissions:
- Apply the updated URL filtering and credential detection
settings to the Security policy rules that allow web traffic.
- Select PoliciesSecurity and Add or modify a Security policy rule.
- Select Actions and set the Profile Type to Profiles.
- Select the new or updated URL Filtering profile to attach it to the Security policy rule.
- Select OK to save the Security policy rule.
- Commit the URL Filtering profile and Security policy rule updates.
- Monitor credential submissions the firewall detects.A new ACC widget provides a view into the number of users who have visited malware and phishing sites. Select ACCHosts Visiting Malicious URLs.Select MonitorLogsURL Filtering.The new Credential Detected column indicates events where the firewall detected a HTTP post request that included a valid credential:(To display this column, hover over any column header and click the arrow to select the columns you’d like to display).Log entry details also indicate credential submissions:
Prevent Credential Phishing
Prevent Credential Phishing Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the credentials that provide ...
User Credential Detection
User Credential Detection Objects > Security Profiles > URL Filtering > User Credential Detection Enable the firewall to detect when users submit corporate credentials. The ...
Set Up Credential Phishing Prevention
Set Up Credential Phishing Prevention After you have decided which of the Methods to Check for Corporate Credential Submissions you want to use, take the ...
Configure URL Filtering
Configure URL Filtering After you Determine URL Filtering Policy Requirements , you should have a basic understanding of what types of websites and website categories ...
URL Filtering Categories
URL Filtering Categories Objects > Security Profiles > URL Filtering > Categories The following table describes URL filtering category settings. Categories Settings Description Category In ...
Methods to Check for Corporate Credential Submissions
Methods to Check for Corporate Credential Submissions Before you Set Up Credential Phishing Prevention , decide which method you want the firewall to use to ...
URL Filtering Response Pages
URL Filtering Response Pages The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in ...
URL Filtering Profile Actions
URL Filtering Profile Actions The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all ...
WildFire Phishing Verdict
WildFire Phishing Verdict The new WildFire phishing verdict classifies credential phishing links found in emails separately from emailed links found to be exploits or malware. ...