Credential Phishing Prevention
Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the user credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach in motion. You can now identify and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site’s URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website. Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate.
Take the following steps to prevent phishing attempts by controlling the sites to which your users can submit credentials.
- Decide what user credential detection method you want the firewall to use to detect corporate credential submissions, and configure User-ID as required to support the selected method. Each of the Methods to Check for Corporate Credential Submissions requires a different User-ID configuration:
  - If you plan to use the group mapping method, which detects whether a user is submitting a valid corporate username, Map Users to Groups.
  - If you plan to use the IP user mapping method, which detects whether a user is submitting a valid corporate username that matches the username of the user logged into the source IP address of the session, Map IP Addresses to Users.
  - If you plan to use the domain credential filter method, which detects whether a user is submitting a valid username and password and that those credentials match the user who is logged in to the source IP address of the session, Configure Credential Detection with the Windows-based User-ID Agent and Map IP Addresses to Users.
- Configure URL Filtering to detect corporate credential submissions to websites that are in allowed URL categories.
  - Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
  - On the User Credential Detection tab, select one of the Methods to Check for Corporate Credential Submissions:
    - Use IP User Mapping: checks if username submissions match the user logged into the source IP address of the session.
    - Use Domain Credential Filter: checks for valid corporate username and password submissions and verifies that the submitted credentials match the user logged into the source IP address of the session.
    - Use Group Mapping: checks that submitted usernames match a username in the user-to-group mapping table. With group mapping, you can apply credential detection to any part of the directory, or limit it to selected groups that have access to your most sensitive resources, such as IT.
  - Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.
- Block (or alert) on credential submissions to allowed sites. To ensure the best performance, the firewall automatically skips checking credential submissions on sites that have never been observed hosting malware or phishing attacks, even if you enable checks in the corresponding category. The list of sites on which the firewall skips credential checking is automatically updated via Application and Threat content updates.
  - On the Categories tab, for each Category to which Site Access is allowed, select how you want to treat User Credential Submissions:
    - alert: allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this URL category.
    - allow (default): allow users to submit credentials to the website.
    - block: block users from submitting credentials to the website and display a response page.
    - continue: present a response page that requires users to click Continue before the credential submission proceeds.
  - Select OK to save the URL Filtering profile.
- Apply the updated URL Filtering and credential detection settings to the Security policy rules that allow web traffic.
  - Select Policies > Security and Add or modify a Security policy rule.
  - Select Actions and set the Profile Type to Profiles.
  - Select the new or updated URL Filtering profile to attach it to the Security policy rule.
  - Select OK to save the Security policy rule.
- Commit the URL Filtering profile and Security policy rule updates.
- Monitor credential submissions the firewall detects. A new ACC widget provides a view into the number of users who have visited malware and phishing sites: select ACC > Hosts Visiting Malicious URLs. To see individual events, select Monitor > Logs > URL Filtering. The new Credential Detected column indicates events where the firewall detected an HTTP POST request that included a valid credential (to display this column, hover over any column header and click the arrow to select the columns you'd like to display). Log entry details also indicate credential submissions.
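The following Python model is an added illustration of how the procedure above fits together; it is not Palo Alto Networks code and does not reproduce the firewall's internal implementation. It models the three detection methods (group mapping, IP user mapping, domain credential filter), the per-category User Credential Submissions action for categories where Site Access is allowed, the content-update skip list, and the Credential Detected field that appears in URL Filtering logs. The User-ID tables, the credential filter (modelled as a set of hashed username:password pairs, an assumption made only so that no plaintext passwords are stored), the category names, hostnames and IP addresses are all constructed sample data.

```python
import hashlib
from enum import Enum


class Method(Enum):
    """The three corporate credential detection methods selectable in the profile."""
    IP_USER_MAPPING = "ip-user-mapping"
    DOMAIN_CREDENTIAL_FILTER = "domain-credential-filter"
    GROUP_MAPPING = "group-mapping"


# Constructed sample User-ID data (stand-ins for the firewall's mapping tables).
IP_USER_MAP = {"10.1.1.10": "acme\\alice", "10.1.1.11": "acme\\bob"}
GROUP_MAP = {"acme\\alice": {"IT"}, "acme\\bob": {"Sales"}, "acme\\carol": {"IT"}}


def cred_fingerprint(username: str, password: str) -> str:
    """Hash a username:password pair so the filter never holds plaintext passwords.
    This is an assumption for illustration; the page does not describe the real filter format."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()


# Constructed domain credential filter built from two valid corporate credentials.
CRED_FILTER = {
    cred_fingerprint("acme\\alice", "Winter2024!"),
    cred_fingerprint("acme\\bob", "hunter2"),
}

# Stand-in for the content-update list of sites on which checks are skipped.
SKIP_CHECK_SITES = {"sso.example-corp.invalid"}


def is_corporate_credential(method, username, password, src_ip, monitored_groups=None):
    """Apply one detection method to a submission; True means the submission is a
    valid corporate credential under that method."""
    uname = username.lower()
    logged_in_user = IP_USER_MAP.get(src_ip, "").lower()
    if method is Method.GROUP_MAPPING:
        groups = GROUP_MAP.get(uname)
        if groups is None:
            return False
        # monitored_groups=None covers any part of the directory; otherwise only selected groups.
        return monitored_groups is None or bool(groups & monitored_groups)
    if method is Method.IP_USER_MAPPING:
        return uname == logged_in_user
    if method is Method.DOMAIN_CREDENTIAL_FILTER:
        return cred_fingerprint(uname, password) in CRED_FILTER and uname == logged_in_user
    raise ValueError(f"unknown method {method}")


def evaluate_submission(profile, host, url_category, src_ip, username, password):
    """Decide the User Credential Submissions action for one HTTP POST to a site whose
    category allows Site Access, and return a dict shaped like a URL Filtering log entry."""
    entry = {"src_ip": src_ip, "host": host, "category": url_category,
             "credential_detected": False, "action": "allow", "user": ""}
    if host in SKIP_CHECK_SITES:
        entry["reason"] = "site on skip list"
        return entry
    if not is_corporate_credential(profile["method"], username, password,
                                   src_ip, profile.get("monitored_groups")):
        entry["reason"] = "not a corporate credential"
        return entry
    entry["credential_detected"] = True
    entry["user"] = username.lower()
    entry["action"] = profile["categories"].get(url_category, "allow")  # allow is the default
    entry["severity"] = profile.get("log_severity", "medium")
    entry["reason"] = f"category {url_category} -> {entry['action']}"
    return entry


def format_log(entry):
    """Render an entry as a single log line carrying the Credential Detected field."""
    return (f"src={entry['src_ip']} host={entry['host']} category={entry['category']} "
            f"action={entry['action']} user={entry['user'] or '-'} "
            f"credential_detected={'yes' if entry['credential_detected'] else 'no'} "
            f"reason={entry['reason']}")


# Constructed profile: per-category actions for categories with Site Access allowed.
DEFAULT_PROFILE = {
    "method": Method.DOMAIN_CREDENTIAL_FILTER,
    "monitored_groups": None,
    "log_severity": "medium",
    "categories": {"unknown": "block", "web-hosting": "continue",
                   "social-networking": "alert", "business-and-economy": "allow"},
}


if __name__ == "__main__":
    samples = [  # (host, category, src_ip, username, password), all constructed
        ("login.example-hosting.invalid", "unknown", "10.1.1.10", "acme\\alice", "Winter2024!"),
        ("forum.example.invalid", "social-networking", "10.1.1.10", "acme\\alice", "Winter2024!"),
        ("forum.example.invalid", "social-networking", "10.1.1.10", "acme\\alice", "WrongPass"),
        ("sso.example-corp.invalid", "business-and-economy", "10.1.1.10", "acme\\alice", "Winter2024!"),
    ]
    for s in samples:
        print(format_log(evaluate_submission(DEFAULT_PROFILE, *s)))
```

The domain credential filter branch shows why that method is the strictest of the three: a correct corporate password submitted from an IP address that User-ID maps to a different user is not reported as a corporate credential, whereas group mapping reports any valid directory username regardless of the password or source address. Swapping the `method` in the profile dict lets you compare the three behaviours on the same sample submissions.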