Credential Phishing Prevention

Phishing sites are sites that attackers disguise as legitimate websites with the aim of stealing user information, especially the user credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach in motion. You can now identify and prevent in-progress phishing attacks by controlling the sites to which users can submit corporate credentials, based on the site's URL category. This allows you to block users from submitting credentials to untrusted sites while allowing them to continue submitting credentials to corporate and sanctioned sites.
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website. Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate.
Take the following steps to prevent phishing attempts by controlling the sites to which your users can submit credentials.
  1. Decide what user credential detection method you want the firewall to use to detect corporate credential submissions and configure User-ID as required to support the selected method.
    Each of the Methods to Check for Corporate Credential Submissions requires a different User-ID configuration to check for corporate credential submissions:
    • If you plan to use the group mapping method, which detects whether a user is submitting a valid corporate username, Map Users to Groups.
    • If you plan to use the IP user mapping method, which detects whether a user is submitting a valid corporate username that matches the username of the user logged into the source IP address of the session, Map IP Addresses to Users.
    • If you plan to use the domain credential filter method, which detects whether a user is submitting a valid username and password and that those credentials match the user who is logged in to the source IP address of the session, Configure Credential Detection with the Windows-based User-ID Agent and Map IP Addresses to Users.
  2. Configure URL Filtering to detect corporate credential submissions to websites that are in allowed URL categories.
    If you have not done so already, configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
    1. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
    2. On the User Credential Detection tab, select one of the Methods to Check for Corporate Credential Submissions:
      • Use IP User Mapping—Checks if username submissions match the user logged into the source IP address of the session.
      • Use Domain Credential Filter—Checks for valid corporate usernames and password submissions and verifies that the submitted credentials match the user logged into the source IP address of the session.
      • Use Group Mapping—Checks that submitted usernames match a username in the user-to-group mapping table.
        With group mapping, you can apply credential detection to any part of the directory, or limit it to selected groups that have access to your most sensitive resources, such as IT.
    3. Set the Valid Username Detected Log Severity the firewall uses to log detection of corporate credential submissions. By default, the firewall logs these events as medium severity.
  3. Block (or alert) on credential submissions to allowed sites.
    To ensure the best performance, the firewall automatically skips credential submission checks on sites that have never been observed hosting malware or phishing attacks, even if you enable checks for the corresponding category. The list of sites on which the firewall skips credential checking is updated automatically via Application and Threat content updates.
    1. On the Categories tab, for each Category to which Site Access is allowed, select how you want to treat User Credential Submissions:
      • alert—Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this URL category.
      • allow—(default) Allow users to submit credentials to the website.
      • block—Block users from submitting credentials to the website and display a response page.
      • continue—Present a response page to users that requires them to click Continue to continue with credential submission.
    2. Select OK to save the URL Filtering profile.
  4. Apply the updated URL filtering and credential detection settings to the Security policy rules that allow web traffic.
    1. Select Policies > Security and Add or modify a Security policy rule.
    2. Select Actions and set the Profile Type to Profiles.
    3. Select the new or updated URL Filtering profile to attach it to the Security policy rule.
    4. Select OK to save the Security policy rule.
  5. Commit the URL Filtering profile and Security policy rule updates.
  6. Monitor credential submissions the firewall detects.
    A new ACC widget provides a view into the number of users who have visited malware and phishing sites. Select ACC > Hosts Visiting Malicious URLs.
    Select Monitor > Logs > URL Filtering.
    The new Credential Detected column indicates events where the firewall detected an HTTP POST request that included a valid credential. (To display this column, hover over any column header and click the arrow to select the columns you'd like to display.)
    Log entry details also indicate credential submissions.
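The three detection methods from step 1 and the per-category enforcement from step 3, modelled in Python as an added illustration of how they differ on the same submission; this is not PAN-OS or User-ID code, and every username, IP mapping, password hash, category action and skip-list entry is constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed User-ID state: group membership, IP-to-user mapping, and a set of
# credential hashes standing in for the data the Windows-based agent provides.
GROUP_MAP = {"alice": {"IT"}, "bob": {"Finance"}}
IP_USER_MAP = {"10.0.0.5": "alice", "10.0.0.9": "bob"}

def _h(user, pw):
    return hashlib.sha256(f"{user}:{pw}".encode()).hexdigest()

CRED_STORE = {_h("alice", "Winter2024!"), _h("bob", "hunter2")}

@dataclass
class Submission:
    src_ip: str     # source IP of the session carrying the HTTP POST
    username: str   # submitted username
    password: str   # submitted password
    category: str   # URL category of the destination site

def group_mapping(sub, groups=None):
    """Submitted username is a valid corporate username (optionally limited to selected groups)."""
    member = GROUP_MAP.get(sub.username.lower())
    return member is not None and (groups is None or bool(member & groups))

def ip_user_mapping(sub):
    """Submitted username matches the user logged in at the source IP."""
    return IP_USER_MAP.get(sub.src_ip) == sub.username.lower()

def domain_credential_filter(sub):
    """Username and password are both valid and belong to the user at the source IP."""
    return ip_user_mapping(sub) and _h(sub.username.lower(), sub.password) in CRED_STORE

# Constructed URL Filtering profile: User Credential Submissions action per category.
PROFILE = {"unknown": "block", "social-networking": "continue", "web-based-email": "alert"}
# Constructed stand-in for the content-update list of sites never seen hosting malware/phishing.
SKIP_SITES = {"intranet.example.corp"}

def enforce(sub, host, method):
    """Action the profile applies; 'allow' when the site is skipped or nothing is detected."""
    if host in SKIP_SITES or not method(sub):
        return "allow"
    return PROFILE.get(sub.category, "allow")
```

Note that a user submitting another employee's valid credentials is flagged only by group mapping; the two IP-based methods require the submitted username to match the user logged in at that IP.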