The out-of-the-box Intrusion Prevention Policies (Windows Core/Limited Execution/Strict and Unix Protection policies) are excellent tools to prevent an attack.
Phishing, the attempt to gather credentials from an end user, usually via carefully crafted emails that look legitimate or via social engineering, is not easy to block. So, while SCSP cannot block phishing attempts, it can provide protection in case of a credential compromise.
With SCSP there are several means that you can use to prevent an attack, even if someone's credentials are compromised.
- You can de-escalate privileges by giving users - or groups of users - "Safe Privileges", so even a person with Administrator rights cannot access core system files, user-defined resource lists, or the SCSP files, preventing the system from being compromised.
- SCSP's out-of-the-box Prevention Policies provide protection against Buffer Overflow (BO) and Thread Injection (TI) attacks on core OS services and widely used applications such as SQL Server and Exchange. The vast majority of system attacks come from BO and TI attacks.
- SCSP blocks modification of the executable files of OS services and widely used applications.
- SCSP can also be configured to protect any application from BO or TI attacks.
- SCSP can be configured to give users or groups of users custom rights to an endpoint, so they can be locked down to perform only certain tasks.
- SCSP also locks down services, so even if an attacker were able to gain access to a locked-down service, that service would not be able to change anything it is not specifically allowed to change.
So, while SCSP cannot specifically block a phishing attack, it can prevent changes to a protected endpoint in case a user's credentials are compromised.