Tim Sadler, CEO, Tessian
It’s reported that, today, 95% of all cyber-attacks on enterprises are the result of a successful spear-phishing attack. The battle against advanced phishing scams is one businesses are losing right now.
In many ways, email attacks have never been easier. Anyone in control of an email server can effectively dupe an individual into thinking a fraudulent email is legitimate and easily bypass secure email gateways (SEGs) and security protocols.
Often, we hear the solution to mitigating this persistent threat is to provide more training. Businesses are encouraged to teach employees about the cues that signal a malicious email – checking the sender’s address, looking out for a payload link or spotting poor grammar, for example. Then, they test staff to spot the ‘good’ from the ‘bad’ emails.
However, while training is important in raising awareness, it alone is not effective enough to stop people falling for the scams we see today. Firstly, it is not resonating. In a recent report, we found that just one in five employees remembers and actions all the training they receive, meaning four in five aren’t demonstrating perfect cybersecurity practices 100% of the time.
"In many ways, email attacks have never been easier"
Secondly, the phishing threat is constantly evolving. Hackers are continually finding ways to reverse-engineer the rules that are in place to stop malicious messages landing in inboxes. As such, the over-simplified examples of phishing used in training exercises quickly become outdated.
We see techniques such as display name impersonations, for example, in which the attacker sets deceptive display names on their email accounts in order to mislead recipients. Hackers can combine this with domain impersonation to execute sophisticated impersonation attacks, which use social engineering to threaten organizations’ most sensitive data and systems.
In addition, attackers have also realized that by not including malicious links or attachments, they can avoid payload inspection. Instead, they favor zero-payload attacks which rely on social engineering techniques to bypass defenses and persuade targets to comply with their requests. In fact, research shows that 25% of phishing emails now bypass SEGs.
With techniques continually changing, and phishing attacks growing in severity and sophistication, simply telling employees what to ‘look out for’ in one-off training sessions is not enough. In many cases, the cues that signal a threat aren’t even noticeable to the naked eye, so it’s unrealistic to expect staff to be able to spot every ‘bad’ email 100% of the time. People make mistakes and they can be deceived.
Businesses need to add another layer to protect their people. For the first time, we can use machine learning to understand people’s behaviors online, in order to automatically detect suspicious emails and alert individuals to a potential threat. By providing employees with an explanation as to why the email looks suspicious and advising them on what to do next, this real-time intervention and education will not only prevent people falling for the scams but it will also reinforce secure behavior. Over time, this will help mitigate the persistent phishing threat.
Kowsik Guruswamy, Chief Technology Officer, Menlo Security
From a bad actor perspective, phishing is the cheapest and easiest way to infiltrate organizations and personal information to make a profit. By nature, humans are curious and are often overconfident when it comes to security. Phishing is an even greater threat for mobile users, too. Without key visual cues, like the ability to hover over a link to determine its destination, it is much easier for a user to make the simple mistake of clicking a bad link and falling victim to a phishing attempt. The popularity of social media has also made it much easier for hackers to find valid email addresses and research users’ life activities to create sophisticated, tailored phishing attacks.
From a security perspective, there are typically three approaches to solving the phishing problem – email security gateways, web proxies and security training awareness – but each has its own limitations.
Email security gateways look at all emails coming in and have information on spam and reputation. However, when a click actually occurs, their primary defense is prior knowledge of the website obtained through crowdsourcing, resulting in a ‘patient zero problem.’ In other words, the first few users are allowed to access the potentially malicious website until there’s a verdict available regarding the website rating.
"Simply put, phishing is a social engineering problem that puts everyone at risk"
Web proxies, on the other hand, know almost everything there is to know about HTTP, but are clueless when it comes to email. More importantly, they lack the important context of a website visit originating from an email click, as opposed to a user typing in the URL bar on their browser. Security awareness training may help mitigate the risk, but training is never enough because any software used to train the user is largely out of the picture when a real phishing email link is clicked. Often times, bad actors are taking the time to classify websites as ‘good’ so they can bypass all of these defenses.
Simply put, phishing is a social engineering problem that puts everyone at risk. Fortunately, an easy fix to this problem is to move to a strategy of isolation, one that offers organizations a safe-allow option. Hackers have become so creative because companies are still trying to figure out if websites are ‘good’ or ‘bad,’ but after shifting to isolation, the only thing that matters is access, or the lack thereof.
Even if isolation services are unavailable, there are still a number of ways to combat phishing. The first is by practicing simple email hygiene. Ignoring and deleting emails that reference free rewards, vouchers or social media posts is always the best policy. Another is to always go directly to the source. Instead of following embedded links found within emails, users should access the website they want to visit directly from the URL bar.
Finally, avoiding open authentication programs by creating new, separate accounts – or even using fake email addresses to sign up for these accounts – is recommended, as they’re less likely to be phished. By following these simple steps, or adopting isolation, users and organizations can keep ‘off the hook’ and avoid falling victim to email phishing attacks.
James Chappell, Co-Founder & Chief Innovation Officer, Digital Shadows
Phishing – a topic almost as old as our industry itself, yet one that keeps on growing and evolving. Phishing is still the number one method employed by any actor seeking to gain access to the interior of an organization.
Work by the MITRE organization under their ATT&CK framework shows a heat map of attacker techniques – and phishing is the number one observed technique for initial access across all of the intelligence that we gather.
Add to this the fast growing and, according to the FBI, multi-billion dollar criminal industry of Business Email Compromise (BEC), and it’s easy to see why account takeover, phishing toolkits, how-to guides and capabilities are constantly evolving across the forums that fraudsters and criminals frequent to learn how to exploit their targets through a whole range of popular techniques.
However, email, for better or worse, is still the number one communication method used to conduct business, and whilst security practitioners would likely welcome the opportunity to eliminate the risk, email is the one place where all organizations must strike a healthy balance between risk reduction and business enablement. So how would I advise information security professionals to approach this?
"Phishing will continue to evolve as our awareness and defenses do"
The good news is that organizations can still employ a wide variety of measures that can help them stay afloat and clear of phishing threats.
First, train employees in how to spot phishing emails. More importantly, they need a clear and recognized reporting method to alert security teams to suspected phishing attempts. Employees need to know how to react to these quickly and should not fear any repercussions of being the victim of a social engineering attack. Give them ‘spidey-senses.’
Also, monitor for registrations of typo- or domain-squats that can be used by attackers to impersonate your brand, send spoof emails and host phishing pages. We’ve recently combined this capability with the defensive email service Mimecast, helping customers keep one step ahead of this issue.
Maintain an email protection system that can uphold policies, track URLs, attachments and maintain blocklists across your organization – this can be a very cost-effective defense.
Then, limit what information your organization and its employees share online, or adopt an awareness of the risks this brings. The most successful phishers will perform detailed reconnaissance on targets, so they can craft the most effective emails and social engineering lures.
Look to implement additional security measures such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult.
Lastly, protect your accounts in case phishers do manage to steal user email credentials. Two-factor authentication measures should be mandated across the organization and implemented wherever possible.
Phishing will continue to evolve as our awareness and defenses do, the good news is that we can continue to evolve our responses to this ever-changing topic.
A sound working knowledge of both attacker techniques for targeted and opportunistic attacks is a good way of keeping one step ahead of those targeting organizations.