It Started with a Phish

It is no secret that humans are the weakest link in any security program, but the extent of the problem can be underestimated. The most recent Verizon Data Breach Investigations Report suggests that some 90% of breaches start with a phishing or social engineering attack.

This is not a new phenomenon, yet most of the investment in cybersecurity over the last 10 years has been focused on securing computers and networks through technical defenses. But the fact that our IT systems are more secure and companies like Microsoft have got better at patching and preventing physical vulnerabilities has made it even more attractive to exploit human weaknesses. 

It’s time that the focus of security programs shifted. By making employees smarter about different types of attacks, they can be transformed from a weak link into one of your biggest assets – a human firewall. You can do this by building a comprehensive phishing protection program that intrinsically links technical controls with human behavior and interaction.

It has been shown that good phishing education programs can reduce click rates on malicious links from 40-50% down to below 10%. These programs don’t need to be built around sophisticated and costly tools but they should always comprise four key components: protection, education, evaluation and reporting. 

Breaking the phishing cycle must start with protection, because click rates continue to be so high. This means getting in between the attacker and the victim to remove or neutralize the malicious links before they can do any damage. But simply stopping the attack is a wasted opportunity.

By automatically detecting and blocking rogue DNS requests, users who choose to click on a fake Office 365 or Dropbox link, for example, can be redirected to a safe page instead of where the attacker wants them to go. This means that the employee is protected but is also given a dose of education after they’ve clicked.

It’s a bit like going on a safe driving course after being caught speeding! Once bitten, users are more inclined to listen and learn from their mistakes, so they can stay safe in the future. This could simply be a conversation about the serious implications of clicking on a malicious link and how to spot one.

Education is the kernel of any anti-phishing program, so as well as reacting to user actions, it is also important to be proactive. This could involve sharing education materials with your co-workers and/or sending out fake phishing emails to see which ones users recognize and avoid, and which ones drive the most clicks.

Evaluation focuses on sending these fake phishes and counting the clicks. Based on the results, IT managers can better understand the click rates for different types of user and attack, to more accurately target education and resources. 

No one is suggesting it is easy to spot a dodgy link; after all, phishing and social engineering are getting ever more sophisticated. Attackers are gathering more intelligence on their victims, and on their friends and colleagues, and interacting with them directly.

In one recent phish, the email appeared to come from a co-worker in the same office. There is also an increase in so-called CEO fraud, where the attacker impersonates senior management.

Fundamentally, we need to change the culture in organizations around phishing. We need to move away from the blame culture, so it is OK to make a mistake and learn from it. If people are more aware of the risks and implications, they will start to have more conversations and ask questions, be it with an IT person or a work colleague at the water cooler. These conversations with one another are a key element of any good anti-phishing program.

These conversations drive the final stage of the model - reporting. This encourages people to say something either to their peers or their IT helpdesk if they feel that a message is suspicious. We recommend setting up a shared phishing reporting email box or you can use one of the paid services such as KnowBe4’s phish alert button. And simply encourage people to talk to one another.

These phishes are ‘gold’ for linking the reporting and protection steps in the cycle. By taking indicators out of the phishes such as URLs and malicious files, you can feed these back into your defensive mechanisms. It only takes one user to spot and report a phishing email to protect other users in the company. Any employee can go from ‘zero to hero’!
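As an added illustration (not code from the original article), the following script closes the loop between the reporting and protection steps described above: it takes a phish reported to the shared mailbox, pulls the hostnames out of its URLs, and renders them as DNS response-policy-zone entries that rewrite the phishing domain to an internal awareness page. The message, the `.test` domains, the allowlist and the `phish-awareness.example-corp.test` landing page are all constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample of a phish forwarded to the shared reporting mailbox.
REPORTED_PHISH = """From: "IT Helpdesk" <helpdesk@example-corp.test>
Subject: Your Office 365 password expires today
Content-Type: text/plain

Please re-validate your account at http://office365-login.example-bad.test/verify?u=123
Or download the attached invoice: https://files.example-bad.test/invoice.zip
Legit link: https://www.office.com/
"""

# Assumed internal "you clicked a phish" education page (placeholder hostname).
SAFE_PAGE_HOST = "phish-awareness.example-corp.test"
# Hosts that must never be blocked even if they appear in a reported phish.
ALLOWLIST = {"www.office.com", "example-corp.test"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_indicators(raw_email: str) -> set[str]:
    """Return the hostnames of every URL in the reported message body,
    minus anything on the allowlist (so a real Office link is not blocked)."""
    body = message_from_string(raw_email).get_payload()
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and host.lower() not in ALLOWLIST:
            hosts.add(host.lower())
    return hosts


def rpz_records(hosts: set[str]) -> list[str]:
    """Render the indicators as BIND RPZ records: a CNAME rewrite sends the
    phishing hostname to the awareness page instead of the attacker's site."""
    return sorted(f"{h} CNAME {SAFE_PAGE_HOST}." for h in hosts)


def resolve(host: str, blocked: set[str]) -> str:
    """Simulate the protective resolver: a blocked host lands on the safe
    page, everything else resolves normally."""
    return SAFE_PAGE_HOST if host.lower() in blocked else host


if __name__ == "__main__":
    iocs = extract_indicators(REPORTED_PHISH)
    print("\n".join(rpz_records(iocs)))
    print("click on files.example-bad.test ->", resolve("files.example-bad.test", iocs))
```

Feeding the generated records into the resolver means one user's report protects every colleague who clicks the same link afterwards, which is the "zero to hero" effect the article describes.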

Reporting phishes also enables you to understand attacker trends. When users report phishes, pay attention to which parts of your company are getting targeted. What are the attackers after? Are they trying to steal passwords? Are they sending you malicious files? Whatever they are doing, focus your security program there.

With cyber-attacks on the increase, everyone needs to play their part to protect themselves and their employers. It’s a bit like a Neighbourhood Watch scheme for the cyber world. Protection, education, evaluation and reporting all contribute to an effective anti-phishing program; but it is when they all work together with technology that makes the outcome greater than the sum of the parts. 
