Attack Phishing from a Different Angle

Gary Southwell, Founder, Seceon

Gary Southwell, Founder, Seceon

It should come as no surprise that phishing attacks—those that attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication—have grown in depth, number and sophistication of approach, and deceptive techniques used. According to the SANS Institute, a staggering 95 percent of all enterprise attacks last year started as a result of spear phishing, or had it as a component part. And, in fact, the Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than in any other three-month span since it began tracking data in 2004, according to the anti-cybercrime coalition's Q1 Phishing Activity Trends Report. In keeping with those findings, the APWG reported that the number of phishing websites it detected jumped a startling 250 percent between October 2015 and March 2016. These types of attacks are on the rise and constantly evolving with new technical elements. Increasingly, as a user clicks the links, attackers not only try to grab credentials to their organization’s systems via the deceptive login page, but also attempt to install malware or ransomware that could lead to breaches or encryption of critical data. That said, the basic attack delivery technique has remained unchanged through the years: Attackers send a message that looks like it is from a legitimate business and the user is tricked into clicking the embedded link. Even some of the world’s biggest and best-secured enterprises struggle with phishing. In one exercise, JPMorgan was able to dupe 20 percent of its trained staff into clicking upon a fake phishing email, demonstrating how challenging it is to defend against these types of attacks.

  ‚ÄčAn ounce of prevention can longer provide a pound of cure… 

If users and corporations have been warned of the dangers for years, why is phishing still such a successful attack method? Why are people still falling victim to such a simple scam? Why are you at risk?

The answer is simple:

We have primarily focused on a preventive approach using legacy technology. It’s time for a different approach.

An ounce of prevention can longer provide a pound of cure…

Phishing and other email-related attacks exploit either technical vulnerabilities or leverage social engineering to take advantage of human weakness. Exploiting human weakness has nothing to do with the digital era. Deceptive actors impersonating legitimate parties have been conning people since the dawn of civilization. Realistically, enterprise security teams can’t expect to change human nature.

Technologically, phishing continues to be an effective method of attack because anti-phishing technologies are often designed to fight the advance by executing signature-based technologies rather than addressing the problem from a behavioral angle. Technical countermeasures such as email sand-boxes, which check attached URLs against known bad sites before delivery can be circumvented with sophisticated attacks that continuously generate new URLs, and if a human target is not otherwise protected, a users credential’s can be stolen within seconds of that message being accessed and acted upon. Technology that attempts to block or erase phishing emails before a user reads them does nothing if a user has separate private email system. This is particularly vexing as these email systems are typically encrypted until delivery. In this case there is no system that can check an email before it is opened by the user’s browser. Moreover, attacks that leverage links in text messages or within social media applications that direct users to a rogue website also sidestep such protections. The challenge has actually become two-fold: when protective measures are known to be deployed – users who believe they are protected tend to let their guard down. In this case when a cleverly constructed email does reach the user, the recipient thinks that all fictitious emails are blocked, and, therefore, grants unwarranted trust to messages that they do receive.

Shift attack angle from prevention to rapid detection and remediation

With the risks for an inevitable breach so high, it’s clear that companies need to take more active measures in preparing for the inevitable moment when a phishing, spear-phishing or whaling attack is successful. To accomplish this the enterprise should shift is strategy and focus from solely focusing on prevention to the rapid detection and blocking of successful attempts. Ideally the detection and response will be fast enough to minimize and/or avoid any significant high value data access or loss.

While many technologies exist today that tackle elements of threat detection, including machine learning, user behavior and entity analytics, threat modeling, etc., the most effective solutions are those that combine the best of these capabilities to deliver rapid, real-time detection and response. Solutions effective at stopping these threats within minutes exist today, including Seceon’s own Open Threat Management (OTM) platform. By providing visibility and fully automating the immediate analysis, detection and elimination of threats, these solutions can finally give the enterprise a leg up in defending against any successful phishing attack.

Evaluate possible solutions asking these questions:

• Can it detect abnormal use of credentials from that of normal usage?
• Does it avoid false positives by leveraging a combination of data collection and analysis, machine learning, predictive and behavioral analytics and then correlate findings to surface legitimate threats?
• Can its architecture scale to process billions of inputs and generate correlated outputs of all related threat behavior in seconds so that it can detect such threats accurately in minutes after compromise.
• Is it fully automated, including rule sets, analysis, alerts, remediation and reports – so that it works 24x7x365 without need for human involvement?
• Most importantly, has it been proven to be effective in stop the threat and block the exfiltration and/or damage of critical data?

Cybersecurity is about keeping people safeguarded in an increasingly advanced level of sophistication of attacks. In order to protect the enterprise from mistakes users are bound to make, security experts must focus on the combined application of education and technology—prevention and detection and response—as the best-continued defense against phishing. The enterprise must remain vigilant about prevention—educating employees and customers about how to spot uncharacteristic emails and the unseen dangers associated with clicking embedded URLs, and deploying technologies such as next generation email or social media filtering software to block attacks—yet, simultaneously, prepare for the imminent successful attack. Augmenting preventative measures with threat detection and response that leverages correlated information and analytics from all possible attack vectors provides the enterprise with unprecedented protection and assurance against the inevitable successful phishing ruse.

Read Also

The Realities of Cybersecurity

Doug Mullarkey, CIO, First Choice Loan Services Inc.

The Critical Future of Identity and ACCESS MANAGEMENT

Joseph Carson, Head of Global Strategic Alliances, Thycotic

3 things CIOs and CISOs Need to Know to Keep their Company Secure

Malcolm Harkins, Chief Security and Trust Officer, Cylance