It’s time to challenge conventional thinking about phishing defence and recognise that traditional approaches are not enabling us to better defend against the real threats.
The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks. Organisations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training.
Despite these efforts, the threat has not receded – in fact, it’s become more sophisticated and more effective. It’s time for organisations to accept some uncomfortable truths about routine approaches to phishing defence and think differently, understanding that real phish are the real problem.
Uncomfortable truth #1: no matter how good your perimeter defences, phishing emails are still reaching your inbox
Technology does not, and cannot, stop all phishing emails. Email gateway technologies do a good job stopping known threats, but as defensive technologies become more pervasive, threat actors simply evolve their tactics and techniques to neutralise them.
While some of these tactics and techniques pit technology against technology – such as sandbox evasion or IP- or geolocation-aware malware – many are surprisingly low tech. Some of the more prevalent tactics include the abuse of cloud file-sharing services, such as Dropbox, and content delivery networks to host or redirect to malicious content. This is done in the knowledge that these services cannot be routinely blocked, as they are often used for legitimate business purposes, and that malicious content hosted within them cannot be easily analysed or detected by inline security technologies. One in seven emails reported to the Cofense Phishing Defence Centre by two million end-users contains some form of malicious content. Every one of these emails has bypassed one or more layers of perimeter controls and been delivered to a user’s inbox.
Uncomfortable truth #2: you cannot defend against attacks you cannot see
Security technologies do a great job of telling us about the threats that they have stopped. Unfortunately, they do a poor job of alerting us to the threats that they let through. For any Operational Security team, visibility is key. To be able to mitigate an attack, they must be able to see it and understand it.
Uncomfortable truth #3: the best security awareness programme in the world will never deliver a zero click-rate
Organisations are beginning to accept that phishing threats reach user inboxes and that these users will be tempted to click on them. To address this, significant investments are made in awareness activities, including phishing simulation, with the primary goal or success metric being a reduction in susceptibility, or click-rate.
But while reduction in overall click-rate is a desirable benefit of phishing awareness and simulation activity, it should not be considered the primary objective. When reviewing data based on more than 2,000 enterprise customers using the Cofense PhishMe™ phishing simulation platform, average susceptibility or click-rate over the last two years has flattened at about 11.5 per cent.
Imagine a phishing attack that targets 1,000 employees in the same organisation (attacks such as this are common). With an average susceptibility rate of 11.5 per cent, this attack likely results in 115 sets of compromised credentials or 115 endpoints infected with malware. Even an industry-leading susceptibility rate of 3 per cent results in 30 sets of compromised credentials or infected endpoints – more than enough to cause significant disruption and damage. And if security teams are not aware of the attack, they cannot stop it. Is this acceptable?
Uncomfortable truth #4: users are NOT the problem
It’s long been said that IT problems are a result of ID10T – or that the Problem Exists Between Keyboard and Chair (PEBKAC). As Alexander Pope once wrote, “To err is human.” It’s true, we do make mistakes. However, we also have an innate sense when things just don’t seem right.
So rather than try to cut our users out of the loop and attempt to use technology to keep us safe from phishing threats, we must exploit this natural intuition or gut feeling. We have to recruit our users into an army of human sensors to provide visibility to phishing attacks that have made it to the inbox. After all, if the user doesn’t tell us, nothing will.
In a phishing defence context, phishing simulations should never be used to test our users – phish testing is a red team activity. Phishing simulation must be used to keep the threat of phishing front and centre in users’ minds and keep them conditioned to constantly evolving threat actor tactics and techniques – particularly those that we see being used against our organisations. When a user recognises something as suspicious, we must make it easy for them to report it. A single click of a button within the email client ensures that there is no process to forget, and it makes it clear that we want our users to report.
Uncomfortable truth #5: most organisations are unable to effectively respond to phishing attacks
The continually evolving phishing threat landscape and the volume of unsolicited spam email makes analysis of user-reported phishing emails hard. It is difficult for already stretched SOC teams to maintain an up-to-date depth of knowledge to enable effective threat analysis.
Simply sending a file to a sandbox or checking online threat-analysis tools and databases is not good enough. SOC teams and threat analysts must be able to consume reports of suspicious emails from users and turn them into actionable intelligence quickly.
This means they must be able to prioritise what is being reported in order to cut through the noise of false positives, such as legitimate marketing or internal emails, and be given automatic risk guidance based on: the attributes of the email content and any attachments; the status of the reporting user (are they high-risk employees with access to sensitive information or processes?); the reputation of the reporting user (have they demonstrated an ability to identify and report suspicious emails in the past? This is essential for prioritising zero-day threats); and information from any threat-analysis integrations, such as VirusTotal or sandboxes.
Once a threat is analysed and understood, SOC teams need to be able to quickly hunt for the threat within all user mailboxes and quarantine it when found. In addition, they must be able to communicate IOCs to other teams, such as those responsible for proxies, mail gateways and endpoint security tools, to take further defensive or mitigating actions, and they must close the loop by providing timely feedback to users to encourage further reporting behaviour, thus supporting awareness activities.
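As an added illustration of the response workflow in the preceding paragraphs, the following Python example scores user-reported emails on the attributes listed above (content and attachments, reporter status, reporter reputation, threat-intel hits, marketing noise), orders the analyst queue, extracts IOCs from the top report and hunts for matching messages across a set of mailboxes, flagging them for quarantine. This is example code written for this page, not Cofense product code or anything from the original article; the file-sharing host list, risky-extension list, score weights, the threat-intel stub and all sample reports, reporters and mailboxes are constructed assumptions.

```python
"""Triage and response pipeline for user-reported phishing emails.

Added example for this page, not Cofense code. Host lists, weights, the
threat-intel stub and all sample data below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cloud file-sharing hosts that cannot be blanket-blocked (assumed list).
FILE_SHARING_HOSTS = {"dropbox.com", "www.dropbox.com", "drive.google.com"}
# Attachment extensions treated as high risk (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed URL used by the sample data and the threat-intel stub.
BAD_URL = "https://www.dropbox.com/s/abc123/Invoice.pdf.exe"


@dataclass
class Report:
    report_id: str
    reporter: str
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Reporter:
    high_risk: bool    # has access to sensitive information or processes
    reputation: float  # share of past reports confirmed malicious (0..1)


def threat_intel_verdict(url: str) -> str:
    """Stub standing in for a VirusTotal/sandbox lookup (constructed)."""
    return "malicious" if url == BAD_URL else "unknown"


def extract_urls(text: str) -> list:
    return URL_RE.findall(text)


def score_report(report: Report, reporter: Reporter):
    """Return (score, reasons); a higher score means analyse first."""
    score, reasons = 0, []
    for url in extract_urls(report.body):
        host = urlparse(url).hostname or ""
        if host in FILE_SHARING_HOSTS:
            score += 20
            reasons.append(f"link to file-sharing service {host}")
        if threat_intel_verdict(url) == "malicious":
            score += 50
            reasons.append(f"threat-intel hit on {url}")
    for name in report.attachments:
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            score += 30
            reasons.append(f"risky attachment {name}")
    if reporter.high_risk:
        score += 15
        reasons.append("reporter holds a high-risk role")
    # A reporter with a good track record raises priority even without an
    # intel hit; this is what surfaces zero-day lures.
    score += int(25 * reporter.reputation)
    if "unsubscribe" in report.body.lower():
        score -= 20  # likely marketing noise
        reasons.append("looks like marketing mail")
    return max(score, 0), reasons


def prioritise(reports, directory):
    """Order the report queue by descending score; returns report ids."""
    scored = [(score_report(r, directory[r.reporter])[0], r) for r in reports]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [r.report_id for _, r in scored]


def iocs_from(report: Report) -> dict:
    """IOCs to hunt with and to hand to proxy, gateway and endpoint teams."""
    return {"senders": {report.sender},
            "urls": set(extract_urls(report.body)),
            "attachments": set(report.attachments)}


def hunt_and_quarantine(mailboxes: dict, iocs: dict) -> list:
    """Flag every copy of the threat across all mailboxes; returns hits."""
    hits = []
    for owner, messages in mailboxes.items():
        for msg in messages:
            if (msg["sender"] in iocs["senders"]
                    or set(extract_urls(msg["body"])) & iocs["urls"]
                    or set(msg["attachments"]) & iocs["attachments"]):
                msg["quarantined"] = True
                hits.append((owner, msg["id"]))
    return hits


# Constructed sample data: two reporters, three reports, two mailboxes.
SAMPLE_REPORTERS = {"finance.user": Reporter(high_risk=True, reputation=0.8),
                    "new.hire": Reporter(high_risk=False, reputation=0.0)}
SAMPLE_REPORTS = [
    Report("r1", "finance.user", "billing@invoice-portal.example",
           "Overdue invoice", f"Please review: {BAD_URL}"),
    Report("r2", "new.hire", "news@retailer.example", "Weekly deals",
           "Great offers inside. Click to unsubscribe at any time."),
    Report("r3", "new.hire", "hr@corp.example", "Updated policy",
           "See attached.", ["policy_update.docm"]),
]
SAMPLE_MAILBOXES = {
    "alice": [{"id": "m1", "sender": "billing@invoice-portal.example",
               "body": f"Please review: {BAD_URL}", "attachments": []},
              {"id": "m2", "sender": "ceo@corp.example", "body": "Lunch?",
               "attachments": []}],
    "bob": [{"id": "m3", "sender": "someone@else.example",
             "body": f"Link: {BAD_URL}", "attachments": []}],
}


def run_demo():
    """Triage the queue, then hunt with the top report's IOCs."""
    order = prioritise(SAMPLE_REPORTS, SAMPLE_REPORTERS)
    top = next(r for r in SAMPLE_REPORTS if r.report_id == order[0])
    return order, hunt_and_quarantine(SAMPLE_MAILBOXES, iocs_from(top))


if __name__ == "__main__":
    queue, quarantined = run_demo()
    print("queue:", queue)
    print("quarantined:", quarantined)
```

Running the file orders the queue as r1 (file-sharing link, intel hit, high-risk and reputable reporter), then r3 (macro-enabled attachment), then r2 (marketing mail scored down to zero), and the hunt finds the same lure in a second mailbox by URL even though that copy came from a different sender. The reputation weight is what lets a trusted reporter's submission jump the queue when no integration has seen the threat yet.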
Cofense is focused on enabling organisations to stop phishing attacks in their tracks. For an example of how Cofense helped stop a real phishing attack, download our e-book, 19 Minutes.
by David Mount, Director – Sales Engineering, Europe, Cofense