For the uninitiated, the term “phishing” refers to an attack methodology that uses email to trick victims into eventually giving up sensitive information through what appears to be legitimate content such as an attachment or website link. A more focused variant is “spear phishing,” which differs in that the email is highly targeted at one specific individual or group. (In this post, I will use “phishing” to mean any variant of this kind of attack.) The vulnerability that makes an organization susceptible to phishing is its human users – who are also among the more difficult pieces of the security apparatus to “patch.”
Phishing remains one of the most common and effective means for an attacker to gain initial access to their victims’ environments. Verizon’s 2015 Data Breach Investigation Report (DBIR) indicated that for two years running, phishing was a component of more than 66% of espionage-related attacks and 95% of attacks attributed to nation-state actors.
Phishing is pervasive for one simple reason: it works. Again referencing the Verizon report, 23% of phishing targets open the message, and 11% click the attachments – not a good track record at all. Since it is not feasible to stop these attacks by technical means, we must rely on the targets themselves – humans – to mitigate their effectiveness. As long as an attacker can get a single human to do something as simple and common as opening an attachment or clicking on a link, the victim organization’s array of security technology has already failed. Attackers change tactics such as specific URLs, phishing ruses, and individual targets rapidly and easily – often dozens or hundreds of times per day. This makes technologies that seek to straight-out “prevent” phishing attacks woefully ineffective, as updating signatures simply can’t keep pace with the attackers.
So where does this leave us? The answer lies in minimizing the chances that a threat will be realized and maximizing the quality of the response when it eventually is. In the case of phishing, this means ongoing user education and awareness, application control, and fast, effective detection.
Train Your Employees. Then Train Them Again.
It bears repeating that users are the key means to defeat phishing. When they can quickly and accurately distinguish a phishing email from a legitimate message, the attacker loses outright. Services such as PhishMe seek to educate users and give them tools to report suspected phishing emails, allowing the victim organization’s security team to respond as needed to true phishing messages.
Limit The Execution, Limit The Risk
From a technical perspective, application control solutions like that offered by our partner Carbon Black are absolutely the single most meaningful step toward prevention that an organization can take. This methodology ensures that only a list of approved binaries can run on the systems within an enterprise. Whether the phishing payload is garden-variety ransomware or highly-targeted custom malware, the price of becoming a victim generally reaches far beyond that of deploying and maintaining a whitelisting solution.
Continuous Monitoring, Detection, and Response
No solution is 100% effective. Organizations that regularly educate employees and run application control in their environment are still susceptible to threats. For these organizations (or really any organization), the best way to improve your overall IR game is to take decisive action as soon after the event as possible. In the phishing game, this means quickly and accurately detecting malicious links visited, attachments opened, and the downloads that result. We built Red Canary as a high-value, low-cost solution that makes world-class endpoint detection and response technology available to organizations of any size. When a user does click on a phishing email, we exist to quickly detect the resultant activity and support our customers with the intelligence and tooling they need to conduct a solid cleanup without delay.
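The two technical controls described above, the application-control allowlist and post-click detection, can be illustrated together with a small detector run over endpoint process-start events. The following Python is an added example, not Red Canary’s or Carbon Black’s code; the event schema, the hash values, the file paths and the allowlist entries are all constructed for the illustration. It applies three checks to each event: the binary’s hash is not on the approved list (application control should have blocked it), a mail client or document viewer spawned a script host (the footprint of a malicious attachment), and the running image lives in a user-writable download or attachment-cache directory (the download that resulted from the click).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record as an endpoint sensor might emit it (constructed schema)."""
    host: str
    user: str
    parent_image: str
    image: str
    sha256: str


# Constructed allowlist. In a real deployment this is the application-control policy:
# the hashes (or signed publishers) the organization has explicitly approved.
APPROVED_SHA256 = {
    "a" * 64: "outlook.exe (approved build)",
    "b" * 64: "winword.exe (approved build)",
    "c" * 64: "powershell.exe (approved build)",
    "d" * 64: "chrome.exe (approved build)",
}

# Programs that render content that arrived by email or from the web.
CONTENT_HANDLERS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                    "acrord32.exe", "chrome.exe"}
# Script hosts that a malicious document or link typically launches next.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# User-writable locations where attachments and downloads land (assumed Windows layout).
DROP_DIR_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\",
                    "\\inetcache\\", "\\content.outlook\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the detection reasons that fire for one event; an empty list means nothing suspicious."""
    reasons: List[str] = []
    parent, child = basename(event.parent_image), basename(event.image)
    image_lower = event.image.lower()

    # 1. Application control: an unapproved binary should never have started. If it did,
    #    enforcement is off or the policy has a gap, and either way it warrants a look.
    if event.sha256 not in APPROVED_SHA256:
        reasons.append(f"unapproved binary {child} ({event.sha256[:12]}...)")

    # 2. Process lineage: Outlook, Word, Acrobat or a browser spawning a script host is the
    #    classic post-click footprint, whatever the specific lure or payload was.
    if parent in CONTENT_HANDLERS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned script host {child}")

    # 3. Execution from a drop directory: the file the user downloaded or opened is now running.
    if any(marker in image_lower for marker in DROP_DIR_MARKERS):
        reasons.append(f"execution from user-writable drop location: {event.image}")

    return reasons


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Keep only the events that fire at least one reason, preserving sensor order."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry: two benign starts and two that a responder should see at once.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    # Benign: the user opens an attachment in an approved build of Word launched by Outlook.
    ProcessEvent("ws01", "jdoe", OFFICE + r"\OUTLOOK.EXE", OFFICE + r"\WINWORD.EXE", "b" * 64),
    # Suspicious: the document then launches PowerShell (approved binary, wrong parent).
    ProcessEvent("ws01", "jdoe", OFFICE + r"\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "c" * 64),
    # Suspicious: a downloaded executable with no allowlist entry runs from Downloads.
    ProcessEvent("ws02", "asmith", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Users\asmith\Downloads\Invoice_2015.pdf.exe", "e" * 64),
    # Benign: Explorer starts Chrome normally.
    ProcessEvent("ws02", "asmith", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", "d" * 64),
]


if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(f"[{event.host}/{event.user}] {basename(event.image)}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample set the detector surfaces exactly the two post-click events and stays quiet on the two legitimate ones. The lineage check fires even though powershell.exe is an approved binary, which is the point: application control decides what may run, while detection asks whether this run makes sense given who started it and from where, and both are needed once a user has clicked.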
Phishing isn’t going away. No company is too small, and neither industry nor geography insulates anyone. Ensure that your organization has a clearly defined strategy including training, prevention, detection and response. It is through this type of awareness and planning that we will mature our defenses against phishing attacks and slash the effectiveness of future campaigns.