by Wesley Hamrick
Verizon Enterprise Solutions
The Verizon Data Breach Investigations Report (DBIR) has consistently shown that the number one threat to companies is malicious code injected via successful phishing attacks. It’s number one in 2016. It was number one in 2015. It was number one in 2014. And so on, and so on. So if a company were to target one vector and one solution to fix above all others, it would be phishing.
Easier said than done.
Successful phishing attacks exploit vulnerabilities and weaknesses in hardware, software, people and processes. At the outset, they use data acquired through other means to engage in social engineering attacks against authorized users. They use “legitimate” channels of communication – email, text, etc. – to further their objectives. They can use stolen or compromised accounts or credentials, spoofed or faked email addresses, or other indications of validity to trick users into clicking on or otherwise taking action in response to the communication.
The fraudsters lie, cheat, steal, cajole, and hack to get in and to get the user to click a link, go to a website, install software, provide information or otherwise respond. These attacks can be as simple as installing clickbait, or as targeted and sophisticated as spear phishing (email that appears to come from someone you know) or whale phishing (emails targeted at company executives). Just as the attacks are layered and sophisticated, the defenses need to be as well.
Many phishing defenses rely on technology. They block email from known spammers or known “bad” email addresses. They filter, block and quarantine communications from suspicious sites, or which contain suspicious content or links. Email links are disabled by default, executables are not supposed to run on a clean system, and known bad IP addresses are not supposed to be resolved.
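To make the technology layer concrete, here is an added example (not code from the article or from Verizon) of the three checks just described applied to a raw RFC 822 message with Python's standard `email` module: a blocklisted sender domain, a link whose host is outside an allowlist, and an executable attachment. The blocklist, allowlist, extension list and both sample messages are constructed placeholders for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed policy data: placeholders, not a real blocklist or allowlist.
BLOCKED_SENDER_DOMAINS = {"known-bad.example"}
TRUSTED_LINK_DOMAINS = {"corp.example"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def text_bodies(msg: Message):
    """Yield decoded text of every text/plain and text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8",
                                     errors="replace")


def link_hosts(msg: Message) -> set:
    """Hostnames of all http(s) URLs found in the message bodies."""
    hosts = set()
    for body in text_bodies(msg):
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def is_trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_message: str):
    """Return ("quarantine", reasons) or ("deliver", []) for a raw message."""
    msg = message_from_string(raw_message)
    reasons = []
    domain = sender_domain(msg)
    if domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain} is blocklisted")
    for host in sorted(link_hosts(msg)):
        if not is_trusted_host(host):
            reasons.append(f"link to untrusted host {host}")
    for name in attachment_names(msg):
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment {name}")
    return ("quarantine", reasons) if reasons else ("deliver", [])


# Constructed sample: blocklisted sender, untrusted link, executable attachment.
PHISH_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@known-bad.example>
To: user@corp.example
Subject: Password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Reset it at http://login-reset.example/verify now.
--b1
Content-Type: application/octet-stream; name="reset.exe"
Content-Disposition: attachment; filename="reset.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: internal sender, link on an allowlisted host, no attachment.
CLEAN_SAMPLE = """\
From: Alice <alice@corp.example>
To: user@corp.example
Subject: Lunch menu
Content-Type: text/plain

This week's menu is at https://intranet.corp.example/menu
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, classify(raw))
```

Note what this filter cannot see, which is the point of the next paragraph: a message sent from a compromised account inside `corp.example`, with no attachment and a link hosted on an allowlisted domain, passes every check above and is delivered.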
But much of that is in theory. You see, phishing attacks are dynamic and ever-changing. The goal of the phisher is to get in without being noticed. The phisher takes into account these known technology defenses. Phishing mail will originate from a trusted IP address and email account, with a compelling subject line, and the link will not self-execute. The malware will approximate “normal” behavior to avoid detection. The IP address may be spoofed, proxied or from an anonymous source.
At heart, phishing is a human problem exacerbated by and potentially solved by humans. Humans presented with phishing attacks are often easily deceived. And the phishing attacks come back and in greater numbers. The problem is that users who are the primary vehicle for phishing are poorly trained. By that, I mean that we “check the box” that the user sat through a 15 to 50 minute slide show or video extolling the harms of phishing, and then answered a few random multiple choice questions about the problem. Even when effective, such training has a shelf-life of maybe a few weeks.
Anti-phishing awareness is best when coupled with a bit of “light touch” testing. A corporate-sponsored phishing attempt can redirect those who click links back to the training program as a refresher. If it is not reinforced, it won’t be remembered.
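The "light touch" test described above needs only a small amount of plumbing: each enrolled user gets a unique, unguessable tracking token in the simulated message's link, the first click is recorded, and the click is answered with a redirect to the refresher training. The following is an added example of that plumbing (not from the article or Verizon); the training URL, user names and the `Campaign` class are assumptions for illustration, and a real deployment would put `handle_click` behind a web handler that turns the returned status into an HTTP response.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Assumed destination for the refresher; placeholder, not a real URL.
TRAINING_URL = "https://training.corp.example/phishing-refresher"


@dataclass
class Campaign:
    """One corporate-sponsored phishing simulation."""
    name: str
    tokens: Dict[str, str] = field(default_factory=dict)   # token -> user
    clicks: Dict[str, datetime] = field(default_factory=dict)  # user -> first click

    def enroll(self, users) -> None:
        """Issue a random per-user token so links identify the clicker without
        exposing the user name in the URL (and cannot be guessed)."""
        for user in users:
            self.tokens[secrets.token_urlsafe(16)] = user

    def link_for(self, user: str) -> str:
        token = next(t for t, u in self.tokens.items() if u == user)
        return f"https://mail-check.corp.example/verify?t={token}"  # assumed

    def handle_click(self, token: str,
                     when: Optional[datetime] = None) -> Tuple[int, Optional[str]]:
        """Record the click and send the user to the refresher.

        Returns (http_status, redirect_location). Unknown tokens get 404 so
        scanners probing random tokens learn nothing and are not counted."""
        user = self.tokens.get(token)
        if user is None:
            return 404, None
        # Only the first click counts; repeat visits must not inflate the rate.
        self.clicks.setdefault(user, when or datetime.now(timezone.utc))
        return 302, TRAINING_URL

    def click_rate(self) -> float:
        enrolled = len(set(self.tokens.values()))
        return len(self.clicks) / enrolled if enrolled else 0.0

    def refresher_roster(self):
        """Users to route back through training, in order of first click."""
        return [u for u, _ in sorted(self.clicks.items(), key=lambda kv: kv[1])]


def run_demo() -> Campaign:
    """Constructed scenario: four users, two click, one repeat, one bad token."""
    c = Campaign("q3-password-reset")
    c.enroll(["alice", "bob", "carol", "dave"])
    tok = {u: t for t, u in c.tokens.items()}
    c.handle_click(tok["bob"], datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc))
    c.handle_click(tok["dave"], datetime(2016, 6, 1, 9, 5, tzinfo=timezone.utc))
    c.handle_click(tok["bob"], datetime(2016, 6, 1, 9, 9, tzinfo=timezone.utc))  # repeat
    c.handle_click("not-a-real-token")  # probe from a scanner, ignored
    return c


if __name__ == "__main__":
    camp = run_demo()
    print(f"click rate: {camp.click_rate():.0%}")
    print("send to refresher:", camp.refresher_roster())
```

The two numbers a programme owner wants from each round are the click rate (to see whether reinforcement is working over time) and the roster of who clicked (to trigger the refresher the paragraph describes); keeping the token map separate from the click log also means the same reporting code works for the next round with a fresh enrolment.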
Like everything else in security, it’s a matter of people, processes, technology, and policy. But don’t forget the people because if you forget to teach the people security, they will forget to secure the network.