If there is a data breach or some other cybersecurity incident, a phishing attack was probably involved. Over 90 percent of incidents begin with a phishing email. One of the more infamous hacks in recent years, the DNC data breach, was the result of a phishing attack.
Phishing is the number one way organizations are breached, Aaron Higbee, CTO and co-founder of Cofense, told me at Black Hat USA 2018 in Las Vegas. Even though phishing has been a problem for years and most people are aware of what a phishing email looks like, we still fall for them.
Higbee and I discussed why phishing remains so effective and how organizations can improve their anti-phishing defenses. For a full run-through of our conversation, please listen to the accompanying podcast. Here are a few major takeaways:
Targeting the DNC
The Democratic National Committee is like other grassroots organizations. While there are some professional staff at the top, most of the organization is made up of volunteers, juggling their committee work with their day jobs. Most of them use their own smartphones, tablets and laptops. These organizations don’t operate under the IT security controls you find in an enterprise.
Yet, Higbee points out, the DNC was following at least one recommended security practice: multi-factor authentication (MFA) was enabled through Office 365. Instead, the hack happened because someone was sent a document that prompted them to grant permissions to their email account.
“Once they did that, that’s all the attackers needed,” Higbee explains. “They didn’t need to be in forever; they just needed the email messages in order to be disruptive.”
Phishing attempts succeed because the attackers do a lot of legwork to make sure they are hitting the right targets. Before that first phishing email is sent, they have already mapped out who the key players are, who the key fundraisers are, and which organizations will be involved.
In our social media-infused environment, simple diligence is all it takes to gather enough intelligence to impersonate people in positions of power and influence, and to trick others within the organization into following the email’s instructions. “They’re going to come armed with names, email addresses, time zones, to put together the most compelling phishing messages they can use,” Higbee says.
Like all cyberattacks, phishing has evolved over the years. Two years ago, for example, it was very common to receive password-protected zip files. Today, the most common way to weaponize an attachment is through encrypted and encoded scripting embedded in Office documents.
“The other technique that caught people off guard the past two or three years is something known as business email compromise (BEC),” explains Higbee. “What I love about that attack is that there is no attachment or links, so when the security community is zigging the attackers are zagging.”
Using BEC, attackers have found a clever way to impersonate a high-ranking officer inside an organization and convince its finance team to wire out tens of thousands of dollars. This tactic has resulted in $12 billion stolen from companies.
With BEC attacks, attackers skip the “click the malicious link” step and instead take advantage of poor business practices. However, you don’t know you’re being attacked until the email comes in and is opened. So how do you fight against this?
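Because a BEC message carries no link or attachment, the signals are in the headers and the wording. The check below is an added example, not Cofense code or anything from the original post; it scores one message against a hypothetical directory of executives (`EXECUTIVES`, `INTERNAL_DOMAIN` and the sample messages are all constructed for the example) using the indicators the interview describes: a borrowed executive display name, an outside sender domain, a redirected Reply-To, and payment or urgency language with nothing to click.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical internal directory (constructed): executives likely to be
# impersonated, mapped to the address they really send from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"
WIRE_WORDS = ("wire", "transfer", "invoice", "urgent", "confidential")

def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    # 1. Executive's display name, but not the address the directory knows.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("display-name impersonation")
    # 2. Claims to be internal but arrives from an outside domain.
    if domain != INTERNAL_DOMAIN:
        findings.append("external sender domain")
    # 3. Reply-To quietly steers answers to a different mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to mismatch")
    # 4. Payment/urgency wording with no URL and no attachment: the BEC pattern.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(w in text for w in WIRE_WORDS) and "http" not in text \
            and not any(msg.iter_attachments()):
        findings.append("payment request without link or attachment")
    return findings

# Constructed sample: the CEO's name on a free-mail account, replies diverted.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe.ceo@mail-example.net>
To: finance@example.com
Reply-To: jd.private@mail-example.net
Subject: Urgent wire
Content-Type: text/plain; charset=utf-8

I need an urgent wire transfer processed today. Keep this confidential.
"""

# Constructed sample: genuine internal mail from the same executive.
SAMPLE_CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at the team lunch on Friday.
"""
```

In practice the directory and domain list come from the identity provider, and a message that trips several indicators at once is what should be routed to the response team rather than the finance inbox.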
For Cofense, the solution goes beyond classroom security training to hands-on immersion. The goal is to develop the human intuition that spots something different about an email.
“Our prime business is sending simulated phishing emails so employees aren’t caught off guard when they get a real one,” says Higbee. “What we feel like is we need to get people in the moment, show them what a real phishing email looks like inside their inbox and get their mind ready to make split second decisions in the future. It is a surprise test scenario that could come any time during the day.”
The goal is to get people to recognize and then report those phishing attempts. What’s lacking are the tools to catch phishing in real time and keep it from bypassing security filters.
“For so many years security practitioners believed that humans were the weakest link,” says Higbee, “but now they’re seeing they get the best information from people, but they don’t have the tools to respond. That’s the next journey for us, coming up with those tools to work with a real phish in progress.”
–LW’s Sue Poremba contributed to this report.
(Editor’s note: LW has supplied consulting services to Denim Group.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-as-phishers-take-aim-at-elections-why-not-train-employees-to-serve-as-phishing-police/