4 Phishing Protection Gaps that SEGs Cannot Address

A Markets Insider article cited a Cofense report (2019 Phishing Threats and Malware Review) that highlighted some interesting, though not surprising, findings. Some of the key takeaways from the Cofense report:

  • Between October 2018 and March 2019, 31,429 total threats were reported by end users after delivery to the inbox, which included 23,195 via credential phishing; 2,681 via business email compromise (BEC); 4,835 via malware delivery; and 718 via other scams.
  • Ninety percent of the malicious emails verified by the Cofense PDC during this period were found in environments running one or more SEG (Secure Email Gateways).
  • Threat actors are innovating relentlessly and are constantly refining their tactics, techniques, and procedures (TTP’s) as they develop new delivery mechanisms, phishing techniques, and ways to get around network defense technologies.
  • Technologies like email gateways can’t keep pace with the speed of threat actors’ “product development”. SEG’s play a key role in phishing defense, but they are not infallible. The report identifies SharePoint, OneDrive and ShareFile as some of the most abused cloud providers, and also states that threat actors use geo-location to help prevent analysis by security tools or human researchers, enabling malware to slip through a SEG’s defenses.
  • When the phishing threats analyzed in this report land in users’ inboxes, the human factor becomes decisive. It’s imperative to educate users through on-going phishing awareness programs and encourage them to report suspicious emails to their security team.

The third and fourth of these key findings point directly to the fact that threat actors are getting much more sophisticated and finding new TTPs that enable them to evade SEG detection. They are also bypassing SEGs altogether by using attack vectors beyond email. While SEG’s play a key role in any multi-layer phishing defense strategy (as mentioned) they cannot catch all threats and they are not designed to prevent threats from attack vectors they can’t even see, including:

  1. Phishing attacks outside the corporate inbox. The classical paradigm has been an email with a link to a fake log-in page. But what if that email is in their personal email? Also, there’s many new digital communication channels available, providing new attack vectors out of reach of the SEG. Phishing has spread beyond email to social media, SMiShing (text), advertisements, messaging apps, and search results.

Fake log-in pages are no longer the only game in town. HTML phishing can be delivered straight into browsers and apps, bypassing infrastructure (SEG, NGAV, AEP), evading URL filtering, and domain reputation analysis methods. Bad actors have become sophisticated, and despite all the user training, employees have difficulty spotting fakes most of the time.

  1. There’s little or no zero-hour (previously unknown) phishing site detection capabilities. Phishing emails today look harmless and often piggyback on existing reputable brands. The links look legitimate, but often follow a series of web redirection before the final phishing page is revealed to the user. The amount of damage that a sophisticated phishing attack can inflict before it ends up on a blacklist or known threat database is enormous. By the time traditional threat blacklists are updated, the bad actors have likely moved on and changed tactics. Simply put, anything short of real-time phishing protection is simply not enough in today’s fast-moving threat landscape.
  2. SEGs can’t protect against multi-stage phishing attacks. In this type of phishing attack, the bad guys lead a user through multiple steps that require human interaction such as pop-ups. These block SEGs from detecting the ultimate threat. At SlashNext, we have uncovered this and identified quite a few complex (but not uncommon) evolving patterns that our anti-phishing solutions can detect but a SEG and other phishing site detection technologies can’t see.
  3. SEGs can’t prevent users from downloading rogue browser extensions or apps. Rogue browser extensions often deliver promised functionality, but also serve as keyloggers and surveillanceware. They are often promoted through ads, thus bypassing detection by SEGs. And as part of a trusted application (the browser) and running entirely in memory, rogue browser extensions typically evade detection by NGAV.

The final key takeaway from the Cofense report touches on the need for human (employee) intelligence. An Osterman Research report we commissioned found that humans are the weak link in the security chain. The survey found that three percent of users are never trained on detecting phishing and security threats, 30 percent receive training only once per year, and another 21 percent are trained only twice per year. Overall, more than half of users receive minimal or no training on how to deal with the myriad of security threats they encounter very regularly. While we certainly recommend employee training, it simply isn’t enough!

SlashNext helps organizations close the gaps in their existing defenses against today’s—and tomorrow’s—more advanced phishing and social engineering threats. SlashNext provides IT security teams with a range of anti-phishing technologies, including remote user phishing protection, phishing incident response, and threat hunting solutions to protect users, both inside and outside network perimeter protections.

Our Agentless Phishing Defense is the industry’s broadest, most up-to-the-minute intelligence on phishing threats. It is powered by our patented SEERTM threat detection technology, which uses virtual browsers in a purpose-built cloud to dynamically inspect site contents and behavior. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives. Not limited to detection of fake log-in pages, SlashNext covers all six major categories of phishing and social engineering threats–credential stealing, scareware, rogue software, phishing exploits, social engineering scams, and phishing callbacks (C2s).

See for yourself. We encourage you to request a demo to learn more about how SlashNext can protect your employees from phishing attacks that make it through, or bypass, you SEG.


*** This is a Security Bloggers Network syndicated blog from SlashNext authored by Lisa O'Reilly. Read the original post at: https://www.slashnext.com/blog/4-phishing-protection-gaps-that-segs-cannot-address/