Sophisticated, nation-state attacks on prominent federal agencies tend to capture the majority of cybersecurity headlines. But security pros know the greater risk to their organizations comes from a more mundane, but more prevalent threat: email phishing attacks.
In fact, in a September 2020 GreatHorn survey of 1,123 U.S. users, 38% of respondents reported that a co-worker or peer had fallen victim to phishing in the past year. And 53% said they had seen an increase in phishing since the start of the COVID-19 pandemic.
Phishing isn’t new. And its tactics, which are relatively straightforward, haven’t changed. So why haven’t deep-pocketed security vendors and the latest intelligent technologies been able to defeat it?
Because phishing hinges on human interaction, in all its infinite variety. And while technology-based solutions are necessary for reducing phishing-related breaches, they aren’t sufficient for enabling chief information security officers (CISOs) to finally gain the upper hand on phishing attacks.
What’s needed is a new way of thinking about and defending against phishing. That transformative approach involves understanding the phishing kill chain – and then implementing compensating controls to break that chain and protect your organization against phishing exploits.
The Three Phases of Phishing
A decade ago, Lockheed Martin developed the concept of a cyber kill chain that divides an attack into distinct steps. For phishing, the kill chain can be simplified to three phases: Vectors, Delivery and Exploitation:
The Vectors phase covers the threats inherent to email itself: malware, malicious links and unauthenticated mail.
Email is an open, store-and-forward system whose core protocol hasn’t changed much in decades. Authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) have been bolted onto it. But they don’t change the fact that for email to be useful it must accept mail from strangers, so it can’t be locked down and remains open to attack.
In the Vectors phase, attackers probe the target for weaknesses such as misconfigured SPF, DKIM or DMARC settings: an SPF record that ends in “+all” or “?all”, a DMARC policy of “p=none”, or no DMARC record at all. Any of these lets forged sender addresses or unauthorized mail servers through without a rejection.
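The following script is an added example for this article, not code from the author or any vendor. It audits SPF and DMARC TXT records for exactly the weaknesses listed above. The records are constructed and served from an in-memory dict so it runs offline; in production you would replace that dict lookup with a real DNS TXT query for the domain and for `_dmarc.<domain>`.

```python
"""Audit SPF and DMARC records for the weaknesses a phishing crew probes for.
Added example for this article; the sample records are constructed, not real domains."""
import re

# Constructed TXT records, keyed by the DNS name they would be published at.
# In production, replace the dict lookup with a real DNS TXT query.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ?all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "hardened.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                               "rua=mailto:dmarc@hardened.example",
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record):
    """Return a list of findings for one SPF record (an empty list means nothing found)."""
    if record is None:
        return ["no SPF record: any host may send mail as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The last 'all' term decides what happens to hosts not matched earlier.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral: forged senders are not rejected")
        elif qualifier == "~":
            findings.append("'~all' is softfail only: most receivers will not reject on it")
    # Exceeding the lookup limit is a permanent error, so the record stops working.
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: permerror")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of findings for one DMARC record."""
    if record is None:
        return ["no DMARC record: SPF and DKIM failures trigger no policy at all"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: forged mail is reported but never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never learn who is spoofing the domain")
    return findings


def audit_domain(domain, records=SAMPLE_RECORDS):
    """Audit one domain using the given TXT records (a stand-in for DNS lookups)."""
    return {
        "spf": audit_spf(records.get(domain)),
        "dmarc": audit_dmarc(records.get("_dmarc." + domain)),
    }


if __name__ == "__main__":
    for name in ("example.com", "hardened.example", "unlisted.example"):
        print(name, audit_domain(name))
```

Run it against your own domains (and the lookalike domains you do not own) and treat every finding as a gap an attacker can use in the Vectors phase. The DKIM side is not covered here because a DKIM selector has to be known before its key can be fetched, and that information lives in the message headers rather than at a predictable DNS name.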
Those vector vulnerabilities create the opportunity for the Delivery phase, in which attackers deliver malware or malicious links, or engage in social engineering to gain user trust.
In spear phishing, the lure can be highly customized. Let’s say attackers impersonate your CEO to target your CFO. They might glean details about the CEO on LinkedIn, capture personally identifiable information (PII) from the dark web, and discover that she’s on vacation through Instagram.
That leads to the Exploitation phase, where attackers deceive users into taking an action such as downloading an attachment, clicking a link, sharing data or transferring funds.
In our example, the attackers might email your CFO from a Gmail account that uses your CEO’s maiden name. And they might instruct the CFO to transfer company funds to a bogus account. Note that such a message passes SPF, DKIM and DMARC cleanly, because it really was sent by Gmail; authentication vouches for the sending domain, not for the person behind the mailbox. With a few keystrokes, the duped CFO can expose your enterprise to serious financial and legal harm.
Where Traditional Email Security Falls Short
Understanding the phishing kill chain is important, because it exposes the limitations of traditional email security – and points to a much more effective solution.
The typical approach to email security has been detection-based. Security software looks for known bad things, such as a piece of malware or a link to a malicious website. But that fails against malware it hasn’t seen before, or against a site that looks legitimate when it is scanned but is later fitted out with a credential-harvesting phishing kit.
Similarly, some security vendors apply machine learning (ML) and other forms of artificial intelligence (AI) that they claim can thwart phishing attacks. But no matter how sophisticated their algorithms, they’ll never stop a hoodwinked CFO from transferring funds to a fraudulent account.
A third traditional security tool is user training. But even the best training simply provides information to users at a fixed point in time, with the hope they remember and act on their knowledge when a threat appears. Training offers no protections at the specific moment users face a phishing attack.
The Power of Compensating Controls
Malware detection, ML and user training all have their place in email security. But they obviously come up short, or organizations wouldn’t still be falling victim to phishing.
The solution? Implement compensating controls that provide users with in-the-moment engagement and guidance to break the phishing kill chain.
The concept of compensating controls originates in accounting and auditing. The idea is that while certain activities can’t be rendered risk-free, compensating controls can reduce the risk to an acceptable level. For example, your CFO has to be able to transfer funds. But you might establish a compensating control that transferring more than $1 million at a time requires CEO approval.
For email security, compensating controls take a variety of forms. If the CFO is emailed a known malicious file, the email is automatically removed from his inbox. If the file is potentially malicious, it might be quarantined until the CFO asks for it to be released. If an embedded link leads to a data-input form, the CFO might be redirected to a safe page that asks him if he’s sure he wants to proceed.
If the sender’s domain name is similar to but not an exact match for a domain name the CFO typically interacts with, he might get a pop-up warning. If the sender is someone the CFO has never interacted with before, he might get a red alert. If it’s someone others in the organization have interacted with, he might get a yellow alert. If the CFO takes an unsafe action, he might automatically be enrolled in a security refresher course.
And so on. The compensating controls are effective because they’re applied at every phase of the phishing kill chain, they take a variety of forms, they’re specific to each user’s situation and they’re delivered at the moment of attack.
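As an added example for this article, not code from the author or from any product, here is a small triage function that applies the controls just described to one inbound message: remove on a known-bad attachment hash, warn on a sender domain that merely resembles a domain the organization deals with (typosquats and ASCII homoglyphs such as “rn” for “m”), interpose a confirmation page when a link leads to a data-entry form, and grade an unfamiliar sender as yellow or red depending on whether anyone else in the organization has corresponded with them. The trusted domains, contact history, attachment hash and homoglyph table are all constructed; the edit-distance threshold of 2 is an assumed tuning value.

```python
"""Apply in-the-moment compensating controls to an inbound message.
Added example for this article; every data value below is constructed."""
import hashlib
from dataclasses import dataclass

# Constructed organization data. A real deployment derives these from the
# mail gateway's sending history and the company's own domain inventory.
TRUSTED_DOMAINS = {"example.com", "bank.example", "supplier.example"}
CONTACT_HISTORY = {  # recipient -> senders they have exchanged mail with before
    "cfo@example.com": {"ceo@example.com", "ap@supplier.example"},
    "ap@example.com": {"billing@bank.example", "ap@supplier.example"},
}
# Hash of a constructed sample, standing in for a threat-intel list of known-bad files.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}
# ASCII look-alike substitutions seen in registered typosquat domains.
# Unicode confusables would need IDNA decoding first and are not handled here.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


@dataclass
class Message:
    sender: str
    recipient: str
    attachment_sha256: str = ""
    links_to_form: bool = False  # set by a link crawler that found a credential form


def normalize(label):
    """Collapse homoglyph substitutions so 'exarnple' compares equal to 'example'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that 'domain' imitates, or None if it is exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(msg):
    """Return (action, reason) for one message.
    Controls are checked from most to least severe, so the first match wins,
    and every path ends in a decision the user sees at the moment of delivery."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if msg.attachment_sha256 in KNOWN_BAD_SHA256:
        return "remove", "attachment matches a known-malicious hash"
    imitated = lookalike_of(domain)
    if imitated:
        return "warn", f"sender domain {domain} resembles {imitated}"
    if msg.links_to_form:
        return "interstitial", "link leads to a data-entry form; confirm before continuing"
    if msg.sender in CONTACT_HISTORY.get(msg.recipient, set()):
        return "allow", "known correspondent"
    if any(msg.sender in seen for seen in CONTACT_HISTORY.values()):
        return "yellow", "first contact for this user, but others in the organization know the sender"
    return "red", "sender never seen anywhere in the organization"


if __name__ == "__main__":
    # The article's scenario: the "CEO" writes from a never-seen Gmail address.
    print(triage(Message("jane.smith@gmail.com", "cfo@example.com")))
    print(triage(Message("ceo@exarnple.com", "cfo@example.com")))
```

Note that the Gmail impersonation in the article’s scenario is caught by the familiarity check, not by any lookalike or authentication logic: the message is technically clean, so the only signal is that this sender has never written to anyone here. The lookalike threshold needs tuning per organization, since short domains two edits apart from each other can be unrelated.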
The goal is to break the kill chain as early in the process as possible. But, as long as you break the chain before the user takes action – downloading a file, clicking a link, sharing information or transferring funds – the phishing attack fails.
Bad actors will never give up on their phishing campaigns. And detection-based security, even when it’s built on ML, will never defend against social engineering. But by understanding the phishing kill chain and implementing compensating controls, organizations can meaningfully reduce their email security risks and finally get a handle on phishing.