Dark Reading is part of the Informa Tech Division of Informa PLC



4/7/2021
10:00 AM
Kevin O'Brien
Commentary

5 Ways to Transform Your Phishing Defenses Right Now

By transforming how you approach phishing, you can break the phishing kill chain and meaningfully reduce your business risk.

When I talk with chief information security officers (CISOs) about email security, I often hear something like this:

They have a problem with phishing attacks. So, they buy new security software. But the CEO continues receiving phishing emails, which he forwards to the CISO, demanding to know why they're still experiencing phishing attacks. Then they buy new security software. And so on.

What's that expression about insanity being defined as doing the same thing over and over and expecting different results?

Phishing continues to be a serious business risk. Yet one-third of IT and cybersecurity pros aren't confident employees can spot and avoid phishing attacks in real time, according to a GreatHorn survey. Worse, users fail to identify nearly half of phishing attacks, another study finds.

Traditional email security approaches are ineffective against phishing because phishing relies on social engineering, personal interactions, and human decisions that even the most sophisticated artificial intelligence (AI) can't circumvent.

What's needed is a new approach to protecting against phishing — one that actually lowers the likelihood users will fall victim to phishing attacks and reduces phishing-related business risk. To achieve this, follow these five steps to transform your phishing defenses. 

1. Understand the phishing kill chain.
A kill chain is a military concept for understanding enemy attacks. It divides attacks into distinct phases such as locating, tracking, and engaging with a target.

Like all cyberattacks, phishing involves a kill chain. The phishing kill chain is a three-phase process:

  • Vectors: The Vectors phase concerns the threats that are inherent to email, such as malware, malicious links, and unauthenticated mail. Attackers continuously conduct reconnaissance to find ways to leverage these vectors.
  • Delivery: In the Delivery phase, bad actors deliver malware or malicious links, or engage in the targeted social engineering of spear-phishing to gain user trust.
  • Exploitation: In the final phase of the phishing kill chain, attackers convince targets to take actions such as downloading attachments, clicking links, sharing sensitive data, or transferring money.

By understanding the phishing kill chain, you can defend against attacks more effectively. Breaking the chain at any phase successfully thwarts the attack.

2. Recognize why "caught vs. missed" is a flawed approach.
Traditional email security products are designed to identify problems such as malicious attachments and links, which can offer protection against known issues. But they are less useful against zero-day malware or websites that appeared safe when the email was sent but were later weaponized with credential-harvesting forms. 

While newer security products built around machine-learning (ML) algorithms might appear to be more sophisticated, they still rely on this detection-based approach. Even the best AI can't prevent a member of your finance department from being social-engineered into transferring funds to a fraudulent account. You can continually upgrade to the latest detection software. But the "caught vs. missed" mindset won't improve your resilience against phishing.

3. Focus on the kill chain, not detectors.
Email security's purpose isn't merely to inform you of known bad things. It's to make your organization resilient against security breaches.

Phishing-related security breaches aren't mystical things that just somehow happen. They occur because attackers identify a vector through which they can deliver an attack that drives a user to take an unsafe action.

Phishing involves three elements: attachments, links, and email text. Attachments are binary, either safe or malicious. Links are more pernicious because they could be safe one moment but malicious the next. Email text is the most nefarious because attackers can use it to build trust with users over time and then trick them into taking an action that results in a security breach. You need to build resilience around all three elements.

So, don't concentrate on detectors. Instead, look at each phase of the kill chain, from identifying how attackers can get into your organization to preventing those attackers from reaching their goal.

4. Pay attention to deviations from the norm.
There's an old saying that there are only two types of organizations: those that have been hacked, and those that don't know they've been hacked. Similarly, there are only two types of email messages: those that are malicious, and those that might be malicious.

In analyzing hundreds of millions of emails for large enterprises, we've found that typically 0.1% are definitely malicious, while another 0.8% are statistically anomalous and therefore potentially malicious. You can apply technology controls to remove the known-bad 0.1%. But you don't know which of the remaining 99.9% contain the risky 0.8%. In even a midsize enterprise, that could involve thousands of emails per day.

Therefore, home in on the anomalies: a statistically unusual URL, a misspelled email display name, a sender the user hasn't communicated with before, or email text that refers to account information or money transfers. Then provide users with context-specific banner alerts and stoplight visuals advising them to exercise caution.
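The anomaly signals listed above, scored into a stoplight rating, as an added illustration that is not code from the article or from GreatHorn. The contact list, seen domains and the thresholds are constructed assumptions for the example:

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (not from the article): one user's known correspondents
# and the sender domains they have exchanged mail with before.
KNOWN_CONTACTS = {"alice jones": "alice@example.com", "pat lee": "cfo@example.com"}
SEEN_DOMAINS = {"example.com", "partner.example"}
MONEY_TERMS = re.compile(r"\b(wire|transfer|invoice|account number|payment)\b", re.I)

@dataclass
class Email:
    display_name: str
    from_addr: str
    body: str
    urls: list = field(default_factory=list)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character display-name typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def anomalies(mail):
    """Collect the deviations from the norm the article lists for one message."""
    found = []
    name = mail.display_name.lower()
    for known, addr in KNOWN_CONTACTS.items():
        dist = edit_distance(name, known)
        if 0 < dist <= 2 or (dist == 0 and mail.from_addr.lower() != addr):
            found.append("display name resembles a known contact but the address differs")
            break
    if mail.from_addr.lower() not in KNOWN_CONTACTS.values():
        found.append("sender the user has not communicated with before")
    for url in mail.urls:
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host not in SEEN_DOMAINS:
            found.append(f"URL on an unfamiliar domain: {host}")
    if MONEY_TERMS.search(mail.body):
        found.append("text refers to account details or money transfers")
    return found

def stoplight(mail):
    """Map the number of anomalies to the banner colour shown to the user."""
    n = len(anomalies(mail))
    return "red" if n >= 3 else "yellow" if n >= 1 else "green"
```

The strings returned by `anomalies()` are the context the banner would carry, so the user sees why the message was flagged rather than just a colour.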

5. Implement phishing defenses that actually work.
First, get the email-security basics right. Turn on your email platform's built-in data-loss protections. Make sure you've properly configured authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
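A check for the "properly configured" part of that advice, as an added example that is not from the article: it lints SPF and DMARC TXT records offline and shows a weak record beside its hardened form. The record values and domains are constructed placeholders; DKIM is left out because verifying selectors needs live DNS lookups:

```python
# Constructed example records (not from the article); domains are placeholders.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mail.example ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.mail.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
}

def check_spf(record):
    """Findings for an SPF TXT record: a missing or non-failing 'all' mechanism."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    # Mechanisms after the first 'all' are ignored by receivers, so only it matters.
    all_terms = [t for t in record.split() if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ["no 'all' mechanism: mail from unlisted hosts is not rejected"]
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier != "-":
        return [f"'{all_terms[0]}' only soft-fails or passes unlisted hosts; use '-all'"]
    return []

def check_dmarc(record):
    """Findings for a DMARC TXT record: weak policy, partial rollout, no reporting."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is spam-foldered, not rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    return findings

def audit(records):
    """Run both checks and return a dict of findings per record type."""
    return {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}
```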

Then, implement layers of compensating controls that will move beyond detection mode to truly resilient email security. This concept comes from the world of financial accounting and risk. In situations where you can't completely lock down a process, compensating controls mitigate risk to an acceptable level.

For example, your finance department needs to be able to transfer funds. A compensating control would require that if the amount reaches a certain threshold, a red flag is raised, and the CFO needs to approve the transfer.

You can apply compensating controls at every phase of the phishing kill chain. In the Vectors phase, implement controls around unknown senders, anomalous relationships, unusual header data, and so on. In the Delivery phase, take actions such as user quarantine, link rewriting, file removal, and dynamic user alerts. In the Exploitation phase, implement measures like mailbox intelligence, phish reporting, and keystroke biometrics.

There's no way to stop attackers from waging phishing campaigns, any more than you can prevent hackers from writing malware. But you don't have to be at the mercy of phishing. By transforming how you approach phishing, and by implementing a robust, layered set of compensating controls, you can break the phishing kill chain — and meaningfully reduce your business risk.

Kevin is GreatHorn's CEO and Co-Founder. With a background in the cybersecurity industry that began in the late 1990s with the seminal security firm @stake (now Symantec), Kevin has held multiple senior executive roles in Boston-area startups, and is a frequent speaker and ... View Full Bio