Dark Reading is part of the Informa Tech Division of Informa PLC

Kevin O'Brien

5 Ways to Transform Your Phishing Defenses Right Now

By transforming how you approach phishing, you can break the phishing kill chain and meaningfully reduce your business risk.

When I talk with chief information security officers (CISOs) about email security, I often hear something like this:

They have a problem with phishing attacks. So, they buy new security software. But the CEO continues receiving phishing emails, which he forwards to the CISO, demanding to know why they're still experiencing phishing attacks. Then they buy new security software. And so on.

What's that expression about insanity being defined as doing the same thing over and over and expecting different results?

Phishing continues to be a serious business risk. Yet one-third of IT and cybersecurity pros aren't confident employees can spot and avoid phishing attacks in real time, according to a GreatHorn survey. Worse, users fail to identify nearly half of phishing attacks, another study finds.

Traditional email security approaches are ineffective against phishing because phishing relies on social engineering, personal interactions, and human decisions that even the most sophisticated artificial intelligence (AI) can't reliably intercept: the deciding step happens in the user's head, after the message has already passed the filter.

What's needed is a new approach to protecting against phishing — one that actually lowers the likelihood users will fall victim to phishing attacks and reduces phishing-related business risk. To achieve this, follow these five steps to transform your phishing defenses. 

1. Understand the phishing kill chain.
A kill chain is a military concept for understanding enemy attacks. It divides attacks into distinct phases such as locating, tracking, and engaging with a target.

Like all cyberattacks, phishing involves a kill chain. The phishing kill chain is a three-phase process:

  • Vectors: The Vectors phase concerns the threats that are inherent to email, such as malware, malicious links, and unauthenticated mail. Attackers continuously conduct reconnaissance to find ways to leverage these vectors.
  • Delivery: In the Delivery phase, bad actors deliver malware or malicious links, or engage in the targeted social engineering of spear-phishing to gain user trust.
  • Exploitation: In the final phase of the phishing kill chain, attackers convince targets to take actions such as downloading attachments, clicking links, sharing sensitive data, or transferring money.

By understanding the phishing kill chain, you can defend against attacks more effectively. Breaking the chain at any phase successfully thwarts the attack.

2. Recognize why "caught vs. missed" is a flawed approach.
Traditional email security products are designed to identify problems such as malicious attachments and links, which can offer protection against known issues. But they are less useful against zero-day malware or websites that appeared safe when the email was sent but were later weaponized with credential-harvesting forms. 

While newer security products built around machine-learning (ML) algorithms might appear to be more sophisticated, they still rely on this detection-based approach. Even the best AI can't prevent a member of your finance department from being social-engineered into transferring funds to a fraudulent account. You can continually upgrade to the latest detection software. But the "caught vs. missed" mindset won't improve your resilience against phishing.

3. Focus on the kill chain, not detectors.
Email security's purpose isn't merely to inform you of known bad things. It's to make your organization resilient against security breaches.

Phishing-related security breaches aren't mystical things that just somehow happen. They occur because attackers identify a vector through which they can deliver an attack that drives a user to take an unsafe action.

Phishing involves three elements: attachments, links, and email text. Attachments are a binary case: a given file is either safe or malicious, and it can be judged at the moment it is scanned. Links are more pernicious because they could be safe one moment but malicious the next, so a verdict reached at delivery time can be stale by the time the user clicks. Email text is the most nefarious because attackers can use it to build trust with users over time and then trick them into taking an action that results in a security breach, without ever including a payload a scanner could flag. You need to build resilience around all three elements.

So, don't concentrate on detectors. Instead, look at each phase of the kill chain, from identifying how attackers can get into your organization to preventing those attackers from reaching their goal.

4. Pay attention to deviations from the norm.
There's an old saying that there are only two types of organizations: those that have been hacked, and those that don't know they've been hacked. Similarly, there are only two types of email messages: those that are malicious, and those that might be malicious.

In analyzing hundreds of millions of emails for large enterprises, we've found that typically, 0.1% are definitely malicious, while another 0.8% are statistically anomalous and, therefore, potentially malicious. You can apply technology controls to remove the known bad 0.1%. But you don't know which of the remaining 99.9% contains the risky 0.8%. In even a midsize enterprise, that could involve thousands of emails per day.

Therefore, home in on the anomalies: a statistically unusual URL, a misspelled email display name, a sender the user hasn't communicated with before, or email text that refers to account information or money transfers. Then provide users with context-specific banner alerts and stoplight visuals advising them to exercise caution.
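The anomaly signals listed above, scored and turned into a stoplight banner, as an added example (not GreatHorn's product logic and not code from the article). The reference data (known senders, executive names, link hosts the user has visited) and the three sample messages are constructed inline; in a deployment they come from the mailbox's send/receive history and the directory. A message from a never-seen sender that mentions money, a display name that is within two edits of an executive's name but uses a different address, and a link to a bare IP or a lookalike host are treated as red; any other single anomaly is amber.

```python
"""Flag the anomalies listed above and turn them into a stoplight banner.

Added example, not GreatHorn's product logic or code from the article.
Reference data (known senders, executives, seen link hosts) is constructed
inline; in practice it comes from the mailbox's history and a directory.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlparse

KNOWN_SENDERS = {"alice@partner.example", "payroll@corp.example"}
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}  # lower-cased display name -> real address
SEEN_URL_HOSTS = {"corp.example", "partner.example", "docs.partner.example"}
MONEY_TERMS = ("wire transfer", "bank details", "account number",
               "routing number", "urgent payment", "gift card")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LABELS = {"red": "STOP", "amber": "CAUTION", "green": "OK"}


def levenshtein(a, b):
    """Edit distance; catches one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw):
    """Return (level, reasons) for one RFC 5322 message; level is red/amber/green."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    body = str(msg.get_payload())
    reasons, red = [], False
    first_contact = addr not in KNOWN_SENDERS
    if first_contact:
        reasons.append(f"first message from {addr}")
    shown = " ".join(name.lower().split())
    for exec_name, exec_addr in EXECUTIVES.items():
        if levenshtein(shown, exec_name) <= 2 and addr != exec_addr:
            reasons.append(f"display name '{name}' imitates {exec_name} <{exec_addr}>")
            red = True
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if is_ip_literal(host):
            reasons.append(f"link to bare IP address {host}")
            red = True
        elif host not in SEEN_URL_HOSTS:
            lookalike = [h for h in SEEN_URL_HOSTS if levenshtein(host, h) <= 2]
            if lookalike:
                reasons.append(f"link host {host} resembles {lookalike[0]}")
                red = True
            else:
                reasons.append(f"link host {host} never seen before")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in MONEY_TERMS if t in text]
    if hits:
        reasons.append("mentions " + ", ".join(hits))
        red = red or first_contact  # money talk from a stranger is the BEC pattern
    level = "red" if red else ("amber" if reasons else "green")
    return level, reasons


def banner(raw):
    """Text a mail client would render above the message."""
    level, reasons = analyze(raw)
    head = f"[{level.upper()}] {LABELS[level]}"
    return head + (": " + "; ".join(reasons) if reasons else "")


# Constructed sample messages (198.51.100.7 is a documentation address).
SAMPLES = {
    "impersonation": """From: Jane Doe <jane.doe@corp-example.co>
To: bob@corp.example
Subject: Urgent payment

Bob, please process the wire transfer today; new bank details are at
http://198.51.100.7/invoice
""",
    "routine": """From: Alice <alice@partner.example>
To: bob@corp.example
Subject: Q3 draft

Updated draft is at
https://docs.partner.example/q3
""",
    "vendor_change": """From: Payroll <payroll@corp.example>
To: bob@corp.example
Subject: Direct deposit

Please confirm your account number so we can update direct deposit.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", banner(raw))
```

The point of the banner is that it carries the specific reason (which executive the name imitates, which term triggered it) rather than a generic "external sender" warning users learn to ignore; the thresholds and term list are deliberately simple so the logic stays explainable to the user reading the banner.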

5. Implement phishing defenses that actually work.
First, get the email-security basics right. Turn on your email platform's built-in data loss prevention (DLP) controls. Make sure you've properly configured the authentication protocols Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC): an SPF record that ends in -all rather than ~all or +all, DKIM keys of at least 2048 bits, and a DMARC policy of quarantine or reject, since p=none only reports on spoofing of your domain and does nothing to stop it.
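A checker for the SPF, DKIM and DMARC settings just described, as an added example that is not GreatHorn or Dark Reading code. It reads TXT records from a constructed inline table so it runs offline; the domains example.com and hardened.example, the selector sel1, and the DKIM p= values are placeholders. Replace the inner first() lookup with a real resolver call to audit a live zone.

```python
"""Check SPF, DKIM and DMARC records for the weak settings that matter.

Added example, not GreatHorn or Dark Reading code. DNS answers come from a
constructed inline table so it runs offline; swap first() for a real TXT
lookup (e.g. dnspython) to audit live zones.
"""

# Constructed answers keyed by the name you would query. example.com,
# hardened.example and 203.0.113.0/24 are documentation names/ranges; the
# DKIM p= values are placeholders, not real keys.
SAMPLE_DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "hardened.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "sel1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=" + "A" * 392],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example"],
}
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM/DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(record):
    if record is None:
        return ["SPF: no record, so receivers cannot reject forged envelope senders"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qual = qual
    if all_qual is None:
        findings.append("SPF: no 'all' mechanism; unlisted hosts get a neutral result")
    elif all_qual in "+?":
        findings.append(f"SPF: '{all_qual}all' lets any host send as you; use -all")
    elif all_qual == "~":
        findings.append("SPF: '~all' softfail is only a hint to receivers; prefer -all")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed RFC 7208's limit of 10 (permerror)")
    return findings


def check_dkim(record):
    if record is None:
        return ["DKIM: no key at that selector, so signatures cannot be verified"]
    tags, findings = parse_tags(record), []
    key = tags.get("p", "")
    if key == "":
        findings.append("DKIM: empty p= means the key is revoked")
    elif tags.get("k", "rsa") == "rsa" and len(key) < 350:
        # Heuristic: base64 DER of an RSA-2048 public key is ~392 chars, RSA-1024 ~216.
        findings.append("DKIM: RSA key looks shorter than 2048 bits (length heuristic)")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag; verifiers may not act on failures")
    return findings


def check_dmarc(record):
    if record is None:
        return ["DMARC: no record, so SPF/DKIM results are never enforced on the From: domain"]
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} enforces on only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports")
    return findings


def assess(domain, selector="sel1", txt=SAMPLE_DNS_TXT):
    """Run all three checks for a domain; an empty list means nothing weak was found."""
    def first(name):
        recs = txt.get(name, [])
        return recs[0] if recs else None
    return (check_spf(first(domain))
            + check_dkim(first(f"{selector}._domainkey.{domain}"))
            + check_dmarc(first(f"_dmarc.{domain}")))


if __name__ == "__main__":
    for d in ("example.com", "hardened.example"):
        print(d, assess(d) or ["OK"])
```

The lookup-count check is worth keeping: an SPF record that grows past ten include/a/mx terms returns permerror at many receivers, which silently turns your own mail into unauthenticated mail, exactly the vector the kill chain starts from.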

Then, implement layers of compensating controls that will move beyond detection mode to truly resilient email security. This concept comes from the world of financial accounting and risk. In situations where you can't completely lock down a process, compensating controls mitigate risk to an acceptable level.

For example, your finance department needs to be able to transfer funds. A compensating control would require that if the amount reaches a certain threshold, a red flag is raised, and the CFO needs to approve the transfer.

You can apply compensating controls at every phase of the phishing kill chain. In the Vectors phase, implement controls around unknown senders, anomalous relationships, unusual header data, and so on. In the Delivery phase, take actions such as user quarantine, link rewriting, file removal, and dynamic user alerts. In the Exploitation phase, implement measures like mailbox intelligence, phish reporting, and keystroke biometrics.
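One of the Delivery-phase controls named above, link rewriting, as an added example that is not GreatHorn's product or code from the article. It addresses the "safe when sent, weaponized later" problem from point 2 by sending every click through a gateway that can re-scan the destination at click time. The gateway host safelinks.corp.example, the u and h query parameters, and the key are assumptions; the tag is an HMAC over the original URL so that the gateway cannot be abused as an open redirector to arbitrary targets. The click-time scan itself runs on the URL that resolve_click returns and is outside this snippet.

```python
"""Delivery-phase link rewriting with an HMAC so the gateway is not an open redirector.

Added example, not GreatHorn's product or the article's code. The gateway
host, the u/h query parameters and the key are assumptions; the click-time
scan the gateway performs on the recovered URL is outside this snippet.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
GATEWAY = "https://safelinks.corp.example/click"        # hypothetical click-time scanner
KEY = b"constructed-demo-key-keep-in-a-secret-store"  # placeholder secret


def _tag(url, key=KEY):
    """Short, URL-safe HMAC-SHA256 over the original URL."""
    digest = hmac.new(key, url.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def rewrite_url(url, key=KEY):
    """Point the link at the gateway; the gateway decides at click time."""
    if url.startswith(GATEWAY):
        return url  # already rewritten, avoid nesting
    return f"{GATEWAY}?{urlencode({'u': url, 'h': _tag(url, key)})}"


def rewrite_body(body, key=KEY):
    """Rewrite every http(s) link in a plain-text body at delivery time."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), key), body)


def resolve_click(gateway_url, key=KEY):
    """Gateway side: return the original URL only if the tag verifies, else None.

    Without the tag anyone could mint gateway links to arbitrary targets and
    borrow the gateway's reputation; with it, only links that passed through
    the mail pipeline resolve.
    """
    q = parse_qs(urlparse(gateway_url).query)
    url = q.get("u", [""])[0]
    tag = q.get("h", [""])[0]
    try:
        if not url or not hmac.compare_digest(tag, _tag(url, key)):
            return None
    except TypeError:  # non-ASCII junk in the tag parameter
        return None
    return url


if __name__ == "__main__":
    original = "Draft at https://docs.partner.example/q3 - please review"
    delivered = rewrite_body(original)
    print(delivered)
    link = URL_RE.search(delivered).group(0)
    print(resolve_click(link))
```

Rewriting also gives the Exploitation phase a record of which user clicked what and when, which is the data a later incident response needs and which plain delivery-time scanning never produces.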

There's no way to stop attackers from waging phishing campaigns, any more than you can prevent hackers from writing malware. But you don't have to be at the mercy of phishing. By transforming how you approach phishing, and by implementing a robust, layered set of compensating controls, you can break the phishing kill chain — and meaningfully reduce your business risk.

Kevin is GreatHorn's CEO and Co-Founder. With a background in the cybersecurity industry that began in the late 1990s with the seminal security firm @stake (now Symantec), Kevin has held multiple senior executive roles in Boston-area startups, and is a frequent speaker and ...