Dark Reading is part of the Informa Tech Division of Informa PLC


Kevin O'Brien

5 Ways to Transform Your Phishing Defenses Right Now

By transforming how you approach phishing, you can break the phishing kill chain and meaningfully reduce your business risk.

When I talk with chief information security officers (CISOs) about email security, I often hear something like this:

They have a problem with phishing attacks. So, they buy new security software. But the CEO continues receiving phishing emails, which he forwards to the CISO, demanding to know why they're still experiencing phishing attacks. Then they buy new security software. And so on.

What's that expression about insanity being defined as doing the same thing over and over and expecting different results?

Phishing continues to be a serious business risk. Yet one-third of IT and cybersecurity pros aren't confident employees can spot and avoid phishing attacks in real time, according to a GreatHorn survey. Worse, users fail to identify nearly half of phishing attacks, another study finds.

Traditional email security approaches are ineffective against phishing because phishing relies on social engineering, personal interactions, and human decisions that even the most sophisticated artificial intelligence (AI) can't circumvent.

What's needed is a new approach to protecting against phishing — one that actually lowers the likelihood users will fall victim to phishing attacks and reduces phishing-related business risk. To achieve this, follow these five steps to transform your phishing defenses. 

1. Understand the phishing kill chain.
A kill chain is a military concept for understanding enemy attacks. It divides attacks into distinct phases such as locating, tracking, and engaging with a target.

Like all cyberattacks, phishing involves a kill chain. The phishing kill chain is a three-phase process:

  • Vectors: The Vectors phase concerns the threats that are inherent to email, such as malware, malicious links, and unauthenticated mail. Attackers continuously conduct reconnaissance to find ways to leverage these vectors.
  • Delivery: In the Delivery phase, bad actors deliver malware or malicious links, or engage in the targeted social engineering of spear-phishing to gain user trust.
  • Exploitation: In the final phase of the phishing kill chain, attackers convince targets to take actions such as downloading attachments, clicking links, sharing sensitive data, or transferring money.

By understanding the phishing kill chain, you can defend against attacks more effectively. Breaking the chain at any phase successfully thwarts the attack.

2. Recognize why "caught vs. missed" is a flawed approach.
Traditional email security products are designed to identify problems such as malicious attachments and links, which can offer protection against known issues. But they are less useful against zero-day malware or websites that appeared safe when the email was sent but were later weaponized with credential-harvesting forms. 

While newer security products built around machine-learning (ML) algorithms might appear to be more sophisticated, they still rely on this detection-based approach. Even the best AI can't prevent a member of your finance department from being social-engineered into transferring funds to a fraudulent account. You can continually upgrade to the latest detection software. But the "caught vs. missed" mindset won't improve your resilience against phishing.

3. Focus on the kill chain, not detectors.
Email security's purpose isn't merely to inform you of known bad things. It's to make your organization resilient against security breaches.

Phishing-related security breaches aren't mystical things that just somehow happen. They occur because attackers identify a vector through which they can deliver an attack that drives a user to take an unsafe action.

Phishing involves three elements: attachments, links, and email text. Attachments are binary, either safe or malicious. Links are more pernicious because they could be safe one moment but malicious the next. Email text is the most nefarious because attackers can use it to build trust with users over time and then trick them into taking an action that results in a security breach. You need to build resilience around all three elements.

So, don't concentrate on detectors. Instead, look at each phase of the kill chain, from identifying how attackers can get into your organization to preventing those attackers from reaching their goal.

4. Pay attention to deviations from the norm.
There's an old saying that there are only two types of organizations: those that have been hacked, and those that don't know they've been hacked. Similarly, there are only two types of email messages: those that are malicious, and those that might be malicious.

In analyzing hundreds of millions of emails for large enterprises, we've found that typically, 0.1% are definitely malicious, while another 0.8% are statistically anomalous and, therefore, potentially malicious. You can apply technology controls to remove the known bad 0.1%. But you don't know which of the remaining 99.9% contains the risky 0.8%. In even a midsize enterprise, that could involve thousands of emails per day.

Therefore, home in on the anomalies: a statistically unusual URL, a misspelled email display name, a sender the user hasn't communicated with before, or email text that refers to account information or money transfers. Then provide users with context-specific banner alerts and stoplight visuals advising them to exercise caution.
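As an added example (not code from the article or from GreatHorn), the following scores a message against the four anomaly signals just listed and maps the count to a stoplight colour for a banner. The address book, the list of routinely visited domains and the sample messages are constructed assumptions, and the 0.8 name-similarity cutoff is a chosen illustration value.

```python
# Added example (not from the article): score a message against the anomaly
# signals the article lists and map the result to a stoplight banner.
# Address book, domain list and messages are constructed for illustration.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed: display name -> address the user has actually mailed before.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.com",
                  "Bob Ray": "bob@partner.example"}
# Constructed: domains the organisation's users routinely click.
COMMON_DOMAINS = {"example.com", "partner.example"}
MONEY_RE = re.compile(r"\b(wire|transfer|invoice|payment|account (?:number|details))\b", re.I)

@dataclass
class Message:
    display_name: str
    sender: str
    body: str
    urls: list[str] = field(default_factory=list)

def anomaly_reasons(msg: Message) -> list[str]:
    """Return the anomaly signals present, worded for a user-facing banner."""
    reasons = []
    # Lookalike display name: near-match to a known contact, different address.
    for name, addr in KNOWN_CONTACTS.items():
        sim = SequenceMatcher(None, name.lower(), msg.display_name.lower()).ratio()
        if sim >= 0.8 and msg.sender.lower() != addr:
            reasons.append(f"display name resembles {name!r} but the address differs")
            break
    if msg.sender.lower() not in KNOWN_CONTACTS.values():
        reasons.append("first-time sender")
    for url in msg.urls:
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in COMMON_DOMAINS):
            reasons.append(f"unusual link domain {host}")
    if MONEY_RE.search(msg.body):
        reasons.append("text refers to payments or account details")
    return reasons

def banner(msg: Message) -> str:
    """Stoplight colour: green (no signals), yellow (one), red (two or more)."""
    n = len(anomaly_reasons(msg))
    return "green" if n == 0 else "yellow" if n == 1 else "red"
```

The reasons list, not just the colour, is what belongs in the banner: a user who sees "first-time sender" and "text refers to payments" next to a red bar has the context the article asks for.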

5. Implement phishing defenses that actually work.
First, get the email-security basics right. Turn on your email platform's built-in data-loss protections. Make sure you've properly configured authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
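As an added example (not code from the article or from GreatHorn), a small linter for the SPF and DMARC TXT records the step refers to: it reports the settings that leave forged mail deliverable, so a weak record and its corrected form can be compared side by side. The records in the test are constructed; the 10-lookup limit is the one RFC 7208 specifies.

```python
# Added example (not from the article): lint SPF and DMARC TXT records for the
# settings that leave a domain spoofable. Records passed in are constructed.
import re

def spf_findings(record: str) -> list[str]:
    """Flag permissive mechanisms in a v=spf1 record."""
    out = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        out.append("'+all' authorises every host to send as this domain")
    elif tail == "?all":
        out.append("'?all' is neutral: receivers will not reject forged mail")
    elif tail not in ("-all", "~all"):
        out.append("record does not end with an 'all' mechanism")
    # Each of these mechanisms costs one of the 10 DNS lookups RFC 7208 allows;
    # exceeding the limit makes the whole record a permanent error.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", t, re.I))
    if lookups > 10:
        out.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10")
    return out

def dmarc_findings(record: str) -> list[str]:
    """Flag DMARC tags that leave enforcement off or partial."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    out = []
    if tags.get("p", "none") == "none":
        out.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        out.append("no rua= address: no aggregate reports to learn from")
    if int(tags.get("pct", "100")) < 100:
        out.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    # sp defaults to p; an explicit sp=none undoes a strict p for subdomains.
    if tags.get("sp", tags.get("p")) == "none" and tags.get("p") != "none":
        out.append("sp=none leaves subdomains unprotected")
    return out
```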

Then, implement layers of compensating controls that move beyond detection to truly resilient email security. The concept comes from the world of financial accounting and risk: where you can't completely lock down a process, compensating controls mitigate the risk to an acceptable level.

For example, your finance department needs to be able to transfer funds. A compensating control would require that if the amount reaches a certain threshold, a red flag is raised, and the CFO needs to approve the transfer.

You can apply compensating controls at every phase of the phishing kill chain. In the Vectors phase, implement controls around unknown senders, anomalous relationships, unusual header data, and so on. In the Delivery phase, take actions such as user quarantine, link rewriting, file removal, and dynamic user alerts. In the Exploitation phase, implement measures like mailbox intelligence, phish reporting, and keystroke biometrics.

There's no way to stop attackers from waging phishing campaigns, any more than you can prevent hackers from writing malware. But you don't have to be at the mercy of phishing. By transforming how you approach phishing, and by implementing a robust, layered set of compensating controls, you can break the phishing kill chain — and meaningfully reduce your business risk.

Kevin is GreatHorn's CEO and Co-Founder. With a background in the cybersecurity industry that began in the late 1990s with the seminal security firm @stake (now Symantec), Kevin has held multiple senior executive roles in Boston-area startups, and is a frequent speaker and ...