When I talk with chief information security officers (CISOs) about email security, I often hear something like this:
They have a problem with phishing attacks. So, they buy new security software. But the CEO continues receiving phishing emails, which he forwards to the CISO, demanding to know why they're still experiencing phishing attacks. Then they buy new security software. And so on.
What's that expression about insanity being defined as doing the same thing over and over and expecting different results?
Phishing continues to be a serious business risk. Yet one-third of IT and cybersecurity pros aren't confident employees can spot and avoid phishing attacks in real time, according to a GreatHorn survey. Worse, users fail to identify nearly half of phishing attacks, another study finds.
Traditional email security approaches are ineffective against phishing because it relies on social engineering, personal interactions, and human decisions that even the most sophisticated artificial intelligence (AI) can't circumvent.
What's needed is a new approach to protecting against phishing — one that actually lowers the likelihood users will fall victim to phishing attacks and reduces phishing-related business risk. To achieve this, follow these five steps to transform your phishing defenses.
1. Understand the phishing kill chain.
A kill chain is a military concept for understanding enemy attacks. It divides attacks into distinct phases such as locating, tracking, and engaging with a target.
Like all cyberattacks, phishing involves a kill chain. The phishing kill chain is a three-phase process:
- Vectors: The Vectors phase concerns the threats that are inherent to email, such as malware, malicious links, and unauthenticated mail. Attackers continuously conduct reconnaissance to find ways to leverage these vectors.
- Delivery: In the Delivery phase, bad actors deliver malware or malicious links, or engage in the targeted social engineering of spear-phishing to gain user trust.
- Exploitation: In the final phase of the phishing kill chain, attackers convince targets to take actions such as downloading attachments, clicking links, sharing sensitive data, or transferring money.
By understanding the phishing kill chain, you can defend against attacks more effectively. Breaking the chain at any phase successfully thwarts the attack.
2. Recognize why "caught vs. missed" is a flawed approach.
Traditional email security products are designed to identify problems such as malicious attachments and links, which can offer protection against known issues. But they are less useful against zero-day malware or websites that appeared safe when the email was sent but were later weaponized with credential-harvesting forms.
While newer security products built around machine-learning (ML) algorithms might appear to be more sophisticated, they still rely on this detection-based approach. Even the best AI can't prevent a member of your finance department from being social-engineered into transferring funds to a fraudulent account. You can continually upgrade to the latest detection software. But the "caught vs. missed" mindset won't improve your resilience against phishing.
3. Focus on the kill chain, not detectors.
Email security's purpose isn't merely to inform you of known bad things. It's to make your organization resilient against security breaches.
Phishing-related security breaches aren't mystical things that just somehow happen. They occur because attackers identify a vector through which they can deliver an attack that drives a user to take an unsafe action.
Phishing involves three elements: attachments, links, and email text. Attachments are binary, either safe or malicious. Links are more pernicious because they could be safe one moment but malicious the next. Email text is the most nefarious because attackers can use it to build trust with users over time and then trick them into taking an action that results in a security breach. You need to build resilience around all three elements.
So, don't concentrate on detectors. Instead, look at each phase of the kill chain, from identifying how attackers can get into your organization to preventing those attackers from reaching their goal.
4. Pay attention to deviations from the norm.
There's an old saying that there are only two types of organizations: those that have been hacked, and those that don't know they've been hacked. Similarly, there are only two types of email messages: those that are malicious, and those that might be malicious.
In analyzing hundreds of millions of emails for large enterprises, we've found that typically, 0.1% are definitely malicious, while another 0.8% are statistically anomalous and, therefore, potentially malicious. You can apply technology controls to remove the known bad 0.1%. But you don't know which of the remaining 99.9% contains the risky 0.8%. In even a midsize enterprise, that could involve thousands of emails per day.
Therefore, home in on the anomalies: a statistically unusual URL, a misspelled email display name, a sender the user hasn't communicated with before, or email text that refers to account information or money transfers. Then provide users with context-specific banner alerts and stoplight visuals advising them to exercise caution.
5. Implement phishing defenses that actually work.
First, get the email-security basics right. Turn on your email platform's built-in data-loss protections. Make sure you've properly configured authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Then, implement layers of compensating controls that will move beyond detection mode to truly resilient email security. This concept comes from the world of financial accounting and risk. In situations where you can't completely lock down a process, compensating controls mitigate risk to an acceptable level.
For example, your finance department needs to be able to transfer funds. A compensating control would require that if the amount reaches a certain threshold, a red flag is raised, and the CFO needs to approve the transfer.
You can apply compensating controls at every phase of the phishing kill chain. In the Vectors phase, implement controls around unknown senders, anomalous relationships, unusual header data, and so on. In the Delivery phase, take actions such as user quarantine, link rewriting, file removal, and dynamic user alerts. In the Exploitation phase, implement measures like mailbox intelligence, phish reporting, and keystroke biometrics.
There's no way to stop attackers from waging phishing campaigns, any more than you can prevent hackers from writing malware. But you don't have to be at the mercy of phishing. By transforming how you approach phishing, and by implementing a robust, layered set of compensating controls, you can break the phishing kill chain — and meaningfully reduce your business risk.