When there are a variety of techniques criminals can use, why is phishing still so prevalent?
In their recent 2019 Phishing and Fraud Report, F5 Labs revealed that phishing was responsible for 21% of breaches reported by U.S. companies. It came in second only to “unauthorized access to email” – which, as the report notes – “phishing is also the cause of some of these breaches.”
And phishing is likely to continue as a top threat tactic in 2020 due to coronavirus-related cybersecurity attacks. In April 2020, Google saw 18 million daily COVID-19 phishing attacks and malware threats via email in one week alone.
In this collaboration with F5 Labs, we contributed threat research straight from the Critical Insight Security Operations Center. Critical Insight's Mike Simon shared what phishing attacks look like real-time when viewed by the analysts trained to catch them. He also recommended strategies companies need to defend against phishing campaigns.
“We’re still dealing with phishing”
The new report calls out that phishing, while around for 25+ years, is still showing up as the #1 tactic used by criminals.
Why? Because it’s a low-cost, low-lift tactic for threat actors.
Compared to other TTPs that require expertise of a zero-day exploit, or skills to hack through a firewall, as the report notes, “the hardest part [of a successful phishing campaign] is coming up with a good trick email pitch to get people to click on, and a fake site to land on.”
We sat down with Mike Simon to discuss the F5 Labs report findings, and get his insights on the state of phishing today, and what companies can do to stop phishing campaigns from turning into full-on cybersecurity breaches.
Q&A with CTO Mike Simon
In the F5 Labs report, you share research from the Critical Insight SOC that targeted phishing campaigns are usually attacking 15-20% of the organization’s users when a phishing campaign is underway. What does a targeted phishing campaign look like from inside the Critical Insight Security Operations Center?
Mike Simon: Since phishing doesn’t generally include malware payloads directly, just links and language intended to get the user to do something they should not, it can be quiet in the SOC – just some email coming in. We might see reputation hits from the email sources or from artifacts embedded in the email and investigate those. If someone sends us a known phishing email, we can dig in and see if any of the bad activities encouraged by the phisher have taken place.
What happens when the phishing attack is successful?
Mike Simon: It depends.
With managed detection and response (MDR) in place, we can often provide our customers with who was affected by the successful attack and what actions those users took once the phishing email arrived. In effect, Critical Insight MDR provides a clear definition of the scope of the attack and what a measured mitigation response should be.
Without a detection and response strategy in place, the attack may go undetected until compromised accounts or banking transactions bring the effects to your attention. Remember that it’s not about noisy delivery of malware to the desktop or user behavior, but seemingly normal activities, often cloaked in encryption.
Defend Against Phishing with Your Users
What can users do to stop phishing?
Mike Simon: Often, phishing emails come from the actual accounts of trusted business partners because those partners have been subject to an account compromise. In that case, you are receiving an email from the account of a person you probably know, possibly asking you to do something that might be within the purview of the business relationship. Be skeptical. If something sounds odd, verify the ask through another channel, not email. Your boss might want you to buy 100 Amazon gift cards to give to customers, but it can’t hurt to verify that on the phone.
Also, companies should consider NOT publishing company email addresses on their website (we’re talking to you, marketing people). Really, any item of information published about the structure and email standards (email@example.com vs. jsmith vs. js, etc.) allows phishing attackers to know who to send email to, and social media make it easy to know what position they may have (leadership, accounting, etc.)
The reality is that there are quite a few things security people can do, but the volume is unlikely to change much – phishing attacks are part of what we refer to as ‘background noise of the internet.’
Check out F5’s report for the full set of recommendations, including the obvious ones, like MFA, web filtering, anti-virus software, etc. Out of those tips, I think these are the three that, when correctly administered, are the hallmarks of a smart phishing strategy:
- Inspect internal encrypted traffic for malware. Most malware uses encrypted tunnels, so you need a decryption gateway to listen for any signals communicating with command and control (C&C) servers.
- Make it easy for users to report phishing. At Critical Insight, we have a phishing report mechanism in place, and users are trained to not respond to suspicious emails and send it to the SOC first for investigation. Without that reporting mechanism in place, phishing emails will likely go undetected until bad outcomes happen.
- When an active phishing campaign is underway, be proactive. Monitor systems and logs to see if users are clicking on malicious links, listen for malware signals on your network, and remediate any credentials that may have been compromised.
Change the Org Culture to Manage Phishing Risks
What can organizations do to stop phishing?
Mike Simon: You won’t stop criminals from sending emails to you, trying to fool you. If you can solve that problem, hats off to you.
Acknowledge that phishing happens, assume that it will not always be caught by technology, and put controls in place to mitigate the potentially larger impacts.
- Purchasing controls make it harder to make bad decisions at a financial scale that’s truly impactful.
- Wire transfer controls at your bank help in the same way.
- Promote a culture of open communication and transparency. Much phishing relies on hierarchical business communications – “Do what I tell you, I’m the boss!”
The Future of Phishing
How long do you think phishing will remain the top vector?
Mike Simon: Criminals use the tools that work. They prefer tools that are free, or tools they can steal and aren’t easily traced back to them. Phishing ticks all of these boxes. It will remain a vector until we can figure out how to reliably verify the actual identities of email senders. In cases of account compromise phishing email, even verification of account is really insufficient.
Tools that indicate where the email is coming from help. When someone is claiming to be a co-worker with a, “This email came from OUTSIDE the company” red flag—users become aware something isn’t right. Machine learning tools that look at the visible text of a link and compare that to the link destination (e.g., “microsoft.com” links to “totesphishing.ru”) can be some help, but all defeat-able through account and/or system compromise.
What other take-aways would you share with IT pros who want to be proactive on phishing? With executives?
Mike Simon: Most phishing depends on people doing what they are told by authority figures. Encourage employees to ask questions. When they do ask, thank them for their attention to detail and safety mindedness. Security awareness training can be helpful, but it’s not as effective as you might think.
Get the F5 Labs 2019 Phishing and Fraud Report Today
To get up-to-speed on the latest research on phishing, fraud, and how to develop a phishing strategy, visit the F5 Labs website for your free PDF copy of the F5 Labs 2019 Phishing and Fraud Report with contributions from Critical Insight.