Here we are, in 2017, and phishing is still one of the most powerful and persistent forms of cyber-attack going. The biggest cyber-security headlines of 2016 were phishing-related: the DNC hack; the MH17 journalism hack; the World Anti-Doping Agency hack. Notice a pattern? You probably get at least one shoddy attempt at your bank details in your own personal inbox every week – maybe you've even clicked through. No matter how silly it seems, people still respond to the humble phish, and would-be hackers are still profiting from it on a massive scale. Indeed, Kaspersky recently discovered that almost half of 2016's phishing attacks were designed to steal money.
As the MH17 journalist attack proves, it's not just random phish emails that are making headway these days (you know, those mysterious revelations of long-lost blood relatives in darkest Peru – who falls for those, incidentally?). And it also proves that while phish attacks may target individuals, the ultimate target may be an organisation. In case you missed it, the MH17 shoot-down over eastern Ukraine was investigated by Bellingcat, an independent journalism group. It published evidence pointing the finger at a certain red-walled building in Moscow. Apparently in retaliation, a group of hackers ran a targeted campaign against Bellingcat, with carefully-drafted phishing emails designed to look like Google password resets.
These were not random appeals to their targets' hoped-for ignorance – they were impressive facsimiles of the kind of email that average humans automatically obey. They played off the brand equity of Google and, perversely, its reputation for security to try to win the trust of the journalists. They were precision instruments for a specific task.
Clearly, it's not as simple as you might think to avoid falling victim to “phishermen”. Everyone's going to face them sooner or later, and if you're a business, a slip-up is likely to be painfully expensive. The best place to start with defending yourself is knowing what sort of phishing you're up against.
I'm not going to explain the rudiments of a phishing attack here – broadly, they're carried out by criminals, private interests and state spies, either to steal money or to extract valuable information. What I am going to do, however, is explain the best way to find out who's attacking you in real time, which is much more useful.
You've probably seen the chain posts on Facebook that sometimes do the rounds after a particularly nasty phishing attack. “WARNING”, they usually say, “DO NOT CLICK ON THIS EMAIL – IT'S NOT REALLY FROM THE PRESIDENT OF BURUNDI”. It's often quite hard to know whether to trust them, but the concept is a good one – essentially, it's crowdsourcing security advice. As soon as one person comes under attack, they can alert the rest of their social circle to the style, tactics and aims of the attack, making it that much less likely to succeed in future.
Businesses need their own version of this – an accredited, regulated and crowdsourced intelligence system.
By tapping into the collective experience and insights of an industry group, each member gets access to a constant stream of useful information, bolstering their own defences and helping the others do the same. This means that new forms of phishing can be quickly identified, classified and flagged to security teams, enabling a quick and targeted response. These security-sharing communities can also track instances of a particular phish, helping to determine patterns in the attacker's behaviour and, with analytics tools in place, predict which sorts of targets they are most likely to try next.
Businesses should break with the tradition of isolated defence, make use of information from their peers and contribute to a wider industry effort to reduce the power of phishing.
Know your system
Even with a strong information-sharing community in place, there's always one tired employee who's going to fall for the carefully-made phish. It happens. And in the case of business attacks, phishing emails are often designed to collect login details from employees. Once these logins are surrendered, the hacker may be able to gain access to all sorts of company systems – and that's not to mention the possibility that the password is reused across multiple other platforms (we've all done it). A single successful phish can open up the whole enterprise to attack.
So, how do you deal with that as a security professional? Firewalls and antivirus can only get you so far, and even the most advanced systems are helpless when your own employees have granted access to the attacker. Instead, companies need to have systems in place to monitor activity across all their security systems and infrastructure, collecting information and analysing it for potentially dangerous activity. It may be a few hours before a phishing-related breach is reported, but in that time, a fully automated threat intelligence system can gather and assess indicators of unusual activity, alert the security team and initiate a response.
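As an added illustration of the two ideas above (peer-shared phishing indicators, and automated monitoring that correlates unusual activity after a phish lands), the following script is example code written for this article, not a ThreatConnect product or the author's own tooling. The indicator feed, the mail-gateway and authentication log formats, and every domain, address and IP in it are constructed for the example; they are not real infrastructure. It matches shared indicators against mail-gateway lines, treats a subject-line match on its own as too weak to alert on, and then flags any successful login by a phished recipient from a country not seen for that user before the phish arrived.

```python
"""Match peer-shared phishing indicators against mail and auth logs.

Added example: a toy version of indicator sharing plus automated
monitoring. All indicators and log lines are constructed; the log and
feed formats are assumptions, not any product's schema.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed indicator feed, as an industry sharing group might publish it
# (hypothetical domains, not real infrastructure).
SHARED_INDICATORS = {
    "sender_domains": {"accounts-google-verify.example", "secure-reset.example"},
    "url_hosts": {"login-reset.example"},
    "subject_patterns": [re.compile(r"password\b.*\b(reset|expir)", re.I)],
}

# Constructed mail-gateway lines: timestamp|recipient|sender|subject|url
MAIL_LOG = """\
2017-01-10T08:02:11|alice@corp.example|alerts@accounts-google-verify.example|Your password will expire|http://login-reset.example/auth
2017-01-10T08:05:40|bob@corp.example|newsletter@vendor.example|January offers|http://vendor.example/news
2017-01-10T08:09:03|carol@corp.example|it-support@corp.example|Password reset confirmation|https://sso.corp.example/reset
""".splitlines()

# Constructed authentication lines: timestamp|user|src_ip|country|result
AUTH_LOG = """\
2017-01-10T07:55:00|alice@corp.example|203.0.113.7|GB|success
2017-01-10T08:41:19|alice@corp.example|198.51.100.23|RO|success
2017-01-10T09:10:00|bob@corp.example|203.0.113.7|GB|success
""".splitlines()


def parse(line: str) -> list[str]:
    """Split one pipe-delimited log line into its fields."""
    return line.split("|")


def match_mail_indicators(mail_lines, indicators=SHARED_INDICATORS):
    """Return (timestamp, recipient, reasons) for each message hitting the shared feed."""
    hits = []
    for line in mail_lines:
        ts, rcpt, sender, subject, url = parse(line)
        reasons = []
        if sender.split("@")[-1].lower() in indicators["sender_domains"]:
            reasons.append("sender_domain")
        if urlparse(url).hostname in indicators["url_hosts"]:
            reasons.append("url_host")
        if any(p.search(subject) for p in indicators["subject_patterns"]):
            reasons.append("subject")
        # A subject match alone is weak (legitimate password resets exist),
        # so only alert when a sender or URL indicator also matched.
        if reasons and reasons != ["subject"]:
            hits.append((ts, rcpt, reasons))
    return hits


def correlate_logins(mail_hits, auth_lines, window=timedelta(hours=2)):
    """Flag successful logins by a phished recipient, inside the window after the
    phish arrived, from a country that user had not logged in from before it."""
    alerts = []
    ordered = sorted(auth_lines)  # ISO timestamps lead each line, so this sorts by time
    for ts, rcpt, _ in mail_hits:
        phish_time = datetime.fromisoformat(ts)
        known_countries = set()
        for line in ordered:
            ats, user, ip, country, result = parse(line)
            if user != rcpt or result != "success":
                continue
            at = datetime.fromisoformat(ats)
            if at <= phish_time:
                known_countries.add(country)  # baseline from before the phish
            elif at - phish_time <= window and country not in known_countries:
                alerts.append((user, ip, country, ats))
    return alerts


if __name__ == "__main__":
    flagged = match_mail_indicators(MAIL_LOG)
    for hit in flagged:
        print("flagged mail:", hit)
    for alert in correlate_logins(flagged, AUTH_LOG):
        print("post-phish login alert:", alert)
```

Run as-is, the script flags only Alice's message (sender domain, URL host and subject all match) and leaves Carol's genuine IT reset alone, then raises one alert for Alice's login from a new country 39 minutes after the phish arrived. The baseline-from-earlier-logins approach is deliberately simple; a production system would draw that baseline from a longer history than one log excerpt.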
Phishing can help a hacker gain access to all sorts of resources. Businesses must have a complete and automated view of everything in their system, or they could be gutted before they've had time to think.
Gone phishing: phishing in the future
Now you're chatting to your peers and swapping attacker information through a dedicated network. You're making use of automated threat intelligence to monitor your network and flag up potential dangers before they can take hold. It's looking good. But if there's one truism about cyber-security we can believe in, it's that there's always a bigger fish (pun intended). As soon as you formulate a defence, your adversaries set about creating a way to get around it.
Over the next twelve months, we're going to see increasingly intelligent phishing attacks targeting specific organisations, for both financial and political reasons. In late 2016, for example, a European technology company and a US subsidiary of a French energy management company working for the US Department of Defense were targeted by Chinese hackers. The first was for financial purposes (disrupting a market competitor) and the second for political reasons (potential access to military information). That kind of deliberate targeting, with a pre-defined goal, will be rolled out to a wider target set in the next year as would-be hackers attempt to break through stronger defences. We're also going to see more long-game tactics – companies need to be ready for sustained campaigns, with attackers learning from their mistakes and redoubling their efforts.
Phishing is going to continue because it's effective. CISOs and their teams need to equip themselves to handle it. Training is a good starting point, and employees can always be better at avoiding phishing attacks – but businesses must have the right threat intelligence tools in place to back them up. Know your adversary, collaborate with your peers, automate your response – or be ready to start cutting cheques to that long-lost uncle in Peru.
Contributed by Adam Vincent, CEO, ThreatConnect
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.