The Verizon 2015 DBIR (Data Breach Investigations Report) identifies phishing as the most common initial route into target organisations, and despite repeated warnings and user-education efforts, the rate at which users open phishing emails and execute the payloads appears to be rising.
Phishing is a favourite tactic of state-sponsored threat actors and criminal organisations because of the “all but mandatory requirement to have email services open for all users”, Verizon said.
According to Ben Densham, CTO at Nettitude, “The stark reality of this report shows that phishing emails are a major factor in most organisations. Our email systems are by design set up to allow a broad range of inbound communications to enter our business.”
Densham advocates treating email and internet usage as high risk activities and believes that key assets within the organisation should be isolated from these systems. “Rather than see our internet connection itself as the place for defences, [security] needs to be constructed around our assets... within an internal secure enclave.”
Verizon analysed the demographics of its phishing data and found that staff in departments such as legal, communications and customer services were far more likely to open these emails than staff elsewhere. It qualified this finding, however: those departments receive more unsolicited email as part of their job, which exposes them to more attempts, and once an email had been opened, the rate at which recipients clicked the links and activated the payloads was no different from that in other departments.
Andrew Conway, a research analyst at Cloudmark, commented on these findings, observing that phishing attackers had been honing their attacks, even as their targets became more savvy in dodging them.
“The tricks used by spammers to disguise their attacks are getting ever more sophisticated,” said Conway. “In an attack we saw last year that appeared to be an offer for a free pizza, we saw an unusually large number of people who actually removed this spam message from their spam folder because they were convinced it was legitimate.”
In another attack, spammers disguised their emails as a funeral notice from a mortuary in Florida. “(In the US) There are many elderly people who may have relatives who have retired to Florida, and the emotional shock of seeing a notice of a funeral may be disturbing enough to make them forget all the warnings about clicking on links in unsolicited emails.”
Many of the experts SC spoke to recommended conducting phishing tests against your own staff. Scott MacKenzie, CISO at Logical Step, said it was an effective way of identifying staff who required additional security training.
Initial training should be provided to all staff in how to spot common traits of phishing emails. “Scenario-based training works for users more readily than dry charts and diagrams,” he said. “Some organisations provide regular training while others only give induction training and no follow-up which is not good enough.”
Testing should identify staff who haven't learned the phishing lesson so they can be given follow-up training.
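The tracking side of such an internal phishing test is straightforward to script. The following is an added example, not code from the article or from any of the vendors quoted in it: each recipient gets a link carrying an HMAC-derived token rather than their address, a constructed web-server access log is parsed for hits on the landing page, and the tokens are mapped back to the staff who clicked so they can be scheduled for follow-up training. The campaign secret, the landing URL `https://training.example.com/t`, the recipient list and the log lines are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption: one secret per campaign, generated fresh and never placed in the mail
# template. This constant is constructed for the example only.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"

# Constructed recipient list for the test run.
RECIPIENTS = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "eve@example.com",
]


def make_token(email: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient tracking token.

    An HMAC over the (case-folded) address means the mailed link carries no
    address in clear, and a token cannot be forged by guessing a colleague's
    address. Truncated to 20 hex chars to keep the link short."""
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:20]


def build_campaign(recipients, base_url="https://training.example.com/t"):
    """Return (token -> email lookup, email -> landing URL) for the mail merge."""
    lookup, links = {}, {}
    for addr in recipients:
        tok = make_token(addr)
        lookup[tok] = addr
        links[addr] = f"{base_url}?c={tok}"
    return lookup, links


def parse_click_log(log_lines, lookup):
    """Parse common-log-format access lines and map valid tokens back to staff.

    Returns ({email: click count}, unknown_token_count). Unknown tokens are
    counted separately: they are typically URL-rewriting gateways, scanners or
    mistyped links, not staff, and must not be counted as a click."""
    clicked = defaultdict(int)
    unknown = 0
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue                      # not a request line
        request = parts[1].split()
        if len(request) < 2:
            continue
        query = parse_qs(urlparse(request[1]).query)
        for tok in query.get("c", []):
            if tok in lookup:
                clicked[lookup[tok]] += 1
            else:
                unknown += 1
    return dict(clicked), unknown


def follow_up_list(recipients, clicked):
    """Staff who clicked the test link and should get follow-up training."""
    return sorted(addr for addr in recipients if addr in clicked)


def click_rate(recipients, clicked):
    """Fraction of recipients who clicked at least once."""
    return sum(1 for addr in recipients if addr in clicked) / len(recipients)


# Constructed access-log lines: alice clicks twice, carol once, one hit carries a
# token that was never issued, and one line is an unrelated request.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/May/2015:10:01:22 +0000] "GET /t?c={make_token("alice@example.com")} HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2015:10:02:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    f'10.0.0.7 - - [12/May/2015:10:04:41 +0000] "GET /t?c={make_token("carol@example.com")} HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/May/2015:10:05:10 +0000] "GET /t?c=deadbeefdeadbeefdead HTTP/1.1" 200 512',
    f'10.0.0.5 - - [12/May/2015:10:09:58 +0000] "GET /t?c={make_token("alice@example.com")} HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    lookup, links = build_campaign(RECIPIENTS)
    clicked, unknown = parse_click_log(SAMPLE_LOG, lookup)
    print(f"click rate: {click_rate(RECIPIENTS, clicked):.0%}, unknown tokens: {unknown}")
    print("follow-up training:", ", ".join(follow_up_list(RECIPIENTS, clicked)))
```

The per-recipient token is what makes the test useful as a training tool rather than a headline statistic: it tells you who needs the follow-up session, while the HMAC keeps addresses out of the links and stops one user from substituting a colleague's token. Mail-security gateways that pre-fetch links will register as clicks, so the landing page should be checked against known scanner addresses before anyone is put on the follow-up list.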
The Verizon report identified several issues facing CISOs in the battle against phishing attacks, with speed of response a key one.
“The speed at which organisations need to respond will only get shorter,” said Densham, echoing the findings of the report. “This is always an arms race and we need to be adapting and thinking of the bigger picture.”
He recommends accepting that some attacks will inevitably succeed. “Expecting phishing attacks to work means that we will then look for and hunt for the actions within our networks that demonstrate an attacker is in there and sniffing around. If we can't stop them getting in, let's make sure we can detect and respond effectively when they do – and ensure anything of value is not there waiting for them.”
One of the findings of the report was that state-sponsored attacks are moving slowly away from phishing attacks. MacKenzie speculates that this is because they are not as effective as they used to be. “The state-sponsored actors are targeting more savvy targets who are less likely to fall for the phishing attack,” he said. “I would guess that state actors would look for other methods of getting in.”
And Andrew Conway observed that the most effective defence is to ensure your organisation is faster and more agile than most. “One of the best things a CISO can do is make sure that his company is not the slowest zebra in the herd,” he said. “This is only part of the solution, of course. If an attacker is determined to break in they will. Kevin Mitnick claims a 100 percent success rate for his penetration testing service, and makes a point of delivering his report by leaving a copy on the desktop of the CISO's workstation. It's important to be prepared in advance of data breaches and make sure that the impact is limited by encrypting data, segregating systems and having detection systems in place.”