The phishing lifecycle - before, during and after an attack
The phishing lifecycle - before, during and after an attack
Just as phishing has evolved, the way organisations detect and deflect these malicious messages must also change, looking at each distinct stages to a phishing attack - before, during and after.
Phishing remains rampant with many organisations struggling to deflect these poisoned communications from arriving into users' mailboxes. However, the email delivered to the inbox is just one physical outcome from the various stages that make up the phishing lifecycle. In fact, there are three stages this threat evolves through – Before, During and After.
By understanding each, organisations can strengthen their response to this attack vector.
Why is phishing still a problem?
Today, phishing has reached epidemic levels as, according to statistics published by The Anti-Phishing Working Group (APWG,) there were at least 592,335 unique phishing attacks in the first half of 2017. It is thought that phishing now accounts for 90 to 95 percent of all successful cyber-attacks worldwide.
Current defences are failing to stop a threat that has existed for more than 20 years because they are still using the same techniques and technology as they did in the 90s. The result is that malicious emails continue to easily bypass legacy SPAM filters, firewalls and secure email gateways as they still rely on known attacks or signatures.
Although there is almost universal agreement amongst malware researchers to ditch YARA Rules and regular expressions, many email security solutions are still heavily reliant on this method.
Just as phishing has evolved, the way organisations detect and deflect these malicious messages must also change.
The phishing lifecycle
Today, there are three distinct stages to a phishing attack – before, during and after. Let's look at each:
Before - The awareness stage:
From an organisation's perspective, this is the education phase. It goes without saying that users must be made aware of the risks and reminded that they should never click a link in an email they believe could be illegitimate.
However, while educating users to spot the phisher's lure is commendable, due to human nature it alone is not enough. Fraudsters are frequently adopting spoofing and impersonation techniques in a quick, easy, and incredibly successful way to lure their potential victims into a false sense of security.
During - The detection stage:
This covers the phase where the object – ie the phishing message, is received by the organisation's email system. Phishing detection tends to focus on messages as they pass through the gateway which is proving ineffective. Instead, applying controls at the mailbox itself that are less focused on content but instead take into consideration the context of the message - such as metadata associated with every email, true sender indicators and sender reputation score through mailbox behaviour analysis, will help identify rogue or altered messages.
From the users' perspective, it is virtually impossible to identify every phishing email that lands in inboxes across the workforce. Unaware or preoccupied users, even those actively engaged in an awareness training programme, could inadvertently detonate the malware contained. Even if they do correctly identify the offending message, there needs to be a process to flag it and for the organisation to respond to these reports in a timely fashion.
Employees must have tools to help them make smarter and quick decisions regarding emails in their mailbox in order to help protect the organisation's network by initiating automated forensics and response and in parallel alerting the Security Operations Centre (SOC) team.
This can be done by augmenting the sender's information and reputation into the process through visual cues inside the email client itself.
After - The response stage:
This covers everything from the point where a user interacts with the phishing message – either detonating the malicious payload or flagging for investigation. How the organisation responds to either action will determine how successfully the attack is deflected.
If an employee is savvy enough to identify a phishing attempt and immediately report it to the SOC team, all too often it simply goes into a pile, waiting for the SOC team who must manually tend to each report as it's received, regardless of its severity, which means it could take days or even weeks for a SOC team to get to an incident, and even longer to mitigate it.
The forensics process also often stalls significantly, especially for companies that rely on SOC teams for analysis and remediation. In fact, the average time for phishing attack identification to remediation is an astounding 146 days [Source: FireEye].
In the meantime, the vigilant employee's less-savvy colleagues may also receive the email, open it, download the malicious software attached, and allow the hacker to infiltrate the network, steal sensitive information, and hold the computers hostage for millions of dollars.
When a new attack is detected or reported there needs to be an automatic remediation of all infected inboxes in real-time and orchestration with other network and endpoints' to make sure the attack is contained on all levels within the network.
A further element of this stage is one of intelligence sharing and collaboration between businesses, so that event information is shared freely, to prevent more than one organisation being hit by the same cyber-attack. If organisations act proactively, they can defend their network gateways and endpoints from increasingly frequent and sophisticated threats, such as the Scarab malware that hit in 2017.
It's more than just not clicking
While nearly everyone is familiar with phishing attacks, this only really helps with the ‘before' stage of the phishing lifecycle. The issue is that it is the ‘during' and ‘after' stages where the damage is often inflicted as many organisations lack the required capabilities to successfully detect and respond to a phishing attack.
Organisations need to accept that employees are going to be presented with volatile messages and preventing them being detonated is where efforts should be channelled. This involves a multi-layered and dimensional approach, that incorporates both humans and technology, to better detect and respond to each stage of the phishing lifecycle.
While employee training still plays a role in phishing mitigation, recent events have proven it's not an effective solution on its own. Anti-phishing policies that emphasise human intelligence without a real-time automated response are insufficient at best, as humans don't have the capacity to automatically respond to and remember each phishing attempt across an entire enterprise. Therefore, anti-phishing policies must incorporate machine learning to not only trigger an automatic response, but also prevent the same scam from affecting others now and in the future.
Machine learning continuously accumulates information about new attacks, ultimately strengthening an organisation's phishing mitigation strategy:
With each attack, the machine becomes more intelligent – remembering each attack's techniques and characteristics, thereby anticipating, and not reacting to, future attacks with similar signatures.
Due to its intelligence gathering and processing of information, machine learning can help predict unknown attacks (zero days) based on educated predictions that are deduced from attacks that have been identified.
Machine learning can perform anomaly detection based on an established baseline that is built up through continuous learning of normal and abnormal behaviour.
Email security solutions that live on the ISP and/or gateways and employee education and awareness training on its own, are simply not working.
Attackers are too smart; too patient and too determined to defeat the cyber-security status quo.
To thwart phishing once and for all isn't just a single action. Organisations need to address each of the stages of the phishing lifecyle to neutralise the threat from beginning to end.
Contributed by Eyal Benishti - CEO and founder of Ironscales
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.