Why is phishing still a problem?

Why is phishing such a persistent attack method?

So long as attackers have the motivation to conduct cyber attacks, phishing will continue. The technique of phishing cannot be eradicated for the same reason we cannot prevent theft or social engineering. Attackers are motivated, cunning, and for the most part, smart. Asking when phishing will end is like asking when people will stop picking locks; build a new lock and the motivated will find a new mechanism to break it.

Phishing is a versatile, low-cost, and highly-scalable tactic for cyber attacks. While attackers may need to develop new methods for delivering malware or instigating credential theft, they are ultimately leveraging user behavior as the entry point to reach valuable targets. For organizations, phishing presents a lasting challenge because attackers target human fallibility, and this cannot be eradicated.

To thwart a phishing attack, you need to consider all its components, not only the initial breach. Phishing controls often fall short because of their narrow focus on a single point in time: usually, the moment a user reads and reacts to a phishing email. For the attacker, however, phishing does not start and end with a single click.  It is one tactic designed to either create an entry point in a sequenced attack or to steal information. By understanding the attacker’s objectives at each stage of the attack, organizations can build a multi-layered approach to defense. 

Consider F-Secure’s adapted version of Lockheed Martin’s Cyber kill chain:

For an attacker to successfully reach their objective they need to perform activities in each phase of the kill chain. (The exception may be Persistence, as an attacker does not necessarily need to perform Persistence activities in order to reach their objective.) For a phishing attack to be successful, the attacker must complete at least the initial 4 steps. You, as the defender, only need to prevent, or detect and respond to one of the actions between the Delivery and C2 phases. For cyber security defenders, each phase of the kill chain provides an opportunity to reduce exposure and prevent or detect the attacker’s actions. Therefore, if you are looking to build resilience against phishing, it is important to consider more than the isolated act of phishing.

If we can’t prevent phishing, how do we mitigate the risks?

To reduce your business' exposure to phishing, here's what you can do:

1. Technical Exercise: understand exactly which specific phishing techniques are available to an attacker against your environment.
2. User Awareness Exercise: increase the likelihood that a user will spot and report a phishing email and reduce the likelihood that said user will fall victim. The success of user awareness exercises is typically measured in click rate and report rate. It is unrealistic to aim for a click-rate of zero, but as fewer people click, fewer endpoints will be compromised, limiting the level of response required to counteract an attack. The emphasis however should be on increasing the report rate of real phishing emails. 
3. Combined Technical and Procedural Exercise: assume people will fall victim—because they will—and ensure that you can detect and respond to the attack at the earliest opportunity when the risk of damage is at its lowest. 
4. Combined Technical and Procedural Exercise: even if an attack was prevented, you want to know exactly when an attacker failed in their attempt. Attackers make mistakes too, but just because an attacker has failed once does not mean they will be giving up.

Keep in mind that attackers have a finite number of techniques at their disposal. Once you understand which attacks are possible in your environment, you can prepare for them and defend your organization against them. Ask yourself the following questions:

1. Should an attacker target my business, what would their likely motives be and who would they choose to target as a result? How susceptible are those individuals to social engineering?;(External Reconnaissance (Recon))
2. Should an attacker successfully deliver a phishing email, how would they disguise their phishing email so that it is credible and impels users to engage with it? (Delivery)
   1. Can emails containing malicious URLs be delivered to your environment? If so, which kinds of URLs? Do you only block known-bad payloads?
   2. Can an attacker deliver an attachment, such as a document or spreadsheet? Could that attachment contain macros? Which other kinds of payloads can be delivered?
3. From this list of possibilities, which kinds of URL can successfully be reached? Which payloads can successfully be executed? (Code Execution/C2)

Tackling these questions will build a list of actions an attacker could realistically perform. These are the actions you need to be able to effectively detect and respond to with a multi-layered approach to phishing.

“But I already have a phishing awareness program”

Awareness programs typically consist of simulated phishing campaigns conducted alongside security awareness training for employees which explains the risks of phishing. At first glance, awareness might seem like a non-technical, compliance-driven exercise. It’s not. Certain security professionals may even consider phishing awareness training as a pointless effort. That is only true when it is used in isolation.

Certain security professionals may consider phishing awareness training as a pointless effort. That is only true when it is used in isolation.

If your phishing awareness program is focused on reducing click-rate, then it will never be effective at protecting your organization against cyber attacks. The primary goal of an awareness program is to ensure that people report suspicious emails quickly to the appropriate team, who can triage rapid response activities. The role of the Security Operations Center (SOC) is to detect and respond to attacks. They can only respond to phishing attacks that they are aware of, and the fastest way for them to do so is for users to report phishing emails. Reporting of phishing emails is a detection function, which, if done correctly, is highly valuable in the detection and mitigation of cyber attacks.

Awareness programs are an important component of any phishing risk mitigation strategy. But having an effective awareness program in place, without building the vital response activities that should follow, would nullify all investments towards it.

How does awareness feed into detection and response?

In addition to your awareness program serving as the funnel into your detection and response team, it generates valuable data that can further augment your detection capability (I spoke about this last year in my presentation Security Awareness Data: a Goldmine). Simulated phishing campaigns and the data gathered on click-rate and report-rate help determine which users or teams are more likely to fall victim to phishing. Using this data to identify the most at-risk users and groups allows you to develop, targeted, specific interventions.

This information can improve your detection function in two ways. Knowledge of the most at-risk users can build an effective heatmap of the most likely targets. This will allow you to generate higher fidelity alerts and modify the risk scoring accordingly.

In summary

• Find out where you are exposed and which actions an attacker is likely to perform
• Build your detection capability to match your exposure
• Focus phishing awareness programs on reporting suspicious emails
• Ensure you have an effective response function
• Use awareness training data effectively to identify at-risk users and augment detection accordingly

The most effective way to detect, prevent and mitigate the risks of a phishing attack is to build layered technical and non-technical controls across the first 4 phases of the kill chain. READ a step-by-step guide on implementing this approach.

Riaan Naudé
Director of Consulting, UK

I am a London-based South African with a passion for people and security. I have been in the security industry since 2009, after starting my IT career as a desktop support technician. I like to share my thoughts and opinions to get people thinking, talking, and debating security.