James Moore, Security Consultant
10 mins read
Phishing attacks are designed to deceive individuals into providing sensitive information such as passwords to a malicious third-party, or into performing actions such as downloading malware designed to give an attacker remote control over the victim’s computer. Worryingly, these attacks are becoming increasingly sophisticated, to the extent that often neither the individual nor the organization to which they belong is even aware that an incident has occurred until it is too late.
Typically, these attacks take the form of an email that appears to come from a legitimate entity (for example, an online bank or email account), in order to gain the individual’s confidence, so that they then follow a link and divulge sensitive information. As an Information Security company, we have witnessed these types of breaches occurring ever more frequently, in line with the growth of online services, such as banking and social media. Certainly the kind of information that it is now possible for attackers to intercept over the internet and company intranets makes these attacks very lucrative. Additionally, there is a low barrier to entry as phishing attacks such as this are relatively straightforward to implement and difficult to track and prevent.
If a phishing attack were launched against your organization today, would your employees be susceptible?
Within many organizations, the susceptibility of employees to phishing attacks is largely unknown. Whilst security testing is now commonplace within organizations and the adoption of common security controls is widespread, there is not a widely-adopted approach to sustainably reducing the risks from phishing threats over the long-term. Whilst policies and processes are often in place to help an organization react to a phishing attack, the effectiveness of any internal reaction to a legitimate attack is often unmeasured, especially if the occurrence of the attack itself has remained undiscovered.
The financial cost of phishing attacks to UK-based organizations, on the other hand, is well known. In 2012, the UK economy lost £405.8m to phishing attacks, an increase of 25% over the £304.4m lost in 2011. RSA reported that in 2012 there were, on average, more than 37,000 unique phishing attacks globally each month, compared with 21,500 per month in 2011. Phishing attacks against organizations are rising in both number and sophistication, and as the quantity, diversity and confidentiality of data stored electronically increases, so does the risk presented by the phishing threat.
The primary issues faced by organizations include how to measure organizational susceptibility to phishing attacks, and how sustainably to reduce the risk posed by such attacks, given that they are increasing in both frequency and sophistication.
Whilst a growing number of organizations now have stringent security controls, policies and procedures in place and frequently perform security assessments, these assessments often do not provide any insight into the susceptibility of an organization or its employees to phishing attacks. Instead, security assessments usually focus on more ‘tangible’ vulnerabilities, such as security flaws within software or the insecure misconfiguration of network infrastructure.
To gauge your current security posture in terms of the risk posed by phishing attacks, ask yourself the following questions:
If you were unable to answer any of the above questions, or if you answered any with uncertainty, then your organization’s security posture could certainly be improved. The susceptibility of an organization, and as such the risk associated with phishing attacks, is widely considered to be difficult to measure. *
In some cases, phishing attacks, as an attack vector, are even overlooked entirely. In rare cases, where controlled phishing assessments are performed to measure risk, these are performed as one-time exercises and do not provide sufficient metrics to identify weak areas of an organization. In these cases, the assessment does not have a sustained preventive effect: employees are still likely to click malicious links within emails only a few months after the engagement. Such engagements offer little to no value.
Executed well, a phishing attack can extract far more than domain credentials from your organization. An attacker can use phishing attacks as a base to trick employees into downloading and running malicious software, in turn providing an attacker with a long-term, often undetected foothold inside the network, side stepping traditional security controls. Such a foothold is then often used to gain further access to corporate resources, such as file shares, from which assets can then be extracted.
A more determined attacker can go a stage further still. By enumerating the versions of client-side software, including the browser and plug-ins (in Java for example), as soon as an employee browses a malicious website after clicking a link in a phishing email, the attacker is able to identify and attempt to exploit any vulnerable client-side software accessible via the web-browser. If successful, the attacker would obtain a foothold within your network without the need even to prompt for the download of malicious software.
Once a foothold is obtained, an attacker can attempt to elevate their privilege level and begin to extract confidential data from the corporate network. Such data often includes financial information, such as payroll, client information or sales figures and projections. In many cases, it would also be possible for the attacker to modify data, thus affecting its integrity. Ultimately, the real risk to a business from a successful phishing attack is loss of both money and reputation.
The first stage of any plan to mitigate the risk posed to an organization by phishing attacks is to measure the current level of susceptibility by performing a controlled attack against employees. Such an attack would ideally target a subset of employees from each department within the organization. If appropriate, employees and departments from different offices should also be included within the test, in order to allow for the identification of any trends across the entire organization. The data returned by such an assessment is invaluable in gauging current levels of susceptibility and providing information such as:
Once a baseline has been established, strategies for mitigating risk should be investigated and implemented. There are a number of approaches that, when combined, are extremely effective in dramatically cutting the overall level of susceptibility:
Generally, the advantages of regular controlled phishing attacks will be well understood within the technical areas of an organization; however, there are various challenges that must be faced before such assessments are authorized and commissioned. Often, the most significant hurdle is mitigating the risk of upsetting or embarrassing employees. Ensure that any employees who do click malicious links are not reprimanded or patronized, by ensuring that there is a strategy in place to explain the risks posed by phishing attacks and that formal training is provided where appropriate to help employees identify threats going forward.
Another issue is the fact that the assessment may have a detrimental effect on the corporate environment or network. Ensure that your supplier does not use any ‘payload’ for regular phishing assessments, i.e. employees’ attempts to download malicious software are recorded, but no malicious software is actually supplied. Once regular assessments are commissioned, ensure that the key personnel within the organization are aware of the assessment and know how to react, but do this on a need-to-know basis only. Generally, the heads of security and IT should be aware of the assessments, and should be prepared to intervene prior to any unnecessary actions being taken (such as replacing employee workstations). For the first few controlled phishing attacks, expect large numbers of employees to be susceptible. It is not uncommon for 60-70% of employees targeted to click on the malicious links. Generally, there is a small drop-off (typically 5-10%) in employees who supply domain credentials and a further small drop-off (typically 2-4%) in those who then proceed to attempt to download a malicious executable.
In terms of internal response, anticipate some minor chaos for the first assessment. As security policies and procedures relevant to phishing attacks are tested for the first time, there are generally opportunities for improvement going forward. As long as procedures are in place to identify and document these opportunities, then progress can be made going forward, and, with each assessment, the internal response should become more efficient and streamlined. In the event of a real-world phishing attack, the internal response should have progressed to a stage where it is not only efficient but wholly effective.
From a return on investment perspective, the number of employees susceptible to phishing attacks can typically be expected to decrease by upwards of 25% per assessment, with most organizations seeing an overall susceptibility reduction of at least 90% after one year of quarterly controlled phishing assessments.
Despite being a long-established attack vector, phishing is a growing threat to organizations who, with the increasing amount of confidential data being stored electronically, have more to lose now than ever. It is common for organizations to struggle to measure their susceptibility to phishing attacks, with common security controls proving ineffective against the threat, and security assessments often overlooking phishing as a potential attack vector.
Regular phishing assessments performed in a structured, controlled manner provide a means to benchmark decreasing susceptibility over time. They can map out trends within your organization, highlighting patterns in areas of the business that are most vulnerable. In addition to providing accurate metrics that allow the calculation of risk posed to your organization, conducting quarterly or bi-annual phishing attacks helps to maintain a heightened awareness. This will decrease the risk posed to your organization of a real-world attack, typically by upwards of 90%.