Riaan Naudé, Director of Consulting, UK
11 mins read
So long as attackers have the motivation to conduct cyber attacks, phishing will continue. The technique of phishing cannot be eradicated for the same reason we cannot prevent theft or social engineering. Attackers are motivated, cunning, and for the most part, smart. Asking when phishing will end is like asking when people will stop picking locks; build a new lock and the motivated will find a new mechanism to break it.
Phishing is a versatile, low-cost, and highly scalable tactic for cyber attacks. While attackers may need to develop new methods for delivering malware or instigating credential theft, they are ultimately leveraging user behavior as the entry point to reach valuable targets. For organizations, phishing presents a lasting challenge because attackers target human fallibility, and this cannot be eradicated.
To thwart a phishing attack, you need to consider all its components, not only the initial breach. Phishing controls often fall short because of their narrow focus on a single point in time: usually, the moment a user reads and reacts to a phishing email. For the attacker, however, phishing does not start and end with a single click. It is one tactic designed to either create an entry point in a sequenced attack or to steal information. By understanding the attacker’s objectives at each stage of the attack, organizations can build a multi-layered approach to defense.
Consider F-Secure’s adapted version of Lockheed Martin’s Cyber Kill Chain:
Fig. 1. F-Secure's adapted cyber kill chain
For an attacker to successfully reach their objective, they need to perform activities in each phase of the kill chain. (The exception may be Persistence, as an attacker does not necessarily need to perform Persistence activities in order to reach their objective.) For a phishing attack to be successful, the attacker must complete at least the initial 4 steps. You, as the defender, only need to prevent, or detect and respond to, one of the actions between the Delivery and C2 phases. For cyber security defenders, each phase of the kill chain provides an opportunity to reduce exposure and prevent or detect the attacker’s actions. Therefore, if you are looking to build resilience against phishing, it is important to consider more than the isolated act of phishing.
To reduce your business' exposure to phishing, here's what you can do:
Keep in mind that attackers have a finite number of techniques at their disposal. Once you understand which attacks are possible in your environment, you can prepare for them and defend your organization against them. Ask yourself the following questions:
Tackling these questions will build a list of actions an attacker could realistically perform. These are the actions you need to be able to effectively detect and respond to with a multi-layered approach to phishing.
Awareness programs typically consist of simulated phishing campaigns conducted alongside security awareness training for employees that explains the risks of phishing. At first glance, awareness might seem like a non-technical, compliance-driven exercise. It’s not. Certain security professionals may even consider phishing awareness training a pointless effort. That is only true when it is used in isolation.
If your phishing awareness program is focused on reducing click-rate, then it will never be effective at protecting your organization against cyber attacks. The primary goal of an awareness program is to ensure that people report suspicious emails quickly to the appropriate team, who can triage rapid response activities. The role of the Security Operations Center (SOC) is to detect and respond to attacks. They can only respond to phishing attacks that they are aware of, and the fastest way for them to do so is for users to report phishing emails. Reporting of phishing emails is a detection function, which, if done correctly, is highly valuable in the detection and mitigation of cyber attacks.
Awareness programs are an important component of any phishing risk mitigation strategy. But having an effective awareness program in place without building the vital response activities that should follow would nullify the investment made in it.
In addition to your awareness program serving as the funnel into your detection and response team, it generates valuable data that can further augment your detection capability (I spoke about this last year in my presentation Security Awareness Data: a Goldmine). Simulated phishing campaigns, and the data gathered on click-rate and report-rate, help determine which users or teams are more likely to fall victim to phishing. Using this data to identify the most at-risk users and groups allows you to develop targeted, specific interventions.
This information can improve your detection function in two ways. Knowledge of the most at-risk users lets you build a heat map of the most likely targets; that heat map in turn allows you to generate higher-fidelity alerts and to adjust risk scoring accordingly.
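As an added illustration (not part of the original post and not F-Secure's tooling), the Python below turns simulated-campaign results into per-user risk, aggregates that into a team heat map, and uses it as a multiplier when scoring phishing alerts. The campaign data, the 0.7/0.3 weights and the scoring formula are constructed assumptions, not a published model.

```python
"""Awareness data as a detection input: click-rate and report-rate from simulated
phishing campaigns become a risk heat map and an alert-scoring multiplier.
Added example, not F-Secure's code. All users, teams and numbers are constructed."""
from collections import defaultdict

# Constructed campaign results: (user, team, clicked_link, reported_email)
CAMPAIGN_RESULTS = [
    ("alice", "finance", True, False),
    ("alice", "finance", True, False),
    ("alice", "finance", False, True),
    ("bob", "finance", False, True),
    ("bob", "finance", False, True),
    ("bob", "finance", False, False),
    ("carol", "engineering", True, True),
    ("carol", "engineering", False, True),
    ("carol", "engineering", False, False),
    ("dave", "engineering", False, False),
    ("dave", "engineering", False, False),
    ("dave", "engineering", True, False),
]


def user_risk(results):
    """Risk per user in [0, 1]: click-rate pushes risk up, report-rate pulls it
    down. The 0.7 / 0.3 weights are an assumption chosen for this example."""
    clicks, reports, total, team_of = defaultdict(int), defaultdict(int), defaultdict(int), {}
    for user, team, clicked, reported in results:
        total[user] += 1
        clicks[user] += int(clicked)
        reports[user] += int(reported)
        team_of[user] = team
    risk = {}
    for user, n in total.items():
        click_rate, report_rate = clicks[user] / n, reports[user] / n
        risk[user] = round(0.7 * click_rate + 0.3 * (1 - report_rate), 3)
    return risk, team_of


def team_heatmap(risk, team_of):
    """Mean user risk per team: the 'most likely targets' heat map."""
    per_team = defaultdict(list)
    for user, score in risk.items():
        per_team[team_of[user]].append(score)
    return {team: round(sum(s) / len(s), 3) for team, s in per_team.items()}


def score_alert(base_severity, user, risk):
    """Re-score a phishing alert involving `user` (e.g. a suspicious email delivered
    to them) by their risk: at-risk recipients float to the top of the SOC queue."""
    return round(base_severity * (1 + risk.get(user, 0.0)), 2)
```

Run over real campaign exports, the same functions give the SOC a ranking of which reported or detected emails to triage first.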
The most effective way to detect, prevent and mitigate the risks of a phishing attack is to build layered technical and non-technical controls across the first 4 phases of the kill chain.
Director of Consulting, UK
I am a London-based South African with a passion for people and security. I have been in the security industry since 2009, after starting my IT career as a desktop support technician. I like to share my thoughts and opinions to get people thinking, talking, and debating security.