The long tail of phishing attacks

Post a Fraud Alert:

Targeted phishing has become the single most effective attack type in the world today. Phishing attacks have been the root cause of the majority of the large-scale data breaches that compromised the sensitive information of millions of individuals and extracted financial gains from some of the world’s largest companies.

In March, a spear-phishing scam that used the cover of the tax season and W-2 filings tricked more than 120,000 people into sharing their personal data. Just one month later, Google and Facebook were the victims of an elaborate $100 million phishing attack when employees at both companies unwittingly sent money to overseas bank accounts. In the month following, a highly sophisticated Google Docs attack compromised over a million Gmail accounts in just one hour.

These targeted phishing attacks are just a handful of the most notable attacks that occurred during this year alone, and show that cybercriminals are becoming increasingly sophisticated and are bypassing secure email gateways (SEGs) without detection for weeks or months at a time. Now for the even worse news: the full effect of these attacks has yet to be realized.

The problem with legacy email security systems

From the data compromised in the Equifax and EDGAR breaches alone, criminals can now easily find out where you live, where you work and even what kind of car you drive. Identity theft – both in the short and long-term – will be a key concern for everyone, and executives at large, high-profile organizations can and should expect the volume of hyper-targeted phishing attacks to increase as cybercriminals turn available personal data into actionable intelligence. In order to effectively protect against these threats, enterprise security initiatives must start at the inbox.

Traditionally, organizations have relied on technologies like SEGs to protect email. SEGs take a perimeter-blocking approach to threats, attempting to prevent malicious emails from entering the corporate infrastructure at a single point in time. However, these gateway-based tools are exceedingly limited when dealing with non-payload based attacks that rely on social engineering tactics to fool employees. This is because SEGs are built on classification systems — text-based rules that work really well for identifying spam, but are inadequate for detecting grammatically correct, payload-free phish.

Another major drawback to the perimeter-blocking approach is that it provides security teams with no visibility, control or management over threats that successfully bypass the SEG and make their way into a recipient’s inbox. As evidenced by the aforementioned attacks, phishing scams regularly do bypass the perimeter unnoticed — and phishing attacks are viable for as long as they remain in a corporate inbox, so this is the security equivalent of a ticking time bomb.

Just because a phishing email wasn’t read immediately doesn’t mean that the recipient won’t read it later and be deceived into divulging data that compromises their organization. Any organization that relies on legacy email security systems is leaving its employees vulnerable to the most difficult-to-detect types of threats, thus contributing to the prevalence of phishing attacks.

Gaining visibility is key

Employee security awareness training programs are the most common tactic that organizations take in an effort to protect against social engineering attacks, but the simple fact is that these trainings are far from bulletproof. The pervasiveness of email, the always-on-nature of modern work and the increasing sophistication of targeted attacks make it impossible for employees to be constantly vigilant as watchdogs over their inboxes, capable of making the right decisions every time they’re exposed to a different cyber risk. Proper training can help, but not prevent, users from falling prey to social engineering schemes or legitimate-looking attack emails.

Rather than shifting the burden of staying secure to individual employees, organizations should bolster employee awareness trainings with IT and security teams who have post-delivery visibility into, and control over, messages that have already landed in employee inboxes.

Unfortunately, many security teams are unable to keep up with the sheer volume of email threats that require review and remediation on a daily basis, due to a shortage of qualified security professionals. ISACA, a non-profit information security advocacy group, predicts there will be a global shortage of two million cyber security professionals by 2019. This cybersecurity skills gap means security teams are unable to detect, analyze and respond to the high volume of potential phishing emails their organizations receive – which, according to GreatHorn’s research, is over 3,680 emails per week.

Automation’s role in defending the enterprise

For an organization facing tens of thousands of malicious emails on a monthly basis, keeping up with potential threats is impossible to do manually. Automated security tools act as a force multiplier for security teams with limited time and resources, helping overloaded admins better manage potential phishing threats. Through the use of automation, security leaders can help their teams more efficiently manage the overwhelming number of potential vulnerabilities they face by programmatically identifying and addressing threats based on preset policies.

Automation also increases threat detection accuracy, leveraging machine learning to determine whether an individual message is an attempt to deceive or phish an organization’s employees by analyzing metadata such as geolocation data, relationship strength between sender and recipient, organizational who-knows-whom information and frequency of contact. This data increases the visibility of phishing threats, reduces the time it takes for security teams to respond to threats, and can detect patterns that a human might otherwise miss.

Today’s SEG-reliant security posture is not enough to overcome the advanced types of phishing threats that we see today — and that we will continue to see evolve in the future. Protecting against social engineering and phishing attacks requires automated, comprehensive and post-delivery response capabilities that act in real-time to proactively identify threats and programmatically address them through automation before they can result in breaches.