(Editor’s Note: This blog originally appeared on redcanary.com)
Phishing remains one of the most common and effective means for an attacker to gain initial access to their victims’ environments. Verizon’s 2017 Data Breach Investigation Report (DBIR) indicated that for two years running, phishing was the top variety of social attack, used in more than 90% of incidents and breaches. A more focused variant is “spearfishing,” which differs in that the email is highly targeted to one specific individual target or a group of targets.
Phishing is pervasive for one simple reason: It works. The vulnerability that makes an organization susceptible to phishing is its human users—which are also among the more difficult pieces in the security apparatus to “patch.” The Verizon report found that about 7.3% of users across multiple data contributors were successfully phished, whether via a link or an opened attachment. And in a typical company, about 15% of all unique users who fell victim once, also took the bait a second time… Not a good track record at all.
Since it is not feasible to stop these attacks by technical means, we must rely on the targets themselves—humans—to mitigate their effectiveness. As long as an attacker can get a single human to do something as simple and common as opening an attachment or clicking on a link, the victim organization’s array of security technology has already failed. Attackers rapidly change tactics such as specific URLs, phishing ruses, and individual targets very easily—often dozens or hundreds of times per day. This makes technologies that seek to straight-out “prevent” phishing attacks woefully ineffective, as updating signatures simply can’t keep pace with the attackers.
So where does this leave us? The answer lies in minimizing the chances a threat will be realized and maximizing the quality of response when the threat is eventually realized. In the case of phishing, this includes ongoing user education/awareness, application control, and fast/effective detection.
Following are 3 ways to mitigate your phishing risk
1: Train Your Employees. Then Train Them Again.
It bears repetition that users are the key means to defeat phishing. When they can quickly and accurately identify a phishing email versus a legitimate message, the attacker loses outright. Services such as PhishMe seek to educate users and give them tools to report suspected phishing emails, allowing the victim organization’s security team to respond as needed to true phishing messages.
2: Limit The Execution, Limit The Risk.
From a technical perspective, application control solutions like that offered by our partner Carbon Black are absolutely the single most meaningful step toward prevention that an organization can take. This methodology ensures that only a list of approved binaries can run on the systems within an enterprise. Whether the phishing payload is garden-variety ransomware or highly-targeted custom malware, the price of becoming a victim generally reaches far beyond that of deploying and maintaining a whitelisting solution.
3: Deploy Continuous Monitoring, Detection, and Response
No solution is 100% effective. Organizations that regularly educate employees and run application control in their environment are still susceptible to threats. For these organizations (or really any organization), the best way to improve your overall IR game is to take decisive action as soon after the event as possible. In the phishing game, this means quickly and accurately detecting malicious links visited, attachments opened, and the downloads that result. We built Red Canary Managed Endpoint Detection and Response to make enterprise level security available to organizations of any size. When a user does click on a phishing email, we exist to quickly detect the resultant activity and support our customers with the intelligence and tooling they need to conduct a solid cleanup without delay.
Phishing isn’t going away. And no company is too small, nor are there any insulators based on industry or geography. Ensure that your organization has a clearly defined strategy including training, prevention, detection and response. It is through this type of awareness and planning that we will mature our defenses against phishing attacks and slash the effectiveness of future campaigns.