Email Phishing attacks continue to provide hackers with an entry point into organisations.
In last month’s SECURITY.FYI article, I highlighted how application security vulnerabilities have become an increasingly popular attack vector for breaching cyber security defences. This month I’ll be focusing on an attack vector that we are all more familiar with, yet continue to struggle to defend against.
A Phishing email intends to trick a user into believing that the email is legitimate while persuading them to perform an action that can be used to compromise the user or their computer. I’m sure at some point we’ve all received an email advising us of a long-lost inheritance, lottery win or friendly Nigerian Prince! These emails often contain malware-infused attachments or URLs, but sometimes the attacker is simply trying to coax information out of the recipient.
An excellent source of information relating to Phishing is the Quarterly Malware Review Report produced by PhishMe. The trends and attack patterns in this report can be used to help condition email users against the most likely threats.
Malware that is delivered in an email attachment or URL within the message body can serve many purposes depending on the attacker’s intent. Banking malware often focuses on stealing login credentials whereas remote access trojans may try to exfiltrate data or snoop on the user by enabling the camera or microphone. During the past few years we have seen a dramatic increase in ransomware attacks and many of these were delivered through Phishing emails.
We are seeing attackers resorting to trickery and trying to invoke an emotional response when attempting to coerce users into opening emails. An example of this is provided by LinkedIn user Andy Cuff who received an email which appeared to be from Office 365, notifying him that his email was scheduled for deletion.
The threat of phishing attacks has gained widespread coverage, which has resulted in most email users having some level of awareness of the threat. However, when we discuss email protection in the security industry there is often an assumption that we are referring to secure email gateways or some other form of technology control. In last month’s article, I referred to the adage of “People, Process and Technology”, and when we consider the implementation of security controls for email the same principle applies.
When an email passes through our technology stack on the way to the recipient, the last control point before that email is opened is the user. There is no silver bullet product for sale that will protect us against every threat out there, so we need to stop trying to rely on technology like Artificial Intelligence and Machine Learning to defend against attacks. We should be striving for real intelligence and human learning by educating our users to recognise the signs of a phishing email, because a well-educated user is our best form of defence against Phishing attacks.
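The signs a trained user is taught to look for can also be checked mechanically, which is useful both for building training material and for triaging reported emails. The script below is an added example, not code from the article or from Barrier Networks: it parses a constructed sample message (modelled on the “mailbox scheduled for deletion” lure mentioned above) and flags four common indicators: a Reply-To domain that differs from the From domain, anchor text that shows one site while the link goes to another, urgency language, and an attachment with a macro-enabled or executable extension. The indicator names, keyword list and the simple “last two labels” notion of a registered domain are assumptions chosen for the example, not a standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): a multipart message that mimics
# the "your mailbox is scheduled for deletion" lure mentioned in the article.
SAMPLE_EMAIL = """\
From: "Office 365 Support" <support@office365-alerts.example.net>
Reply-To: recover@mailbox-recovery.example.org
To: user@example.com
Subject: URGENT: Your mailbox will be deleted in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been scheduled for deletion. Act immediately to keep your mailbox.</p>
<p><a href="http://login.mailbox-recovery.example.org/verify">https://portal.office.com/account</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="recovery-form.docm"
Content-Disposition: attachment; filename="recovery-form.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Assumed keyword and extension lists for the demonstration; tune for your environment.
URGENCY_WORDS = ("urgent", "immediately", "deleted", "suspended", "verify")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Rough registrable domain = last two labels (example.net). Good enough for
    a demonstration; a real tool would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL, or '' if the string is not a URL with a scheme."""
    return (urlparse(url).hostname or "").lower()


def analyse(raw):
    """Return a list of (indicator, detail) tuples for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.partition("@")[2]
    reply_domain = reply_addr.partition("@")[2]
    # Replies silently routed to a different organisation than the apparent sender.
    if reply_domain and registered_domain(reply_domain) != registered_domain(from_domain):
        findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))

    text = msg.get("Subject", "")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", filename))
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            text += " " + re.sub(r"<[^>]+>", " ", html)  # strip tags for keyword scan
            extractor = LinkExtractor()
            extractor.feed(html)
            for href, label in extractor.links:
                # Anchor text shows one site, but the href points somewhere else.
                if host_of(label) and registered_domain(host_of(label)) != registered_domain(host_of(href)):
                    findings.append(("link-text-mismatch", f"{label} -> {href}"))
        elif part.get_content_type() == "text/plain":
            text += " " + part.get_payload(decode=True).decode("utf-8", "replace")

    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_EMAIL):
        print(f"{indicator:22} {detail}")
```

Each indicator on its own is weak (legitimate mailing lists set a different Reply-To, and genuine account notices can be urgent), which is exactly why the output is a list of findings rather than a verdict; the point of training is that users weigh several such signs together before acting.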
Of course, I’m not suggesting that we abandon technology controls and rely solely on our users. Instead, we should be leveraging our users’ intelligence by educating them and building that into a defence-in-depth strategy. The proverb in the headline of this article applies: “Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.”
Educating your users will help create another strong defensive control in your security posture. Unfortunately, I often hear IT staff lament their users’ inability to spot the tell-tale signs of a Phishing attack, but when I ask about the training provided it is either absent or minimal. One of the services we offer at Barrier Networks is a Phishing service that delivers coordinated Phishing simulations against a client’s user base and integrates user training into the scenario. These Phishing campaigns help sharpen awareness of the risk of inbound emails because we advise IT departments to publicise the campaign to their user base.
Publicising the campaign gives people the opportunity to be vigilant, which immediately helps because they don’t want to be caught out by an IT Phishing test, so they pay more attention to the emails they open. If a user clicks on one of the Phishing campaign emails, they are provided with a short educational video on how Phishing attacks work and how to identify them.
We run different campaigns throughout the year, and in my experience of email security controls, both technical and non-technical, Phishing awareness and user training is by far the most effective way to combat email-based threats. It’s easy to become exasperated by non-technically minded members of staff, but it is pleasantly surprising to watch them learn and become part of the solution instead of the problem.
It’s not uncommon to hear users referred to as the weakest link in a security posture, and if that is your view I would urge you to consider the education provided to those users. Education enables us to perform at our best, and it is no different when it comes to the topic of email security. Step back from the problem and look at your approach, then consider whether you could help your users to help you, because after all, it’s better to teach someone to Phish!