Reading through the Verizon Data Breach Investigations Report (aka DBIR), the amount of information about last year's breaches is daunting. Let's look at one category of the report—Phishing.
Teach a man to phish?
Why did I focus on phishing? Because it is on the mind of a lot of CISOs these days. As we know, quite a few high-profile breaches have come about because of successful phishing attacks. We've also seen a huge increase in attempted wire fraud through convincing, fabricated emails targeted at company executives. What does the DBIR tell us about phishing this year?
"23% of recipients now open phishing messages and 11% click on attachments." "Nearly 50% open emails and click on phishing links within the first hour."
Depending on how you read these quotes, you might come away as optimistic. After all, things don't seem that bad when only 23% of your workforce are opening phishing emails and clicking on things, and only half of those do it within the first hour.
Good news? Not so fast...
Things sound much worse when you consider two things:
- First, that 23% who open the messages represents an increase over the 10-20% seen in prior years.
- Second, the impact of that clicking is a big deal:
"For two years, more than 2/3 of incidents that comprise the Cyber-Espionage pattern have featured phishing."
I guess you could say this is a very ephishent attack vector, after all (yes, I know – trust me, there are much better phishing puns in the DBIR). Many organizations have spent a lot of time and money on "securing the human" with just these sorts of attacks in mind, yet the problem is getting worse. And we're not just talking about harvesting information from you employees – this is a common vector for malware payloads that allow remote access to your network, or exfiltrate valuable data to your attackers.
You can't cut bait.
A big part of this problem is that phishing techniques are becoming both more sophisticated and more overwhelming. For example, successful phishing emails are more like campaigns, in which a user is hit with numerous emails come in over a short period of time. This is part of the increased efficiency of these campaigns – they sneak through by flooding users with more emails, hoping they will drop their guard and click the link. According to the DBIR:
"The numbers again show that a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal’s prey, and it’s bag it, tag it, sell it to the butcher (or phishmonger) in the store."
You can't turn off email, and you have to have users in your environment, so this is not something that will just go away. Fortunately, there are some things you can do.
Try to get ahead of the problem.
If you are able to catch phishing email before it gets to users, such as with gateway detection schemes, you can take the user out of the equation. This is another area in which attacker sophistication/obfuscation is improving, so you won't catch it all.
Where possible, quarantine or delete the message – don't just file it in a spam folder. We've seen breaches that came about after someone diligently retrieved a malicious message from their spam folder and clicked a link or opened a malicious attachment.
Run phishing awareness training with a chance to practice.
If you want to prepare your users to be more effective in phishing attempts, why not let them practice in a safe environment? There are quite a few options offered by security training providers, but if you want to do something free, there is a very good phishing quiz from OpenDNS. I found out about this because I’m an OpenDNS customer at home, and they sent this quiz out to their customers to help us improve our “phish spotting” skills.
Granted, this quiz focuses on phishing websites and not spearphishing emails but it’s still a great resource. I’ve seen some good write-ups on how to spot phishing emails, as well – for example, Microsoft has a great guide in their Safety & Security Center, and Apple has some useful info in their support forums.
Focus on likely offenders.
According to the DBIR, some parts of your user population are more likely to open phishing emails:
"Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments."
Of course, they found that once people opened the email any department was just as likely to click on a link but if you play the numbers and focus on departments where it's a person's job to open email and respond to it, your time will be well spent. By the way, I'd add executives to that list – we've seen a lot of phishing emails targeting CEOs and CFOs.
Mitigate the risk once malware gets through.
In the likely event that something gets through, make sure your detection and response processes are in place and effective. However, that is often easier said than done.
Looking for a relatively simple fix with a great payoff? You can greatly reduce the likelihood of a rampant malware outbreak by making sure your users aren't running as local Admins on their systems – more on that in my post, "This One Weird Security Fix Makes the World Safer." You may not be the most popular person around, but at least you're less likely to be pwned.
This is just one aspect of the DBIR, but I think it bears focus due to the huge attack surface our users represent. It's true that people are the problem, but they are also our best hope in solving it.