By Travis Rosiek, CTO, Tychon
It’s an old trick in the physical world. Getting into a secured building is easiest if an infiltrator can get an authorized person to open the door for them. No need to pick locks or smash windows. Just dress like a workman or hold a big bag of groceries and some unsuspecting person will helpfully hold the door. It’s little different in network security these days. With potentially thousands of legitimate users accessing secure networks every day, the new trick is to get one of them to unknowingly crack open the defenses.
The technique used to do this is called phishing, and it consistently ranks among the top ways networks are compromised. Sometimes called spear-phishing when it is tightly targeted, phishing is almost always delivered as an email that appears to come from inside the company or from a trusted or innocuous source. It invites the user to click a malicious link, open an infected attachment, or hand over security or personal information such as a password. Sadly, even among a well-trained workforce it is surprisingly successful. The best attackers know how to manipulate people, and they research their targets through social media and other open sources to improve their odds.
In fact, at a recent cyber-terrorism summit in New York, Homeland Security Secretary Jeh Johnson called it out, saying that “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.” But as prevalent as they are, phishing attacks are not invincible. With proper planning and tools, they can be defeated like any other type of attack.
1) Plan for a Phishing Trip
The best time to defeat a phishing attack is before it begins. Training users to recognize the danger is worthwhile, but it can never be relied on. The best attackers can convincingly mimic an email from the CEO, from human resources, or from a colleague. You can ask users to report suspected phishing emails – though according to the 2016 Verizon Data Breach Investigations Report this is seldom done – so that even if someone clicks, others may at least bring it to the attention of IT. But someone will almost always take the bait.
By assuming that some users will eventually fall for a phishing attack, IT teams can plan their response around the knowledge that it will happen rather than treating it as a mere possibility. Security Operations Center (SOC) teams can then plan how to diagnose and triage an attack, putting tools in place that can, for example, analyze who is sending and who is receiving suspect emails at scale. Incorporate all network security tools into that plan, so that any threat, however it was initially triggered, can be contained and mitigated.
2) Phishing Post Mortem
Organizations should use a next-generation email security platform together with a capability for retrospective analysis of phishing emails after an attack. This makes it possible to build a repository of captured phishing emails from which the adversary's tactics and techniques can be learned. Who is being targeted, what personal or confidential information was used for social engineering, and what action the email wanted the user to take can all be used to train SOC teams on what to expect in the next wave.
Once a sufficient quantity of phishing emails has been collected, they become a training tool, not so much for users, who may be a lost cause, but for the SOC teams who must respond to the threats phishing enables. The one good thing about phishing attacks is that they leave behind a lot of data, and sometimes the actual malicious code, that can be analyzed and defended against in the future – if you have the right tools to capture and study that information.
3) Know Where the Phish are Biting
All the data collected in step two can be used for another valuable purpose: predictive analysis. While you may not be able to train every user to defeat every phishing attack, you can selectively warn the groups that are being targeted. Perhaps your finance group is receiving phishing emails that appear to come from the CFO, or your human resources staff are being sent malicious attachments from fake job applicants. Knowing that is a huge advantage. Collecting and analyzing phishing emails can unmask trends and active, ongoing campaigns against your organization, and a specific warning to the targeted employees or groups can be highly effective, and might just stave off your next unexpected phishing trip.
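As an added example (not the author's or Tychon's code), the following Python script shows what the collect-and-analyze loop of steps one through three looks like in practice. It parses a handful of constructed phishing emails, records the fields a SOC wants in its repository (sender display name versus actual address, Reply-To, recipient, URLs, attachments), groups the messages by the identity being impersonated and the department being targeted, and emits one warning per cluster large enough to count as a campaign. The executive list, the recipient-to-department map, and the sample messages are all hypothetical stand-ins for a directory and a real capture repository.

```python
"""Cluster a repository of captured phishing emails into campaigns (added example; all data constructed)."""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Hypothetical directory data (recipient departments, executives' real addresses); from HR/IdP in practice.
DEPARTMENT_OF = {
    "a.lee@example.com": "finance",
    "b.ortiz@example.com": "finance",
    "c.nguyen@example.com": "finance",
    "hr@example.com": "hr",
}
EXECUTIVES = {"Dana Whitfield": "dana.whitfield@example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SAMPLES = [  # constructed: three CFO-impersonation lures to finance, one fake job application to HR
    """From: "Dana Whitfield" <dana.whitfield@example-corp-mail.com>
Reply-To: <dw.office@webmail.example>
To: a.lee@example.com
Subject: Urgent wire transfer

Are you at your desk? I need a wire processed before 3pm. Reply here, I am in meetings.
""",
    """From: "Dana Whitfield" <d.whitfield@exampie.com>
To: b.ortiz@example.com
Subject: Vendor payment today

Please approve the invoice at https://exampie.com/approve/7731 before end of day.
""",
    """From: "Dana Whitfield" <cfo.office@secure-docs.example>
To: c.nguyen@example.com
Subject: Confidential - acquisition funds

Keep this between us. Review https://secure-docs.example/deal and confirm the account.
""",
    """From: "Jordan Reyes" <jordan.reyes@mail-provider.example>
To: hr@example.com
Subject: Application - Senior Accountant
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find my resume attached.
--b1
Content-Type: application/msword; name="resume.doc"
Content-Disposition: attachment; filename="resume.doc"

not-a-real-document
--b1--
""",
]

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _plain_text(msg):
    """Concatenate the text/plain parts, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def extract_indicators(raw):
    """Record, for one captured message, the fields a SOC wants in its repository."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    # Display-name spoofing: a known executive's name over an address that executive never uses.
    spoofed = display in EXECUTIVES and sender.lower() != EXECUTIVES[display].lower()
    return {
        "lure": ("impersonates:" + display) if spoofed else ("sender-domain:" + _domain(sender)),
        "department": DEPARTMENT_OF.get(recipient.lower(), "unknown"),
        "subject": msg.get("Subject", ""),
        # Replies quietly routed to a domain other than the visible sender's.
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(sender),
        "url_domains": sorted({urlparse(u).netloc.lower() for u in URL_RE.findall(_plain_text(msg))}),
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }

def find_campaigns(raws, min_count=2):
    """Cluster by (lure, targeted department); min_count or more hits counts as a campaign."""
    clusters = defaultdict(list)
    for raw in raws:
        ind = extract_indicators(raw)
        clusters[(ind["lure"], ind["department"])].append(ind)
    return {key: hits for key, hits in clusters.items() if len(hits) >= min_count}

def targeted_warnings(campaigns):
    """One warning per campaign, addressed to the group actually being hit."""
    lines = []
    for (lure, dept), hits in sorted(campaigns.items()):
        subjects = "; ".join(sorted({h["subject"] for h in hits}))
        off_domain = sum(h["reply_to_mismatch"] for h in hits)
        lines.append(f"{dept}: {len(hits)} messages, {lure}, {off_domain} with off-domain Reply-To; subjects: {subjects}")
    return lines
```

Running `targeted_warnings(find_campaigns(SAMPLES))` yields a single line aimed at finance, reporting three CFO-impersonation messages and one off-domain Reply-To; the lone fake job application to HR stays below the campaign threshold but is still on record with its attachment name. The clustering key is deliberately coarse (who is being impersonated, who is being hit) because that is the level at which a targeted warning to a department is actionable; the per-message indicators (Reply-To and URL domains, attachment names) are what feed the mail gateway blocklists.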
About the Author
Travis Rosiek serves as the Chief Technology Officer (CTO) of Tychon, where he is responsible for product innovation and professional services. With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several Commercial and U.S. Government programs. He is known for developing and executing strategic plans to build the technical capacity of a company across product development, quality assurance, technical marketing, professional services, and sales engineering.
Prior to his work with Tychon, Travis held several senior roles with prominent security companies including CloudHASH Security, McAfee, and Defense Information Systems Agency (DISA). He also served as the Federal CTO at FireEye. A proud graduate from West Virginia University, receiving his M.S. in Electrical Engineering and dual B.S. in Computer and Electrical Engineering, Travis is also an ISC2 Certified Information Systems Security Professional (CISSP) and a member of multiple task forces and advisory committees.
Travis can be reached via LinkedIn and at our company website: Tychon.io