Around 269 billion emails are sent per day, and roughly 150 million of those are phishing attempts. Some 92 percent of malware also arrives by email: attachments and downloaded files give attackers a direct route into an organization's network.
As the volume of these attacks grows, organizations have responded with security tooling, employee training, and policies that prioritize their highest-risk users, yet about 30 percent of phishing attacks still succeed, passing through every one of these layers of protection.
The World Health Organization recently warned the public of attackers posing as WHO to steal personal and financial information. Shark Tank investor and New York real estate mogul Barbara Corcoran disclosed that she lost over $400,000 to a phishing attack, and attackers attempted to steal more than $4 million from Puerto Rican government agencies. What is missing from traditional approaches, and how do we address the attacks that slip through the cracks?
Organizations currently employ several techniques to prevent, detect, and mitigate phishing. One is layered detection combined with network security controls: anti-virus and endpoint detection and response (EDR) on the endpoint, with a SIEM collecting their events and SOAR orchestrating and prioritizing the resulting alerts.
Threat intelligence feeds deliver the latest indicators seen in the wild; email security gateways block known malicious files and senders and stop sensitive data from leaving the network; and dynamic analysis systems (sandboxes) detonate suspicious attachments in controlled environments to observe malicious behaviour.
The point of layering is that no single control becomes a single point of failure: if one defense is bypassed, the next still has a chance to catch the threat.
Another important step is phishing simulation training for end users. Running simulated attacks exposes employees to real phishing techniques and raises their awareness so that they are less likely to fall for the deception; it should go hand in hand with an easy way for users to report suspected phishing.
Additionally, organizations should prioritize high-risk phishing targets. The importance of protecting C-level executives has long been stressed, but in practice lower-level staff are among the most targeted: 67 percent of highly targeted malware and phishing attacks are aimed at individual contributors and mid-level managers.
Role- and domain-based risk scoring identifies which individuals are truly at the highest risk, so organizations can make the best use of limited resources by concentrating additional security measures on those employees or departments.
Despite these efforts, malware will still get through, particularly as digital transformation multiplies attack vectors and malware grows more complex. Stopping these threats starts with understanding them, and to do that the security industry needs to overcome three obstacles: object complexity, black-box verdicts, and limited analyst skills.
Objects are more complex than ever: the breadth of file formats and sizes has grown, and malicious content is routinely nested inside other objects (archives within archives, embedded objects within documents), which makes advanced threats harder to detect and respond to. Not only is it difficult to establish that a threat exists at all; when one is detected, analysts may have little idea how to address it because nothing explains why or how it was flagged.
Existing machine learning solutions expect analysts simply to trust their rulings and recommendations. They act as a "black box" that issues instructions with no supporting context, at exactly the moment analysts need to act quickly and with certainty.
The missing piece? Static file analysis combined with "glass box", explainable machine learning. Analysts need a way to ingest and unpack complex objects at speed, and they need enough context behind each verdict to trust it and act immediately. Static analysis inspects files without executing them, so it returns results in real time and scales to automate time-consuming triage; explainable models attach the evidence behind each verdict, which gives analysts a way to verify alerts and a basis for remediation they can trust.
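As an added example of what static, explainable attachment analysis looks like in practice (this is illustration code written for this page, not the product or method the article describes, and the indicator names, score weights and thresholds are this example's own assumptions), the script below takes a raw e-mail, recursively unpacks ZIP-based attachments (Office documents are ZIPs) without executing anything, identifies content by magic bytes rather than by extension, and attaches the list of reasons to every score it assigns, so an analyst can see why the verdict was reached. The sample message is constructed inline.

```python
import email
import io
import zipfile
from collections import namedtuple
from email import policy
from email.message import EmailMessage

# Content is identified by magic bytes, not by the extension it claims.
# Indicator names, weights and thresholds are this example's own assumptions.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",       # also .docx/.docm/.xlsx
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls, vbaProject.bin
}
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
MAX_DEPTH = 4                 # stop recursing into deeply nested containers
MAX_MEMBER = 5 * 1024 * 1024  # never inflate a member larger than this

# reasons is the "glass box": why this object contributed to the verdict
Finding = namedtuple("Finding", "path kind score reasons")

def identify(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def analyse_object(path: str, data: bytes, depth: int, findings: list) -> None:
    """Score one object and, for containers, its members; nothing is executed."""
    kind = identify(data)
    name = path.rsplit("/", 1)[-1].lower()
    score, reasons, children = 0, [], []

    if kind == "pe-executable":
        score += 60
        reasons.append("PE header 'MZ' at offset 0: Windows executable")
        if not name.endswith(EXEC_EXT):
            score += 20
            reasons.append("executable content behind a non-executable extension")

    if kind == "zip-container" and depth >= MAX_DEPTH:
        score += 10
        reasons.append(f"nested deeper than {MAX_DEPTH}: left packed for analyst review")
    elif kind == "zip-container":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = [i for i in zf.infolist() if not i.is_dir()]
                if any(i.filename.lower().endswith("vbaproject.bin") for i in infos):
                    score += 40
                    reasons.append("Office document carries a VBA macro project (vbaProject.bin)")
                for info in infos:
                    if info.file_size > MAX_MEMBER:
                        score += 10
                        reasons.append(f"{info.filename}: {info.file_size} bytes uncompressed, skipped (possible zip bomb)")
                    else:
                        children.append((info.filename, zf.read(info)))
        except zipfile.BadZipFile:
            score += 10
            reasons.append("ZIP magic present but the archive does not parse")

    findings.append(Finding(path, kind, score, reasons))
    for child_name, child_data in children:
        analyse_object(f"{path}/{child_name}", child_data, depth + 1, findings)

def analyse_message(raw: bytes) -> dict:
    """Verdict for a raw RFC 5322 message, with the evidence behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list = []
    for part in msg.iter_attachments():
        analyse_object(part.get_filename() or "unnamed", part.get_payload(decode=True), 0, findings)
    total = sum(f.score for f in findings)
    verdict = "malicious" if total >= 60 else "suspicious" if total >= 30 else "clean"
    return {"verdict": verdict, "score": total, "findings": findings}

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_email() -> bytes:
    """Constructed sample, not a real capture: a ZIP nesting a macro-bearing Word document and a PE file renamed to .pdf, plus a clean PDF."""
    docm = make_zip({"[Content_Types].xml": "<Types/>",
                     "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake macro storage"})
    outer = make_zip({"Invoice.docm": docm, "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60})
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "victim@example.org", "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(outer, maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4\n%clean\n", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    report = analyse_message(build_sample_email())
    print(report["verdict"], report["score"])
    for f in report["findings"]:
        print(f"  {f.path} [{f.kind}] +{f.score}: {'; '.join(f.reasons) or 'no indicators'}")
```

Two design points matter here. First, every score is accompanied by its reasons, so the verdict is auditable: an analyst reading "executable content behind a non-executable extension" on `invoice.zip/invoice.pdf` knows exactly what to look at, which a bare "malicious, 0.97" never tells them. Second, the unpacker bounds its own work: nesting depth and uncompressed member size are capped before anything is inflated, because a static analyser that can be stalled or exhausted by a crafted archive is itself an attack surface.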
Beyond training employees and end users, giving analysts and threat hunters the contextual explanation behind each threat trains and reskills them too, improving both phishing protection and their ability to mitigate other forms of cyber attack.
Over time this reduces the skill gaps prevalent in the SOC, improves employee satisfaction, and eases the pressure on CISOs to hire more experienced staff.
Combined with layered security, employee training, and prioritization of high-risk targets, static file analysis and explainable machine learning form a stronger defense against phishing, giving power back to SOCs and the organizations they protect.