As the news of yet another celebrity photo leak hits the headlines, the suspicion is that it’s the result of a phishing attack. While some individuals may be practicing cyber safety online, phishing is still one of the most powerful and persistent forms of cyber-attack going.
Some of the past year’s largest cybersecurity hacks were attributed to phishing. From the DNC hack to the World Anti-Doping Agency hack, there is a clear indication that these attempts are getting increasingly more sophisticated in their design and targeting.
While many individuals have wised up to the cruder attempts on their bank details via email, there is still a lesson to be learned by those who keep clicking through. People are still responding to the humble phish, and would-be hackers are still profiting from it on a massive scale. Kaspersky highlights that almost half of 2016’s phishing attacks were designed to steal money.
While phishing attacks may target individuals, the ultimate target is just as likely to be an organization. The MH17 shoot-down over eastern Ukraine was investigated by Bellingcat, an independent journalism group. The group published evidence claiming the Kremlin was behind the attack. In the weeks that followed, Bellingcat was targeted by hackers running a targeted campaign, with carefully-drafted phishing emails designed to look like Google password resets.
These were not random appeals to their targets’ hoped-for ignorance, but – some might say – expertly designed emails that the average person automatically obeys. They played off the brand equity of Google and, perversely, its reputation for security to try to win the trust of the journalists. They were precision instruments for a specific task.
Recognizing this next level of phishing
With the scale of the phishing ‘industry’ today, everyone is likely to come under the crosshairs of a hacker at some point, and if you’re a business, a slip-up is likely to be expensive – not only for the bottom line, but for reputation also. In order to better defend your business and yourself, the best approach is to be armed with the knowledge of who’s attacking you in real-time.
If you have a Facebook account, it’s likely that you’ve seen chain posts that sometimes do the rounds after a particularly nasty phishing attack. ‘Warning,’ they usually say, ‘Do not click on this email – it’s not really from the President of Burundi!’
It’s often quite hard to know whether to trust them, but the concept is a good one – essentially, it’s crowdsourcing security advice. As soon as one person comes under attack, they can alert the rest of their social circle to the style, tactics and aims of the attack, making it that much less likely to succeed in the future.
Businesses need their own version of this - an accredited, regulated, and crowdsourced intelligence system.
By tapping into the collective experience and insights of an industry group, each member gets access to a constant stream of useful information, bolstering their own defenses and helping the others do the same. This means that new forms of phishing can be quickly identified, classified and flagged to security teams, enabling a quick and targeted response. These security sharing communities can also track instances of a particular phish, helping to determine patterns in the attacker’s behavior and, with analytics tools in place, predict which sorts of targets they are most likely to try next.
Businesses should break with the tradition of isolated defense, make use of information from their peers, and contribute to a wider industry effort to reduce the power of phishing.
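To make the sharing model concrete, here is an added example (not code from the original article) of what a member of such a community does with the feed it receives: it matches incoming mail against indicators contributed by peers, applies a lookalike check for the kind of fake Google password-reset lure described above so that a variant not yet in the feed is still sent for review, and counts sightings per campaign so the group can track a phish across members. The feed format, the indicator values, the brand list and the four sample messages are all constructed for illustration; a real community would exchange indicators in a standard format such as STIX.

```python
"""Match incoming mail against a peer-shared phishing indicator feed.

Added example, not code from the original article. The feed layout, the
indicator values, the brand/host table and the sample messages are all
constructed for illustration.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlparse

# Constructed feed: indicators reported by peers, tagged with a campaign name.
SHARED_FEED = [
    {"campaign": "fake-google-reset", "type": "sender_domain",
     "value": "accounts-google-support.com"},
    {"campaign": "fake-google-reset", "type": "url_host",
     "value": "myaccount.google.com.verify-login.net"},
    {"campaign": "fake-google-reset", "type": "subject_regex",
     "value": r"(?i)password\s+(reset|expir)"},
    {"campaign": "invoice-wire", "type": "url_host",
     "value": "secure-invoice-portal.biz"},
]

# Sender domains and URL hosts are strong evidence; a subject pattern alone
# would also match a genuine reset email, so it only earns a "review".
STRONG_TYPES = {"sender_domain", "url_host"}

# Constructed table of brands and the hosts that really belong to them.
LEGIT_HOSTS = {"google": ("google.com", "accounts.google.com", "myaccount.google.com")}


def is_lookalike(host: str) -> Optional[str]:
    """Return the brand a host imitates, or None if it is legitimate/unrelated."""
    host = host.lower()
    for brand, legit in LEGIT_HOSTS.items():
        if any(host == h or host.endswith("." + h) for h in legit):
            return None
        # Undo the common 0-for-o and 1-for-l substitutions, then check whether
        # the brand name appears inside a registered domain we do not recognise
        # (this also catches "myaccount.google.com.<attacker-domain>").
        normalised = host.replace("0", "o").replace("1", "l")
        if brand in normalised:
            return brand
    return None


def classify(message: dict) -> dict:
    """Score one message against the shared feed plus the lookalike heuristic."""
    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    hosts = [urlparse(u).hostname or "" for u in message.get("urls", [])]
    hits = []
    for ind in SHARED_FEED:
        kind, value = ind["type"], ind["value"]
        if kind == "sender_domain" and sender_domain == value:
            hits.append(ind)
        elif kind == "url_host" and value in hosts:
            hits.append(ind)
        elif kind == "subject_regex" and re.search(value, message.get("subject", "")):
            hits.append(ind)
    lookalikes = [h for h in hosts if is_lookalike(h)]
    if any(h["type"] in STRONG_TYPES for h in hits):
        verdict = "block"
    elif hits or lookalikes:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "campaigns": sorted({h["campaign"] for h in hits}),
        "indicators": [h["value"] for h in hits],
        "lookalikes": lookalikes,
    }


def record_sightings(messages) -> Counter:
    """Count how often each shared campaign is seen, for trend tracking."""
    seen = Counter()
    for m in messages:
        seen.update(classify(m)["campaigns"])
    return seen


# Constructed sample traffic: one feed hit, one genuine Google mail, one
# invoice lure, and a new lookalike variant that is not in the feed yet.
SAMPLE_MESSAGES = [
    {"from": "noreply@accounts-google-support.com", "subject": "Password reset required",
     "urls": ["https://myaccount.google.com.verify-login.net/reset"]},
    {"from": "no-reply@accounts.google.com", "subject": "Security alert",
     "urls": ["https://myaccount.google.com/notifications"]},
    {"from": "billing@example.org", "subject": "Your invoice",
     "urls": ["http://secure-invoice-portal.biz/pay"]},
    {"from": "it-help@goog1e-accounts.com", "subject": "Your password expires today",
     "urls": ["https://goog1e-accounts.com/login"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", classify(m))
    print(record_sightings(SAMPLE_MESSAGES))
```

The fourth message is the payoff of the heuristic: nothing in it is in the feed, yet it lands in "review" rather than "allow", and once an analyst confirms it the new sender domain can be pushed back to the community as a fresh indicator.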
Is your system set up for monitoring a phishing threat?
Even with a strong information-sharing community in place, there’s always one phish that’s going to slip through the net. When you’re dealing with the engineering of human behavior, it’s probably going to happen. In the case of business attacks, phishing emails are often designed to collect login details from employees. Once these logins are surrendered, the hacker is a step closer to accessing multiple company systems.
With the prevalence of poor password hygiene to boot, there’s an added possibility that credentials have been reused across multiple other platforms. A single successful phish can open up the whole enterprise to attack.
As a security professional, you’re going to want a system in place to monitor activity across all security channels and infrastructure. Firewalls and anti-virus can only get you so far. Instead, companies need to collect information and analyze it for potentially dangerous activity.
It may be a few hours before a phishing-related breach is reported, but in that time, a fully automated threat intelligence system can gather and assess indicators of unusual activity, alert the security team and initiate a response.
Phishing can unlock a considerable amount of resources to a hacker. Businesses must have a complete and automated view of everything in their system, or they could be gutted before they’ve had time to think.
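The monitoring described above, as an added example that is not part of the original article: it correlates a web-proxy record of a user visiting a flagged phishing host with the logins the identity provider sees for that user in the following hours, raises a high-severity alert when such a login comes from a country the user has never logged in from, and attaches the response steps an automated playbook would start. The log lines, usernames, IP-to-country table, known-location table and the flagged host are all constructed; in a real deployment these would come from the proxy and IdP logs, a GeoIP database and the shared indicator feed.

```python
"""Correlate a phishing click with later logins and raise alerts.

Added example, not code from the original article. Every value below
(log lines, users, IPs, countries, the flagged host) is constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

FLAGGED_HOSTS = {"myaccount.google.com.verify-login.net"}  # constructed feed entry
GEO = {"203.0.113.7": "GB", "198.51.100.23": "GB", "192.0.2.44": "RO"}  # constructed GeoIP
KNOWN_LOCATIONS = {"alice": {"GB"}, "bob": {"GB"}}  # constructed login history
WINDOW = timedelta(hours=6)  # how long after a click we watch the account

# Constructed events, tab separated: timestamp, source, user, detail.
RAW_LOG = """\
2017-03-02T09:02:11Z\tproxy\talice\thttps://myaccount.google.com.verify-login.net/reset
2017-03-02T09:05:40Z\tidp\talice\tlogin ok from 203.0.113.7
2017-03-02T11:47:03Z\tidp\talice\tlogin ok from 192.0.2.44
2017-03-02T12:10:00Z\tidp\tbob\tlogin ok from 198.51.100.23
"""


def parse(raw: str) -> list:
    events = []
    for line in raw.splitlines():
        ts, source, user, detail = line.split("\t")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "user": user, "detail": detail})
    return events


def phishing_clicks(events: list) -> list:
    """Proxy events whose destination host is on the flagged list."""
    return [e for e in events
            if e["source"] == "proxy"
            and (urlparse(e["detail"]).hostname or "") in FLAGGED_HOSTS]


def successful_logins(events: list) -> list:
    """IdP events for successful logins, enriched with source IP and country."""
    out = []
    for e in events:
        if e["source"] == "idp" and e["detail"].startswith("login ok from "):
            ip = e["detail"].rsplit(" ", 1)[-1]
            out.append({**e, "ip": ip, "country": GEO.get(ip, "??")})
    return out


def response_plan(severity: str) -> list:
    """Playbook steps an automated response would kick off for this severity."""
    actions = ["notify_soc"]
    if severity == "high":
        actions += ["force_password_reset", "revoke_sessions", "block_ip"]
    return actions


def analyse(raw: str) -> list:
    """Return one alert per login that follows a phishing click within WINDOW."""
    events = parse(raw)
    alerts = []
    for click in phishing_clicks(events):
        for login in successful_logins(events):
            if login["user"] != click["user"]:
                continue
            if not (click["ts"] <= login["ts"] <= click["ts"] + WINDOW):
                continue
            new_geo = login["country"] not in KNOWN_LOCATIONS.get(login["user"], set())
            severity = "high" if new_geo else "medium"
            alerts.append({
                "user": login["user"],
                "severity": severity,
                "ip": login["ip"],
                "country": login["country"],
                "minutes_after_click": int((login["ts"] - click["ts"]).total_seconds() // 60),
                "actions": response_plan(severity),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(RAW_LOG):
        print(alert)
```

The first of alice's logins comes from her usual country minutes after the click and only earns a medium alert, since it may well be her; the second, from a country never seen for her account, is the one the article warns about, and the playbook attached to it resets the credential and revokes sessions so the window between the phish and any reuse of that password elsewhere is as short as possible.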
The future of phishing
Now you’re sharing and discussing attacker information with your peers through a dedicated network. You’re making use of automated threat intelligence to monitor your network and flag up potential dangers before they can take hold. Yet continue to proceed with caution: if there’s one truism about cybersecurity we can believe in, it’s that there’s always a bigger fish (pun intended). As soon as you formulate a defense, your adversaries set about creating a way to get around it.
In the coming months, we’re going to see increasingly intelligent phishing attacks targeting specific organizations, both for financial and political reasons. In late 2016, for example, a European technology company and a US subsidiary of a French energy management company working for the U.S. Department of Defense were targeted by Chinese hackers.
The first was for financial purposes (disrupting a market competitor) and the second for political reasons (potential access to military information). That kind of deliberate targeting, with a pre-defined goal, will most likely be rolled out to a wider target set in the next year as would-be hackers attempt to break through stronger defenses. We’re also going to see more long-game tactics - companies need to be ready for sustained campaigns, with attackers learning from their mistakes and redoubling their efforts.
Phishing is going to continue because it’s effective. CISOs and their teams need to equip themselves to handle it. Training is a good starting point, and employees can always be better at avoiding phishing attacks - but businesses must have the right threat intelligence tools in place to back them up. Know your adversary, collaborate with your peers, automate your response - or be ready to start wiring funds to that distant cousin in the Philippines.