Stop the Phishing Frenzy; Arm Against the Danger with Detection and Response

Friday, December 23, 2016

Gary Southwell

D99975c323ad3ec7e199a4b5b1c374d7

Phishing is now the No. 1 delivery vehicle for ransomware and other malware. Even with all the phishing prevention solutions available for several years, it’s clear that phishing continues to pose serious risk for today’s businesses that face significant financial loss, exfiltration of data, compromised credentials, loss of productivity and damaged reputations. Consider the following facts:

  • 85 percent of organizations have suffered phishing attacks in the last 12 months.(Wombat Security’s 2016 State of the Phish report) The number and sophistication level of phishing attacks organizations experience has gone up. Two-thirds of the organizations in the study reported attacks that were targeted and personalized, up 22 percent from the year prior. 
  • 30 percent of phishing emails get opened. (Verizon’s DBIR 2016) It’s a delivery tactic that works—zero day attacks are proven to defeat prevention systems—so there is no need for attackers to develop anything more sophisticated to scam money or information from their victims.
  • No. 1 delivery vehicle for malware is email attachments. (Verizon’s DBIR 2016) Despite email filtering and user education, well-disguised content influences the user to click and download.
  • $1.6 million is the average cost of a spear phishing attack. (Cloudmark) Companies hit by a successful spear phishing attack in the past 12 months suffered an average financial cost of $1.6 million.

The evidence is clear, phishing and other email-related attacks exploit either technical vulnerabilities or leverage social engineering to take advantage of human weakness.

With the risks for an inevitable breach so high, it’s clear that companies need to take more active measures in preparing for the inevitable moment when a phishing, spear-phishing or whaling attack is successful. User awareness education, signature-based technologies and email filtering is not enough, especially where zero-day attacks are concerned. To accomplish this, the enterprise must direct its efforts at rapid detection and blocking of successful attempts at a speed fast enough to minimize and/or avoid any significant high value data access or loss.

While many technologies exist today that tackle elements of threat detection, including machine learning, user behavior and entity analytics, threat modeling, etc., the most effective solutions are those that combine the best of these capabilities to deliver rapid, real-time detection and response. Consider techniques and solutions that correlate machine learning, feature, device and user behavior analytics to derive insight, detect legitimate threats and create prioritized alerts that allow enterprise systems to direct or take prescript action immediately, shutting down invasive threats before humans even realize they are there. Automated solutions effective at stopping these threats within minutes exist today. By providing visibility and fully automating the immediate analysis, detection and elimination of threats, these solutions can finally give the enterprise a leg up in defending against any successful phishing attack.

When evaluating solutions to compliment your existing cybersecurity posture around phishing, consider the following questions:

  • Can it detect abnormal use of credentials from that of normal usage?  Can it detect abnormal activity from both north-south through the firewall, and east-west activity within the organization to verify credentials have been lost? Can it monitor credential usage and detect abnormal usage behavior from that of normal usage?
  • Does it avoid false positives by leveraging a combination of data collection and analysis, machine learning, predictive and behavioral analytics and then correlate findings to surface legitimate threats?

False positives can lead to needlessly generating too many incidents that need looking into, and unnecessary remediation. The ideal solution should correlate and verify threat behavior from various sources in real-time so that an accurate depiction of the threat can be detailed and enough information can be correlated together to corroborate the threat is real.

  • Can its architecture scale to process billions of inputs and generate correlated outputs of all related threat behavior in seconds so that it can detect such threats accurately in minutes after compromise?

Knowing the volume and complexity of phishing threats are on the rise, consider systems that can scale to meet even the largest enterprise need.

  • Can it be set-up to be fully automated, including rule sets, analysis, alerts, remediation and reports – so that it works 24x7x365 without need for human involvement?

Automation saves time, which is critical to mitigating the damage of such attacks, while also saving on dedicated 24x7 monitoring resources.

  • Most importantly, has it been proven to be effective in stopping the threat and blocking the exfiltration and/or damage of critical data?
  • Can it write rules to a firewall to block command and control communication? Can it isolate devices that have been infected? Can it write policy to directory services to disable compromised users credentials?  Can all this be done with a single click from the detection application or be fully automated to speed the time to stopping the threat once detected to seconds?

Threat actors will assuredly continue to employ phishing techniques to tempt users with appealing documents and links, but next-generation threat detection and elimination technologies arm today’s organizations with greater capability than ever to catch and eliminate phishing threats before they do damage.

About the author: Gary Southwell is co-founder and chief strategy officer for Seceon, a cyber security startup offering the first-fully automated threat detection and remediation system to detect, analyze and eliminate all cyber-threats in minutes.

29308
Enterprise Security Security Awareness Phishing
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.