Phishing attacks have become pervasive, sophisticated, insidious, and more complicated. Unfortunately, these increasingly dangerous attacks are targeting the group that some IT and security folks regard as hapless chumps, collectively known as users. I think that security awareness training has been the only game in town, for the most part. The most recent Verizon DBIR revealed that phishing campaigns are effective within two minutes of being launched. One has to ask whether increased security awareness for staffers is the cure for phishing attacks.
One intention of the last post, “Fool me once is still … all it takes”, was to point out something people forget while pointing the finger of blame: everyone is a user, and any user can make a mistake. Such training is also hard, because changing human behaviour, and sustaining that change over time, is hard.
J. Peter Bruzzese defends users in “Ransomware takes malware from bad to worse”, saying,
“The weakest link of any network is the user. But it’s not always their fault. If a person receives an email from a real co-worker with a link, how can that person know the link will send them to a zero-day threat or that the attachment is a CryptoLocker attack?”
As I mentioned, Anup Ghosh addressed this in a nice post, here. It helps one realize that, short of training users to never again click on a link, open an attachment or visit any site on the internet (in other words, getting users to stop doing what they normally do), it’s hard to see how such security awareness could make a sustainable difference without impeding business activity. That post featured a graph illustrating that it takes an average of 17 attempted phishing emails for the attacker to be successful. His last point is worth repeating:
“You must find a security solution that accounts for the fact that users will click on links and open attachments, because they will.”
The best one can hope for with security awareness training is to postpone, defer, or delay a phishing attack from being successful. So maybe more training will mean that it takes on average 26, 33 or whatever phishing attempts rather than 17 before the attack is successful, but it will only be a matter of time. In an enterprise with hundreds or thousands of users, for every 100 staff who avoid clicking on a malicious link the first 200 times, there may be a co-worker who is fooled in only a few attempts. And when that phishing email is successful, the enterprise is in trouble, because an adversary is now in the network, and the network is where the credentials are.
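To put numbers on the “only a matter of time” argument above, here is an added example (not from the original post) that models a phishing campaign against an enterprise of many users. It assumes, purely for illustration, a simple geometric model with independent users: a user who clicks after m emails on average has a 1/m chance of clicking on any single email.

```python
"""Model of the 'only a matter of time' argument: if awareness training raises
the average number of phishing emails a single user withstands before clicking,
how much does that buy an enterprise full of users?

Added illustration, not a published model. Assumptions: users are independent,
and a user who clicks after m emails on average has probability 1/m of
clicking on each email (a geometric model)."""


def click_probability_per_email(mean_attempts_to_click: float) -> float:
    """Per-email click probability implied by the average attempts to success."""
    return 1.0 / mean_attempts_to_click


def prob_any_click(mean_attempts_to_click: float, users: int, waves: int = 1) -> float:
    """Probability that at least one of `users` clicks within `waves` campaign
    emails sent to every user (independent users assumed)."""
    p = click_probability_per_email(mean_attempts_to_click)
    return 1.0 - (1.0 - p) ** (users * waves)


def expected_waves_to_first_click(mean_attempts_to_click: float, users: int) -> float:
    """Expected number of campaign waves until the first user in the org clicks."""
    return 1.0 / prob_any_click(mean_attempts_to_click, users, 1)


def main() -> None:
    # 17 attempts per user is the figure from the post; 26 and 33 are the
    # hypothetical post-training figures it mentions; 100 is a generous case.
    print(f"{'attempts/user':>14} {'users':>6} {'P(click, 1 wave)':>18} {'waves to 1st click':>20}")
    for mean_attempts in (17, 26, 33, 100):
        for users in (1, 100, 1000):
            p = prob_any_click(mean_attempts, users)
            w = expected_waves_to_first_click(mean_attempts, users)
            print(f"{mean_attempts:>14} {users:>6} {p:>18.4f} {w:>20.2f}")


if __name__ == "__main__":
    main()
```

Even tripling or sextupling every individual’s resistance leaves a thousand-user enterprise almost certain to see a click on the first campaign wave, which is the point the post is making.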
At that point, the enterprise no longer has just a phishing problem; it probably now has an APT problem as well. The attacker is off to the races, and the enterprise now has the associated issues of the insider threat. The article “Insider threats still pose major problems for enterprises” states that,
“the majority of enterprises can neither detect nor deter insider threats, making them especially vulnerable…”
Detecting lateral movement is difficult because network security lacks context awareness and visibility, as the great article “Context-aware security: Big benefits for networks, but no shortcut” points out.
The Insider Threat Perspective
People have been thinking about phishing in terms of staffers who make mistakes and are fooled, maybe even by legitimate-looking emails from someone spoofing the identity of a person they know within the organization. At Trustifier we look at everything from the potential insider threat point of view. Consider security awareness training in light of a staffer who deliberately opens an attachment or clicks on that evil link. That person might be angry and vengeful, threatened or compromised, plain greedy, or an inside plant. What if an insider is colluding with an external adversary? He will then know which malicious link or attachment to hit, and can pretend to have opened it accidentally. It also came up in the recent Verizon DBIR that only 3% of bad clicks were even reported to IT. So who would know if someone clicked deliberately? The point is that the enterprise ends up in exactly the same situation as when a user accidentally clicks on a bad link or opens an evil attachment.
This might be an extreme case, but it makes the point. Will security awareness stop an attack in this case? It might. No one is suggesting that awareness training won’t help some of the time. It just may be a mistake to put all of one’s prevention eggs into this basket. If that click is all but certain, what is actually going to protect the enterprise? Wouldn’t more layers of security be needed?
The Need for Technical Controls
If not more security awareness training, then what? A while ago, Jerry Bell (@Maliciouslink) said in his post, “I Think I Was Wrong About Security Awareness Training“,
“…attackers are becoming so sophisticated, that it isn’t practical to expect a lay person to be able to identify these attacks – technical controls are really the only thing that is going to be effective…. it seems that focusing on hard controls rather than awareness education would be a better investment.”
I think reality supports this view. What exactly should those hard, technical controls look like? We know that some endpoint protection is coming along nicely. But is phishing success generally connected to the fact that certain internal kernel controls are currently missing in action? If security awareness training increases the average number of phishing attempts required for success, but it is still only a matter of time until someone gets fooled and clicks, does it really constitute an effective control? The attacker only has to increase the volume and variety of attacks, which can be automated easily.
I’ve tweeted that,
Security is not postponing, or deferring an event when users click on a malicious link. Security is what protects you WHEN users click on that link.
Did you know that Trustifier’s trustworthy computing defensive solutions are currently being challenged by 15 Red Teams simultaneously? The interesting thing is that interns role-playing as staff have been instructed to deliberately click on phishing links. Some of my other posts discuss how the KSE trusted computing model helps defend against such attacks. TUX AI further enables defence against phishing attacks, even for small businesses, and I’ll be explaining more about how it does so going forward.