Thursday, February 21st, 2013
There’s no shortage of interesting points to take away from the Mandiant® report about the Chinese hacking group APT1 released Tuesday, with many of Mandiant’s findings confirming the threat organized attacker teams pose to enterprises.
First and foremost, the report states, “the most commonly observed method of initial compromise is spear phishing.” This backs up our main message for organizations – to remain focused on the core problem of people being the main vulnerability. Organizations need to proactively address this by developing a user base that is resilient to spear phishing attacks. This doesn’t discount the importance of technology (see our blog post about the NY Times breach), but security behavior management can’t be ignored.
Prior to co-founding PhishMe®, I served as the Managing Director of Mandiant’s New York office; and our Executive Vice President, Jim Hansen, served as the Chief Operating Officer at Mandiant. The trends we observed during our time at Mandiant and in the field helped form the basis for PhishMe, and have positioned us to offer numerous features that address many of the tactics discussed in Mandiant’s report.
The report notes that spear phishing emails often deliver malware in the form of zip files attached to the email. This echoes the TrendMicro® report from late 2012, which concluded that 94% of targeted emails use malicious file attachments. Applying our experience in the field, PhishMe has for years given our customers the ability to send employees mock phishing emails with zip attachments.

Another phishing tactic PhishMe simulates is luring users to enter sensitive data through seemingly genuine webpages. The bottom of page 48 of Mandiant’s report describes an example of APT1 creating a false domain designed to mimic a Yahoo! site, with the goal of collecting user login credentials. Traditionally, this type of phishing has been more of a problem for colleges and universities, but clearly the use of stolen credentials is part of the APT game plan and remains a threat to enterprise security. It took our development team quite a bit of engineering to safely simulate this attack vector without executing code, while ensuring that we don’t collect the sensitive data.


While PhishMe has offered the above-mentioned features to our customers for some time, we continue to roll out new features based on patent-pending technologies to address tactics used by groups such as APT1. Page 29 of the Mandiant report cites an example of the recipient of a phishing email interacting with APT1 in a conversational manner, with the APT1 attackers establishing both authenticity and trustworthiness by sending a benign email encouraging the recipient to interact with another email containing the malware. PhishMe recently rolled out a feature, called Double Barrel, which allows our customers to immerse their employees in this experience, something we’ll discuss in greater detail in an upcoming blog post.
In describing the nature of phishing emails, Mandiant noted that they often contain information relevant to the recipient found via Internet searches, such as a name of a colleague (the report described an email sent to Mandiant employees under CEO Kevin Mandia’s name, but from a free webmail account, a tactic we discussed in a previous blog). TrendMicro’s report echoed this finding. With PhishMe’s new Highly Visible Target Identifier, customers can scour such data with the click of a few buttons to find which of their employees have highly visible online presences, and are thus more likely to be sent targeted phishing emails.

Mandiant’s report also described the high costs of launching a phishing campaign, noting that APT1 controlled a large infrastructure of physical systems and hundreds of domains. The large investment required to carry out attacks means that attackers try to maximize the use of those resources by sending large batches of emails rather than targeting one or two users. This is consistent with trends our customers have reported to us, and underscores the need to train your entire user base, as hundreds of employees may receive a phishing email at once.
Mandiant’s findings are fascinating, and can’t be addressed in one blog post. However, from the spear phishing standpoint, the report provides confirmation of what PhishMe has known for a while: APT will try to gain a foothold in enterprise systems through the employees. By focusing on improving employee resilience to spear phishing attacks, enterprises can greatly reduce susceptibility to a breach. In fact, attack detection windows can be reduced when trained employees call these attacks in. Our history in this space helped make PhishMe an industry-leading, world-class product, and we will continue to rely on our industry connections and reports from our customers to make sure we stay ahead of the curve.
–Rohyt Belani
Thursday, November 29th, 2012
Trend Micro has just published research confirming what we at PhishMe already knew – spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing APT to corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.
Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.
One interesting point made in the report was that of the users Trend Micro monitored, nearly half of the recipients of spear phishing emails had email addresses easily accessible through Google. While it may be impossible to keep your employees’ email addresses secret, it’s not impossible to identify the most vulnerable users in your enterprise and deliver training targeted to them. PhishMe recently added a feature that allows administrators to search the Internet to find which users’ email addresses are easily discovered through a search engine, and develop a distribution list of those users. This allows our customers to pinpoint which of their users are most likely to receive a phishing email, and provide targeted training as appropriate.
The report also found that 94% of all targeted emails use malicious attachments, in a variety of file formats. PhishMe’s functionality allows customers to send users emails with attachments in formats such as .XLS, .DOC, and .ZIP. Trend Micro notes that, “Spear-phishing email attachments are difficult to spot from normal document attachments passed on from user to user each day in a corporate environment,” but using PhishMe allows enterprises to train users to recognize a bogus attachment, as well as raise general awareness about the threat of malicious attachments.
The reality of these findings is that technology alone won’t prevent spear phishing; it’s up to an organization to ensure its employees are prepared when a phishing email arrives.
Monday, October 1st, 2012
Last week, a Washington Post article by Robert O’Harrow offered an interesting look at the most common attack vector used by cybercriminals to penetrate enterprises today: spear phishing. While we applaud (loudly) the thrust of the article – that enterprises need to educate users on the dangers of spear phishing – there are some very real challenges in user education that the article does not address.
First, there is a very common misperception (promulgated by the article) that the only goal of spear phishing is to deliver a payload of malware to a specific employee of an organization. While malware delivery is still a frequent tactic in spear phishing campaigns, as we saw with the RSA breach and others, today’s spear phishers continue to use low-tech social engineering techniques to solicit user credentials through sophisticated imitations of corporate web pages. In fact, they are using what we call a data entry phishing attack, where malware isn’t even involved, which makes these attacks very difficult to detect.
Second, and even more importantly, there is a common misconception that simply making employees more aware of potential phishing attacks will lead to their prevention. In many enterprises, employees must complete annual security awareness programs – but they still go on to do all of the things they have been told not to do, including opening attachments from those whom they don’t know and clicking on links from untrusted sources. This type of passive awareness – a once-a-year security training seminar, a poster in the break room, or screensaver reminders to change passwords – simply will not work. My company, PhishMe, has trained more than 3.5 million employees at universities, government agencies, and large enterprises, and we have found that many user awareness programs are largely ineffective in preventing spear phishing attacks. To be successful in user training, you have to be proactive and immerse employees in a true-to-life experience that will stick and actually change user behavior.
Penetration testing kits, which are also described at length in the article, do little to change this behavior. Pen testing, usually conducted by a benign white hat hacker, may expose vulnerabilities in enterprise infrastructure or demonstrate weaknesses in cyber defense. But most users never see the penetration test, nor are its results shared with them. Penetration tests are designed to help the IT organization find the flaws in its defenses – they do nothing to educate the end user. In fact, they have the opposite effect of generating employee backlash and mistrust, with no positive behavior modification.
In the end, there is only one proven way to effect change in end user behavior: hit them with a benign version of the actual phishing attack that they might see in their email. If a user sees a particular attack, and takes the wrong action by clicking on an attachment or a link, there is no more effective way of teaching them a lesson than to warn them, on screen, that they have made a wrong move. It’s that very moment that makes the most impact.
We have found that immersing people in the experience through mock phishing exercises, and presenting immediate, bite-sized education to those who are susceptible, has had the desired effect of reducing employee vulnerability to these attacks. PhishMe’s training has proven to modify employee behavior over time and allows organizations not just to be aware of their employees’ behavior, but to help them take a safer and more positive course of action when it comes to phishing attacks.
The Washington Post article does a service to its audience by raising the importance of spear phishing and social engineering attacks. It rightly points out that humans are the weak spot in any enterprise defense, and that even the most well-schooled employees may be fooled by a new, convincing form of attack.
However, the Post article does not offer enough information on the tools and methods that can be used to prevent users from making these sorts of “human” mistakes. PhishMe’s methods have increased human resiliency by reducing the frequency with which employees fall prey to phishing attempts – from more than 75 percent to fewer than 5 percent in some cases. While the Post article seems to indicate that social engineering is a human flaw and cannot be stopped, PhishMe has proven – repeatedly – that the right type of training and behavior modification can make a huge impact on the incidence of phishing infections in the enterprise.
Yes, social engineering takes advantage of human flaws, and humans are invariably flawed. But the article fails to add that humans can learn not to behave in ways that put enterprise data at risk. The weak link in the chain can be significantly strengthened – effectively making the whole chain much stronger.
Thursday, June 9th, 2011
As the barrage of security breaches continues, Citigroup is the latest victim. This eWeek article: http://www.eweek.com/c/a/Security/Citigroup-Credit-Card-Portal-Breach-Compromises-200000-Customers-461930/ discusses the potential impact of this attack. One of the commentators brings up the topic of phishing. Hannigan, the CEO of Q1 Labs, rightly points out that “Security trust means more than just making sure you’re in compliance with regulations.” On the other hand, some of the quotes, like that from Anup Ghosh, co-founder of Invincea, show a blatant technology solution vendor bias. He discounts human intelligence when referring to customers in this quote – “it’s not reasonable to expect them to differentiate spear phishing attacks”. So technology can differentiate these attacks but humans can’t? The claim is baseless.
Having trained in excess of 1.8 million people using PhishMe, I can confidently say that training works! It’s how you train people that matters. Invincea has a solution to protect against malicious PDFs and one to isolate the browser to protect against malware, I guess. Even if we assume that they provide 100% protection in these domains, what about malicious files in other formats – .docx, .xlsx, .chm (and the list goes on)? How long do you think it would take one of my Intrepidus Group consultants to craft an attachment that would squeak past Invincea’s solution? (hint: not very long)
What about targeted attacks that solicit sensitive information? Sweeping claims by vendors are a disservice to our industry. The false sense of security they create by offering a solution that relies on a single approach or technology does more harm than good. Their customers feel at ease and think that the targeted phishing problem is solved by that shiny box with blinky lights. There is no panacea – defending against spear phishing needs a multi-pronged approach – education/training, technology at the mail server, technology at the end point…and even then the bad guys may succeed; but you’ve raised the bar!
Monday, April 18th, 2011
Most of you have probably heard about the “RSA hack” by now. It was hot news three weeks ago when an employee at RSA fell prey to a targeted phishing attack, as explained in this blog post: http://blogs.rsa.com/rivner/anatomy-of-an-attack/. A couple of issues highlighted in this article really caught my attention.
The article states – “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?” That tells me that technology by itself is not the answer to combating spear phishing attacks; it’s also about training the end user to get better at being suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes. I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We have trained over 1.5 million people (using PhishMe). The results show that periodic training that immersed the subjects in the concept through mock phishing was successful in bringing down susceptibility rates in excess of 60% on average within a few months.
The article also discussed how the attackers targeted employees that “you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here: security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.
Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.
IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.
Rohyt Belani
*APT term used facetiously
Wednesday, April 16th, 2008
In past years I never attended the RSA conference; it always came across as too much of a vendor show to me. This year I didn’t think I would go, until rsnake convinced me otherwise. So I bought myself an Expo Only pass. I had a lot of fun, meeting old time buddies from Foundstone and Mandiant, a bunch of clients, and partners. But I had the most fun just watching the show on the Expo floor. There must have been 300 booths and a gazillion sales people swarming them with those annoying mics, trying to outspeak each other like barkers outside a souvenir store at a tourist destination. Companies doing raffles at their booths – I’ve seen that, but arcade car racing games like those at Dave & Busters, security “Jeopardy” shows every hour hosted by “slick” sales people, cheesy whack-a-fraudster, wannabe Houdinis showing off card tricks and free beer made the cut too. I wondered, do clients actually walk the floor to learn about new products? I think not. They do so for the free entertainment, adulation, and giveaways. Makes one wonder, are the RSA booths worth their price tag? Even the smallest, furthest-away ones, which you would only find if you were really looking for them, cost an arm and a leg. VC money well spent? Oh what a circus it was!
- Rohyt
Tuesday, December 18th, 2007
Carnegie Mellon researchers presented a paper at the Anti-Phishing Work Group’s E-Crime Researchers Summit in October 2007. The results of the study indicated the following:
- Users learned more effectively when the training materials were presented after they fell for a phishing attack (embedded training), rather than when the training materials were simply emailed
- Users also retained more knowledge and transferred more knowledge about how to avoid phishing attacks when trained with embedded training
These are the underlying principles of PhishMe.com – Phish n’ Educate. PhishMe.com will facilitate the execution of mock phishing attacks against employees. Those that fall “victim” will be presented with appropriate training materials.
-Rohyt