This May saw one of the most damaging cyber attacks in history, when the WannaCry ransomware infected hundreds of organisations across the world, including the NHS. Where most attacks have effects on finance or data privacy, the WannaCry incident brought real-world services to a standstill, with patients turned away from hospitals and operations cancelled. We often hear that in the future, warfare will be conducted online, with hackers bringing down essential systems at the push of a button and holding countries to ransom – this month, we saw what that might look like.
At the heart of it all were simple phishing attacks. These are the easiest to pull off, and oftentimes a major force to be reckoned with. Some of the past year’s largest political hacks were also attributed to phishing. From the DNC to the World Anti-Doping Agency, there is a clear indication that these attempts are getting increasingly more sophisticated in their design and targeting. People are still responding to the humble phish, and would-be hackers are still profiting from it on a massive scale. Kaspersky highlights that almost half of 2016’s phishing attacks were designed to steal money.
Why is this still such a dominant issue? While many individuals have wised up to the cruder attempt on their bank details via email, more education is clearly needed for the many still clicking through.
Essential characteristics
Though phishing attacks may target individuals, the ultimate target is just as likely to be an organisation. The MH17 shoot-down over eastern Ukraine was investigated by Bellingcat, an independent journalism group. The group published evidence claiming the Kremlin was behind the attack. In the weeks that followed, Bellingcat was targeted by hackers running a targeted campaign, with carefully-drafted phishing emails designed to look like Google password resets.
These were not random appeals to their targets’ hoped-for ignorance, but – some might say –expertly designed emails that the average person automatically obeys. They played off the brand equity of Google and, perversely, its reputation for security to try and win the trust of the journalists. They were precision instruments for a specific task.
Recognising a phish
With the scale of the phishing ‘industry’ today, everyone is likely to come under the crosshairs of a hacker at some point, and if you’re a business, a slip-up is likely to be expensive – not only for the bottom line, but for reputation also. In order to better defend your business and yourself, the best approach is to be armed with the knowledge of who’s attacking you in real-time.
If you have a Facebook account, it’s likely that you’ve seen chain posts that sometimes do the rounds after a particularly nasty phishing attack. It’s often quite hard to know whether to trust them, but the concept is a good one – essentially, it’s crowdsourcing security advice. As soon as one person comes under attack, they can alert the rest of their social circle to the style, tactics and aims of the attack, making it that much less likely to succeed in the future.
Businesses need their own version of this – an accredited, regulated, and crowdsourced intelligence system.
By tapping into the collective experience and insights of an industry group, each member gets access to a constant stream of useful information, bolstering their own defences and helping the others do the same. This means that new forms of phishing can be quickly identified, classified and flagged to security teams, enabling a quick and targeted response. These security sharing communities can also track instances of a particular phish, helping to determine patterns in the attacker’s behaviour and, with analytics tools in place, predict which sorts of targets they are most likely to try next.
Businesses should break with the tradition of isolated defence, make use of information from their peers, and contribute to a wider industry effort to reduce the power of phishing.
Are you on the lookout?
Even with a strong information-sharing community in place, there’s always one phish that’s going to slip through the net. When you’re dealing with the engineering of human behaviour, it’s probably going to happen. In the case of business attacks, phishing emails are often designed to collect login details from employees. Once these logins are surrendered, the hacker is a step closer to accessing multiple company systems. With the prevalence of poor password hygiene to boot, there’s an added possibility that credentials have been reused across multiple other platforms. A single successful phish can open up the whole enterprise to attack.
As a security professional, you’re going to want a system in place to monitor activity across all security channels and infrastructure. Firewalls and antivirus can only get you so far. Instead, companies need to collect information and analyse it for potentially dangerous activity. It may be a few hours before a phishing-related breach is reported, but in that time, a fully automated threat intelligence system can gather and assess indicators of unusual activity, alert the security team and initiate a response.
Phishing can unlock a considerable amount of resources to a hacker. Businesses must have a complete and automated view of everything in their system, or they could be gutted before they’ve had time to think.
Future phish
Now you’re sharing and discussing attacker information with your peers through a dedicated network. You’re making use of automated threat intelligence to monitor your network and flag up potential dangers before they can take hold. Yet continue to proceed with caution: if there’s one truism about cybersecurity we can believe in, it’s that there’s always a bigger fish (pun intended). As soon as you formulate a defence, your adversaries set about creating a way to get around it.
In the coming months, we’re going to see increasingly intelligent phishing attacks targeting specific organisations, both for financial and political reasons. In late 2016, for example, a European technology company and a U.S. subsidiary of a French energy management company working for the U.S. Department of Defence were targeted by Chinese hackers. The first was for financial purposes (disrupting a market competitor) and the second for political reasons (potential access to military information). That kind of deliberate targeting, with a pre-defined goal, will most likely rolled out to a wider target set in the next year as would-be hackers attempt to break through stronger defences. We’re also going to see more long-game tactics – companies need to be ready for sustained campaigns, with attackers learning from their mistakes and redoubling their efforts.
Phishing is going to continue because it’s effective. CISOs and their teams need to equip themselves to handle it. Training is a good starting point, and employees can always be better at avoiding phishing attacks – but businesses must have the right threat intelligence tools in place to back them up. Know your adversary, collaborate with your peers, automate your response – or be ready to start wiring funds to that distant cousin in the Philippines.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.