By Alan Zeichick
Ping! chimes the email software. There are 15 new messages. One is from your boss, calling you by name, and telling him to give you feedback ASAP on a new budget for your department. There’s an attachment. You click on it. Hmm, the file appears to be corrupted. That’s weird. An email from the CEO suggests you read a newspaper article. You click the link, the browser seems to go somewhere else, and then redirects to the newspaper. You think nothing of it. However, you’ve been spearphished. Your computer is now infected by malware. And you have no idea that it even happened.
That’s the reality today: Innocent and unsuspecting people are being fooled by malicious emails. Some of them are obvious spammy-sorts of messages that nearly people would delete — but a few folks will click the link or open the attachment anyway. That’s phishing. More dangerous are spearphishing message targeting individuals in your organization, customized to make the email look legitimate. It’s crafted from a real executive’s name and forged return address, with details that match your company, your family, your job, your personal interests. There’s the hook… there’s the worm… got you! And another computer is infected with malware, or another user was tricked into providing account names, passwords, bank account information or worse.
Phishing and spearphishing are huge problems, and are the delivery method of choice for identity theft and corporate espionage. If the user falls for the malicious message, the user’s computer is potentially compromised – and can be encrypted and held for ransom (ransomware), turned into a member of a botnet, or used to gain a foothold on a corporate network to steal intellectual property.
Yet we’ve had email for decades. Why is phishing still a problem?
It’s a Matter of Trust
“Phishing is a problem because people trust email, and they should trust email,” said Ed Amoroso, CEO of TAG Cyber, a global security consultancy. “We love email. Email is an important part of our communications in business.”
Roark Pollock, Senior Vice President of endpoint security company Ziften Technologies, agreed, “Phishing’s still a problem because we’re a problem. Humans are the weak part, the weak piece in the chain of security in a lot of instances. And so it comes down to education. There’s new people in the environment every day that haven’t been trained on security. They don’t understand what to look for. And even if you know what to look for, phishing attacks have become very sophisticated. They’re very tricky. Even some of the security experts fall for them every once in a while. Even if you know what you’re looking for. I mean, humans aren’t perfect. We’re bound to make mistakes and fall for those types of tricks.”
That’s particularly true with spearphishing, because it’s easy to learn all about the intended victim, explained John Weinschenk, General Manager of Enterprise Network and Application Security at test company Spirent Communications. “People are gather information on social media, so when they’re sending these spearphishing attacks at you, it’s very targeted. And it might come from someone you believe you know, but it’s really not from them because they fake the headers. Your perception is that it’s from someone that’s trusted. We’re seeing more and more attacks take place like that.”
Corporate information is another source for hackers using spearphishing, added Kowsik Guruswamy, Chief Technology Officer at Menlo Security. “Spearphishing is really about knowing some information that I am privileged to know, based on my role in an organization. So when I get an email that’s coming from, let’s say, my CEO or my CFO, and it’s got certain words or certain terms that only I’m familiar with, I tend to believe in that a lot more than some generic email that’s coming to me. So that’s why it’s very, very sophisticated and very targeted to specific individuals. Hence the term spearphishing, because it’s very pointed.”
Imagine the Worst Case Scenario
You’ve clicked the spearphishing email. Or your CFO has, and her laptop contains business plans, contracts and draft financial statements. Maybe your top IT administrator clicked the email, and he has full security privileges across the whole enterprise network and data center. Now what? Usually, it’s bad. Worst case, it’s very bad.
How bad? “Worst case, typically ransomware turns up, because it’s so immediate in terms of the effect,” said Frank Wiener, Vice President of Wedge Networks, a security company. “The worst case is anything from disrupting the business to really impacting their reputation, where people stop doing business with them. The more likely scenario is, somebody comes under attack, and they have a specific localized event that causes a disruption.”
Spirent’s Weinschenk thought about malware: “The worst that could happen is there’s executable code that could take place. The system could be compromised in the future, so everything that’s done on that system is a vector for someone to get information like credit cards, or passwords, or usernames. It could even tie into your internal systems. So if the system gets compromised as they start logging onto your internal systems securely, those systems could be compromised because it will come through those channels.”
Mike Spanbauer, Vice President of Security at consultancy NSS Labs, said, “It really depends on exactly how good the protection on the machine is at that point, because it comes down to whether you have a control in place that can intercept what the ultimate phishing link or the package on the other end is going to try to do.”
“If it is effective at bypassing whatever controls you have,” he continued, “it’s going to be a — not necessarily a game over scenario — but you’re now in the hands of the attacker. And depending on if they’re going to take immediate action, or, ultimately, longer-term action they can compromise local assets, files, data. Worst case scenario, well, you don’t want to find out the next day that your accounts have been emptied.”
Or your data stolen, said Scott Scheferman, Director of Consulting at Cylance, an endpoint security company, especially if the company uses a Windows domain network that relies upon Active Directory to manage network assets. “Worst that can happen is an immediate pivot to compromise Active Directory. Attackers can do a lot of things at that point. They can exfiltrate data, they can grab the credentials and run, and come back later through other things like VPN connections and remote connections, and not use any malware. It’s a short path to getting the keys to the entire kingdom.”
“Well, it’s probably the worst thing you can imagine, because anything can happen, warned Stefan Lager, Vice President of Service at SecureLink Group, a leading European managed security services provider (MSSP). “You can get infected with some malware that can steal all your reports before they are posted. It can steal investor property. They can encrypt all your critical data without having no ability to restore them. Anything can basically happen. [Phishing] is the most common way for an attacker to get in today.”
Can You Fight Phishing at the Email Server?
Phishing and spearphishing are most often delivered by email. It seems the email server, such as Microsoft Exchange Server or Google’s Gmail, would be the obvious place to detect and block those malicious message. It’s not so easy, said Roy Abutbul, Co-Founder and CEO of Javelin Networks, a security startup. “Even if you will secure the email gateway server, at the end of the day [hackers] will always find a way to trick you. There is not any technology that can literally say that it can prevent all malicious emails from come to your inbox.”
That’s especially true if the email itself doesn’t contain an attachment that contains malware, since network security and endpoint products can scan for that type of malware. But an email that will trick you into going to a website and entering credentials? Not easy to block.
“The reason why stopping emails at the email server, at the gateway, is not effective, is because a lot of times, those gateways, they don’t have the full visibility and they’re still largely signature-based in their methodology,” said Cylance’s Scheferman. “There are some newer ones that are using isolation and other things to try to overcome the problem with signatures, but at the end of the day, malware’s going to end up on the end point.”
SecureLink’s Lager agreed. “If you do a well written phishing email, it’s very hard to distinguish that from a normal, valid email. So that’s why it’s so important that you have methods to limit the impact when somebody clicks on the link, and also have the ability to detect and mitigate the follow-up effects from that.”
Indeed, said Menlo Security’s Guruswamy, if you look at the last 20 years of security, phishing or otherwise, everything boils down to some technology figuring out whether the link is good or bad, or the attachment is good or bad, or the website is good or bad. If somebody deems it’s good, we get to interact with the website or attachment? If it’s bad, we block it. The problem is, 20 years later we don’t have technology that can conclusively prove that something is good or bad. That’s why it can’t be stopped or detected on the email server, because sometimes when the links come in, they seem okay.”
Proactive Response: Training Is Not Enough
Certainly end users need to be training, retrained, and retrained again, not to click on suspicious links or open untrusted documents. However, it’s clear that they can and will be fooled by a sufficiently realistic attack, said Javelin Networks’ Abutbul. The company offers technology that can mitigate the impact of a compromised endpoint on a Windows domain network by protecting Active Directory.
“First, acknowledge that this is one of the biggest problems out there,” Abutbul continued. “I will assume that one of my employees will get hacked, will get a phishing email eventually, and he will click on those phishing emails and malicious emails. I need to focus on what I do next. What is my next step as a CISO? I need to protect the internal network in a way that, even if they do get email, even if they do get phishing email, I will be able to stop them in their next step.”
Wedge Networks’ Wiener is also dismissive of training. His company scans network traffic for malware and for phishing emails. “Everyone wants to try to change user behavior, and we all need to do that, but the best thing you can do is prevent the threats from entering the enterprise and infecting the computer. That’s where, Wedge is focused. It’s that network layer of security where we can stop the threats dead in the track, before they come in and expose the enterprise.”
“Cylance offers one primary solution when it comes to phishing: The ability to stop malware from running pre-execution,” said Cylance’s Scheferman. “We do not let any malicious file even run. So there’s nothing that happens afterwards, all these things we’ve been talking about, can happen.”
Spirent’s Weinschenk is more focused on process than on products within his security testing firm. “We have a hacking group, so we use phishing all the time to actually hack people. So we’re someone that uses phishing to actually show CISOs what the risk is to their enterprise. The best thing you can do is, we just have to keep talking about this and keep educating our employees. So, I really recommend that IT groups actually create phishing emails internally for themselves that aren’t hostile, but basically prove it out, and every quarter they should send these phishing emails out to their employees, and see how many people actually click on those emails. That’s the educational process.”
Many Options, Including Isolation
If you have questions about choosing security solutions, engage NSS Labs, said Spanbauer. “Well, it’s a complicated problem to solve for, and at NSS Labs of course, we guide enterprises to make intelligent choices. You’ve got secure email mechanics, whether cloud-based or appliance-based, that are often administered by the email team. You’ve, of course, local protection mechanics on the client itself on the end point. I’d encourage folks to take a look at the resources we have on our website or just to reach out, and we can talk you through it. There will be multiple options. It’s not going to be a single product. There is no silver bullet in security.”
Have a multi-layered approach, advised SecureLink’s Lager. “So, multiple things. So, one in terms of technology is providing good email security that will take away as much as possible of the threats. The next is to make sure, on the technology side, that you’ve got good end point protection. That’s going to be the second lever of defense. The third layer of defense is going to be educating end users, so they don’t click on everything. And then the fourth would be now, when all these three first failed, make sure that you have good security practices in place that can limit the damage if somebody actually clicked on that specific link.”
Isolation is a very, very simple concept that Javelin Networks uses: Essentially, open everything, from websites to attachments, in a secure, cloud-based environment which it can’t do any harm – and if it asks for user input, like credentials, warn the user if it seems suspicious, explained Guruswamy. “If you look at what about the web page that’s risky, it’s the active code and content. So instead of playing this game about whether it’s good or bad, we can take all of the active stuff, and move it up in the cloud somewhere.”
“So none of the code, none of the content ever came to me, to my browser, or to my end point, he continued. “That’s what makes isolation very special, because for the first time we can actually claim the promise of perfect security, because we’re not trying to play this game of good versus bad.”
TAG Cyber’s Amoroso agreed. “When people think about isolation, they try to find analogies that make sense. One of my favorites is, when you’re detonating a bomb, you don’t do it in a crowded area. You take it to a place, an isolated place, where it can be detonated and not cause problems. Ditto malware. So the idea that you can build a virtual isolated environment around computing makes good sense, because if there’s malware it hits that isolation boundary. You can do that on a container, on an end point, or you can push it off into the cloud. Either way, it’s an extremely effective way to make sure that malware doesn’t detonate and cause damage to real assets.”
Phishing: A Persistent but Solvable Problem
Phishing isn’t going anywhere, and every day new types of spearphishing are fooling individuals, business executives, even government officials. There is no easy cure, and no surefire way to guarantee that users won’t see malicious email. Fortunately, technology leaders do offer proven advice and solutions for what to do if the end users – like your CFO – does click that link or open that attachment. And they will.
Watch Zeichick’s full report here