Take Phishing Off-Line With an End-to-End Strategy

Phishing tactics have steadily evolved in response to new defensive measures from security companies, increased awareness among users, or a change in attackers’ priorities.

For example, 10 years ago, a common tactic was to send a phishing email with a malicious attachment that, if opened, would install malware on a victim’s computer, said Aaron Higbee, Cofounder of and Chief Technology Officer at Cofense.

“What’s changed significantly over the last few years is the tactic has shifted more to credential theft,” Higbee said. There are various ways of trying to trick a user into disclosing a username and password. As a result, credential theft has become phishing’s No. 1 objective, he said, a conclusion supported by Symantec’s 2019 Internet Security Threat Report.

But although cyber attackers will adapt and evolve in response to new defenses, they won’t change if they don’t have to. Attackers using machine learning and artificial intelligence (AI), for instance, can turbocharge highly targeted spear-phishing attacks, culling information from social media and other sources to use in a phishing attack. Security researchers have demonstrated that advanced algorithms are effective at profiling targeted users, and that users are more likely to click on a link in those personalized emails. So, AI-generated phishing attacks would seem likely to be widely used.

“In practice, we’re not seeing the adoption of those techniques at all,” Higbee said. Email gateway security has been stagnant, with no third-party labs or research agencies currently testing it even though that typically leads to improvements. This “complete drought of innovation” has allowed attackers to rely on current tactics, without having to use new techniques. “We’re not seeing attackers using advanced algorithms or machine learning in order to boost their efficacy because they’re doing fine right now,” he said.

Regardless of tactics and techniques, the one constant in phishing’s evolution has been the users, who have been widely saddled with the designation of being the weakest link in any security chain. No matter how many layers of security an organization has in place, a user who is duped into sharing a password or other sensitive information puts the organization’s data at risk. A comprehensive anti-phishing solution needs to start with them.

Interactive simulation programs that engage users with the look and feel of actual phishing emails condition them to be an active part of phishing defense.

Government agencies have been slow to use simulations, often using them somewhat passively, as only a facet of user education. Many agencies ran simulations on their internal network, which couldn’t match the realism of simulations coming almost directly from the internet. And users weren’t an active part of the defense.

But users who are conditioned by doing up-to-date simulations to spot a suspicious email and report it quickly can give agencies a jump on stopping attacks. For example, they can quickly collect and analyze data on potentially harmful emails and initiate an effective response.

Private organizations have seen the results of that approach. Users trained with phishing simulations that accurately reflect the current state of actual phishes — and who have a visible “report phishing” button on their email screens — can become adept at recognizing and reporting suspicious emails. Combined with threat intelligence, real-time analysis and incident response, simulations can form an essential component of comprehensive phishing defense.
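The report-and-analyze loop described above, as an added example that is not from the GovLoop report or from Cofense: a small Python triage script (the function names `parse_report`, `url_indicators` and `triage`, the keyword list and the sample reports are all assumptions constructed here) that pulls links out of user-reported emails, flags the credential-theft shape the article calls phishing's main objective, and groups reports by link host so a campaign reported by several users rises to the top of the queue.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Words typical of credential-harvesting pages (assumed starting list; tune per agency).
CRED_WORDS = ("login", "signin", "verify", "password", "account", "reset")

def parse_report(raw):
    """Reporter, sender domain and links from one reported message (single-part text assumed)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return {"reporter": parseaddr(msg.get("To", ""))[1].lower(),
            "sender_domain": sender.rsplit("@", 1)[-1],
            "urls": URL_RE.findall(msg.get_payload())}

def url_indicators(url, sender_domain):
    """Credential-theft heuristics for one link: host outside the sender's domain, login-style words."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    reasons = []
    if host != sender_domain and not host.endswith("." + sender_domain):
        reasons.append(f"link host {host} does not match sender domain {sender_domain}")
    if hits := [w for w in CRED_WORDS if w in host or w in path]:
        reasons.append(f"credential keywords {hits} in link")
    return reasons

def triage(raw_reports):
    """Group reports by link host; returns [(host, distinct_reporters, reasons)], busiest campaign first."""
    campaigns = defaultdict(lambda: {"reporters": set(), "reasons": set()})
    for raw in raw_reports:
        report = parse_report(raw)
        for url in report["urls"]:
            host = (urlparse(url).hostname or "").lower()
            campaigns[host]["reporters"].add(report["reporter"])
            campaigns[host]["reasons"].update(url_indicators(url, report["sender_domain"]))
    ranked = [(h, len(c["reporters"]), sorted(c["reasons"])) for h, c in campaigns.items()]
    ranked.sort(key=lambda t: (t[1], len(t[2])), reverse=True)
    return ranked

REPORTS = [  # constructed samples, not real reports
    "From: IT Helpdesk <helpdesk@agency-support.example>\nTo: alice@agency.example\n"
    "Subject: Password expires today\n\nReset now: https://agency-login.example/verify/account\n",
    "From: IT Helpdesk <helpdesk@agency-support.example>\nTo: bob@agency.example\n"
    "Subject: Password expires today\n\nReset now: https://agency-login.example/verify/account?u=2\n",
    "From: Newsletter <news@agency.example>\nTo: carol@agency.example\n"
    "Subject: Weekly digest\n\nThis week's updates: https://news.agency.example/digest\n",
]
```

Running `triage(REPORTS)` ranks agency-login.example first (two distinct reporters, both indicators firing) and the internal newsletter host last with no indicators, which is the ordering an analyst wants when many reports arrive at once.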

This article is an excerpt from GovLoop’s recent report, “An End-to-End Strategy for Taking Phishing Off-Line.” Download the full report here.
