Phishing has been a threat to organisations for years now. But while historically it has been aimed at your customers, one of the worrying trends we can pick out of 2017 is that it’s now one of the primary means to compromise internal and privileged accounts. The UK and US governments are looking to combat this modern scourge through use of DMARC. But although it’s an important tool in the fight against the phishers, the protocol is not a silver bullet.
To stand any chance of getting to grips with one of the number one causes of data breaches, organisations must look at a range of tactics, including better user education.
The problem with phishing
Phishing is designed to exploit what could still be described as the weakest link when it comes to cybersecurity: the user. Using a combination of attention-grabbing email content, a sense of urgency for the recipient to act without delay, and impersonation of a trusted sender, attackers are able to socially engineer the victim into doing their bidding — whether that’s clicking on a malicious link or opening a malware-laden attachment.
The major browser makers and social sites have built-in protections for their customers, but the phishers are also upping their game. The tell-tale signs of poor spelling and grammar are beginning to disappear and the ubiquity of free SSL certificates means cybercriminals are increasingly hosting phishing pages on HTTPS. Some estimates claim that nearly a quarter of phishing sites are now hosted on such sites, giving netizens a dangerously false sense of security. The Anti-Phishing Working Group (APWG) estimates there were over half a million unique phishing attacks in the first six months of 2017 alone.
Organisations have even more to fear when it comes to highly targeted phishing attacks designed to harvest privileged credentials en route to your most sensitive customer data and IP. Even time-poor IT professionals are known to fall for such tricks, with attackers adding authenticity to some campaigns by sending the phishing email from a hacked or cracked colleague’s account. Once those privileged credentials are lost, the bad guys have the virtual keys to the kingdom. It’s no surprise that 21% of security incidents featured phishing in 2016, according to Verizon — up from just 8% the previous year. Even more noteworthy: the firm claimed phishing was present in the vast majority (93%) of “social attacks”, which were themselves used in over a fifth (43%) of breaches.
DMARC leads the fightback
It’s good to see that the UK and US governments have been taking steps to make their domains more resilient to phishing attacks against citizens. The DMARC protocol can be used by any organisation to make email spoofing much harder. It does this by allowing a sender to indicate whether their email domain is protected by SPF and/or DKIM authentication, telling the receiver what to do if it’s not, ie send to junk or reject outright.
The US government issued a binding directive in October last year mandating departments use DMARC with the strongest policy of “reject” to ensure unauthenticated messages are rejected at the mail server, before even being delivered. It’s now claimed that nearly half (47%) have implemented it. But Fortune 500 DMARC adoption apparently remains at just 33%, while in the UK, 98% of healthcare organizations and over 100 English local authorities are said to be unprotected. This is despite an order from the Cabinet Office requiring all service.gov.uk domains to adopt DMARC and HTTPS/HSTS by 1 October 2016.
The truth is that implementation of DMARC can be a time consuming and resource-intensive process, and even then it will only guard against direct domain spoofing. It won’t mitigate the risk of attackers sending phishing emails from hacked accounts or of “cousin domain attacks”, where emails are sent from a domain that looks like the one being abused.
Defence in depth
The discovery of 1.4 billion breached credentials on a dark website last December should be a wake-up call for industry stakeholders everywhere that passwords are no longer fit-for-purpose. In an ideal world, every organisation would switch to multi-factor authentication (MFA) for all privileged accounts — in one swoop, neutering a large majority of phishing attacks which seek to harvest static credentials.
We don’t live in such a world, however, so organisations must look to layer up phishing defences one on top of another to reduce risk. DMARC has its place, as do built-in anti-phishing tools in AV products, browsers and the like that prevent users visiting phishing sites or opening malware. But user awareness and education remains a vital measure which few organisations are getting right. Policies can be opaque and poorly communicated while training for many falls wide of the mark.
That’s why IT security leaders should redouble their efforts this year to find better, more inspiring ways to change user behaviour. The best tools will offer users real-world simulations in bite-sized chunks. These will be served up at regular intervals throughout the year and constantly evolve to take account of the ever-changing threat landscape. Perhaps most importantly, they will also provide detailed feedback and reporting so managers can assess the effectiveness of risk reduction efforts.
This kind of multi-layered approach will help turn that weakest link into a formidable first line of defence, backed up by a raft of other tools to help stop attackers in their tracks.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.