This column is available in a weekly newsletter called IT Best Practices.
Anyone who has spent any amount of time trying to secure their organization’s endpoints or network would not be surprised to learn that phishing is now the #1 delivery vehicle for malware and ransomware.
According to Mandiant, phishing was used in about 95 percent of the cases of successful breaches where an attacker has been able to get into a target network and do something malicious. A phishing campaign is likely to have a 90 percent success rate—i.e., someone takes the bait—when the campaign is sent to 10 or more people.
Wombat Security says 85 percent of organizations they surveyed reported being the victim of a phishing attack in 2015, and that figure increased 13 percent from the previous year. What’s more, two-thirds of the organizations they studied reported experiencing attacks that were targeted and personalized (i.e., spear phishing attacks), and that’s up 22 percent from the year before.
In short, phishing in all its forms is a dangerous and growing threat for every organization, regardless of size or industry.
Most of us tend to think of a phishing attack as a menacing email that harbors either a malicious file attachment or a link to a compromised website. While email is the primary means of distributing bait to potential victims, it is not the only one. Often, legitimate websites are compromised so that when a person visits the site or clicks on a specific link, malware is downloaded and executed automatically (a drive-by download, which exploits a vulnerability in the browser or a plug-in rather than asking the user to do anything). Sometimes people who head to a particular URL are silently redirected to a malicious site where the same thing happens. Because of these varied delivery mechanisms, educating users not to click suspicious links or open unknown attachments, and screening incoming email, are necessary but not sufficient to fully protect an organization from infection.
Attackers who use phishing to plant malware are often quite sophisticated. Not only do they target specific companies, they target specific people within those companies because of the information and systems those people have access to. Social media makes it easy to find out who the CFO of a Fortune 500 company is and to learn personal details that can be used to win that person's confidence, so that they open a spoofed email, click a weaponized link or visit a malicious "watering hole" website.
Block the phish at the source
Area 1 Security believes that the most effective way to prevent phishing attacks is to understand what is behind the phish and block it at the source. Most people think an attack begins when the attacker appears on their doorstep with a malicious attachment, link or website. In reality, that phishing campaign began days, weeks or months ago, when the attacker built the infrastructure to support the campaign. Area 1 Security focuses on discovering, and then blocking, that infrastructure so the phishing campaign never reaches its customers’ doorsteps.
Area 1 Security begins by locating attackers' phishing infrastructure. Attackers generally do not run the campaign from data centers or servers traceable to themselves, whether to send their emails, host their malicious payloads or collect credentials from unwitting victims. Instead, they proxy through someone else's infrastructure. Very often this "someone else" is a small business that has no clue its servers are being used to support these phishing campaigns.
It takes time for attackers to set up this proxy infrastructure. They have to find a suitable host: maybe a doctor's office, a franchised hotel or some other small business with weak security. If the attackers are going to spoof, say, Google Docs or PayPal in their phishing campaign, they need to create web pages that look very similar to those companies' real pages, good enough to fool at least some people into handing over their credentials. Maybe the attackers set up a watering hole website where they plan to attract victims before delivering their malware. Performing these tasks takes time, and Area 1 Security uses that time to its advantage.
How Area 1 Security finds phishing sources
Area 1 Security places physical sensors on internet infrastructure proxy points that attackers use as campaign launching vehicles. The security vendor has relationships with numerous internet providers and businesses that have been compromised by attackers. Area 1 Security helps these companies harden their environments to protect them from harm in exchange for allowing Area 1 Security to install its sensors. This enables Area 1 Security to look at deep context on how these phishing attacks manifest themselves and what other infrastructure might be involved.
Area 1 Security does this by crawling the web—the entire internet—to look for markers of the phishing campaigns. For example, attackers have to use an IP address, a domain and a URL to even create a campaign, and the spoofed web pages and crafted email messages they stage are further markers. Area 1 Security crawls the web for the patterns it uncovered via the physical sensors, searching for similar campaign staging grounds.
Area 1 Security says it constantly crawls the internet—which is huge, but finite—at a speed it believes is second only to Google's web crawlers. The company says it can scrutinize 6 billion URLs and 4.8 billion IP addresses every couple of weeks. The result is a fairly thorough global map of where the attack infrastructure is located.
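The pivoting the two paragraphs above describe (start from a handful of indicators a sensor surfaced, then scan crawl data for hosts that share an IP, imitate a brand name or serve a brand-spoofing page) can be illustrated with a small scoring pass. The code below is an added example, not Area 1 Security's code; every hostname, IP and page title in it is constructed, the IPs are RFC 5737 documentation addresses rather than real resolutions, and the brand list is only an allowlist (nothing is resolved or contacted). The caveat it builds in is the one a practitioner cares about: a shared IP on its own is weak evidence, because shared hosting and CDNs put unrelated sites behind one address, so a lone signal yields "investigate" rather than "block".

```python
"""Added example: pivoting from sensor-observed indicators across crawl data.

Not Area 1 Security's code. All hosts, IPs and titles are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Brand tokens paired with apex domains that may legitimately carry them (allowlist only).
BRANDS = {"paypal": ("paypal.com",), "google": ("google.com",)}

# Digit-for-letter substitutions commonly used in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def _under(host: str, apex: str) -> bool:
    return host == apex or host.endswith("." + apex)


def is_brand_owned(host: str) -> bool:
    host = host.lower()
    return any(_under(host, apex) for apexes in BRANDS.values() for apex in apexes)


def lookalike_brand(host: str):
    """Brand a hostname imitates after homoglyph folding, or None."""
    if is_brand_owned(host):
        return None
    folded = host.lower().translate(HOMOGLYPHS).replace("-", "").replace(".", "")
    return next((b for b in BRANDS if b in folded), None)


def spoofed_title_brand(host: str, title: str):
    """Brand named in a page title served from a host the brand does not own, or None."""
    if is_brand_owned(host):
        return None
    return next((b for b in BRANDS if b in title.lower()), None)


@dataclass
class Record:  # one crawl observation: URL, IP it resolved to, <title> of the page
    url: str
    ip: str
    title: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def assess(crawl, seed_hosts, seed_ips):
    """Return {host: 'block' | 'investigate' | 'clean'}.

    'block' needs a seed match or two independent signals (lookalike name,
    brand-spoofing page, IP already tied to a confirmed host). One signal alone
    is only 'investigate'. Confirmed hosts feed their IPs into the next pass
    until nothing changes, which is the pivot from one staging ground to the next.
    """
    bad_hosts, bad_ips = set(seed_hosts), set(seed_ips)
    verdicts = {}
    while True:
        before = (len(bad_hosts), len(bad_ips))
        for r in crawl:
            signals = [
                r.host in bad_hosts,
                lookalike_brand(r.host) is not None,
                spoofed_title_brand(r.host, r.title) is not None,
                r.ip in bad_ips,
            ]
            n = sum(signals)
            if signals[0] or n >= 2:
                verdicts[r.host] = "block"
                bad_hosts.add(r.host)
                bad_ips.add(r.ip)
            elif n == 1:
                verdicts[r.host] = "investigate"
            else:
                verdicts[r.host] = "clean"
        if (len(bad_hosts), len(bad_ips)) == before:
            return verdicts


# Constructed crawl data. hotel-franchise is listed before the host that
# incriminates its IP, so it is only upgraded to 'block' on the second pass.
CRAWL = [
    Record("http://secure-paypa1-login.example/signin", "203.0.113.10", "Log in to your PayPal account"),
    Record("http://docs-google-share.example/view", "203.0.113.10", "Google Docs - Sign in"),
    Record("http://smalltown-dental.example/index.html", "203.0.113.10", "Smalltown Dental"),
    Record("http://hotel-franchise.example/wp-content/up/", "198.51.100.7", "Google Docs - Sign in"),
    Record("http://paypa1-verify.example/confirm", "198.51.100.7", "Verify your PayPal account"),
    Record("https://docs.google.com/", "192.0.2.20", "Google Docs - Sign in"),
    Record("http://news-site.example/", "192.0.2.55", "Daily News"),
]


def demo():
    """Run the pivot from one sensor-observed host and IP over the constructed crawl."""
    return assess(CRAWL, seed_hosts={"secure-paypa1-login.example"}, seed_ips={"203.0.113.10"})


if __name__ == "__main__":
    for host, v in demo().items():
        print(f"{v:12} {host}")
```

The dental practice sharing the seed IP ends up as "investigate", not "block": in the scenario the article describes it may well be the compromised small business, but the same signal fires for every tenant of a shared host, so it warrants a look rather than an automatic rule push. The real brand domain in the list stays "clean" because the allowlist is checked before any brand-token matching.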
All this information comes together in a massive data warehouse in the cloud where it feeds Area 1 Security’s services. The vendor has a cloud-based service called Area 1 Horizon that comes in three modules:
Horizon View provides a visualization of these campaigns and the tactics, techniques and procedures (TTPs) behind them. It gives organizations a sense of what actors are out there creating these campaigns and causing havoc. It's a "heads-up" view that allows subscribers to see global campaign activity across actors and industries long before the threats reach their doorstep, providing the time and information needed to batten down the hatches before the storm hits.
Horizon Fortify enables organizations to take specific defensive actions across the edge of their infrastructure. Through connectors and APIs, Area 1 Security can integrate with its customers’ web proxies, email devices, intrusion prevention systems, firewalls and so on to push out rule sets and orchestrate measures to block these campaigns from getting anywhere close to customers’ environments.
Horizon Extend neutralizes threats by taking pre-emptive action in the cloud or in the wild at the attacker's edge. For example, Area 1 Security has a cloud-based mail transfer agent that sits inline and lets the vendor intercept messages as they flow through to a customer, as well as a cloud-based DNS service that refuses to resolve known phishing domains, so a clicked link never reaches the attacker's server and the user is not infected. With its extensive knowledge of phishing infrastructure, Area 1 Security can look for relevant indicators and stop targeted attacks, malicious phishing, ransomware and fraudulent messages before they reach the intended recipients.
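The two enforcement points just described, an inline mail transfer agent and a blocking DNS resolver, both consume the same thing: a map of known phishing infrastructure. The code below is an added example of how that map is applied at each point; it is not Area 1 Security's code. The blocked hosts and IPs are a constructed map (for instance the output of a crawl-and-pivot step), the two email messages are constructed, the IPs are RFC 5737 documentation addresses, and the RPZ zone name `phish.rpz.example` is an assumption. The mail side parses a raw message with Python's standard `email` module, pulls every http(s) link out of its text and HTML parts and the relay IPs out of its `Received:` headers, and quarantines on a match; the DNS side renders a Response Policy Zone that makes a resolver such as BIND answer NXDOMAIN for each blocked host and its subdomains.

```python
"""Added example: applying a phishing-infrastructure map at the MTA and at DNS.

Not Area 1 Security's code. Hosts, IPs, messages and the zone name are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed infrastructure map (e.g. the output of an earlier crawl/pivot step).
BLOCKED_HOSTS = {"docs-google-share.example", "paypa1-verify.example"}
BLOCKED_IPS = {"203.0.113.10", "198.51.100.7"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_blocked_host(host: str) -> bool:
    """True for a blocked host or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def urls_in(msg: Message):
    """Yield every http(s) URL in the text/plain and text/html parts of a message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            yield from URL_RE.findall(text)


def relay_ips(msg: Message):
    """IPs recorded in Received: headers. Only the hop our own MTA wrote is
    trustworthy; earlier hops can be forged, so they are corroborating evidence."""
    for header in msg.get_all("Received", []):
        yield from BRACKETED_IP_RE.findall(header)


def verdict(raw: str):
    """Return ('quarantine', reasons) or ('deliver', []) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = []
    for url in urls_in(msg):
        host = urlparse(url).hostname or ""
        if is_blocked_host(host):
            reasons.append(f"link to known phishing host {host}")
    for ip in relay_ips(msg):
        if ip in BLOCKED_IPS:
            reasons.append(f"relayed via known phishing infrastructure {ip}")
    return ("quarantine", reasons) if reasons else ("deliver", [])


def rpz_zone(hosts, origin: str = "phish.rpz.example") -> str:
    """Render a Response Policy Zone: 'CNAME .' is the RPZ action for NXDOMAIN,
    and the wildcard entry covers subdomains. Load it in BIND via a
    response-policy statement; the origin name here is assumed."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. 1 3600 600 86400 60",
        f"@ IN NS ns.{origin}.",
    ]
    for h in sorted(hosts):
        lines.append(f"{h} CNAME .")
        lines.append(f"*.{h} CNAME .")
    return "\n".join(lines) + "\n"


# Constructed messages: one spoofing a PayPal notice, one ordinary newsletter.
PHISH = """\
Received: from mail.hotel-franchise.example (mail.hotel-franchise.example [198.51.100.7])
 by mx.victim.example with ESMTP id abc123; Mon, 1 Feb 2016 09:00:00 +0000
From: "PayPal" <service@paypa1-verify.example>
To: cfo@victim.example
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://paypa1-verify.example/login?id=42">verify
your account</a> within 24 hours.</p></body></html>
"""

CLEAN = """\
Received: from mail.news-site.example (mail.news-site.example [192.0.2.55])
 by mx.victim.example with ESMTP id def456; Mon, 1 Feb 2016 09:05:00 +0000
From: newsletter@news-site.example
To: cfo@victim.example
Subject: Daily News digest
Content-Type: text/plain; charset="utf-8"

Today's headlines: http://news-site.example/today
"""

if __name__ == "__main__":
    print(verdict(PHISH))
    print(verdict(CLEAN))
    print(rpz_zone(BLOCKED_HOSTS))
```

Quarantining on a link match alone is the stronger of the two checks; the relay-IP match is deliberately listed as a separate reason because only the `Received:` line added by the receiving MTA is authoritative, and a filter that trusts every hop in the chain can be steered by a forged header.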
Area 1 Security believes the best defense is a good offense, and that means stopping these malicious activities before they become actual attacks.