Phishing attacks remain a source of anguish for CISOs and security professionals. But those who choose to just throw technology at the problem are overlooking a vital component of their defence – the ‘human firewall’. Kamel Tamimi, Principal Security Consultant, Cofense Inc, tells us more…
Until human nature changes (don’t hold your breath), phishing attacks that target unwary people will be a headache. Two recent headlines show the Middle East and Africa are not being spared.
Last November, a leading regional bank issued a customer alert about a phishing email dangling a value-added tax refund. Naturally, the email purported to come from the bank. Whose pulse wouldn’t quicken at the thought of getting some money back?
The following month, Amnesty International warned of several credential phishing campaigns, likely from the same attackers, targeting Middle Eastern and North African organisations. In one campaign, the threat actors took aim at accounts on ‘secure’ email services like Tutanota and ProtonMail.
It would be nice if automation could solve the problem completely. But while automated systems, Machine Learning and AI can help, malicious emails are still getting past the perimeter. Just ask the regional bank and Amnesty International.
Here’s what organisations tell us about the human factor.
You could also ask organisations in the region and across the globe. At Cofense, we talk to them every day about effective phishing defence. Following are some of their insights on thwarting attacks on humans by empowering them with the right expertise and tools.
Let’s start with the head of information security at a Middle Eastern university. A few years ago, after large-scale attacks by nation-state actors on other regional targets, he made human-vetted phishing defence his number one priority, anchored by a rigorous phishing simulation program.
When he launched the program, users – students, faculty, administrators and anyone else using the network – fell for simulated phish 55% of the time. That number has now dropped to close to 10%, with the number of users reporting bad emails up to 50%.
(FYI, Cofense data shows that the energy industry leads the region in phishing reporting – on average, over 16 users report a simulated phish to every user that falls susceptible.)
“My mandate was to do everything necessary to protect the university community,” the head of information security reported.
“We invested in technological solutions, but with 30 years of IT experience, I know that you need to invest in people, not just processes and technology. You need to make them human firewalls.”
He added: “Look at it this way. You can put five locks on your door, but if you leave the keys under the doormat, the locks don’t do much good. Fortifying the human firewall is my utmost priority. The human element is the most important part of your defence.”
“Hey, is this the right payment?”
The cyber-program director of a multinational utility echoed these remarks.
“My CISO often states that if he had to cut all of his budget, down to the bare bones, all that he would choose to spend on would be awareness and response,” he said.
“We had a scenario where, all the way up to the CEO, they were ready to make a treasury payment until somebody finally picked up the phone and said, ‘hey, is this the right payment to be made?’ And it was blocked.”
Referring to constant changes in attack techniques and the need for defensive adjustments, he added, “I’m reminded of a quote from Alice in Wonderland, when the White Queen was saying, ‘In order to keep up, you have to run as fast as you can.’”
Removing phishing emails ‘sometimes in five or 10 minutes’
An operational risk consultant with a global financial company shared with us an example of employees helping the SOC stop phishing threats in minutes.
“I don’t think security is going to be improved by the next best technology we put in place, whether it’s an appliance or a firewall or something that blocks at the proxy,” she said.
“For example, we had a Word document with macros slip through our filters, so we just need to teach the humans that own our email addresses to be extra-vigilant.”
She continued: “We see some departments reporting as high as 60 percent in phishing simulations, but they also report [real] malicious emails that go to our cyberdefence teams – and they get them out of the network sometimes in five or 10 minutes.”
“That’s a return on investment.”
Noting the futility of investing in technology while users remain untrained, a cybersecurity awareness evangelist at one of California’s largest companies said: “In one corner you’ve got 10 million dollars in defence perimeter equipment and on the other side, of course, you’ve got ‘Dave.’
“A machine cannot apply a non-linear approach to a problem. A machine is just conditioned to do one thing. But a human being with instinct can make decisions that are a lot more intricate.”
His company too relies on employees to report actual phishing threats.
“Last month, we saw 33 reported threats come into our IR inbox,” he said. “When you consider that a breach could cost six million dollars, that’s a return on investment.”
“What did you do to prevent this?”
The last word comes from another global financial company:
“To not focus on phishing would be pretty negligent on any company’s part,” said the company’s operational risk consultant.
“At the end of the day, if we have a breach it’s probably going to have stemmed from some sort of phishing attack. When our regulators or clients are asking us, ‘What did you do to prevent this?’ it’s important to feel confident that we have an anti-phishing program in place.”
She noted that inbox behaviour is ‘easily measurable’. It’s not hard to sustain a phishing defence program because the metrics are simple to gather and use to demonstrate success.
In fact, automation makes it even easier, allowing program managers to schedule a year’s worth of simulations in a matter of minutes. Other automated systems enable SOC teams to filter and analyse reported emails quickly, plus remove them from users’ inboxes when verified as threats.
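The metrics the article relies on (the share of users who fall for a simulated phish, the share who report it, and the ratio of reporters to those who fell, quoted above as ‘16 users report a simulated phish to every user that falls susceptible’) are simple to compute from per-user simulation outcomes. The following is an added example, not Cofense’s code or any program manager’s tooling; the department names, outcome vocabulary and result records are constructed for illustration, and the `flag_departments` threshold is an assumed policy value.

```python
"""Phishing-simulation metrics from per-user outcome records (added example).

Each record is (department, outcome). The outcome vocabulary below is an
assumption made for this example; a real reporting tool would map its own
event types onto these four buckets.
"""
from collections import Counter, defaultdict

# "clicked_then_reported" counts as both susceptible (the user fell for the
# lure) and reported (the user still raised it with the SOC).
SUSCEPTIBLE = {"clicked", "clicked_then_reported"}
REPORTED = {"reported", "clicked_then_reported"}
VALID_OUTCOMES = SUSCEPTIBLE | REPORTED | {"ignored"}

# Constructed sample data: one simulation round across three departments.
SAMPLE_RESULTS = [
    *[("finance", "clicked")] * 2,
    *[("finance", "reported")] * 5,
    *[("finance", "ignored")] * 3,
    ("engineering", "clicked"),
    ("engineering", "clicked_then_reported"),
    *[("engineering", "reported")] * 3,
    *[("engineering", "ignored")] * 3,
    *[("hr", "reported")] * 4,
]


def summarise(counts):
    """Turn an outcome Counter into the rates a program manager tracks."""
    sent = sum(counts.values())
    susceptible = sum(n for o, n in counts.items() if o in SUSCEPTIBLE)
    reported = sum(n for o, n in counts.items() if o in REPORTED)
    return {
        "sent": sent,
        "susceptible": susceptible,
        "reported": reported,
        "susceptibility_rate": susceptible / sent if sent else 0.0,
        "report_rate": reported / sent if sent else 0.0,
        # Reports per user who fell for the lure (the article's "16 to 1").
        # None when nobody fell for it, so the ratio is undefined rather
        # than silently reported as zero or infinity.
        "resilience_ratio": reported / susceptible if susceptible else None,
    }


def compute_metrics(results):
    """Return {department: metrics, ..., "all": metrics} for one round."""
    per_dept = defaultdict(Counter)
    overall = Counter()
    for dept, outcome in results:
        if outcome not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} for {dept}")
        per_dept[dept][outcome] += 1
        overall[outcome] += 1
    metrics = {dept: summarise(c) for dept, c in sorted(per_dept.items())}
    metrics["all"] = summarise(overall)
    return metrics


def flag_departments(metrics, max_susceptibility=0.2):
    """Departments whose click rate exceeds an assumed training threshold."""
    return [
        dept
        for dept, m in metrics.items()
        if dept != "all" and m["susceptibility_rate"] > max_susceptibility
    ]


if __name__ == "__main__":
    report = compute_metrics(SAMPLE_RESULTS)
    for dept, m in report.items():
        ratio = "n/a" if m["resilience_ratio"] is None else f"{m['resilience_ratio']:.2f}"
        print(
            f"{dept:<12} sent={m['sent']:>3} "
            f"click={m['susceptibility_rate']:.0%} "
            f"report={m['report_rate']:.0%} ratio={ratio}"
        )
    print("needs extra training:", flag_departments(report))
```

Running the script prints one line per department plus an overall line; on the constructed data the overall round has 22 recipients, 4 of whom fell for the lure and 13 of whom reported it, giving a resilience ratio of 3.25. Tracking these figures round over round is what lets a program show the kind of drop from 55% to roughly 10% susceptibility that the university described.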
Those are smart uses of technology. After all, machines are great at saving time and handling repetitive tasks, saving human brains and intuition for critical decision-making. But if you’re placing all your bets on tech and neglecting the human factor, it’s going to be a long, and very phishy, year.