A Powerful New Approach to Phishing – the Biggest Issue for Cybersecurity
Originally published on Ericom's blog.
By Nigel Willis, Ericom Group CTO for EMEA
Phishing attacks – which start with emails that appear to come from a legitimate company but are really devised by cybercriminals – are the top delivery mechanism for ransomware. Phishing takes full advantage of human nature: like soldiers shouting out their name, rank and serial number, we’ve all grown accustomed to providing credentials, when asked, to technology companies. And indeed, the technology brands which many users log into every day – Microsoft, Google, Netflix, Apple, Dropbox and Adobe – are the ones that phishers impersonate most, and most successfully.
Many phishers have tremendous resources to deploy; nearly 70% of cyberattacks are orchestrated by either organized crime or nation state affiliated actors. The companies they attack may not be as lucky. The average cost to recover from a ransomware attack is over $84,000 – and in some cases the costs can run to millions of dollars. A 2019 ransomware attack cost Demant, a Danish hearing aid manufacturer, an estimated $80-95 million in lost revenue, costs to restore their system, and steps taken to mitigate damage.
Should Your Business Rely on Users for Phishing Protection?
Phishing is predicated on the fact that there will always be users who do not notice that a phishing email is fake. For the phishers, of course, the more distracted users are, the merrier. And most phishers are merry indeed. In a recent simulated phishing attack created by researchers, 25% of users in North America clicked on a phishing email, and 18% gave up their login credentials. While Europeans were less gullible – or perhaps simply less distracted — sufficient numbers fell for counterfeit emails and websites to enable the researchers, had they been real phishers, to successfully breach the companies they targeted.
Many companies have reasoned that since phishing attacks could not succeed without users clicking, then educating them to not click on the wrong emails is the best way to thwart phishing attacks. In essence, they are trying to transform their workforce into the last line of defense against phishing attacks. When it comes to human behavior, however, reason does not always prevail.
In a large-scale simulation using over 100,000 test emails, user education was somewhat effective – but not nearly enough to protect users or organizations. Clickthrough rates ranged from 0% to 40% depending on how compelling the email was. The good news is that after training the click rates on the most compelling emails went down by 40%. The bad news is that even after that 40% improvement, 24% of employees who had been through training clicked on the most convincing phishing emails.
Clearly educating users isn’t effective enough to provide protection from sophisticated phishing attacks. And instead of depending on users to protect their business from phishers, it is the business that must protect its users from unwise clicks and credential shares.
Blocklisting known malicious URLs is an important first line of defense against phishing attacks. Almost all browser and email applications are equipped with URL filters that detect dangerous links by checking incoming URLs against those on the blocklist, and either blocking the site with that URL and the email containing it, or warning users of the danger.
Blocklists are compiled by webcrawlers which detect tell-tale signs that a site is malicious, such as unusually long URLs that exhibit phishing tropes. The detection technology is always improving, but cybercriminals also continually up their game to circumvent it. For instance, tools available for purchase on the dark web automatically create large numbers of URLs for identical malicious content, increasing the number of phishing emails that get through – and get clicked – before webcrawlers can flag each URL.
Webcrawlers, on average, require one hour to detect even the least sophisticated phishing sites. To lengthen that window, cybercriminals are deploying increasingly sophisticated technological solutions that extend the pre-categorized lives of their URLs, enabling them to harvest more credentials and deploy more ransomware onto more systems.
Much More Effective than Training; No Risk from Blocklisting Lag
There is, however, a way to implement foolproof protection from the newest, as-yet uncategorized – and therefore most dangerous – phishing sites: Remote Browser Isolation (RBI). RBI executes all web content in an isolated container in the cloud, remote from the user’s device and corporate systems. Cloud-based RBI streams only safe rendering data to the browser on the user’s endpoint, so ransomware from a phishing site cannot reach the user device or company network. To protect against ransomware delivery via malicious attachments, RBI can isolate files downloaded from websites in the cloud-based container as well, sending them on to the user – with native functionality intact – only following a content disarm and reconstruction process.
Credential theft is also prevented through RBI policies that allow new, still uncategorized sites to be browsed solely in read-only mode. Beyond blocking ransomware downloads to endpoints, this stops users from entering login credentials on sites that have not been verified as safe.
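The layered decision described above (blocklist first, then known sites, then read-only isolation for anything still uncategorized) can be sketched as a small URL policy engine. This is an added illustration, not code from the original post or from Ericom; the blocklist, category list, brand list and sample URLs are constructed placeholders, and the "tell-tale sign" heuristics are simplified stand-ins for what a real crawler would check.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not real indicators).
BLOCKLIST = {"login-verify-example.test", "secure-update.example"}
CATEGORIZED = {"microsoft.com", "google.com", "dropbox.com"}   # known, vetted sites
BRANDS = ("microsoft", "google", "netflix", "apple", "dropbox", "adobe")
MAX_URL_LEN = 120   # "unusually long URL" threshold, chosen for the example


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def in_domain_set(host: str, domains: set) -> bool:
    """True if host or any parent domain (mail.google.com -> google.com) is listed."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def looks_suspicious(url: str) -> bool:
    """Simplified crawler-style heuristics: overly long URL, or a brand name
    in a hostname that is not that brand's own categorized domain."""
    host = host_of(url)
    if len(url) > MAX_URL_LEN:
        return True
    return any(b in host for b in BRANDS) and not in_domain_set(host, CATEGORIZED)


def decide(url: str) -> tuple:
    """Return (action, reason) for a clicked link.

    block             - known-bad or heuristically flagged site
    allow             - categorized, vetted site
    isolate-readonly  - never-seen site: render via RBI, no downloads, no form input
    """
    host = host_of(url)
    if in_domain_set(host, BLOCKLIST):
        return ("block", "blocklisted")
    if in_domain_set(host, CATEGORIZED):
        return ("allow", "categorized")
    if looks_suspicious(url):
        return ("block", "heuristic")
    # The blocklisting-lag case: uncategorized, so isolate rather than trust.
    return ("isolate-readonly", "uncategorized")
```

The last branch is the one the article's argument turns on: a site the crawlers have not yet flagged is neither trusted nor blocked outright, but rendered remotely with credential entry and downloads disabled.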