What to look for when buying a tool
Information and IT security within an organisation is a complex beast and keeping it under control is not always just a matter of throwing money at it. We have seen a growing trend for integrated approaches to security and it is no longer sufficient to drop ad-hoc tools into an environment and expect them all to play nicely.
One thing is certain: no matter how good your network, application and endpoint security are, the human element can be exploited. The most successful social engineering technique employed in cyber attacks is email phishing. Phishing is effective because it does not rely on a technical vulnerability but on the lack of security awareness of the targeted employees. Phishing scams are easy to execute, cheap and growing in sophistication.
Setting up a phishing campaign is relatively easy for an attacker, because a good phishing kit can be bought on the black market for as little as $2-$10. These kits are easily customisable and do not require deep technical knowledge to deploy. The selling of phishing kits has become very professional, with some sellers even offering guarantees of phishing success and customer service.
The larger your company, the greater the risk of a successful breach via a phishing attack, because it is a simple case of numbers: your defences need to succeed every time, whereas a phishing scam only needs to succeed with one of your employees. Traditional security awareness training programmes often fall short because classroom concepts are not well retained by employees in their day-to-day job.
Recent research shows that certain types of phishing campaign targeting employees are growing, and that the click-through rate for malicious messages can be as high as 25%. If you take a minute to stop and think about that, you may well ask yourself, "Why is this not my top priority?" Many of the top breaches in the news over the last couple of years started with a targeted phishing attack. Anti-phishing tools (phishing simulation and awareness platforms) are an essential part of any organisation's cyber strategy and have been shown to reduce malware incidents and increase employees' security awareness. The future of these tools lies in further integration, not only to improve awareness but also to identify, reduce and protect against malware attacks.
A good anti-phishing tool should offer a joined-up, end-to-end capability for defending against phishing scams. To provide that capability, anti-phishing software companies must not rest on their laurels, but should consider the Anti-Phishing Triangle (APT, not to be confused with "advanced persistent threat"). The APT covers the areas of Identification, Training and Protection. These three elements should form the baseline for any future anti-phishing tool, and each can be broken down further.
Identification of any existing malware before you begin any form of training is key for a mitigation tool to be effective. Identification is, simply, the discovery of existing malware, its categorisation and its remediation.
- Discovery: current phishing scams, attacker TTPs and malware threats (e.g. ransomware, crypto-lockers) seen in the wild should be catalogued within the anti-phishing tool. The tool should be able to scan your environment and provide a dashboard of existing issues.
- Categorisation: by categorising the discovered scams by type and impact, users can understand the actual threat posed.
- Remediation: the tool should state how to lower or nullify the threat posed, along with the capability to perform the specific actions needed to do so. This could take the form of a report-phishing function within the organisation's generic email client, so that suspicious messages reach the people who can act on them.
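The three Identification steps above, as one added worked example rather than any product's code: a small triage routine that takes a message a user has reported, extracts indicators (reply-to mismatch, failed SPF/DMARC, links whose visible text points somewhere other than their href, risky attachments, lure wording), categorises the threat by type and impact against a catalogue of already-discovered bad domains, and returns the remediation actions. The sample message, the catalogue and the domain login-example-verify.com are all constructed for illustration.

```python
"""Triage of a user-reported phishing email (added example, not a product's code).

Given the raw message a user reported, extract indicators, categorise the
threat by type and impact, and return the remediation actions to take.
The sample message and the 'known bad' catalogue are constructed for
illustration; the domain login-example-verify.com is hypothetical.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed catalogue of domains already discovered in earlier campaigns
# (the Discovery step's output; a real tool would feed this from intel).
KNOWN_BAD_DOMAINS = {"login-example-verify.com"}
RISKY_EXTENSIONS = {"exe", "js", "hta", "lnk", "iso", "docm", "xlsm", "zip"}
LURE_WORDS = ("verify", "password", "suspended", "account", "urgent")

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+')
TAG_RE = re.compile(r"<[^>]+>")


def _domain(addr: str) -> str:
    """Mail domain from 'Name <user@host>' or 'user@host'."""
    return addr.split("@")[-1].strip("> ").lower() if "@" in addr else ""


def extract_indicators(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", "")) or from_dom
    auth = msg.get("Authentication-Results", "").lower()

    urls, mismatched, attachments, text = set(), [], [], msg.get("Subject", "")
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            # Anchor text that shows one URL while the href points elsewhere
            for href, shown in HREF_RE.findall(body):
                urls.add(href)
                visible = URL_RE.search(TAG_RE.sub("", shown))
                if visible and urlparse(visible.group()).hostname != urlparse(href).hostname:
                    mismatched.append((visible.group(), href))
            stripped = TAG_RE.sub(" ", body)
            urls.update(URL_RE.findall(stripped))
            text += " " + stripped
    hosts = {urlparse(u).hostname for u in urls} - {None}
    return {
        "sender_domain": from_dom,
        "reply_to_mismatch": reply_dom != from_dom,
        "spf_or_dmarc_fail": "spf=fail" in auth or "dmarc=fail" in auth,
        "urls": sorted(urls),
        "mismatched_links": mismatched,
        "known_bad_domains": sorted(hosts & KNOWN_BAD_DOMAINS),
        "attachments": attachments,
        "lure_language": any(w in text.lower() for w in LURE_WORDS),
    }


def categorise(ind: dict) -> str:
    """Categorisation by type; order matters (an attachment outranks a link)."""
    if any(a.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS for a in ind["attachments"]):
        return "malware-delivery"
    if ind["urls"] and ind["lure_language"]:
        return "credential-harvesting"
    if not ind["urls"] and ind["reply_to_mismatch"]:
        return "payment-fraud"  # BEC-style: no link, just a redirected reply
    return "unclassified"


# Remediation actions per category (illustrative, not a product's playbook)
ACTIONS = {
    "malware-delivery": ["detonate attachment in sandbox", "block hash at mail gateway",
                         "isolate hosts that opened it"],
    "credential-harvesting": ["block URL at proxy and mail gateway",
                              "purge message from all mailboxes",
                              "reset credentials of users who clicked"],
    "payment-fraud": ["block reply-to domain", "alert finance team"],
    "unclassified": ["queue for analyst review"],
}


def triage(raw_message: str) -> dict:
    ind = extract_indicators(raw_message)
    cat = categorise(ind)
    confirmed = ind["known_bad_domains"] or ind["mismatched_links"] or ind["spf_or_dmarc_fail"]
    if cat == "malware-delivery" or (cat != "unclassified" and confirmed):
        impact = "high"
    else:
        impact = "medium" if cat != "unclassified" else "low"
    return {"category": cat, "impact": impact, "actions": ACTIONS[cat], "indicators": ind}


# Constructed report: a credential lure whose visible link text and href differ
SAMPLE_REPORT = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: support@login-example-verify.com
To: alice@example.com
Subject: Action required: your account will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Verify your account within 24 hours.</p>
<p><a href="https://login-example-verify.com/auth">https://portal.example.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["category"], result["impact"], result["actions"])
```

The point of the example is the ordering: the reporting function only has value if the headers survive the report (so SPF/DMARC results and the Reply-To can be checked) and if the categorisation feeds directly into concrete actions, which is what the Remediation bullet asks of a tool.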
The training and awareness of personnel should be the foundation of the end-to-end solution, with technical mitigations developed to complement it.
- Baseline knowledge: establish the initial state of your personnel's knowledge of phishing threats, for example by surveying a representative sample of staff to ascertain their current understanding.
- Testing: test your personnel's ability to spot phishing scams. Testing is already widely covered by many anti-phishing tools. Each test should be followed up with reinforcement training that explains the how, why and what of phishing, and that in turn should be followed by some form of assessment to check the personnel's knowledge.
- Monitoring: personnel's susceptibility to targeted campaigns, and their progress in the assessments of their phishing knowledge, should be monitored. The tool should let you analyse whether the training and phishing campaigns are achieving their intended outcome, for instance whether click rates fall and report rates rise from one simulated campaign to the next.
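The Monitoring bullet above, as an added example (not vendor code) of the analysis a tool should let you run: the results of two constructed simulated campaigns, C1 as the baseline and C2 after reinforcement training, are reduced to per-campaign click and report rates, per-department click rates, the list of repeat clickers who need targeted training, and a yes/no verdict on whether training is working. User names, departments and outcomes are all constructed.

```python
"""Measuring whether simulation plus training is working (added example, not
vendor code). Campaign results are constructed: two simulated campaigns, C1
(baseline) and C2 (after reinforcement training), across two departments."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str      # campaign identifiers sort chronologically
    user: str
    department: str
    clicked: bool      # followed the lure link
    reported: bool     # used the report-phishing button


# Constructed data: eight users, two departments, two campaigns
USERS = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance",
         "erin": "engineering", "frank": "engineering", "grace": "engineering",
         "heidi": "engineering"}
CLICKED = {"C1": {"alice", "bob", "dave", "erin"}, "C2": {"bob", "dave"}}
REPORTED = {"C1": {"grace"}, "C2": {"alice", "carol", "grace", "heidi"}}
RESULTS = [Result(c, u, d, u in CLICKED[c], u in REPORTED[c])
           for c in ("C1", "C2") for u, d in USERS.items()]


def campaign_metrics(results):
    """Per campaign: click rate (lower is better) and report rate (higher is better)."""
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.campaign] += 1
        clicks[r.campaign] += r.clicked
        reports[r.campaign] += r.reported
    return {c: {"sent": sent[c],
                "click_rate": clicks[c] / sent[c],
                "report_rate": reports[c] / sent[c]} for c in sent}


def department_click_rates(results):
    """Department -> campaign -> click rate, to see where training should focus."""
    sent, clicks = defaultdict(int), defaultdict(int)
    for r in results:
        sent[(r.department, r.campaign)] += 1
        clicks[(r.department, r.campaign)] += r.clicked
    out = defaultdict(dict)
    for (dept, camp), n in sent.items():
        out[dept][camp] = clicks[(dept, camp)] / n
    return dict(out)


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns: the targeted-training list."""
    count = defaultdict(int)
    for r in results:
        count[r.user] += r.clicked
    return {u for u, n in count.items() if n >= threshold}


def training_effective(results):
    """True when, from the first to the latest campaign, clicks fell AND reports rose.
    A falling click rate on its own is not enough: users may simply be ignoring mail."""
    m = campaign_metrics(results)
    first, last = min(m), max(m)
    return (m[last]["click_rate"] < m[first]["click_rate"]
            and m[last]["report_rate"] > m[first]["report_rate"])


if __name__ == "__main__":
    for camp, stats in sorted(campaign_metrics(RESULTS).items()):
        print(camp, stats)
    print("by department:", department_click_rates(RESULTS))
    print("repeat clickers:", sorted(repeat_clickers(RESULTS)))
    print("training effective:", training_effective(RESULTS))
```

The deliberate choice here is to require both a falling click rate and a rising report rate before declaring success: a campaign that nobody clicks and nobody reports tells you nothing about awareness, only about inbox fatigue.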
Although it is not possible to build a purely technical solution that prevents phishing, technical controls can help weed out potential threats.
- Prevention: the anti-phishing tool should provide enterprise-level protection against the known threats catalogued in the Identification section.
- Threat analysis: the tool should provide forward-looking phishing intelligence that gives users an awareness of the potential threats and attack vectors scammers are likely to use next.
- Support: the Protection section of the APT should support the other two sections by feeding knowledge of new threats back into Identification and Training.
The three points of the Anti-Phishing Triangle, Identification, Training and Protection, should feature in any anti-phishing tool you purchase in order to offer an end-to-end defence capability. Identification of threats, coupled with the capability to protect against them, forms a solid line of defence. However, as phishing is a form of social engineering, personnel training and awareness should also feature heavily and be measured for effectiveness.
In doing so, a defence in depth strategy against phishing is formed.
As with all traditional scams, phishing will evolve and become more sophisticated as more resources and mitigations are placed in front of it. However, whatever new technical or non-technical mitigations are put in place, the Anti-Phishing Triangle should be at their core, with training of your personnel given the utmost importance, as they are your first line of defence.