Making the Case for User Reported Phishing
2024-4-23 22:36:39 Author: www.vmray.com

As technology advances, phishing campaigns continue to grow in sophistication, emphasizing the need for vigilance and awareness. The recent spate of ransomware attacks on US healthcare has exposed major chinks in the armor of many an organization’s security stack. Zero-day malware, if unchecked, can quickly bring an organization to its knees, and in the case of small and medium businesses (SMBs), cause their eventual demise. SMBs and some enterprises rarely have the money or skilled resources to prevent a targeted and sustained cyber-attack by determined threat actors.

It isn’t that many of these organizations don’t deploy security controls to mitigate threats; it’s that largely static defenses can be bypassed by threat actors who do diligent research using OSINT (Open-Source Intelligence) to profile a target, understand its technology stack, and invest in the same technology themselves to find a way in. Customer case studies are a good source of such intelligence, for example, which is why VMRay anonymizes details to obscure the customer. As a virtual last line of defense, it would be disingenuous to reveal one of the key technologies keeping a customer network safe and secure just to have a brand logo on a website.

It’s Always The .x% That Gets You

After decades of maturity, phishing detection solutions – whether perimeter or endpoint – are still allowing malicious emails to infiltrate the network. Depending on the size of the organization, perimeter-based phishing solutions could be handling hundreds of thousands of emails every day. Do they work? Yes, they do. They’re very effective at addressing the 96-99.x% of threats thrown at them, but it’s that .x% that manages to get through, causing all the damage.

But let’s hypothetically quantify what that .x% number really means. Out of the 340 billion emails sent worldwide every day – according to Internet sources – there are 3.4 billion fake emails such as phishing emails and other types of email attacks. So roughly 10% of the overall total, with approximately 2% of that 10% flagged as truly malicious. An average person sends and receives 121 business emails per day. If you multiply the average number of emails per day by the number of employees and take 98% off the total, the remaining 2% quantifies your potential risk.

Moreover, different classifiers get different results, with perhaps the most accurate achieving 99.68%, with less accurate classifiers anywhere between 96%-99%. The more emails your organization sends and receives, the greater the exponential risk. The chart below should help you ballpark your exposure to phishing risk. Remember, these are malicious emails per day that primary phishing solutions potentially miss due to lack of classifier accuracy.

| Employees \ Classifier Accuracy | 99.68% | 99%   | 98%   | 97%   | 96%   |
|---------------------------------|--------|-------|-------|-------|-------|
| 1,000                           | 7.74   | 24.2  | 48.4  | 72.6  | 96.8  |
| 5,000                           | 38.72  | 121   | 242   | 363   | 484   |
| 10,000                          | 77.44  | 242   | 484   | 726   | 968   |
| 25,000                          | 193.6  | 605   | 1,210 | 1,815 | 2,420 |
| 50,000                          | 387.2  | 1,210 | 2,420 | 3,630 | 4,840 |

Figure 1. Estimated number of malicious emails per day that could potentially bypass point phishing solutions based on accuracy.
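The arithmetic behind Figure 1, as an added example that is not VMRay’s code: it reproduces the table from the article’s own inputs (121 business emails per employee per day, 2% of all email treated as truly malicious, misses equal to one minus classifier accuracy) and then asks the inverse question the figure does not answer, namely what accuracy a perimeter classifier would need to keep misses under a given daily budget. The constants, function names and the one-miss-per-day budget are assumptions chosen for the illustration.

```python
"""Exposure model behind Figure 1 (added illustration, not VMRay's code).

Inputs are taken from the article: 121 business emails per employee per day and
2% of all email treated as truly malicious. Misses are modelled as the malicious
volume times (1 - classifier accuracy)."""

EMAILS_PER_EMPLOYEE_PER_DAY = 121   # average from the article
MALICIOUS_FRACTION = 0.02           # share of all email treated as truly malicious
ACCURACIES = (0.9968, 0.99, 0.98, 0.97, 0.96)
HEADCOUNTS = (1_000, 5_000, 10_000, 25_000, 50_000)


def missed_per_day(employees, accuracy,
                   emails_per_employee=EMAILS_PER_EMPLOYEE_PER_DAY,
                   malicious_fraction=MALICIOUS_FRACTION):
    """Expected malicious emails per day that reach mailboxes despite the classifier."""
    if not 0.0 <= accuracy <= 1.0:
        raise ValueError("accuracy must be a fraction between 0 and 1")
    malicious = employees * emails_per_employee * malicious_fraction
    return malicious * (1.0 - accuracy)


def exposure_table(headcounts=HEADCOUNTS, accuracies=ACCURACIES):
    """Rebuild Figure 1 as {employees: [missed per day at each accuracy]}."""
    return {n: [round(missed_per_day(n, a), 2) for a in accuracies] for n in headcounts}


def required_accuracy(employees, max_missed_per_day,
                      emails_per_employee=EMAILS_PER_EMPLOYEE_PER_DAY,
                      malicious_fraction=MALICIOUS_FRACTION):
    """Classifier accuracy needed to keep expected misses at or below a daily budget."""
    malicious = employees * emails_per_employee * malicious_fraction
    return max(0.0, 1.0 - max_missed_per_day / malicious)


def render(table, accuracies=ACCURACIES) -> str:
    """Plain-text rendering of the exposure table for a report or ticket."""
    header = "Employees | " + " | ".join(f"{a:8.2%}" for a in accuracies)
    rows = [f"{n:>9,} | " + " | ".join(f"{v:>8,.2f}" for v in vals)
            for n, vals in table.items()]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    print(render(exposure_table()))
    # Budget of one missed malicious email per day is an assumed target, not a
    # figure from the article.
    need = required_accuracy(10_000, 1)
    print(f"accuracy needed for 10,000 employees to stay under one miss per day: {need:.5%}")
```

The inverse calculation is the useful part: even a one-miss-per-day budget for a mid-sized organization demands better than 99.99% accuracy, which is why the article argues for a second line of detection behind the perimeter rather than relying on classifier accuracy alone.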

For the .x% that do get through successfully and into a user’s mailbox, what is your backup plan to detect malicious email threats before a user clicks on them? The only plan working well right now is end-user education on how to spot and confirm an email threat, then forward it to a quarantine mailbox managed by the SOC.

The SOC team then must manually triage the email or run it through a sandbox-like technology to identify behavior and any suspicious activity that would indicate an attack chain to a malicious payload. The automation of phishing email triage significantly reduces the reliance on SOC team resources and helps to close the gap on detecting zero-day threats and phishing email compromise. The larger the organization, the bigger the challenge, and phishing detection accuracy plays a big part in it.
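The first step of that triage, pulling the artefacts out of a user-reported message so an analyst or a sandbox can act on them, as an added example that is not VMRay’s code or product. It uses only the Python standard library, builds a constructed sample report (reserved example.com/.net/.org domains, a made-up PDF body) rather than a real captured email, and the indicator names, the internal-domain rule and the sandbox-versus-manual-review routing are assumptions for the illustration.

```python
"""Pre-triage of a user-reported phishing email (added illustration, not VMRay's code).

Parses one message forwarded to a SOC quarantine mailbox and extracts what the next
stage needs: sender and Reply-To domains, every URL in the text parts, and each
attachment with its SHA-256. All sample data below is constructed for the example."""
import hashlib
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Constructed attachment body for the sample report; not a real document.
SAMPLE_PDF_BYTES = b"%PDF-1.4 constructed sample\n"


def build_sample_report() -> bytes:
    """Raw RFC 5322 bytes of a message a user might forward to the SOC mailbox.
    Addresses use reserved example domains; the content is invented."""
    msg = EmailMessage()
    msg["From"] = '"IT Helpdesk" <helpdesk@example.com>'
    msg["Reply-To"] = "support@example.net"          # answers go somewhere else
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Action required: password expires today"
    msg.set_content("Your password expires today. Reset it here: https://example.org/reset\n")
    msg.add_alternative(
        '<p>Reset it <a href="https://login.example.net/reset?id=1">here</a>.</p>',
        subtype="html")
    msg.add_attachment(SAMPLE_PDF_BYTES, maintype="application", subtype="pdf",
                       filename="Password_Policy.pdf")
    return msg.as_bytes()


def _domain(address_header) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(host: str, org_domain: str) -> bool:
    """Assumed rule: a link is internal if its host is the sender's domain or a subdomain."""
    return bool(host) and bool(org_domain) and (host == org_domain or host.endswith("." + org_domain))


def triage(raw: bytes) -> dict:
    """Parse one reported email and return the artefacts for an analyst or sandbox."""
    msg = message_from_bytes(raw, policy=default)
    from_domain = _domain(msg["From"])
    reply_to_domain = _domain(msg.get("Reply-To"))

    # URLs from the displayed body parts only; attachments are handled separately.
    links = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            links.update(URL_RE.findall(part.get_content()))

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "replace")
        attachments.append({
            "name": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })

    indicators = []
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append("reply_to_domain_mismatch")
    external = sorted(u for u in links
                      if not _is_internal(urlsplit(u).hostname or "", from_domain))
    if external:
        indicators.append("external_links")
    if attachments:
        indicators.append("attachments_present")

    # Routing is an assumption for the example: anything with a link or a file goes to
    # behavioural analysis, header-only oddities to an analyst, nothing found is closed.
    if external or attachments:
        action = "sandbox"
    elif indicators:
        action = "manual_review"
    else:
        action = "close"
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "links": sorted(links),
        "external_links": external,
        "attachments": attachments,
        "indicators": indicators,
        "action": action,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_report()), indent=2))
```

The point of hashing attachments and collecting URLs up front is that the sandbox submission and any lookup against earlier reports can be keyed on them, so the same lure reported by several users is recognized as one case rather than triaged repeatedly.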

The Attacker Always Has the Advantage

In the real world and on a level playing field, the defender has an advantage of 3 to 1. In the world of cybersecurity, the inverse is true. The attacker always has the advantage and can pivot faster than static defenses to new tactics based on available intelligence, resources, and intent. This is especially true if the online documentation for the solution they are trying to circumvent is available on the vendor’s website.

Malware authors know about the trade-off between performance and security and bury the payload deep inside recursive links and directories. They may know that links in PDF documents aren’t checked by a specific vendor solution, and if they are, they replace the link with a QR code to deliver a malware loader or payload.

With the rise of sophisticated social engineering toolkits such as Blackeye, NPhisher, and Zphisher, threat actors can set up and tear down convincing fake websites extremely quickly. The toolkits provide any number of preconfigured website templates that are very well made, making them very difficult to identify. Remember, it only takes one wrong click on a phishing email to potentially bring a company to its knees.

User-reported phishing blog series:

Part 2: What organizations can do to mitigate phishing email bypass

Part 3: How VMRay’s user-reported phishing works


Article source: https://www.vmray.com/making-the-case-for-user-reported-phishing/