Rayna Healy is an MSP Sales Manager for Avanan
I want to talk to you about phishing. All sorts. Sometimes when I'm sitting in front of a screen all day, in a fugue state, I remember another job where I encountered quite a bit of fish.
I worked as a kayak and canoe guide in Juneau, Alaska. Salmon are ubiquitous in the summer. Which meant that another creature was as well: the majestic bald eagle. They are HUGE in Southeast Alaska due to the abundance of fish moving upstream in a wall of pink. They have, on average, six-and-a-half-foot wingspans and can often be found sitting with absolute poise and concentration all across the city. Does anyone know the most common cause of death for an eagle in Southeast Alaska?
They most often die from drowning.
This is because when they lock their claws into a fish, and fly up, the pressure essentially makes them unable to let go. So if they grab an extra fatty salmon, of which there are many, a battle of strength ensues. The fish swims down and the eagle spreads those giant wings to try and get the salmon out of its element. But the eagle gets wet, the fish is too heavy and good at swimming upstream, against all odds. Another American hero, down.
I think it's very difficult to work as an MSP and not feel like the eagle. The good guys, to be sure, but fighting against something that is abundant, scrappy and used to working against the current. Just when we feel like we've sunk our claws into something we can dig up, we realize its scope and immediately feel out of our element.
Phishing, the kind cybercriminals do, is the entry point for 91% of breaches, by the figure most often cited. As we work out how to keep our clients safe, THIS is where we have to focus. There are no silver bullets in security, but if we can figure out how to stop malicious emails, we can sleep a lot easier at night.
Last year, 83% of organizations reported experiencing phishing attacks. The FBI estimates that phishing attacks may increase by as much as 400% year over year. Half of IT decision-makers rank phishing as their number one security concern. We see new attacks and approaches every day, and we also see the old, tried-and-true ones.
The Nigerian Prince, or 419 fraud, is treated more as a punchline in this day and age. Although it's often seen as a trope, in 2018 the Nigerian Prince scam brought in more than $700,000 from Americans alone.
According to a Popular Science article:
The Nigerian prince is a variation on the centuries-old Spanish prisoner swindle, an advance-fee scam that emerged after the French Revolution, where people sent handwritten letters soliciting help for a (non-existent) nobleman falsely imprisoned. While it’s closely associated with the early internet, the Nigerian prince first went global in the 1980s when West African fraudsters began snail-mailing scam letters around the world.
This infamous scam continues to evolve to find new victims. Within the past few months, Avanan saw a new twist where a threat actor posed as Russian dissident Alexei Navalny asking for help withdrawing money from a Turkish bank account. According to the email, 25% of the money will go to the email recipient while 75% will go to help displaced Ukrainians. We've seen this scam show up in a variety of creative ways throughout history and people continue to buy in, literally. When we are still teaching people to recognize one of the oldest tricks in the book, it’s hard to keep up with the plethora of new scams that pop up every day.
Security Awareness Training has been widely implemented because cybercrime relies heavily on social engineering. We can, and should, throw as much Security Awareness Training as possible at end users. It's really important that people understand cyber-hygiene. From a business point of view, phishing costs organizations on average $4.65 million to remediate. But as we dip our toes into the metaverse and an increasingly digital world, it's got to be a human right to understand how to keep your identity, your finances, and your businesses safe.
Still, we cannot confuse security awareness training with email security.
End users are extremely ineffective at finding malicious emails, no matter how well trained. When we sent end users real copies of phishing emails, they only caught them about 1% of the time. No matter how diligently we push Security Awareness Training, our approach to email security should not rely on end users spotting malicious emails. They are not trained security analysts.
Phishing attacks evolve and are increasingly personalized. Even those of us in IT and security are treading water trying to keep up with the latest attack trends. We cannot place that burden on end users. If a malicious email manages to evade technology, how are we meant to expect end users to catch the zero-font trick (junk text set at a font size of zero, which the reader never sees but which breaks the keyword matching of a filter that reads the raw message)? We need technology that keeps malicious emails out of the inbox and evolves as the threats do.
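To make the zero-font point concrete, here is an added example (not code from the original post, and not Avanan's engine) that separates what a recipient actually sees from what is hidden at font-size zero, and shows why a filter matching on the raw text misses the lure while the human reads "verify your account" perfectly well. The HTML message is a constructed sample; the phrase list and the regex for zero-size styles are assumptions made for the illustration and use only the Python standard library.

```python
"""Zero-font obfuscation: the reader sees one text, a naive filter sees another.

Added example, not code from the original post or from Avanan.
Standard library only; SAMPLE_HTML is constructed sample input.
"""
import re
from html.parser import HTMLParser

# Constructed lure: in a mail client it reads "Please verify your account
# within 24 hours", but junk is inserted at font-size:0 between the words,
# so a filter that matches "verify your account" on the raw text never sees it.
SAMPLE_HTML = """
<p>Please <span style="font-size:0">xq7</span>verify your <span style="font-size:0px">Newsletter issue 42</span>account
<span style="font-size: 0;">lorem</span>within 24 hours: <a href="http://login.example.invalid/">click here</a></p>
"""

# Assumption: a zero-size font is "font-size: 0" with an optional unit. Attackers
# also use 1px fonts and background-colored text; those need further rules.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag


class ZeroFontSplitter(HTMLParser):
    """Collects the text a human sees and the text hidden at zero size."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._hidden_depth = 0  # > 0 while inside a zero-font element
        self._stack = []        # one flag per open tag: did it hide its text?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hides = bool(ZERO_FONT.search(style))
        self._stack.append(hides)
        if hides:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def _normalize(text):
    return re.sub(r"\s+", " ", text).strip()


def split_text(html):
    """Return (visible_text, hidden_text) for an HTML body."""
    parser = ZeroFontSplitter()
    parser.feed(html)
    parser.close()
    # Visible fragments are adjacent runs of one sentence; hidden ones are
    # separate islands, so join them with a space for readability.
    return _normalize("".join(parser.visible)), _normalize(" ".join(parser.hidden))


def analyze(html, phrases=("verify your account",)):
    """Compare a naive raw-text match with a match on what the reader sees."""
    visible, hidden = split_text(html)
    raw = _normalize(re.sub(r"<[^>]+>", " ", html)).lower()
    return {
        "hidden_text": hidden,
        "raw_text_matches": any(p in raw for p in phrases),
        "visible_text_matches": any(p in visible.lower() for p in phrases),
        # Any hidden text at all inside a transactional-looking mail is itself a signal.
        "has_zero_font_text": bool(hidden),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports that the raw-text match fails while the visible-text match succeeds, and that the message carries hidden text at all, which is the more robust signal: render-aware extraction, not a longer keyword list, is what closes this gap.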
My father-in-law works in finance and is incredibly security conscious. He was almost giddy when I began walking the infosec career path. He's always asking me what's new in security, asking me about certain security vendors' efficacy, and forwarding me TED Talks from security experts around the world. Last year, he was preparing to fly to Denver for Christmas. Two days before departure, he got an email from FedEx explaining that the gift he was expecting that day was delayed. He immediately clicked into the email to figure out if it would get to him in time for his trip. Luckily his company had certain protections in place so that he was prevented from following the malicious link. We will always have our click-happy end users-- that's a fact. However, even our well-trained and more knowledgeable end users are falling for ever more sophisticated and targeted attacks.
Cybercriminals are smart. They are topical and creative, and they understand atmospheres of chaos are ripe with the amount of multi-tasking and inattention to detail that they need to successfully unleash havoc.
Often end users think that they aren't big enough to be targeted. State-sponsored Russian hackers gained access to the US power grid via phishing attacks. According to the Department of Homeland Security and the FBI, the attacks affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors. This wasn't accomplished by spear-phishing the high-value targets directly. The hackers first compromised the smaller companies that worked with their larger target, then sent phishing emails from those companies' mailboxes. Because the messages came from known, trusted contacts, and because the smaller suppliers typically had less sophisticated security, that trust became the route into the final target.
Even if your clients aren't connected to the power grid, MSPs and their clients are HIGHLY targeted. In 2021, attacks against ISP/MSP organizations went up by 67%, making them one of the top targeted industries. When it comes to something getting through, it's more a question of when than if. Anyone with an internet connection can buy Phishing-as-a-Service packages. We are playing in a landscape of both sophisticated hackers and 16-year-olds with $20 trying to figure out how to make easy money.
In technology, and particularly in security, we have to move fast to make sure that our preventative measures can still outperform the innovative means that criminals are using to get into our inboxes. The first iteration of email security was the Secure Email Gateway (SEG). A SEG sits in front of the mail server, in the MX path, and scans inbound mail before it is delivered. This was a great solution when our networks ran mostly on-prem, particularly for the pesky spam problem for those of us who weren't looking to update our car warranty every other day. However, as more businesses moved to the cloud, it became easier and easier for agile attackers to figure out how to sneak around them.
Limitations of SEGs include the fact that they are public knowledge to a savvy attacker: the domain's MX records point at the gateway, so anyone who looks them up (with a site like MX Toolbox or a plain dig query) knows which vendor's gateway they are up against and can tune a lure until it gets past that specific product. SEGs aren't great at spotting BEC attacks and are blind to internal threats, since mail that never leaves the tenant never passes through the gateway.
According to the FBI, Americans lost $2.4 billion to BEC scams in 2021. To effectively safeguard our clients, this is an attack that we CANNOT be blind to. SEGs are great at spam. But spam is annoying, not dangerous. Beyond the threat factor, they can be a management nightmare. They require time-consuming and tedious MX record changes, and techs often spend a good deal of time auditing false positives and updating sender lists.
In 2015, the founders of Avanan realized that SEGs were a dated way of looking at an evolving problem.
They were the first to build a cloud API-based email security solution to better address the pitfalls of the shifting landscape. These API connections allow Avanan to bring email security into the cloud. They also allow us to use AI and ML to build social graphs, index users, and learn the usual patterns of communication within the first 48 hours of deployment. Understanding normal communication helps detect anomalies. My CEO isn't often asking me for my bank account information. He's actually never emailed me. So when Avanan sees that Gil Shwed suddenly pops into my inbox and is asking for oddly specific information, it can recognize that this isn't normal and pull the message out, regardless of whether or not it has a link or attachment.
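The relationship-baseline idea described above, as an added example: this is not Avanan's code or model, only an illustrative simplification of "learn who normally writes to whom, then flag the outlier" for a lure that carries no link or attachment. The message history, addresses, and the VIP table are constructed sample data (the name Gil Shwed is taken from the text above; the addresses are invented), and the keyword list and score thresholds are assumptions chosen for the illustration.

```python
"""Social-graph baseline for a link-free BEC lure.

Added example, not code from the original post or from Avanan.
All message data below is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed history of past (sender, recipient) pairs inside the tenant.
# Note the CEO has mailed Maria before but has never mailed Rayna.
HISTORY = [
    ("maria@example.com", "rayna@example.com"),
    ("maria@example.com", "rayna@example.com"),
    ("rayna@example.com", "maria@example.com"),
    ("dev-team@example.com", "rayna@example.com"),
    ("ceo@example.com", "maria@example.com"),
]

# Assumption: the tenant knows which display names are worth impersonating
# and the real address behind each one.
VIPS = {"Gil Shwed": "ceo@example.com"}

# Assumption: wording typical of payment and credential requests.
REQUEST_WORDS = re.compile(
    r"\b(bank account|wire|gift card|routing number|urgent|confidential)\b", re.I
)
QUARANTINE_THRESHOLD = 5


def build_graph(history):
    """graph[recipient][sender] = number of past messages on that edge."""
    graph = defaultdict(Counter)
    for sender, recipient in history:
        graph[recipient.lower()][sender.lower()] += 1
    return graph


def score_message(graph, msg):
    """Return (score, reasons) for a message dict with display_name/from/to/subject/body."""
    reasons, score = [], 0
    sender, recipient = msg["from"].lower(), msg["to"].lower()

    # 1. Is this a relationship that has never existed before?
    if graph[recipient][sender] == 0:
        reasons.append("first message ever from this sender to this recipient")
        score += 2

    # 2. Does the display name claim to be a VIP while the address says otherwise?
    real_address = VIPS.get(msg["display_name"])
    if real_address and real_address != sender:
        reasons.append(f"display name matches a VIP but address is not {real_address}")
        score += 3

    # 3. Does the text ask for something sensitive?  No link or attachment needed.
    hits = {m.lower() for m in REQUEST_WORDS.findall(msg["subject"] + " " + msg["body"])}
    if hits:
        reasons.append("sensitive-request wording: " + ", ".join(sorted(hits)))
        score += len(hits)

    return score, reasons


def verdict(graph, msg):
    score, reasons = score_message(graph, msg)
    return ("quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"), score, reasons


# Constructed messages: one BEC lure with no link, one ordinary internal note.
BEC_LURE = {
    "display_name": "Gil Shwed",
    "from": "gil.shwed.ceo@webmail-example.invalid",
    "to": "rayna@example.com",
    "subject": "Urgent",
    "body": "Are you at your desk? I need your bank account details for a confidential payment.",
}
NORMAL_NOTE = {
    "display_name": "Maria",
    "from": "maria@example.com",
    "to": "rayna@example.com",
    "subject": "lunch",
    "body": "Teams call at noon?",
}

if __name__ == "__main__":
    graph = build_graph(HISTORY)
    for message in (BEC_LURE, NORMAL_NOTE):
        decision, score, reasons = verdict(graph, message)
        print(f"{message['subject']!r}: {decision} (score {score}) {reasons}")
```

The lure trips all three checks (an edge that has never existed, a VIP display name on a foreign address, and payment wording) and is quarantined on the text alone; the lunch note scores zero. A real engine weights hundreds of such indicators and learns the graph continuously, but the point the text makes survives in the toy: the signal is the relationship, not the payload.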
We've seen the API approach catch on in the market. Sitting inside the cloud is necessary to combat BEC attacks along with many others. However, the approach has a limitation. Most API-based solutions offer post-delivery 'detection'. An email lands in a user's inbox, the API-based solution analyzes it, and if it is deemed malicious, the solution pulls it from the mailbox. This process takes, on average, three minutes. End-User Eddy, though, is primed and ready to click into the message during that gap. In fact, on average the time to click is just 82 seconds. Now IMAGINE if the subject of the email proclaimed you a big winner. As someone who isn't often noticed for being a winner, I'm clicking in. I feel seen for the first time. It won't even take me 82 seconds. Detection is not fast enough. It exposes users to malicious emails.
We can't talk about protecting email in the cloud without also talking about collaboration and file-sharing applications. I don't know about you all, but I don't get out of bed if not to send funny gifs to my friends and coworkers on Teams. We all have our WHY. If you take away any industry trend today, I hope it's this: there is no better gif category for the day-to-day obstacles of work than "infomercial." Point being, more and more, employees turn to collaboration apps like Teams and Slack for morale, culture, and urgent questions and requests. Urgency is often employed by cybercriminals to convince end users to interact without thinking. If we want to protect from BEC and other phishing attacks, we have to protect our entire collaboration suite.
Pax8 partnered with ESG last year, interviewing over 500 MSPs on what's important to focus on when they build out their security stack. The takeaways were that MSPs were looking for efficiency and efficacy. As we've discussed, 91% of breaches start via email. When we look at our security stack, we want to have an eagle-eyed focus on protecting email and collaboration. Our goal is to find a solution that scans incoming, outgoing, and internal communication and PREVENTS malicious messages from ever reaching the end user. End users aren't security analysts and no amount of training will shift that. From an administrative perspective, we can't buy time, so we need to have automation, low false positives, and ease of use and deployment. One MSP recently told us they spent about 15 hours a week auditing emails, false positives, and sender lists. That's a huge business cost. This has to be cut down to run efficiently and focus on more complicated security tasks.
Avanan is uniquely positioned in the cloud prior to the inbox. We PREVENT malicious emails from hitting the inbox, we don't rely solely on remediating something that's already been delivered.
When we were acquired last year by Check Point, our 300+ AI phishing indicators gained access to Check Point's ThreatCloud. Check Point reports that ThreatCloud processes 86 billion transactions a day across 150,000 networks, which it describes as the largest data lake of threat intelligence in the world, and that it discovers 7,000 zero-day attacks every day. It's processing threats well beyond the email space. AI is only as smart as the data set it's pulling from, and with ThreatCloud, our AI engines understand in detail what the latest attack trends are.
Security is as much a technology play as it is a psychology play. We have to use best-in-class technology along with a creative approach to remain competitive with the new threats being created each day. How are we thinking about protecting our customers and their businesses from the massive attack surface that is email and collaboration?
Eagles are known for their acute eyesight, almost five times better than that of humans. I once spent a good 30 minutes on a very rainy Alaskan camping trip watching an eagle dive after a duckling, miss, regroup on a branch, dive again, miss, circle above, swoop, and miss again. It was horrifying. I didn't know who to root for and it was impossible to look away. There's a lot that we, as IT professionals, know how to look for: Nigerian prince scams, gift card number requests, lookalike domains such as outlooks.com. But when we hyperfocus on one approach, or one attack, many things get missed. We might find ourselves going after ducklings instead of the real threats that lie below the surface.
We need to take a step back, survey the landscape, and understand that, like glacier-carved Alaska, it is constantly changing due to powerful and steady forces. It's become harder and harder to keep our eyes on every shift. Alone, we can't come at this massive problem from every angle. We have to continue honing our acute eyesight and focusing on the latest attack vectors and the best possible means of defense.
In the end, the eagle didn't get the duck. But that's okay, there were quite a few fatty salmon that he fished for just after.