Why Employee Training Can't Solve The Phishing Problem
Posted by Michael Landewe on June 27, 2018
Microsoft’s 23rd edition Security Intelligence Report (2018) is out, and it confirms a conclusion most of the security industry has already reached: we can no longer rely on the end user to protect our networks.
Security training is a vital part of every organization's defensive posture. When automated systems fail, the end user may be the very last line of defense. Over the last year, however, the number and sophistication of phishing attacks have risen markedly.
Humans are imperfect on the best of days. An employee reading a hundred emails in the middle of a stressful workday will eventually click on a malicious one, however well trained and observant.
“As the cost of circumventing security measures increases, hackers are taking advantage of low-hanging fruit. The point is that phishing and other social engineering tactics can be more simple and effective than other methods, and they work most of the time for more human beings. If successful, phishing is an easier way to obtain credentials as compared to exploiting a vulnerability, which is increasingly costly and difficult.”
—23rd Microsoft Security Intelligence Report
Phishing Attacks are Increasingly Sophisticated
In the same way that malware comes in various types (keyloggers, ransomware, macro documents), phishing attacks can be broken down by the lure used, by how narrowly they are targeted, and by the psychological technique used to manipulate the user. In each category it is becoming harder for a human being to identify a spoofed email.
Attack Lures and Threat Indicators
Attack lures come in a wide variety of forms, from a file attachment to a malicious link or user impersonation. From the report:
[Figure from the report: Phishing Attack Landscape: Lures/Payloads]
These are the threat indicators that most employee-education programs use to identify a malicious email.
Text Lures Are Improving: Employees are taught to look for typos and poor grammar to identify a text lure, but over the last year attackers have improved their spelling and learned to match the wording of legitimate messages. If the body of an email does not arouse suspicion, most users do no further analysis. Most new attack methods seen in 2018 were designed to improve the look and feel of the phishing email.
Links to Fake SaaS Apps and Credential Phishing Links on the Rise: In 2017, email and online services (especially Office 365, DocuSign, Dropbox, Apple, and Amazon) overtook financial institutions as the #1 phishing target (26.1% vs 20.5%, respectively). This indicates an increased focus on enterprise user credentials: the profit is less direct, but the payout is often much higher. More than 75% of phishing emails include malicious URLs pointing to phishing sites.
More phishing sites are using HTTPS certificates so that the browser shows the green “secure” padlock, which users, ironically, read as “safe”. The padlock only means that the connection is encrypted and that the site holds a certificate for its own domain; domain-validated certificates are issued automatically and at no cost, so the padlock says nothing about who registered the domain.
Domain Spoofing and Domain Impersonation Are More Sophisticated: 2018 has seen widespread use of Punycode and homograph domains, redirect chains, and other methods that make it very difficult for a user to identify a spoofed URL or fake sender domain without spending a few minutes on each email. Unless there are other threat indicators in the body, few users take the time or have the tools to dig further. Note, too, that SPF and DKIM only establish that a message really came from the domain it claims to come from: an attacker sending from a compromised or attacker-controlled Microsoft account sends from an authentic Microsoft address and passes the very authentication checks that would otherwise flag them.
Phishing Attachments Are Less Popular: The lowest-hanging fruit keeps changing. As email providers have adopted new security, malicious files that bypass the new filters have become more expensive for attackers, which is one reason we see fewer malicious attachments even while every other phishing method is on the rise. Often the only advice security training offers about attachments is to ‘only open a file from someone you trust’; as spoofing methods become more sophisticated, that directive is hard to follow.
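The HTTPS, domain-spoofing and authentication points above are the kind of analysis a filter can do in milliseconds for every message. The following is an added example, not code from the original post, from Avanan or from Microsoft: it decodes a Punycode host, flags mixed scripts and confusable lookalikes of a brand list, and compares a sender's display name with the domain that actually passed SPF, DKIM and DMARC. The brand list, the Cyrillic confusables subset, the sample URLs, the sender address and the Authentication-Results fragment are all constructed for the demonstration, and the registrable-domain helper takes the last two labels instead of consulting the public suffix list.

```python
"""
Machine checks for the lures described above. Added example; not code from
Avanan or Microsoft. BRAND_DOMAINS, CONFUSABLES and all samples are
constructed for the demonstration.
"""
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed brand list; a deployment would maintain this per organisation.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "outlook.com", "live.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "dropbox": {"dropbox.com"},
    "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com"},
}

# Hand-picked Cyrillic letters that render like Latin ones: a small subset
# of the Unicode confusables data, chosen for the example.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def _script(ch):
    """Script of a letter, taken from the prefix of its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None


def _registrable(host):
    """Last two labels. Simplification: no public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def analyze_host(host):
    """Decode a Punycode host and compute the homograph indicators a filter
    sees instantly but a user reading the address bar cannot."""
    try:
        unicode_host = host.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_host = host  # already Unicode, or not valid IDNA
    scripts = {_script(ch) for ch in unicode_host} - {None}
    folded = unicode_host.translate(CONFUSABLES)
    lookalike = None
    for brand, domains in BRAND_DOMAINS.items():
        if _registrable(folded) in domains and folded != unicode_host:
            lookalike = f"confusable lookalike of {brand}"
        elif brand in folded and _registrable(folded) not in domains:
            lookalike = f"brand keyword '{brand}' in unrelated domain"
    return {
        "host": host,
        "unicode_host": unicode_host,
        "punycode": unicode_host != host,
        "mixed_script": len(scripts) > 1,
        "lookalike": lookalike,
    }


def analyze_url(url):
    """The scheme is deliberately ignored: https only means the connection is
    encrypted to whoever registered the domain."""
    return analyze_host(urlsplit(url).hostname or "")


def analyze_sender(from_header, auth_results):
    """SPF, DKIM and DMARC passes show that the sending domain is genuine, not
    that the sender is. Mail from a compromised or attacker-controlled account
    authenticates cleanly, so compare the brand named in the display name
    with the domain that actually authenticated."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results))
    authenticated = auth.get("dmarc") == "pass" or (
        auth.get("spf") == "pass" and auth.get("dkim") == "pass")
    claimed = [b for b, doms in BRAND_DOMAINS.items()
               if b in display.lower() and _registrable(domain) not in doms]
    return {
        "domain": domain,
        "auth": auth,
        "authenticated": authenticated,
        "impersonated_brand": claimed[0] if claimed else None,
    }


# Constructed samples. The Punycode form is derived here from the Unicode
# string (Cyrillic a and e in "apple") rather than typed in by hand.
SAMPLE_URLS = [
    "https://" + "\u0430ppl\u0435.com".encode("idna").decode("ascii") + "/login",
    "https://microsoft-secure-login.com/verify",
    "https://www.apple.com/",
]
SAMPLE_FROM = "Microsoft Account Team <security@attacker-tenant.onmicrosoft.com>"
SAMPLE_AUTH = ("spf=pass (sender IP is 192.0.2.10) "
               "smtp.mailfrom=attacker-tenant.onmicrosoft.com; "
               "dkim=pass header.d=attacker-tenant.onmicrosoft.com; "
               "dmarc=pass action=none header.from=attacker-tenant.onmicrosoft.com")

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyze_url(sample))
    print(analyze_sender(SAMPLE_FROM, SAMPLE_AUTH))
```

The constructed sender passes all three authentication checks and is still an impersonation; the only machine-visible signal is that the display name names one brand while the authenticated domain belongs to another. The first sample URL decodes to a mixed-script host that folds to a brand domain, the second carries a brand keyword in an unrelated domain, and the third, a genuine brand host, raises no finding.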
Even Highly Trained Users are Clicking
As each of these lures becomes more sophisticated, they move beyond the average user's ability to identify a malicious email. Even as training has improved, click-through rates on malicious messages at companies that run security training remain dangerously high.
Aggregate click-through rates for employees who have had awareness training give an attacker roughly a 1 in 10 chance of success per employee, and a 5% click-through rate is considered a hard-won victory, often achieved only after years of regular exercises. Those rates compound across a campaign: at 5% per employee, and treating each decision as independent, a phishing run against 100 employees has about a 99% chance (1 − 0.95^100 ≈ 0.994) that at least one of them clicks.
Phishing Has Become too Targeted for Traditional Spam-Type filters
Phishing attacks can also be categorized by how narrowly they are targeted, as illustrated in the Microsoft report:
Broad, Spam-like Phishing Attacks Are Easily Caught: Most anti-phishing tools were built on top of a vendor's spam filters, using what is learned across millions of mailboxes to identify mass-mail attacks. This is why large email providers like Google and Microsoft have become so adept at blocking these attacks: the more inboxes they monitor, the faster they can identify a new campaign and block it for all their users.
Targeted, Customized Phishing Attacks Are Hard to Catch and on the Rise: Spear-phishing attacks, especially business email compromise (BEC), have almost doubled since the beginning of the year, made easier by last year's large-scale data breaches. Equifax was just one of 1,293 data breaches in 2017, together compromising more than 174 million records. Attacks built from that data are difficult or impossible for a volume-based filter such as Microsoft's to detect, especially when the attacker sends from a compromised email account.
Targeted Attacks Have Become Psychologically More Sophisticated
Attackers have learned to combine personalized information with a number of effective motivators to elicit the behavior they want. The recent Cofense Enterprise Phishing Resiliency and Defense Report, for example, shows that attackers change their messages when users become immune to a particular kind.
Mature anti-phishing programs may have trained users to spot work-related scams, but most do not cover consumer-targeted messages. In the last year, phishing messages have moved away from workplace themes toward social and safety themes that training rarely addresses. Similarly, fear, urgency, and curiosity were the top motivators in previous years, but they have been replaced by entertainment, social engagement, and reward or recognition.
These are signs that the attackers are adapting to user behavior at a rate that might be faster than even the most aggressive training programs can respond.
The Future of Phish Defense is A.I.
Microsoft's recommendation for addressing the changing phishing threat is the same as in the last edition: more training. The report points readers to:
- Tips on recognizing phishing email messages, links or phone calls
- Overview of phishing and security tips from US Federal Trade Commission
- Phishing overview and resources to report and learn more from US CERT
The lesson to take from the first half of 2018 is that training alone will soon not be enough. Once an email reaches the user's inbox, even the most well-trained employee will eventually click on a well-crafted attack.
The future of email protection lies in machine learning and advanced, interactive A.I. Just as a self-driving car can augment an inattentive driver, individualized systems can perform the same analysis that an intelligent human might perform after years of training, but do so repeatedly, patiently, and quickly for every single message. Ask us how Avanan is leading the way.