We asked our CISO community: What is the largest threat impacting your organization?
Not surprisingly, the majority of CISOs said phishing was one of the primary vectors attackers use. We asked ourselves why this well-established threat mechanism continues to retain relevance as a top concern across industry, and what can be done to increase organizational resiliency in a measurable way.
Providing answers to our questions is Erik Kamerling, Lead Information Security Consultant at K logix.
Why do the majority of CISOs say phishing is one of the top threats impacting their organizations?
Erik: It has been some time since the convergence of counterculture old-school hacking and conventional street crime. When the Internet first evolved, the computer attack realm was largely ruled by talented technologists who were motivated by curiosity or cyber espionage. Street level criminals were not initially part of the computer attack game. So, how and why did they emerge as one of the primary syndicates in the threat community?
For one, phishing is easy and very low risk. Willie Sutton was famously quoted as saying that he robbed banks because “that’s where the money is”, giving us insight into what type of character, what profile of criminal, is attracted to the lowest-hanging fruit. Much in the same way that strong-arm robbery and menacing is often the simplest method to relieve someone of their money in street crime, phishing may be considered one of the simplest and most easily accomplished forms of cyber-attack. However, face-to-face robbery often carries a high risk of physical consequence for the attacker, whereas phishing is equivalently simple, yet carries little to no risk for the perpetrator. This insight into the types of characters who phish us allows us to discuss a proven fix to this social phenomenon that we’ve seen succeed in other areas of society.
I’ve never observed a comprehensive off-the-shelf technical solution to the phishing problem. That’s because the core issue is conventional fraud: a targeting of process weaknesses that our organizations natively embody, rather than exploitation of technical exposure alone. That’s not to say that enterprises should not invest the time, energy, and money in things like secondary phone verification, a rotating intranet nonce, DMARC, DKIM, antivirus, endpoint security agents, email gateways, and reputation-based services. You should, since the above toolbox tackles about 50% of the phishing threat. But even when you have the tools, you’ll still be phished. The question is whether your organization, as a socio-technical entity, can thwart the inevitability when your technology fails to inhibit an attack.
What is Business Email Compromise and how does it relate to Phishing?
Erik: One thing I observed is a rising flood of what the FBI calls “Business Email Compromise” or BEC. A Business Email Compromise is a phishing attack with commonly disastrous financial consequences. BEC is typically derived from phishing. According to the FBI: “Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion.” In a recent global law enforcement sting, the FBI, DHS, Treasury and Postal Service were able to seize nearly $2.4 million from a worldwide criminal syndicate and disrupt $14 million in BEC-related wire transfers.
BECs are often initiated by a first-stage phishing attack against a key employee within a company. The person doesn’t matter; it’s the person’s role that is typically targeted. An attacker looks to gain access to a privileged email account, allowing them to further habituate, through exploitation of inherent privilege, into the email server infrastructure itself. Once account access is gained, attackers often re-route email, change email rules, craft manipulative or access-heightening internal communications to other employees, and further compromise additional accounts. The most noteworthy aspect of a BEC attack process is that the attacker will surveil internal employees’ messages to gain insight into the inter-office communication process that takes place. They do this because they are staging to “strike when the iron is hot” and use intelligence they’ve gained to exploit interpersonal or procedural office conditions to pilfer money, databases, PII or trade secrets.
What is an example of Business Email Compromise in action?
Erik: An attacker has gained access to a Director of Finance’s email account through a sophisticated phishing attack. The attacker then surveils day-to-day email communications and determines that the company CFO demands last-minute financial requests, no questions asked, near the end of day every other Friday. In anticipation of this flurry of emails, the Director stays later every other Friday to quickly process these requests. The attacker lies in wait and spoofs an email from the CFO to the Director at 5 PM Friday, requesting a large payment to an offshore account. Since the Director is acclimatized to this frenzied process, they comply with the request without secondary authentication or second-guessing. It will be Monday before the transaction is discovered, and the company loses a large sum of money.
This can only be accomplished through surveillance and intelligence gathering, and careful scheduling of fictitious communication streams. A phishing attack provided the first inroad to the organization, but phishing is not the only thing that could have been combated. This scenario is largely a con, or what would be more accurately described as a sting, the touch, a big store, or “big con” (David Maurer), which uses trickery and timing to exploit human procedural weaknesses to relieve a target organization of money and resources. This attack’s success was largely due to the exploitation of a flawed human-to-human process within the organization.
How do we build defenses against Business Email Compromise/Phishing?
Erik: If we are interested in building defenses against this phenomenon, then our solution partially lies in changing the authority structure of organizations. Just as important is to build a sense of skepticism and critical thinking amongst employees, non-deference to authority without secondary authentication, and the fostering of a “trust but verify” milieu to effectively combat this threat. The threat is the attacker; the exposure is where our technology fails, AS WELL as the propensity of employees to execute orders expeditiously for fear of consequences handed down by their superiors.
If we think of phishing and BECs as a natural evolution of classical conning, we must ask ourselves what led to the eventual disappearance of common street grifters. It’s a rare occurrence these days to be approached by a con man or “roper” on the street. According to David Maurer, the author of the study The Big Con on the language of con men: “Confidence games are cyclic phenomenon. They appear, rise to a peak of effectiveness, then drop into obscurity”. He also cites the “booming campaign of Federal and Postal propaganda designed to rob the criminal of the sympathetic public opinion” as the primary mechanism in the reduction of street grifting and roping methodologies and often their forced disappearance or extinction. What this means is the more jaded a populace becomes, the more homogeneously skeptical to the methods of the conman, the more a specific con (BEC in this case) loses effectiveness.
The more an organization has a culture of transparent, honest authority in furtherance of the shared company mission, and the more skeptical employees carry the shared mission no matter what their role, the more reluctant they are to blindly execute orders and transactions on behalf of their cohorts or their cohorts’ respective authoritative procedures. A willingness to authenticate orders face to face with coworkers and managers results in a more phishing-resilient organization. I’m quite sure that if we couple simple psychological changes within an organization with the technical toolbox outlined above, we can all perhaps live through an era where we saw phishing arise as a new form of the Con, and we also saw it fade back into obscurity as yet another grift that’s seen better days.