By Atif Mushtaq, CEO, and founder, SlashNext
Phishing has become a growing threat for many enterprises because attackers have upped their game. They can now set up and take down a phishing site within minutes, which makes it very hard for conventional defenses to identify the problem before users fall for the scam. The major types of phishing and social engineering threats today go well beyond bogus email links and attachments. They include credential stealing, scareware, rogue software, exploit-hosting pages, social engineering scams, and phishing callbacks (where the victim is lured into phoning a number the attacker controls).
Attackers now rely on a broad range of digital communication vectors to trick users into giving away credentials and data. Newer campaigns are carried out via phony pop-ups, fake ads, malicious search results, browser extensions, chat applications, social media posts, web "freeware," and deceptive apps downloaded from app stores.
To make matters worse, researching the URLs in suspected phishing incidents has become a costly and time-intensive process, according to a new survey of 300-plus security decision-makers at large U.S. firms. Nearly half of respondents (47%) reported URL research times of six to ten minutes or more per incident, while 24% said they averaged three to five minutes per incident.
Manual URL research is costly and dangerous for large organizations already facing a chronic shortage of trained cybersecurity staff. For an organization with several hundred to several thousand incidents to research per day, spending more than 10 minutes to resolve each one is extremely risky: by the time an analyst reaches a verdict, the phishing URL may already have done its damage or been taken down. Cumulatively, this task can easily consume dozens of analyst hours per day and multiple full-time resources.
Protecting employees from zero-hour phishing threats is especially important for larger organizations in data-intensive fields such as financial services, government, defense, healthcare, energy, and large-scale manufacturing. Yet only 19% of survey respondents reported their URL research as being a fully automated, real-time process. And only one in eight organizations reported real-time operationalization of threat intelligence feeds to block live web threats.
Over half of survey respondents (56%) correctly noted that phishing URLs typically remain active for a very short time, under an hour to just several hours. Yet in a contrasting finding, when it comes to the top three anti-phishing security stack improvements still needed, “More timely phishing threat intelligence/blocklists” was the least popular choice. The most common improvement reported was a “Better way to detect traffic to previously unknown phishing URLs.” The other two most desired anti-phishing improvements were “More effective email phishing detection” and “Better automation across anti-phishing defenses.”
Credential stealing from fake login pages was cited by 21% of respondents as the most dangerous phishing type for an enterprise, followed by malware sites hosting rogue browser extensions and apps at 17%. But other types of phishing sites also ranked high, with scareware and sites hosting weaponized docs coming in at 16%.
Companies use a wide variety of systems as the first system to ingest a third-party phishing threat intelligence feed, the most common being a Threat Intelligence Platform (TIP) at 23%, followed by DNS or web proxy (22%), SOAR (16%), next-generation firewall (16%), SIEM (15%), and others. Outdated blocklists are another common obstacle to fast response: only 23% of respondents reported continuous or real-time blocklist updates. A quarter (25%) reported update intervals of five minutes to an hour, while over half (53%) reported intervals longer than an hour. When a phishing URL goes live, harvests credentials, and disappears in under an hour, a blocklist that is refreshed less often than that cannot reliably block it, so interval-based updates are no longer a dependable defense for attacks arriving at the web layer.
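To make the refresh-interval problem concrete, the following is an added example (not code from the article, the survey, or SlashNext) that models how long a short-lived phishing URL stays reachable when a feed vendor lists it some minutes after it goes live and the enforcement point (proxy, DNS resolver, firewall) only pulls the blocklist on a fixed schedule. The model and its parameters are assumptions for illustration: a constructed URL lifetime and detection latency, and a refresh "phase" that is averaged over because a campaign's go-live time is not aligned with the refresh schedule. The refresh intervals in the table mirror the survey's buckets (continuous, five minutes to an hour, more than an hour).

```python
"""Exposure model for interval-refreshed phishing blocklists.

Hypothetical model written for this article. All inputs below are constructed
for illustration, not survey data: a URL lifetime, a vendor detection latency,
and a set of local blocklist refresh intervals.
"""
import math


def block_time(detect_min: float, refresh_min: float, phase_min: float) -> float:
    """Minute (from URL go-live) at which the local enforcement point blocks it.

    detect_min:  when the feed vendor first lists the URL (detection latency).
    refresh_min: how often the local blocklist is pulled; 0 means continuous push.
    phase_min:   offset of the first refresh boundary, in [0, refresh_min).
    """
    if refresh_min <= 0:
        return detect_min  # real-time feed: blocked as soon as it is listed
    # First refresh boundary at or after the vendor listing time.
    k = math.ceil((detect_min - phase_min) / refresh_min)
    return phase_min + max(k, 0) * refresh_min


def exposure(lifetime_min: float, detect_min: float,
             refresh_min: float, phase_min: float) -> float:
    """Minutes during which the URL is live and users are NOT protected."""
    return min(lifetime_min, block_time(detect_min, refresh_min, phase_min))


def mean_exposure(lifetime_min: float, detect_min: float,
                  refresh_min: float, samples: int = 1000) -> float:
    """Average exposure over all refresh phases (campaign start is random)."""
    if refresh_min <= 0:
        return min(lifetime_min, detect_min)
    phases = [refresh_min * i / samples for i in range(samples)]
    return sum(exposure(lifetime_min, detect_min, refresh_min, p)
               for p in phases) / samples


def unprotected_fraction(lifetime_min: float, detect_min: float,
                         refresh_min: float) -> float:
    """Share of the URL's live window during which the blocklist does not help."""
    return mean_exposure(lifetime_min, detect_min, refresh_min) / lifetime_min


def exposure_table(lifetime_min: float, detect_min: float,
                   refresh_intervals) -> dict:
    """Unprotected fraction per refresh interval, rounded for reporting."""
    return {r: round(unprotected_fraction(lifetime_min, detect_min, r), 3)
            for r in refresh_intervals}


if __name__ == "__main__":
    # Constructed scenario: a URL live for 45 minutes, listed by the vendor
    # 5 minutes after go-live, against refresh schedules from continuous to daily.
    LIFETIME, DETECT = 45.0, 5.0
    for interval, frac in exposure_table(LIFETIME, DETECT,
                                         (0, 5, 60, 240, 1440)).items():
        label = "continuous" if interval == 0 else f"every {interval:>4} min"
        print(f"blocklist refresh {label}: users unprotected for "
              f"{frac:6.1%} of the URL's lifetime")
```

The takeaway is the shape of the curve rather than the exact numbers: once the refresh interval exceeds the URL's lifetime, the blocklist almost never fires before the campaign is over, and the vendor's detection latency becomes the floor on exposure only when updates are pushed continuously. Run it with your own feed's measured detection latency and your proxy's real pull interval.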
Clearly, it has become a race against time for most enterprises to implement threat intelligence quickly enough to protect employees from these fast-moving phishing attacks. This is an area where time and costs could be reduced through greater automation, as is becoming more common using Security Orchestration, Automation, and Response (SOAR) platforms, phishing IR playbooks, and other real-time defenses. More large enterprises will need to shore up their real-time threat detection capabilities or face the threat of catastrophic breaches and data losses.
About the Author
Atif Mushtaq is the CEO and founder of SlashNext, a leader in phishing protection solutions. Before launching SlashNext, Atif spent nine years as a senior scientist at FireEye where he was one of the main architects of its core malware detection system. He has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.