Disrupting the phishing killchain with new defenses [Q&A]
Recent reports have shown that email is still the channel where enterprises are most vulnerable to attacks, in particular phishing.
But adding new browser-based layers of security protection can disrupt such kill chains, for example by preventing phishing victims from reaching or engaging with spoofed sites. We spoke to Red Access co-founder and CTO Tal Dery to find out more.
BN: Could you describe the typical phishing kill chain? What steps are involved?
TD: There's a wide variety of different potential starting points with phishing attacks, the most common being email and SMS (known as smishing), but really any common communication channel that users are familiar with and comfortable using. So communication applications like WhatsApp, Facebook, and LinkedIn can all be points of origin for phishing attacks.
The malicious actors begin by sending an authentic-looking message (i.e. same design, similar domain name, etc.). And the more authentic they can make the message, the better. So, the most effective attacks typically get the right tone of voice, the right linguistic details, and most importantly, are correctly targeted. This means sending an email pretending to be a representative from a bank where the target is a customer, rather than from a bank they have no connection with.
From there, the user is invited to click a hyperlink, which will take them to a malicious website. Once again, it's important that the site looks authentic in its layout, design, URL, and so on. While there are ways of spoofing a legitimate URL, most phishing sites make use of slightly altered versions of the URL they're trying to imitate. For example, rather than 'facebook.com', the URL may have an extra 'o' or an 'i' instead of an 'l'. Anything that will look legitimate at first glance. Once at the malicious site, the victim is typically prompted to log in using their credentials or provide some other form of sensitive information.
Once the information has been typed into the field and submitted, the login credentials (or other data) are received by the malicious party, who uses it to access the victim’s account on the real version of whatever site was being impersonated.
Once again, the better the above steps are executed the more the user will fall for the deception.
BN: Where do traditional tools and technologies, including browsers' native defenses, fall short in preventing these types of attacks?
TD: There are a couple of different stages at which traditional tools and technologies can fail in the phishing kill chain. The first stage takes place at the point of the initial message. For the purposes of this description, let's focus on email as the initial step in the chain. The most common types of email phishing defenses will seek to block the phishing email before it even lands in the user’s inbox. They do this using a variety of different strategies, but unfortunately, the most commonly used defenses have been around for quite some time. And, as a result, many hackers have already figured out how they work, and thus, how to circumvent them.
And the workarounds aren't necessarily complex or difficult to pull off. For example, if the hacker includes an image file in the body of the email, that can often circumvent these security measures. Or, the hacker can send several innocuous emails to their target before sending the phishing email (containing the malicious link), which can give the email security tool the sense that the attacker is a regular, trustworthy correspondent. Both of these tactics, as well as avoiding certain red flag terms, such as 'password' or 'card number', can undermine traditional email security measures, leaving targeted users vulnerable.
The second point where common tools often come up short concerns the phishing website itself. At this stage, the most commonly relied upon security tool is likely the secure web gateway (SWG). SWGs rely on a predefined list of dangerous URLs (i.e. a blacklist) that is used to block users from navigating to those sites. However, if a new phishing website (one that is not included on the blacklist) is employed, the SWGs will not block it -- which will, in turn, leave the target vulnerable to attack.
There are defense solutions available for this kill chain stage, but their capabilities are likewise limited. One example of this is AI-enabled plugins that can block a website from loading when it doesn’t match a logo with a URL. However, these solutions only work reliably with well-known brands. Meanwhile, lesser-known brand identities may leave users potentially vulnerable to spoofed, malicious sites.
BN: What additional layers of defense are needed today to protect organizations from phishing, especially as it relates to site spoofing?
TD: Unfortunately, there are no magic bullets when it comes to phishing. With the wide variety of approaches used and constant innovation coming from the threat actors of the world, no single solution can reliably defend against the full range of modern phishing threats.
However, that doesn't mean there aren't things organizations can do to stem the tide. In today's threat landscape, organizations would be wise to employ several layers of defense to improve their odds of success in the face of modern phishing threats. And underpinning all those layers should be a zero-trust approach. The basic idea behind zero trust is that to ensure an optimal security posture, one must remove all implicit trust from one’s computing infrastructure and ensure access to resources is strictly controlled based on identity, context, and policy.
Another wise approach is to establish and enforce proactive policy measures that flip the script on traditional site lists. Rather than rely on an (often out-of-date) blacklist of URLs to block site access, today’s organizations would be wise to establish and enforce a policy that ensures end-users can only enter sensitive information (e.g. login credentials) on a limited list of websites approved by the organization.
Finally, the shift to a passwordless solution will be a major step forward in the ongoing effort to stem the tide of phishing -- as passwordless authentication solutions are inherently more phishing-resistant than traditional passwords.
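The lookalike-domain trick described in the kill chain answer (an extra 'o', an 'i' for an 'l') and the "approved list of sites for entering credentials" policy described above can be demonstrated together in a single browser-side check. The code below is an added example, not Red Access product code or anything from the interview: the approved hosts are hypothetical, and the confusable-character table, the edit-distance threshold of 2 and the two-label "registrable domain" shortcut are illustrative choices rather than a standard. It goes slightly beyond the text by also catching a brand name buried in a subdomain of an untrusted domain.

```javascript
// Added example, not Red Access code: a browser-side "credential entry allowlist"
// check. The approved hosts are hypothetical, and the confusable-character table
// and edit-distance threshold are illustrative choices rather than any standard.
const APPROVED_LOGIN_HOSTS = [
  "login.example-corp.com",
  "accounts.google.com",
  "www.facebook.com",
];

// Substitutions attackers use to build lookalike names (partial, illustrative).
// Applied to both sides before comparison, so it only needs to be consistent.
const CONFUSABLES = [
  ["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"], ["i", "l"], ["|", "l"],
  ["3", "e"], ["5", "s"],
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"], ["\u0441", "c"], // Cyrillic
];

function canonicalHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Registrable domain (second-level label + TLD). Simplification: no public-suffix
// list, so "example.co.uk" would come out as "co.uk"; fine for the sample hosts.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Collapse confusables so that "faceb00k" and "facebook" compare equal.
function skeleton(s) {
  let out = s;
  for (const [from, to] of CONFUSABLES) out = out.split(from).join(to);
  return out;
}

// Standard Levenshtein edit distance, single-row variant.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Decide whether credentials may be typed into a page served from `host`.
// Approved hosts (and their subdomains) pass; everything else is refused, and the
// reason says whether the host looks like an impersonation of an approved brand.
function evaluateCredentialEntry(host) {
  const h = canonicalHost(host);
  for (const approved of APPROVED_LOGIN_HOSTS) {
    if (h === approved || h.endsWith("." + approved)) return { allow: true, reason: "approved host " + approved };
  }
  const rd = registrableDomain(h);
  const label = skeleton(rd.split(".")[0]);
  const allLabels = h.split(".").map(skeleton);
  for (const approved of APPROVED_LOGIN_HOSTS) {
    const ard = registrableDomain(approved);
    if (rd === ard) return { allow: false, reason: "not an approved host (same domain as " + approved + ")" };
    const brand = skeleton(ard.split(".")[0]);
    if (label === brand) return { allow: false, reason: "homoglyph lookalike of " + approved };
    const d = levenshtein(label, brand);
    if (d <= 2) return { allow: false, reason: "typosquat of " + approved + " (edit distance " + d + ")" };
    if (allLabels.includes(brand)) return { allow: false, reason: "brand name " + brand + " embedded under untrusted domain" };
  }
  return { allow: false, reason: "host not on approved list" };
}

// Browser side: block submission of any form containing a password field when
// the current host fails the policy. In practice this runs as an extension
// content script; the guard is a no-op outside a browser (e.g. under Node).
function guardPasswordForms(doc, host) {
  const verdict = evaluateCredentialEntry(host);
  if (verdict.allow) return verdict;
  doc.addEventListener("submit", (ev) => {
    if (ev.target.querySelector("input[type=password]")) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
  return verdict;
}

if (typeof document !== "undefined" && typeof location !== "undefined") {
  guardPasswordForms(document, location.hostname);
}
```

Two caveats a deployment would have to handle: the edit-distance threshold will produce false positives for very short brand labels, so real policies usually pair it with an explicit deny-with-warning rather than a hard block; and the two-label registrable-domain shortcut must be replaced with a public-suffix list before it is applied to hosts under suffixes such as co.uk.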
BN: What else can organizations do to better protect themselves against these attacks?
TD: One of the most important steps security leaders should take in response to these phishing threats is to increase awareness among employees. Well-designed simulation training is a great way to safely expose people to common phishing strategies, and ensure they recognize them for what they are when encountering them in the wild.
It's also important that companies use protections to avoid the malicious use of email aliases in order to send out emails on behalf of employees. Authentication methods such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) are all useful tools for safeguarding email accounts and verifying a sender's identity.
It’s also important that organizations implement security policies at the browser-level as well. That way, even if a malicious email makes it into an employee’s inbox and they click a malicious link, they are either prevented from navigating to the malicious page or prevented from entering their credentials.
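To show what DMARC actually does with the SPF and DKIM results mentioned above, here is an added example (not Red Access code and not taken from the interview) of the receiver-side decision: a DMARC record is parsed, each authentication result is checked for alignment with the visible From domain, and the published policy is applied when neither aligns. The `_dmarc` TXT records and the message scenarios are constructed sample data, not DNS lookups, and the "last two labels" organizational-domain rule is a simplification that stands in for a public-suffix list. An `auditDmarc` helper is included because a record with `p=none` or a low `pct` is deployed DMARC that still leaves the domain spoofable.

```javascript
// Added example, not Red Access code: how a receiving mail server applies the
// sending domain's DMARC policy, plus a quick audit of weak DMARC settings.
// The records and messages below are constructed sample data, not DNS lookups.

// Constructed TXT records as they would be published at _dmarc.<domain>.
const SAMPLE_DMARC_RECORDS = {
  "example-corp.com":
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example-corp.com",
  "weak.example": "v=DMARC1; p=none; pct=50",
};

// Parse the tag=value list of a DMARC record; null if it is not a DMARC record.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    tags[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  if (tags.v !== "DMARC1" || !tags.p) return null;
  return {
    p: tags.p,
    sp: tags.sp || tags.p,          // subdomain policy defaults to p
    adkim: tags.adkim || "r",       // alignment modes default to relaxed
    aspf: tags.aspf || "r",
    pct: tags.pct === undefined ? 100 : Number(tags.pct),
    rua: tags.rua || null,
  };
}

// Organizational domain. Simplification: no public-suffix list, so the last two
// labels are used; good enough for the sample domains here.
function orgDomain(domain) {
  return domain.split(".").slice(-2).join(".");
}

// Identifier alignment: strict ("s") needs an exact match with the From domain,
// relaxed ("r") accepts any domain in the same organizational domain.
function aligned(fromDomain, authDomain, mode) {
  if (!authDomain) return false;
  return mode === "s" ? fromDomain === authDomain : orgDomain(fromDomain) === orgDomain(authDomain);
}

// msg = { fromDomain, spf: { result, domain }, dkim: { result, domain } } where
// result is "pass"/"fail"/"none" from the SPF and DKIM checks already performed
// and domain is the domain each check authenticated (MAIL FROM for SPF, d= for DKIM).
function dmarcDisposition(msg, records = SAMPLE_DMARC_RECORDS) {
  const from = msg.fromDomain.toLowerCase();
  const org = orgDomain(from);
  // Look for a record at the From domain first, then at its organizational domain.
  const recordDomain = records[from] ? from : org;
  const policy = records[recordDomain] ? parseDmarc(records[recordDomain]) : null;
  if (!policy) return { result: "none", disposition: "none", reason: "no DMARC record" };

  const spfOk = msg.spf.result === "pass" && aligned(from, msg.spf.domain, policy.aspf);
  const dkimOk = msg.dkim.result === "pass" && aligned(from, msg.dkim.domain, policy.adkim);
  if (spfOk || dkimOk) {
    return { result: "pass", disposition: "none", reason: spfOk ? "SPF passed and aligned" : "DKIM passed and aligned" };
  }
  // Neither mechanism both passed and aligned: apply p, or sp when the record
  // lives at the organizational domain and the From domain is a subdomain.
  const disposition = recordDomain === from ? policy.p : policy.sp;
  return { result: "fail", disposition, reason: "no aligned SPF or DKIM pass (pct=" + policy.pct + ")" };
}

// Settings that leave a domain spoofable even though "DMARC is deployed".
function auditDmarc(txt) {
  const policy = parseDmarc(txt);
  if (!policy) return ["not a valid DMARC record"];
  const findings = [];
  if (policy.p === "none") findings.push("p=none: failures are only reported, never blocked");
  if (policy.sp === "none") findings.push("sp=none: subdomains can be spoofed");
  if (policy.pct < 100) findings.push("pct=" + policy.pct + ": policy applied to only part of the mail");
  if (!policy.rua) findings.push("no rua: no aggregate reports, so spoofing goes unnoticed");
  return findings;
}
```

The point the scenario makes: an attacker's server can legitimately pass SPF for its own domain, so what protects the `From: hr@example-corp.com` address is alignment, not the bare SPF result; with the sample record the spoofed message is rejected, while a message from a subdomain that only carries a DKIM signature for the parent domain falls to `sp=quarantine` because `adkim=s` demands an exact match.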
BN: Beyond phishing, what kinds of threats and challenges are you encountering in the secure browsing space?
TD: The better question would be what don't we see in the browsing space? In recent years -- especially with the advent of remote and hybrid work -- web browsing has become the average knowledge worker's primary means of accessing work. Whether it's checking email, drafting memos, building a slide deck, or researching for a project, practically everything we do for work now happens in the browser environment.
As a result, we are seeing a wide range of threats and challenges that fall under the purview of browsing security. Everything from data leakage from SaaS proliferation and credential theft, to webcam takeovers and malicious plugin installation are on the rise. With the browser now playing such a central, foundational role in the average employee’s day-to-day, it is increasingly important for organizations to employ additional security measures to protect this attack surface.
Image credit: kopitin/depositphotos.com