Recent years have seen a marked increase in phishing as a preferred attack avenue. Phishing emails come in various forms. Some contain malicious attachments or have links which, once users click, direct them to a malicious website for a drive-by malware download, leading to infections by ransomware or other malicious software.
Other phishing attack variations do not deliver malicious files, but rather rely on pure social engineering techniques whereby the user is manipulated into undertaking a harmful action. A popular variant of this has been CEO fraud in which an email appears to come from the CEO of a company and instructs a CFO (or equivalent) to transfer funds into an account controlled by the attackers.
At Info Security Europe 2016, we asked nearly 300 security professionals what steps they have taken to protect their organisations from phishing threats.
The results were encouraging, with 45 percent of respondents stating that every person within the organisation, including the CEO, is trained to be able to spot a phishing email. A further 35 percent stated that most of their employees received such training.
However, delivering user awareness training is often the easy part of the solution. Ensuring that it is effective and having confidence in its ability to change behaviours is slightly more challenging.
Over a third of participants responded that their executives had fallen victim to a CEO fraud email. Confidence about future events is even lower: over half of respondents stated that their execs could very well fall victim to phishing scams in the future, and a further 30 percent stated this might be possible if the phishing scam was well-crafted and convincing.
The challenge that lies here is two-fold. Firstly, most phishing scams that target execs are well-crafted and researched. Attackers typically register similar-looking domains and thoroughly research an exec’s background.
Secondly, many execs have personal assistants who manage their day-to-day operations and who are often more susceptible to social engineering tactics than the execs themselves. As such, it is important to train all users within the organisation, as attackers will likely identify and strike through the weakest links.
For attackers, the weakest links don’t always reside within the company.
CEO fraud is a form of impersonation fraud, and isn’t always limited to personnel within the company. Third party suppliers, partners, and even customers are routinely targeted by such scams, so initiatives to raise awareness should include all associated parties, not just internal employees.
Also, it is important to monitor third party activity and utilise up-to-date threat intelligence to bring to light the ever-evolving methods employed by criminals.
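The similar-looking domains mentioned above are something a mail gateway or SOC can check for mechanically. The following is an added example, not code from the original article or from any product it describes: it classifies the From: header of an inbound message against a constructed list of trusted domains (the organisation's own plus its suppliers), catching digit and accent homoglyphs, the trusted name under a different TLD or padded with extra words, short edit-distance typo-squats, and a trusted domain written into the display name while the real address is elsewhere. The trusted domains, the digit-lookalike table, the minimal second-level suffix list and the distance threshold are all assumptions for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed example data: the domains this organisation and its key suppliers
# legitimately send from. A real deployment would load this from the mail
# gateway or a partner register.
TRUSTED_DOMAINS = {"example-corp.com", "partner-supplies.co.uk"}

# Digits that read as letters in a typical mail-client font (assumed table).
_DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Minimal list of second-level public suffixes under two-letter country codes
# (an assumption for this example; use the Public Suffix List in production).
_SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


def normalise_label(label: str) -> str:
    """Fold a domain label so visually similar spellings compare equal."""
    decomposed = unicodedata.normalize("NFKD", label)          # split accents off
    folded = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    folded = folded.translate(_DIGIT_LOOKALIKES)
    # Two-letter imitations: 'rn' is read as 'm', 'vv' as 'w'.
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def registrable_domain(domain: str) -> str:
    """Strip subdomains, keeping only the part an attacker would have to register."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in _SECOND_LEVEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify one From: header. Returns (verdict, matched_trusted_domain_or_None)."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ("malformed", None)
    domain = address.rsplit("@", 1)[1].lower()

    # 1. Exact match or genuine subdomain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)

    # 2. Trusted domain shown in the display name while the real address is elsewhere.
    lowered_name = display_name.lower()
    for t in trusted:
        if t in lowered_name:
            return ("display_name_spoof", t)

    # 3. Lookalikes: trusted domain buried inside a longer host name, the same name
    #    under another TLD, homoglyph substitutions, or a short edit distance.
    sender_label = normalise_label(registrable_domain(domain).split(".", 1)[0])
    for t in trusted:
        trusted_label = normalise_label(t.split(".", 1)[0])
        if t in domain:
            return ("lookalike", t)
        if sender_label == trusted_label:
            return ("lookalike", t)
        if len(trusted_label) >= 5 and trusted_label in sender_label:
            return ("lookalike", t)
        if len(trusted_label) >= 5 and levenshtein(sender_label, trusted_label) <= max_distance:
            return ("lookalike", t)
    return ("unrelated", None)


if __name__ == "__main__":
    for header in ("Jane Smith <ceo@example-corp.com>",
                   "Jane Smith <ceo@examp1e-corp.com>",
                   "accounts@partner-supp1ies.co.uk",
                   '"Jane Smith example-corp.com" <jane.smith.ceo@gmail.com>'):
        print(header, "->", classify_sender(header))
```

A "lookalike" or "display_name_spoof" verdict is a reason to tag the message and route payment-related requests to manual verification rather than to block outright; the edit-distance threshold and the minimum label length exist to keep short, generic names from matching each other.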
The Price of Data
Ransomware has been on the rise over the last couple of years. Phishing emails usually provide the initial access into an organisation. Once a malicious payload is executed, it connects to a Command and Control (C&C) server, after which the malware begins to encrypt specific file types on the system as well as on shared drives. The ransomware then demands payment, usually within a set time period, in order to unlock the encrypted files.
From a business perspective, ransomware runs on a different model from traditional cyber attacks. In the case of ransomware, the attackers are typically not looking to steal data. In fact, the encrypted data itself would likely be worth nothing on the black market. However, for an individual or business, the locked files may be valuable from a financial or sentimental perspective.
Unless backups are available from which the data can be recovered, victims face the choice of whether or not to pay to have their files restored.
Our poll of 300 security professionals was split as to whether or not they’d pay and also the reasons behind their decisions.
44 percent stated they would likely pay the ransom to recover files or to avoid public disclosure.
27 percent of respondents stated they would refuse to negotiate or pay a ransom as a matter of principle.
Only 28 percent of security professionals surveyed stated that they had backups of all data and thus would have no need to pay the ransom as they would simply wipe the infected machines and restore.
When awareness is not enough
Even with comprehensive training programs in place to raise employee and partner awareness, this is often still not enough to prevent the inevitable. Therefore it is important to also have a plan in place to detect and recover from ransomware attacks.
Having reliable backups is the first port of call. In addition, it is important to have detection controls on both the network and the host, correlated with each other and kept up to date with the latest threat intelligence, in order to isolate indicators of exposure (IOEs) and indicators of compromise (IOCs) relating to ransomware. This makes it easier to detect when a ransomware file is being downloaded or when systems attempt to connect to a C&C server and post data.
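The correlation of host and network detection described above can be illustrated with a small amount of code. What follows is an added example, not code from the original article: it runs two detections over constructed log extracts, a host file-audit feed and a web-proxy log, and then combines them per host. The host rule looks for the footprint of encryption sweeping local folders and mapped shares (a burst of renames that all gain the same new extension); the network rule matches proxy destinations against an indicator list. The log layouts, the thresholds, the host names and the placeholder indicator domain are all assumptions for the example and not real IOCs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed: a placeholder, not a real C&C domain.
C2_DOMAINS = {"c2-placeholder.invalid"}

# Constructed host file-audit events (assumed layout: time host action old_path new_path).
HOST_AUDIT = """\
2016-06-08T10:00:01 ws17 rename C:/Users/jo/Docs/q1.xlsx C:/Users/jo/Docs/q1.xlsx.locked
2016-06-08T10:00:02 ws17 rename C:/Users/jo/Docs/q2.xlsx C:/Users/jo/Docs/q2.xlsx.locked
2016-06-08T10:00:02 ws17 rename C:/Users/jo/Docs/plan.docx C:/Users/jo/Docs/plan.docx.locked
2016-06-08T10:00:03 ws17 rename S:/Finance/budget.xlsx S:/Finance/budget.xlsx.locked
2016-06-08T10:00:03 ws17 rename S:/Finance/ap.csv S:/Finance/ap.csv.locked
2016-06-08T10:00:04 ws17 rename S:/Finance/ar.csv S:/Finance/ar.csv.locked
2016-06-08T10:05:00 ws22 rename C:/Users/al/draft.docx C:/Users/al/draft-final.docx
2016-06-08T11:30:00 ws09 rename C:/Users/mo/a.txt C:/Users/mo/a.txt.bak
"""

# Constructed web-proxy log (assumed layout: time host destination method status bytes_out).
PROXY_LOG = """\
2016-06-08T09:59:50 ws17 c2-placeholder.invalid POST 200 2048
2016-06-08T10:00:10 ws22 intranet.example-corp.com GET 200 312
2016-06-08T10:01:00 ws09 updates.example.com GET 200 128
"""


def parse_lines(text, fields):
    """Split whitespace-delimited log lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]


def host_alerts(audit_text, window=timedelta(seconds=60), min_files=5):
    """Flag hosts that rename at least `min_files` files to one new extension within `window`."""
    renames = defaultdict(list)
    for e in parse_lines(audit_text, ("time", "host", "action", "old", "new")):
        if e["action"] != "rename":
            continue
        old_ext = e["old"].rsplit(".", 1)[-1].lower()
        new_ext = e["new"].rsplit(".", 1)[-1].lower()
        if new_ext != old_ext:                      # extension changed: candidate artefact
            renames[e["host"]].append((datetime.fromisoformat(e["time"]), new_ext))
    alerts = {}
    for host, events in renames.items():
        events.sort()
        for i, (start, ext) in enumerate(events):   # sliding window from each event
            in_window = [1 for t, x in events[i:] if x == ext and t - start <= window]
            if len(in_window) >= min_files:
                alerts[host] = {"first_seen": start, "extension": ext, "files": len(in_window)}
                break
    return alerts


def network_alerts(proxy_text, c2_domains=C2_DOMAINS):
    """Record the first contact each host makes with a destination on the indicator list."""
    alerts = {}
    for r in parse_lines(proxy_text, ("time", "host", "dst", "method", "status", "bytes_out")):
        if r["dst"] in c2_domains and r["host"] not in alerts:
            alerts[r["host"]] = {"time": datetime.fromisoformat(r["time"]),
                                 "dst": r["dst"], "bytes_out": int(r["bytes_out"])}
    return alerts


def correlate(audit_text, proxy_text, max_gap=timedelta(minutes=10)):
    """Rank hosts: both signals close in time -> high; rename burst only -> medium; C&C only -> low."""
    hosts = host_alerts(audit_text)
    nets = network_alerts(proxy_text)
    severity = {}
    for host in set(hosts) | set(nets):
        h, n = hosts.get(host), nets.get(host)
        if h and n and abs(h["first_seen"] - n["time"]) <= max_gap:
            severity[host] = "high"
        elif h:
            severity[host] = "medium"
        else:
            severity[host] = "low"
    return severity


if __name__ == "__main__":
    print(host_alerts(HOST_AUDIT))
    print(network_alerts(PROXY_LOG))
    print(correlate(HOST_AUDIT, PROXY_LOG))
```

On the constructed data only ws17 trips both rules, eleven seconds apart, and is ranked high; the single rename on ws09 and the ordinary save-as on ws22 (extension unchanged) produce nothing. The window size and file count are the knobs to tune against a real file server's baseline, and the network rule is deliberately indicator-driven so that it stays current only if the feed behind C2_DOMAINS does.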
Similarly, for financial payments, it is vital that instructions are validated prior to execution. There need to be processes in place so that simply accepting an email directive to make a large payment to a new entity is not possible, even for the highest executives; secondary verification should always take place.
This serves as a good reminder that no matter how robust preventative controls are, they are susceptible to being bypassed. That is why having effective threat detection controls in place is essential, as is having recovery plans in place.