By bagging a privileged user early on, attackers can move from entry point to mission accomplished in no time at all.
In the world of cybersecurity, there are two wildly different approaches to phishing.
The first, which we subscribe to, recognizes the threat posed to organizations by phishing attacks, and seeks to defend against it by both educating employees and tightening internal controls. In those cases where a phishing attack is successful, our camp aims to eliminate the threat as quickly as possible, and then learn from it.
The second approach is quite different.
There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.
I believe this is a mistake, and I’ll explain why.
Understanding your attacker
Whatever your approach to cyber security, it makes sense to start with an understanding of the people you’re trying to protect.
Image Source: PhishLabs
The Verizon 2016 Data Breach Investigations Report is a tremendous resource for this sort of research; it immediately informs us that external attackers cause the majority of breaches. The insider threat is certainly a concern, but statistically you’re far, far more likely to be breached by an external actor.
The report also explains that although you’ll need to defend against many different cyber weapons (malware, social engineering, hacking, etc.), most attacks fall into two categories: point of sale (PoS) and phishing. Unsurprisingly, our main focus is on the various threats posed by phishing attacks. But perhaps most important of all, the report provides insight directly into the mind of your attacker. Over the past 12 months there has been tremendous speculation as to the motives behind cyber attacks, with much being made of a few high-profile instances of state-sponsored cyber espionage.
But are governments and competitors really lining up to steal your secrets? Well… no.
In an overwhelming majority of cases, the motivation behind cyber attacks is financial reward. There is a huge black market, accessible through the Dark Web, where hackers can sell proprietary and payment data to the highest bidder. Typically this is a collection of large organized crime syndicates, many of which are based in countries with no extradition treaties.
Rest assured that there is big money in play here, and successful hackers get paid extremely well for their “work.”
So what does all this tell us? In short, it lets you know where to concentrate your cybersecurity efforts for maximum effect. If your organization does fall prey to an attack, it’s most likely to come in the form of a phishing email designed to grant access that can ultimately be used to steal saleable information.
The anatomy of a (successful) phishing attack
Now that we understand the methods and motivations of most attackers, it’s much easier to comprehend the format of a typical attack. Initially, the attacker needs an entry point. In most cases, this will be a phishing email that baits one of your employees into installing malicious software (malware) or giving away their login credentials (social engineering).
Once the attacker has gained access to your network, they’ll try to move laterally to expand their access and level of control. This could include stealing proprietary data to inform further targeted phishing attacks (spear phishing), identifying vulnerabilities, and/or stealing higher-value credentials.
Finally, once they have the required level of access, your attacker can enact their primary mission: to steal and sell your data.
Going after the big phish
As you’ve no doubt gathered, your attackers’ job will be much easier if they can successfully phish someone with a high level of access. Rather than spending time gradually increasing their permissions and control, by bagging a privileged user early on they can move from entry point to mission accomplished in no time at all. This tactic is known as whale phishing, or “whaling,” and it can spell disaster for your organization. Clearly, this is not what you want to happen.
Every phishing attack relies, at some point, on being able to sucker employees into clicking on something they shouldn’t. The information security team can play a huge part in preventing this: many phishing emails can be kept out of employees’ inboxes by well-maintained filters, and more can be foiled by tight security controls.
But what about your privileged users: directors, executives and system admins who all usually have a high level of access? What if they’re targeted by spear phishing or whaling attacks?
Access controls on your whales
I know it’s tempting to overestimate access requirements, but it’s important to consider how much access these people really need. Nobody wants the finance director to fly off the handle because he can’t run a report, but in reality he probably doesn’t need read/write access to every area of the network.
Regardless of your approach to dealing with the threat of phishing attacks, tightening internal controls such as user access levels is hugely important, and can spell the difference between a narrow escape and a crushing data breach. Most users do not need to be able to install programs or access sensitive data, and if for some reason they do, they can always be granted specific access on a case-by-case basis.
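The two ideas above, give each role only what the job needs and handle anything beyond that as a specific, case-by-case grant, can be written down as a small policy model. The following is an added example, not code from the original post or from any product it mentions; every role, user, permission and ticket reference in it is constructed for illustration. It uses default deny, so a permission is allowed only through an assigned role or an unexpired grant, every grant must carry a recorded justification and expires on its own, and a blast_radius helper shows what a phished copy of a user’s credentials could do at a given moment, which is the number you want to keep small for your whales.

```python
"""Least-privilege access model: default deny, role-based permissions and
time-bounded, case-by-case exception grants. Added example; every role, user,
permission and ticket reference is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: each role carries only what that job needs.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "staff":    {"email:read", "email:send", "docs:read"},
    "finance":  {"email:read", "email:send", "docs:read", "reports:run"},
    "sysadmin": {"email:read", "email:send", "software:install", "servers:admin"},
}

# Fixed clock so the walkthrough is reproducible (constructed value).
NOW = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    """A case-by-case exception: one user, one permission, a reason, an expiry."""
    user: str
    permission: str
    reason: str
    expires_at: datetime


@dataclass
class AccessPolicy:
    roles: dict[str, set[str]]
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    grants: list[Grant] = field(default_factory=list)
    # (time, user, permission, allowed, why) for every decision taken
    audit: list[tuple[datetime, str, str, bool, str]] = field(default_factory=list)

    def assign(self, user: str, *roles: str) -> None:
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def grant(self, user: str, permission: str, reason: str,
              ttl_hours: float, now: datetime) -> Grant:
        """Record a temporary exception. The justification is mandatory so the
        grant can be reviewed later; it lapses by itself, so nobody has to
        remember to revoke it."""
        if not reason.strip():
            raise ValueError("a case-by-case grant needs a recorded justification")
        g = Grant(user, permission, reason, now + timedelta(hours=ttl_hours))
        self.grants.append(g)
        return g

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        """Default deny: allow only via an assigned role or an unexpired grant."""
        for role in self.user_roles.get(user, set()):
            if permission in self.roles[role]:
                self.audit.append((now, user, permission, True, f"role:{role}"))
                return True
        for g in self.grants:
            if g.user == user and g.permission == permission and now < g.expires_at:
                self.audit.append((now, user, permission, True, f"grant:{g.reason}"))
                return True
        self.audit.append((now, user, permission, False, "default-deny"))
        return False

    def blast_radius(self, user: str, now: datetime) -> set[str]:
        """Everything a phished copy of this user's credentials could do right now."""
        perms: set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.roles[role]
        perms |= {g.permission for g in self.grants
                  if g.user == user and now < g.expires_at}
        return perms


def build_policy() -> AccessPolicy:
    policy = AccessPolicy(roles=ROLE_PERMISSIONS)
    policy.assign("finance.director", "finance")   # constructed user
    policy.assign("sysadmin.1", "sysadmin")        # constructed user
    return policy


def walkthrough() -> dict[str, object]:
    """The director can run reports but not install software; a four-hour
    exception lets them install, then lapses on its own."""
    p = build_policy()
    out: dict[str, object] = {}
    out["director_runs_report"] = p.is_allowed("finance.director", "reports:run", NOW)
    out["director_installs_before"] = p.is_allowed("finance.director", "software:install", NOW)
    p.grant("finance.director", "software:install",
            "ticket #0000 (placeholder): install quarterly reporting add-in", 4, NOW)
    out["director_installs_during"] = p.is_allowed(
        "finance.director", "software:install", NOW + timedelta(hours=1))
    out["director_installs_after"] = p.is_allowed(
        "finance.director", "software:install", NOW + timedelta(hours=5))
    out["director_radius_with_grant"] = len(p.blast_radius("finance.director", NOW))
    out["director_radius_after_expiry"] = len(
        p.blast_radius("finance.director", NOW + timedelta(hours=5)))
    out["sysadmin_radius"] = len(p.blast_radius("sysadmin.1", NOW))
    out["denials_logged"] = sum(1 for row in p.audit if row[3] is False)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The audit list is the part worth keeping in a real deployment: a burst of default-deny entries for a privileged account, or a grant whose reason nobody recognizes, is exactly the signal that tells you a whale may have been phished before the data leaves.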
Controls aren’t enough
It’s true that you can’t rely 100% on your employees to report and delete phishing emails, but you also can’t rely 100% on your security controls. Like it or not, some phishing emails are going to end up in the inboxes of privileged users, and it’s going to come down to them to determine whether that attack is successful. If you can engage and train your employees to recognize and report phishing emails, you’re adding a vital last line of defense that otherwise wouldn’t be there.
At the end of the day, it’s a choice between a reported phishing email and a successfully installed malware package. I know which side I’m standing on.