Phishing has long been an infection vector of choice for threat actors, and for good reason — it is relatively easy, inexpensive and consistently successful. In 2018 and 2019, attackers used phishing as an entry point for one-third of all attacks tracked by IBM X-Force Incident Response and Intelligence Services (IRIS) — the most commonly used of all known attack vectors.
Phishers prey on human emotion and the urge to act on written words, and since phishing is so ubiquitous in our work environments, it is a constant threat. Even as training for employees and end users improves, so do the tactics of threat actors crafting and deploying phishing emails. Their ability to create authentic-looking emails with believable logos, letterheads, wording and topics of interest to the target audience continues to fool even the most security-savvy users into opening an attachment or clicking on a malicious link.
Many advanced persistent threat (APT) groups use phishing as a means of delivering malware, remote access Trojans (RATs) or malicious links to recipients. These groups are some of the most advanced cyberthreat actors in the world, underscoring the reliability of, and risk from, phishing as an attack vector. IBM X-Force IRIS has found that 84 percent of the APT groups we track use spear phishing as a primary infection vector. Of those, 68 percent appear to use it as their only infection vector, according to information from our ongoing analyses.
To explore the current state of phishing against enterprise networks, this blog will pair the perspectives of X-Force IRIS, our front-line response and intelligence teams, and X-Force Red, our team of veteran hackers who are hired to run phishing attacks against real organizations, to present new data and analysis. While the plague of phishing is unlikely to wane in the near future, having current data on the severity of the problem and a few remediation measures in one’s back pocket can assist organizations in addressing risks more effectively.
View From the Front Line: Phishing Still a Top Entry Point
X-Force IRIS assists clients in responding to cyberattacks and data breaches on a daily basis, from forensic research to in-depth intelligence, giving our team a front-row perspective of the types of attacks organizations face and how threat actors most likely found a way inside.
According to X-Force IRIS data, phishing attacks are the most common known attack vector for malicious cyber actors who target organizations. Phishing attacks are also the phase that occurs at a critical juncture in the X-Force IRIS Cyber Preparation and Attack Frameworks, a model we use to assess threat actors’ activity. In the “Launch Attack” phase, phishing is the critical bottleneck that, if successfully defended against, can make a substantial difference in the risk and impact the organization may face.
Figure 1: IBM X-Force IRIS Cyberattack Preparation and Execution Framework
In 2019, nearly one-third (31 percent) of all cyber incidents we investigated had a known infection vector that could be traced back to a malicious email or phishing attack. Use of stolen credentials — which could have been obtained through a variety of methods, including phishing — came in at a close second, at 29 percent.
In addition, of all the organizational phishing attacks X-Force IRIS has observed since June 2018, 42 percent involved business email compromise (BEC), a type of spear phishing where attackers hijack a business email account and use this access to persuade employees to send money or information to the attackers. BEC fraud is one of the most damaging spear phishing attacks that an organization can suffer, costing companies a total of more than $26 billion worldwide as of September 2019, according to the FBI.
View From the Red Line: Focus on Incident Response
X-Force Red is IBM’s autonomous team of veteran hackers, hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. X-Force Red’s mission is hacking anything to secure everything (people included). And phishing is one of the top ways our team hacks people, as well as one of the most popular assessments we can conduct in the social engineering practice. Phishing is thus something our hackers are very familiar with performing and often rely on to find a way into an organization.
Statistics gathered from our X-Force Red engagements from September 2018 to September 2019 indicate that, on average, 26.5 percent of recipients to whom we sent a malicious email clicked on a link contained in that email. In addition, the same data shows that, virtually without fail, at least one recipient would interact with our test phishing campaign every time. This means that within our data set, phishing was always a successful entry point whenever used. These findings suggest that beyond employee education, we should focus the security team’s priorities on response, rather than prevention.
When it comes to conducting phishing assessments, our team of hackers spend more time gathering open-source intelligence (OSINT) than actually attacking. The more we are able to understand about our target’s environment, and what would appear credible to them in an email message, the better we are able to craft a custom-tailored and convincing phish that’s likely to be opened.
View From the Spam Traps: Additional X-Force Data
In addition to data from X-Force IRIS and X-Force Red, our team has access to additional information that lends insight into the current state of phishing attacks today. IBM X-Force runs a network of spam traps that give us insight into spam and phishing emails that are most prevalent. Notably in 2019, spam email commonly appeared to come from large technology or social media companies. By spoofing email addresses and URLs and creating fake webpages, spammers and phishers are able to request legitimate credentials that they can then use to gain unauthorized access to accounts or email.
Quad9 data also indicates that the majority of suspect DNS requests last year directed users to spam sites — making up 69 percent of all suspect DNS requests in 2019. That means that if a user clicks on a malicious link, that link was most likely attempting to send the user to a spam site, as opposed to a malware-laden website or other malicious URL.
Resisting the Phish, Responding to Compromise
Phishing attacks are unlikely to abate in the foreseeable future, so focusing on resilience in the face of such attacks is as important as focusing on prevention. The following tips can assist your organization in identifying ways to strengthen both prevention and resilience and decrease the chances that an attacker will use phishing to obtain a critical foothold in your systems.
Threat Prevention Tips
While phishing can be a cunning adversary, some points can help keep it at bay:
- Are employees over-sharing online? People working for your organization could be over-sharing information on the internet, both from an organizational and a personal standpoint. Inform employees about the risk associated with these activities. The most successful attackers spend significant time researching their targets by looking into their online footprint and then use this information to create highly customized messages, making them more likely to succeed.
- Keep tabs on your typo-squatted domains. A typo-squatted domain looks very similar to the domain an organization uses, but it is slightly altered by swapping characters, for example, turning a small “L” into a capital “i.” Sometimes vowels switch location, characters are omitted and other tricks are used to make our eyes read a believable domain name. Most people overlook these small changes, and attackers know it. Organizations should check to see if any typo-squatted domains are attempting to impersonate theirs. If any are found, it is wise to proactively purchase them so attackers cannot. If the typo-squatted domain is already registered to another person, it is recommended to block those domains from communicating with your networks.
- Test employees regularly. While it’s great to train employees on how to spot phishing emails, security teams should also provide the opportunity to spot and report suspicious emails through regular test campaigns.
- Routinely provide role-based employee education with updated phishing techniques used by attackers — some of the intelligence in this blog may be helpful in crafting training with up-to-date information. Warn employees to be aware of emails that create a sense of urgency or come from an external address.
- Implement email banners that will flag messages coming from outside the organization to allow employees to identify potentially fake CEO or CFO emails.
- Disable the ability to launch macros from an email attachment.
- Use email security controls to flag potentially malicious emails coming from blacklisted domains, emails containing disabled attachments or emails from typo-squatted domains.
- Use a layered approach to security and consider including behavioral analysis. A layered approach is more likely to detect threats such as zero-day malware, and adding behavioral components is easy with an advanced user behavior analytics (UBA) solution to help detect suspicious internal activity via your company’s security information and event management (SIEM) solution.
Expect Trouble and Respond Effectively
Since someone is bound to click on a malicious link or attachment, organizations must place added focus on response and assume that user devices can and will be compromised. That is why it is important to:
- Limit user privileges attributed to each user group so that each employee can only access what is needed for their actual work.
- Ensure proper adaptation of security technology and procedures to detect endpoint compromise.
- Review network segmentation to effectively limit moving from one area to another.
- Have an incident response and management plan in place for scenarios big and small.