Although cybersecurity discussions often focus on the increasing sophistication of cyberattacks, recent data from Verizon revealed cybercriminals continue to rely on old techniques that have been around for decades, particularly phishing scams.
Verizon’s 2015 Data Breach Investigations Report (DBIR) analyzed more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents. The report also addressed more than 8,000 breaches and nearly 195,000 security incidents that have occurred over more than 10 years.
The Department of Homeland Security’s US Computer Emergency Readiness Team (US-CERT) defines phishing as an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques.
Traditionally, phishing involved sending an email from a reputable institution, such as a bank, and asking the user to provide personal information or change their password. Phishing has evolved over the years, now featuring the installation of malware in the second stage of the attack. Phishing is often a hallmark of state-sponsored cyberattacks.
In Verizon’s 2013 DBIR, phishing was associated with over 95 percent of incidents attributed to state-sponsored actors. Moreover, for the past two years, “more than two-thirds of incidents that comprise the cyber espionage pattern have featured phishing.”
“Lessons not learned from the silly pranks of yesteryear and the all-but-mandatory requirement to have email services open for all users has made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network,” the report said.
The Verizon researchers revealed that 23 percent of recipients now open phishing messages and 11 percent click on attachments. Furthermore, nearly 50 percent of users open emails and click on phishing links within the first hour.
“How long do you suppose you have until the first message in the campaign is clicked?” the Verizon researchers asked. “Not long at all, with the median time-to-first-click coming in at one minute, 22 seconds across all campaigns. With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.”
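To turn the report's time-to-first-click and first-hour figures into metrics a defender can compute from their own phishing-simulation results, here is an added example (not code from the Verizon report or this article) that computes both over a constructed click log; the log format, campaign names and user names are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed phishing-simulation log (assumed format, not data from the report):
# campaign_id,event,user,iso_timestamp -- one "sent" row per campaign, then clicks
LOG = """\
c1,sent,-,2015-04-01T09:00:00
c1,click,alice,2015-04-01T09:00:45
c1,click,bob,2015-04-01T09:30:10
c1,click,carol,2015-04-01T11:15:00
c2,sent,-,2015-04-02T14:00:00
c2,click,dave,2015-04-02T14:02:30
c2,click,erin,2015-04-02T16:00:00
c3,sent,-,2015-04-03T08:00:00
"""

def parse_log(text):
    """Group rows by campaign: {cid: {"sent": datetime, "clicks": [datetime, ...]}}."""
    campaigns = {}
    for line in text.splitlines():
        cid, event, _user, ts = line.strip().split(",")
        entry = campaigns.setdefault(cid, {"sent": None, "clicks": []})
        t = datetime.fromisoformat(ts)
        if event == "sent":
            entry["sent"] = t
        elif event == "click":
            entry["clicks"].append(t)
    return campaigns

def median_time_to_first_click(campaigns):
    """Median seconds from send to first click, over campaigns that drew a click.
    Campaigns with no clicks (c3 above) carry no timing signal and are skipped."""
    firsts = [(min(c["clicks"]) - c["sent"]).total_seconds()
              for c in campaigns.values() if c["clicks"]]
    return median(firsts) if firsts else None

def first_hour_click_rate(campaigns):
    """Share of all clicks that land within one hour of the campaign send time."""
    total = within = 0
    for c in campaigns.values():
        for t in c["clicks"]:
            total += 1
            if t - c["sent"] <= timedelta(hours=1):
                within += 1
    return within / total if total else None

if __name__ == "__main__":
    data = parse_log(LOG)
    print("median time-to-first-click (s):", median_time_to_first_click(data))
    print("share of clicks within first hour:", first_hour_click_rate(data))
```

Feeding real simulation exports into `parse_log` gives the two numbers the report uses to argue that detection and response must operate on a timescale of minutes, not hours.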
To mitigate phishing attacks, the report recommended better email filtering before messages arrive in users’ in-boxes, developing and executing an engaging and thorough security awareness program, and improved detection and response capabilities.
The researchers stressed technological defenses will always be imperfect and that people are the key to effective mitigation of the phishing threat, since the human factor is one of the top security vulnerabilities facing organizations.
“One of the most effective ways you can minimize the phishing threat is through effective awareness and training,” said SANS Securing the Human Program Training Director Lance Spitzner. “Not only can you reduce the number of people that fall victim to (potentially) less than 5 percent, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.”
Similarly, as Homeland Security Today previously reported, the August 2014 McAfee Labs Threats Report found phishing continues to be a heavily used and effective mechanism for exploiting the weakest link in enterprise security: human behavior.
McAfee Labs indicated that in 2014 there was a significant uptick in both the total volume and sophistication of phishing attacks. Since last year’s threat report, McAfee has collected more than 250,000 new phishing URLs, with the United States hosting more phishing URLs than any other country.
More recently, Homeland Security Today reported that, according to data reported to US-CERT, phishing and malicious code continue to present threats to both the federal government and public at large. Commenting on the breach of the State Department’s unclassified email system, Dr. Mike Lloyd, CTO at RedSeal, called phishing attacks “the new normal.”
Although phishing remains a favored tactic, the report indicated 70 percent of cyberattacks use a combination of techniques. These attacks also often include a secondary victim, making defense and attribution more difficult. In 60 percent of cases, attackers are able to compromise an organization in just minutes.
While technology can assist in detecting malware, ultimately the burden is on the email recipient to detect fraud. Businesses and individuals must begin modifying human behavior through better training in how to identify phishing attacks and other cybercriminal opportunities.
A major takeaway from this year’s report is that many cyberattacks could be prevented through a more vigilant approach to cybersecurity—a message that has been conveyed in previous Verizon DBIR reports. “We continue to see sizable gaps in how organizations defend themselves,” said Mike Denning, vice president of global security for Verizon Enterprise Solutions. “While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases. This continues to be a main theme, based on more than 10 years of data from our Data Breach Investigations Report series.”