How’s the Phishing? Great!

My company was hit again with a Business Phish this February targeting a new hire, same as last time.  This is why it so important to have cyber training the first training a new employee receives.  In my cases, new employees were targeted within a few weeks of coming on board.  In each case, the new-be receives an email from an executive manager.  The request is simple, get bank cards, gift cards and so on and email back the transaction numbers so the receiver can cash in and the new-be just lost hundreds of dollars or more.  This is a “Business Phish” and the simplest to execute.

There are basically three types of Phishing attacks: Business, Spear and Account Takeover.  Business Phishing is easy because they do not require links or Http formatting.  Therefore, they can slide right by the technology gatekeepers.  Their attack audience is cultivated through social media content.  In our case, the phishing exercise happened within days of the new employees updating their social media profiles about the new position and company.  The red flag in Business Phishing is the sender’s email address, the majority of the time it is incorrect.  Typically, it’s found in the domain name, some slight variation that delivers the email to the attacker, and ready for this…with the current release (June 2019) of Top-Level Domain list which is now at 1,520 options.  The “.COM”, “.NET”, “.GOV” can have 1,517 new choices like “.FOOD”, “.TECH” and yes, “.SUCKS”.  The point here is the attacker is playing on the lack of company knowledge the new employee has.  The best defense is day one training on Phishing and how company communications work and how the chain of command interacts.

Spear Phishing is much like the name’s meaning, one hit and you can’t getaway.  This spear doesn’t have a barb, just a link and with one click, they own you.  They call it Spear Phishing because the link is delivered to you by email.  The phishing part plays on giving you the warm and fuzzy because you know these people or have done business with the company.  “Look, it’s just a service satisfaction questionnaire about the service I had done on my car last week, why not take it, they did a great job”.  “Congratulations on your child’s college graduation last week and click here to see their ranking on the National Honor Roll”.  Your best defense here starts with the domain name scrubbing.  If it’s someone you know but it’s a new domain, red flag.  Look at the URL, warning signs are 2 letter country codes (.CN – China, .IR – Iran, etc.).  Misspelled names and bad grammar in the email subject or email body, all red flags.

Account Takeover, like Spear Phishing, has one objective, click that link.  Where Spear Phishing is commonly associated with an identity thief, Account Takeover focuses on your company, stealing your company’s credentials whereby they can reach as deep as they can into the layers of security and disrupt your business (Ransom, IP Thief, Data Destruction) or steal your data (Breach, Hack).  When clicking that link the return is malicious code designed to harvest all the information it can and send it back to the mother ship where the analysis will shape the next malicious code insertion.  Studies report in 2019, malicious code attacks go undiscovered for an average of 290 days.

Today’s desktops have many tools available to protect you against attacks, but most people don’t go far enough in their product choices.  People should focus on Malware protection that includes defense against viruses, spyware, adware, nagware, trojans, worms, and more.  Also, not all malware tools can remove the malware once found. Many times you identify the malware and acquire a specific tools design to remove that specific malicious code.

Let’s now talk about what you can do today that is the best improvement you can act on, it’s your firewall.  Over the last decade with the maturity of Artificial Intelligence and its implementation into firewalls, we can keep malicious code away from our desktops and stop it at the front door.  All the leaders in firewall solutions have evolved their offerings to support many resources identifying bad actors, scan inbound and outbound traffic for malicious code and company data.  One of the biggest changes is the migration to the cloud.  If your Cyber Security staff wants to move from the on-premise appliance to a firewall cloud source, it’s probably a good thing.  Take advantage of new options like isolation, stopping all traffic from regions you don’t do business in; I don’t do business in China, therefore block all traffic originating in China.  Probably the most important feature is patching and policy management.  The cloud-based firewall options provide the largest possible data set AI can work with instead of islands of data recorded by on-premise appliances.  AI can see and predict the wave coming before it hits you and automatically change its defenses to block and protect you, at the front door.  All of the major vendors are moving to the cloud and continue to build on that model providing the best real-time perimeter security.  Data Loss Protection has also moved to the firewall. In most architectures, the firewall serves to segregate our data and how we divide it into multiple layers.  Typically, the lowest level is where the data is protected.  In normal operations, this data should never see the light of day.  AI learning your traffic behavior will detect if your lowest level data is streaming directly to your DMZ and stop it immediately.  Point is, sharing collective information on bad actors for a common defense is a good thing.

This approach is taking shape to what the Cloud Security Alliance calls “Software Defense Perimeter”.  The principle here introduces the concept of “Need to Know”.  A trusted principle in security clearance is taking shape in the firewall where AI is building training sets on who you’re communicating with.  I like to describe it like yesterday your front door needed a simple key to getting in, under SDP, your front door just became US Customs.

Finally, the best defense is to remove the value of your data.  We are shredding our databases making it’s content worthless but still available for day to day operations.  Our end goal is to remove any liability if our perimeter is breached protecting individuals once and for all.