CIA Director John Brennan is in the news this week, and for all the wrong reasons. A teenager managed to hack into the intel chief’s AOL account, thereby hijacking his email and other personal information, including his 47-page SF-86 security clearance background check application. Wikileaks has since published all of Brennan’s compromised data.
He, like executives everywhere, is a high-priority target for adversaries.
And though this hack wasn’t accomplished through spear- or whale-phishing, the chances of adversaries gaining access to an organization’s network or files through phishing are high. In fact, the business harm directly affects the bottom line.
Earlier this year, the FBI reported that adversaries stole nearly $750 million from as many as 7,000 different companies between October 2013 and August 2015. More specifically, the report disclosed that a total of $179 million was stolen by business email compromise scams or so-called “CEO scams.”
Though the targets are often individuals at the executive level, other employees throughout the organization may unknowingly become accessories to a phishing attack. Plus, targeted phishing emails often don’t set off traditional spam filters because they’re not part of a mass email campaign.
(Top Ten Tips for Not Getting Phished - PDF from AstraID)
“We’ve noticed phishing attacks are on the rise,” said AstraID Cofounder and CEO Gagan Prakash. Spam filters have been designed to deal with spam, he said, but he and his team noticed a big difference. “Spam filters are not context-specific and aren’t equipped to handle the misrepresentation of identity. The traditional blacklist approach of spam filters is inadequate.
“We are not a spam filter,” Prakash pointed out. “We just focus on phishing and spear-phishing and want companies to use us in conjunction with their existing filters.”
Prakash has a handful of powerful examples up his sleeve that help make the case for deploying anti-phishing technology. In one example, he pointed out that a senior executive at Ubiquiti Networks fell for a phishing email and ended up authorizing a wire transfer for $46.7 million. I’d hate to know what it feels like to realize that mistake.
To help fight these vulnerabilities, Prakash and his team have created a suite of products called Phishing Guardian. This email security service integrates with standard enterprise email frameworks and acts in parallel with traditional spam and AV filters to help mitigate phishing attacks.
AstraID’s “imposter detection technology” is specifically designed to detect spoofed emails. “We base this on metadata and the style of communication so we can triangulate to assess the authenticity of the sender,” Prakash said.
To demonstrate, AstraID unveiled an online quiz to “Spot the Imposter” and found that only 17 percent of respondents correctly detected all seven of the simulated phishing emails. I took the quiz myself, and provided two additional fake names—one a “friend,” another a “co-worker”—to help qualify the simulation. I found that context is really important here, so these simulations were fairly easy to suss out. Sharing more personal information would help improve these simulations, but this requires more data collection and a different set of privacy issues altogether.
“We take a lot of care to minimize data collection, though more information is useful for prevention,” noted Prakash. He also said AstraID has a white list of vendor behavior and is not interested in gauging consumer behavior.
The second line of defense that AstraID offers centers on “in-line phishing awareness training.” Prakash said employee training always helps, but isn’t always effective. So to supplement training, AstraID can build in customizable tools for contextual reminders and filters for employees. These can take the form of just-in-time reminders and annotations in subject lines of high-risk emails and more.
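To make the two ideas above concrete (assessing sender authenticity from header metadata and wording, then annotating the subject line of high-risk mail), here is an added example in Python. It is not AstraID's code; the executive roster, internal domain, urgency phrases and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # constructed roster: display name -> real address
URGENCY = ("wire transfer", "urgent", "confidential", "before end of day")  # constructed BEC phrases

def within_one_edit(a, b):
    """True if a and b differ by a single insertion, deletion or substitution (examp1e vs example)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b): i += 1          # deletion in a
        elif len(a) < len(b): j += 1        # insertion in a
        else: i, j = i + 1, j + 1           # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def assess(raw):
    """Return (reasons, subject) for one RFC 5322 message; subject is annotated when two or more signals fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and addr.lower() != legit:                      # display-name impersonation
        reasons.append("display name matches an executive but address differs")
    if within_one_edit(from_domain, INTERNAL_DOMAIN):        # lookalike sender domain
        reasons.append(f"lookalike of {INTERNAL_DOMAIN}: {from_domain}")
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(k in text for k in URGENCY):                      # communication-style signal
        reasons.append("urgent payment language")
    subject = msg.get("Subject", "")
    if len(reasons) >= 2:
        subject = "[POSSIBLE IMPOSTER] " + subject           # just-in-time annotation for the recipient
    return reasons, subject

SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.test
Subject: Quick favour
Content-Type: text/plain

Please process this wire transfer before end of day. Confidential.
"""
```

The single-edit domain check deliberately misses tricks like "rn" for "m"; a production filter would add homoglyph folding and DMARC results to the same scoring.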
Prakash said they have been able to drive down click rates on malicious emails from 30 percent to 15 percent. They also offer a reporting and forensics tool that allows admins to quickly investigate attacks originating from an email.
And with no shortage of security and privacy vulnerabilities from virtually every direction these days, dialing down your risk register by helping prevent spear-phished emails to your C-suite sounds like a step in the right direction.