Earlier this year a whitepaper from Osterman Research – Addressing the Top 10 Security Issues Organizations Face explored a range of top security concerns. There’s a lot of great data in there, so be sure to check it out. One of the key takeaways is that “Security defenses are improving…sort of”. What their data showed was that while the median, per-employee security budget will increase by 16 percent in 2019 – to $90.91 per employee –the overall security training organizations provide their employees, including phishing awareness training, is inadequate.
According to Osterman:
“… Our research found that many organizations use informal training processes that don’t include phish testing to determine the effectiveness of the training regimen. In the absence of adequate training, many users will not be appropriately skeptical of the various threats they encounter, especially if these are delivered through social media channels, malvertising or text messaging that are implicitly assumed to be more trustworthy (or at least less suspect) than corporate email or the web.”
While cybersecurity defenses against malicious email as an attack vector are improving, the level of improvement for phishing threats beyond the inbox are not. Email phishing is still prevalent, but there are more attack vectors happening under the umbrella of phishing. Phishing URLs have spread beyond links in email to social media, advertisements, search engines, browser extensions, chat apps and mobile.
Fake login pages are no longer the only game in town. HTML phishing can be delivered straight into browsers and apps, bypassing infrastructure (SEG, NGFW, NGAV, AEP), evading URL filtering, and domain reputation analysis methods. Bad actors have become sophisticated, employees can’t always spot the fakes, and traditional defenses that rely on domain reputation and blacklists are not enough.
There are attack vectors outside of email that often get overlooked by traditional cybersecurity protocols. All of the following types of social engineering and phishing attacks can be delivered outside of an email.
- Credential Stealing
- Rogue Software/Browser Extensions
- Phishing Exploits/Weaponized Documents
- Social Engineering Scams
- Phishing Callbacks (C2s)
All it takes is a simple URL distributed from a fake website. The lifespan of a phishing URL has decreased significantly since 2016. SlashNext Real-Time Phishing Threat Intelligence feeds are seeing bad actors gather valuable personal information from their target and move on quickly. The average malicious URL phishing page has a lifespan of approximately 40 to 50 minutes.
Bad actors are aware of how current technologies are trying to catch them, and they see perfect opportunities to evade detection. They change domains and URLs fast enough so the blacklist-based engines cannot keep up. For example, malicious URLs might be hosted on compromised sites that have good domain reputation. People click and within a few minutes the bad actors have collected all the data they need, so they move on to the next site. By the time the security teams have caught up, the phishing page is already gone and hosted somewhere else. It’s no surprise at this speed that old legacy methods of chasing URLs and using domain reputation are no longer enough. Of the tens of thousands of new phishing sites that go live each day, the majority are hosted on compromised, but otherwise legitimate domains. These sites would pass a domain reputation test, but they’re still hosting the malicious pages.
According to the Osterman report:
“…Many security solutions lack native phishing site detection capabilities. Many URL filtration, Secure Email Gateways, Firewalls, etc., have blacklists, but we are not aware of any that have the ability to detect if a user has browsed to a previously unknown malicious site. These blocking defenses need to be informed, on a real-time basis, about malicious sites and command-and-control server IPs to block.”
The time-to-discovery deficit is becoming a major cybersecurity concern for organizations. Two different studies indicate that the speed of automation is the most likely way to combat detection deficit. Unlike other anti-phishing technologies and threat feeds, SlashNext works across all phishing attack vectors (email, pop-ups, ads, search, social media, IM, etc.) and covers every one of the six major categories of phishing and social engineering threats. SlashNext Real-Time Phishing Threat Intelligence identifies live zero-hour threats in real-time and allows organizations to respond in real-time with automated blocking through their firewall.
You can check this technology out yourself. Contact us to learn more or try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.