In early February, SlashNext debuted “Phish Stories,” a videocast and podcast series designed to educate cybersecurity professionals about the latest, most innovative phishing attacks challenging businesses today.
In each episode, cybersecurity experts discuss new zero-hour phishing attacks — their latest strategies, attack vectors, and technologies used to manipulate and deceive people — before a live audience of CISOs, CSOs and cybersecurity professionals.
Experts also discuss steps organizations can take to protect their employees from the fast-evolving attacks coming at them from all directions.
The State of Phishing
SlashNext CEO Patrick Harr kicked off “Episode One: Preventing Phishing 2.0 Attacks with Next-Gen Security Defense” with the observation that the disruption caused by the pandemic, including the rapid shift to a remote work environment and the convergence of workers’ personal and business lives onto the same devices, has massively increased the opportunity for sophisticated actors to attack people successfully:
“At its core, I would say that 2020 was the year of targeted spear-phishing attacks,” he said. “Where phishing was once email-based and exclusively for credential stealing, what has fundamentally changed is big phishers are using legitimate infrastructure that cannot be detected by most threat detection services. They’re using AI and automation, and they have access to very, very low compute resources to execute very targeted, fast attacks using a much broader range of communication channels.”
Google, AWS, and Azure are all trusted sources available at low cost that can be used to generate phishing attacks without being detected by most phishing detection labs. Factor in AI or behavioral models fed with actual information from the Dark Web, combine that with automation, and the result is highly effective, targeted attacks that live for just 24, 36, or even 48 hours. It is simply mind-boggling.
As Patrick explained, it’s no longer just email that bad actors are using to attack people. They’re also using SMS, perhaps the second most popular way to attack; social networks, including LinkedIn and Facebook Messenger; chats inside business collaboration tools like Zoom; and even chats inside popular gaming platforms.
At the same time, the attacks themselves are becoming more sophisticated. It’s no longer just credential stealing. SlashNext threat labs have observed a dramatic uptick in scareware tactics, social engineering attacks, rogue software attacks, ransomware, and malware that are delivering significant damage.
All of this means that hackers can scale up, scale out, attack in minutes, and disappear just as quickly.
New Zero Hour Attacks And How To Counter Them
Patrick then discussed two new zero-hour attacks. In one, a criminal abused Google App Engine and created 36,000 subpages in the first 36 hours, none of which were detected by any other phishing detection service (not even Google) because they were all hosted on legitimate infrastructure. The second compromised two-factor authentication technology, long heralded as a sure-fire way to stop these attacks in their tracks.
To mitigate risk, Patrick recommends using the same tools and techniques available to threat actors to fight fire with fire. Creating phishing simulations using the same next-gen technology such as AI, ML, automation, and so on, puts the ball back in your court and allows you to defend your business more effectively.
That said, having traditional cybersecurity solutions installed is no guarantee of any defense against the modern spear phisher. “Phishing 2.0 is an entirely different game, and bad actors play it well,” he said. “So, start looking at behavioral analysis and natural language processing tools that consider different dialects from around the world to perform dynamic analysis. When you get this balance right, you start putting machines against machines, which is the only way you will detect and block attacks.”
Tune into Episode One here.
Register for Phish Stories, Episode 2: Zero Hour Attacks Hacking Humans Today with Chris Hadnagy, CEO of Social-Engineer and host of The Social Engineering podcast.