The Psychology of Phishing


“There is no silver bullet that can completely eradicate all risks of phishing attacks, but there are many actions that can mitigate the risks and consequences,” says Riaan Naude, Director of Consulting, F-Secure, in an exclusive interview with ITSecurityWire.


ITSW Bureau: Why do today’s enterprises struggle to protect themselves from phishing attacks?

Riaan Naude: Phishing attacks remain prolific because, in the greater scheme of things, phishing is a relatively simple attack to perform. Even though it consists of technical components, it fundamentally relies on human psychology. So even though technical safeguards have seen significant improvements over the years, a phishing attack can trick a person into performing any arbitrary action on behalf of the attacker. This could be as simple as clicking on a link.

ITSW Bureau: What preventative measures can enterprises take to safeguard their products and services from the evolving phishing attacks?

Riaan Naude: The solution, unfortunately, does not only lie with prevention. Even though it’s comforting to say “prevention is better than cure”, in this case, it’s just as important to build detection controls around phishing attacks.

Phishing is not only avoided by preventing an email from reaching an inbox. One may assume that a phishing attack only lives within the “delivery” phase of the cyber kill chain; however, it’s much more complex than this, and a phishing attack has at least the following components:

  • External Recon: The attacker needs to know who to phish. Information about potential targets could exist on LinkedIn and therefore, businesses could implement policies to limit the kind of information that should be shared on such public platforms.
  • Delivery: This is where the email is actually delivered and where email security controls come into play. It is important that the minimum number of executable filetypes can be delivered. This means for example that if your business requires macro-enabled documents, that it be allowed. Should any such filetypes be allowed, it’s important that the implications of each are well understood by the security team.
  • Code Execution: Following the delivery of a phishing email, often an attacker tricks a user into executing malicious code. This happens on an endpoint where further preventative and detection controls can, and should, be implemented.
  • Command & Control: During this phase, the executed code attempts to communicate to an attacker-controlled system. This is where more prevention and detection can occur. Outgoing communications from your network should only be allowed on HTTPS where, for example, other channels such as DNS and FTP should be denied.

For a phishing attack that culminates in control of an endpoint to succeed, each of the phases above needs to be effective. It is important that security teams consider phishing attacks in their entirety, and not only consider isolated components of the attack.

ITSW Bureau: What technical and ethical challenges are IT teams facing within enterprises regarding training and phishing?

Riaan Naude: One of the most effective mechanisms at the disposal of security teams to teach users about the dangers of phishing is to frequently simulate phishing attacks on a regular basis. When a user falls for a given training email, they are then educated about the specific email, helping to prevent it from happening again. This has the ultimate impact of building a habit of being more careful when actioning any email. It is important that users are taught not only to avoid falling for a phishing email, but that they report it to the security team. Phishing resilience is ultimately a detection function. The quicker an email is reported, the quicker it can come to the attention of the security team and be dealt with.

The scenarios used in phishing simulations often pose ethical questions i.e. an attacker might send a link that would allow a person to claim their annual bonus, which is a scenario that West Midlands Trains service recreated in a security test. Though this would be effective from the attacker’s point of view, this would surely upset your workforce. It is therefore important to set boundaries with such training endeavors in collaboration with the HR team to ensure that a harmonious balance is maintained.

ITSW Bureau: How do IT leaders build a mindset that will enable them to create the path of most resistance?

Riaan Naude: The fundamental step is to put yourself into the minds of the attackers. What are your weak points? What are your most valuable assets, and therefore what might represent likely targets for attackers? If you understand how an adversary can exploit your environment, then it is easier to put those preventative and detection controls in place to make their success less likely. There is no silver bullet that can completely eradicate all risks of phishing attacks, but there are many actions that can mitigate the risks and consequences.

Accepting that you can’t prevent all phishing attacks is phase number one. Next is to understand which steps an attacker would need to take in order to be successful during an attempt, and then building detection and preventative controls around these enumerable actions.

The above mindset should be instilled in the security team and this will ultimately strengthen your approach against the threat of phishing.

Managing Director of Phisd and originally from South Africa, Riaan has over a decade of experience working in cyber security. His career flourished in the financial sector before he found his true passion: consultancy. He has since brought his breadth of information security knowledge to the UK and the US.