Go phish!

Cyber-attacks are big business. And the bad guys know that in any business, generating the most revenue with the least investment means larger profits. It makes sense that when the bad guys find a reliable attack vector, like email phishing, they’ll use it for as long as it makes financial sense.

In other words, if it ain’t broke, don’t fix it. And phishing ain’t broke, friends.


Breaking with the past

Motivated attackers are good at what they do and they are very creative in how they go about their work. Email security is not as simple as being on the lookout for spurious claims to royal lineage or attached “invoices” for goods never ordered. Detecting and blocking advanced email attacks requires more than what “traditional” email security brings to mind.

In my last blog post I wrote about fileless malware, how it breaks traditional security models, and the new ways we need to look at defending against constantly evolving threats. Phishing is another example of the evolution of threats breaking traditional security models. For instance:

Attackers send phishing emails to the clients of a particular vendor. Posing as that vendor, the attackers’ email states that the vendor’s bank account routing number has been updated and instructs the clients to make payments using the new routing number provided in the email. The real vendor, which has now stopped receiving payments from customers for a period of time, starts calling those customers to find out why they haven’t paid their bills. The customers reply that they have been paying on time, using the new routing number as instructed. The bank routing number was real, and there was no malicious signature, attachment, content or URL; the only criminal component was the true identity of the sender. By then, the money is long gone!

Is there something that Cisco can do to protect our customers? Of course!


Block ‘em coming and going

Phishing protection has both inbound and outbound components that must be addressed. First, how do you detect a threat like this when the content of the message is just false information with no malicious links or attachments? Second, how do you know when attackers are posing as employees of your company to use your good reputation?

Here’s how we approach it from the inbound perspective. We use data modeling to create a metric of trust for each user in an organization based upon statistical analysis of email telemetry. Characteristics like a sender’s email address, the IP address of a sender, a sender’s organization’s domain reputation, and so on are used to build a baseline of “normal.” Deviations from the baseline may generate an indicator of compromise (IoC). If you’re like me and constantly traveling, meeting new people, and exchanging emails with them, it would be beyond inconvenient to have all emails with new contacts quarantined. It would seriously impair my ability to do my job. Because our analysis includes those characteristics that I mentioned like domain reputation, we balance the need for the business to operate while being able to home in on what’s suspicious.
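To make the inbound idea concrete, here is an added example (not Cisco’s code or the product’s actual model) of a per-recipient sender baseline built from constructed email telemetry. It flags a known correspondent suddenly arriving from a never-before-seen IP, which is the only signal in the routing-number scenario above, while letting a brand-new but reputable contact through. The recipients, senders, IPs and reputation scores are all constructed sample values.

```python
from collections import defaultdict

# Constructed sample telemetry: (recipient, sender, sending_ip, sender_domain_reputation).
# Reputation is a made-up 0.0-1.0 score; a real system would pull it from a reputation feed.
HISTORY = [
    ("alice@corp.example", "billing@vendor.example", "203.0.113.10", 0.9),
    ("alice@corp.example", "billing@vendor.example", "203.0.113.10", 0.9),
    ("alice@corp.example", "billing@vendor.example", "203.0.113.11", 0.9),
    ("alice@corp.example", "bob@partner.example", "198.51.100.5", 0.8),
]


def build_baseline(history):
    """Per recipient: each sender seen so far and the sending IPs that sender has used."""
    baseline = defaultdict(lambda: defaultdict(set))
    for recipient, sender, ip, _reputation in history:
        baseline[recipient][sender].add(ip)
    return baseline


def score_message(baseline, recipient, sender, ip, reputation):
    """Return (indicators, verdict). Deviations from the recipient's baseline become
    indicators; domain reputation keeps new-but-reputable contacts flowing."""
    indicators = []
    known_senders = baseline.get(recipient, {})
    if sender in known_senders:
        if ip not in known_senders[sender]:
            # A trusted correspondent from an unknown IP: the message body may be
            # perfectly benign (a "new routing number"), so this is the key indicator.
            indicators.append("known-sender-new-ip")
    else:
        indicators.append("new-sender")
        if reputation < 0.5:
            indicators.append("low-domain-reputation")

    if "low-domain-reputation" in indicators:
        verdict = "quarantine"
    elif "known-sender-new-ip" in indicators:
        verdict = "hold-for-review"
    elif indicators:
        verdict = "deliver-and-log"  # new contact, good reputation: don't block business
    else:
        verdict = "deliver"
    return indicators, verdict


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_message(base, "alice@corp.example", "billing@vendor.example", "192.0.2.44", 0.9))
```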

Now let’s reverse the scenario. A good buddy of mine works for a small but reputable online content company here in Massachusetts. One day they found that their legitimate outbound emails were being blocked and that their domain had been placed on several blacklists. Of course, this seriously impacted their ability to do business. It turned out spammers were using their victim’s good reputation to bypass their targets’ email protection… until the victim was blacklisted, that is.

While it would seem very difficult to detect and block that kind of parasitic attack, there is good news. Using standards like DMARC (Domain-based Message Authentication, Reporting and Conformance, if you were curious), we are able to detect and stop attackers who are attempting to use your organization’s good reputation in illegitimate ways.

Based on these evolved threats, is it time to dispense with “traditional” security technologies? Of course not. The bad guys will try to get at your data with whatever means they have at their disposal. So, it would be ill-advised to build defenses for only one threat. And you need to be prepared for the eventuality that something bad will get in. Therefore, it’s vital to handle these threats with a layered defense.


Next steps

Join me and a panel of our email security experts on November 15th at 1PM EDT where we’ll discuss the state of phishing and ways that you can protect your organization. You can find the registration link for the live phishing webinar here. Plus, I’d also recommend you check out our new at-a-glance on our Advanced Phishing Protection, our latest innovation in email security. And as always, I welcome your comments below.


Marc Blackmer

Product Manager, Engineering

IoT Product Mgmt Networking