LinkedIn Short #4 - Our Journey in Phishing Mitigation
Aurobindo Sundaram
CISO | Startup advisor | Board member | VC fund advisor | Photographer | Sharer of financial & life lessons
Every organization struggles with the phishing epidemic. This article is a summary of the things we've tried, what has and hasn't worked well, lessons learned, and our ongoing journey to be phish resistant. It's not intended to be an introduction to the topic or a summary of phishing methods - those are available elsewhere. We assume the reader has at least a basic to moderate knowledge of phishing, its impacts, and general methods to mitigate the threat. Where appropriate, I may explain a specific point. If you are familiar with the topic, you may want to skip to the end of the article to see a concise table of my recommendations. I'll say up front that this article is more informal and also more technical than most of my others, so reader be warned.
Preventive Controls
- DKIM/DMARC/SPF implementations. These allow you to tell recipient domains to trust/not trust an email sent from your domain. Therefore, it's much more useful to your customers than to you. You can block emails spoofed as your domain (e.g. Business Email Compromise attacks) using these protocols. The flip side? More scammers are executing attacks using free domains or domain names that are variations of the legitimate domain (e.g. ceo@acme1nc.com). This control is ineffective in those types of attacks.
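To make the point above concrete, here is an added example (my own illustration, not code from the original article or from any vendor) that parses published SPF and DMARC records and flags the settings that leave spoofing of your own domain possible. The domain names and TXT records are constructed samples, not real DNS data, and the organizational-domain fallback is simplified to the last two labels. The last function shows why these records do nothing against a lookalike domain: a receiver looks up the DMARC record for the From: domain it actually sees, and acme1nc.example has none of yours.

```python
"""Assess SPF/DMARC records for weak settings (constructed sample data)."""
import re

# Constructed sample TXT records, keyed by the name they would be published at.
# SPF lives at the domain itself, DMARC at _dmarc.<domain>.
SAMPLE_DNS = {
    "acme.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_dmarc.acme.example": "v=DMARC1; p=none; pct=100",
    "hardened.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_spf(record):
    """Return (list of (qualifier, mechanism, value), qualifier of the 'all' term)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, mechanisms = None, []
    for term in terms[1:]:
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
        if not m:
            continue
        qual, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            all_qualifier = qual
        else:
            mechanisms.append((qual, name, value))
    return mechanisms, all_qualifier

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess_domain(domain, dns=SAMPLE_DNS):
    """List the weaknesses a phisher spoofing this exact domain could exploit."""
    findings = []
    spf = dns.get(domain)
    if spf is None:
        findings.append("no SPF record: receivers cannot check the sending host")
    else:
        mechanisms, all_q = parse_spf(spf)
        lookups = sum(1 for _, name, _ in mechanisms if name in SPF_LOOKUP_MECHANISMS)
        if lookups > 10:
            findings.append(f"SPF uses {lookups} lookup mechanisms, over the limit of 10")
        if all_q in (None, "+", "?"):
            findings.append("SPF does not fail unlisted senders (missing, +all or ?all)")
        elif all_q == "~":
            findings.append("SPF softfail (~all): receivers may still deliver spoofed mail")
    dmarc = dns.get("_dmarc." + domain)
    if dmarc is None:
        findings.append("no DMARC record: receivers cannot be told to reject spoofs")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofs land in spam rather than being rejected")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
        if "rua" not in tags:
            findings.append("no rua= address: no aggregate reports on who sends as the domain")
    return findings

def dmarc_record_for(from_domain, dns=SAMPLE_DNS):
    """Return the DMARC record a receiver consults for a From: domain, or None.

    Tries the exact domain, then (simplified) the last two labels as the
    organizational domain. A lookalike such as acme1nc.example has no record,
    so the real domain's policy is never applied to it.
    """
    labels = from_domain.lower().split(".")
    for candidate in (from_domain.lower(), ".".join(labels[-2:])):
        record = dns.get("_dmarc." + candidate)
        if record:
            return record
    return None

if __name__ == "__main__":
    for name in ("acme.example", "hardened.example"):
        print(name, assess_domain(name) or ["no findings"])
    print("acme1nc.example ->", dmarc_record_for("acme1nc.example"))
```

Run it as-is and the constructed acme.example comes back with three findings (softfail, p=none, no reports) while hardened.example is clean; the lookalike returns no record at all, which is exactly the gap the paragraph describes.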
- Flag external emails. This control tags emails from the Internet in the subject line or in the body of the email. We performed extensive testing before we implemented a 4 word warning in the body of external emails: "*** External email: use caution ***". We found that people were apt to get phished 50% less when we had the flag than when we didn't. Your mileage may vary but we worry about flag fatigue, where people ignore the flag because they get so many external emails. We change the color, font, and other appearance of the flag to keep it fresh. In staff groups for whom external email is almost 100%, we removed the flag. It's not perfect. It's pragmatic.
- URL blocking (OpenDNS, block uncategorized websites, link rewrite, etc.). These types of controls attempt to stop people from clicking on links in emails that might be malicious. We've found enormous success by blocking uncategorized websites (sure, a few false positives, but almost all malicious sites are uncategorized). We're about to implement link rewriting functionality as well, where web links in email are redirected to a sandbox for verification. Again, not perfect, but little impact to users and a significant security bump.
- Digital signatures on email. This is a Holy Grail project. Theoretically, it works well - give all your employees a digital signature, give all of your vendors a digital signature, and then only accept digitally signed emails. The problem is - this is a scale issue, getting thousands of employees + hundreds of thousands of vendors and other third parties to adopt digital signatures. It's not a problem any one company can solve by itself, and so we've basically ended up limiting ourselves to using digital signatures in niche implementations. Not a bad thing, but definitely not a big win from a phishing mitigation perspective.
- Dual verification of sensitive operations. We've continued to assess and enhance our sensitive operations to have dual verification. That is, at least 2 people have to sign off on some operations (e.g. changes in bank information, bulk requests for personal information, requests for confidential information). That way, if someone gets fooled by a phish, you have the second person as a backstop. The risk? That the second person assumes the first person verified the request and rubber stamps their approval. You solve one problem, you create another - what you hope to do is make the problem smaller in scope, scale, or impact.
Detective Controls
- Mailbox analytics. You can use third party tools to perform mailbox analytics (e.g. Greathorn). Mailboxes are analyzed for suspicious content based on the user's profile (i.e. heuristics for inbound email). We've had some success in this regard, but suffice it to say this is an early, evolving field of security. Vendors, including Microsoft, are fast attempting to catch up with technology such as ATP (Advanced Threat Protection).
- Lookalike domain detection and response. We have a script (H/T to Paul Braxton) which we use to detect the creation of lookalike domains (e.g. lexxisnexis.com). We can then perform a combination of (a) block the domain from sending email to us; (b) report it to abuse@...; (c) attempt to claw the domain back through our Intellectual Property team; (d) warn our customers about the dangers of possible phishing of them using that domain. Now, some of these domains are clearly domain-squatting, click-jacking, etc. and are not malicious. Depending on the perceived risk, we take the appropriate actions. We've found so many gonna-be-phishing domains and skewered them before they made an impact. It's easy to do, and when you find a bad domain, it makes your day.
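The article doesn't publish the script, so here is an added example of my own (not Paul Braxton's code) showing the shape such a detector takes: generate the common permutations of a protected domain (dropped, doubled, swapped and look-alike characters, other TLDs) and match them against a feed of newly registered domains, with a small edit-distance fallback for anything the permutation table misses. The protected domain acmeinc.com and the feed are constructed sample data, not a real registration feed, and the homoglyph table is a deliberately short one you would extend for your own brand.

```python
"""Match newly registered domains against lookalikes of a protected domain."""

# Constructed sample feed of newly registered domains (not real registration data).
NEW_DOMAINS = [
    "acme1nc.com", "acmeinc.co", "acmeiinc.com", "acmienc.com",
    "acmeinc.com", "weather-report.com", "acme-inc.com",
]

# Minimal confusable-character table; extend it for the letters in your own brand.
HOMOGLYPHS = {
    "i": ["1", "l"], "l": ["1", "i"], "o": ["0"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}

def split_domain(domain):
    """'acmeinc.com' -> ('acmeinc', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def candidate_labels(label):
    """Map each permutation of the second-level label to the technique that made it."""
    cands = {}

    def add(name, technique):
        if name and name != label:
            cands.setdefault(name, technique)  # first technique to produce a name wins

    for i in range(len(label)):
        add(label[:i] + label[i + 1:], "omission")                    # acmenc
        add(label[:i + 1] + label[i] + label[i + 1:], "repetition")   # acmeiinc
        for sub in HOMOGLYPHS.get(label[i], []):
            add(label[:i] + sub + label[i + 1:], "homoglyph")         # acme1nc
    for i in range(len(label) - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")  # acmienc
    return cands

def levenshtein(a, b):
    """Edit distance, used as a catch-all for permutations not in the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(protected, feed, max_distance=1):
    """Return [(domain, technique)] for feed entries that imitate the protected domain."""
    label, tld = split_domain(protected)
    cands = candidate_labels(label)
    hits = []
    for domain in feed:
        domain = domain.lower()
        if domain == protected.lower():
            continue  # our own registration, not a lookalike
        flabel, ftld = split_domain(domain)
        if flabel == label:
            hits.append((domain, "tld-swap"))          # acmeinc.co
        elif ftld == tld and flabel in cands:
            hits.append((domain, cands[flabel]))
        elif ftld == tld and levenshtein(flabel, label) <= max_distance:
            hits.append((domain, "edit-distance"))     # acme-inc.com
    return hits

if __name__ == "__main__":
    for domain, technique in find_lookalikes("acmeinc.com", NEW_DOMAINS):
        print(f"{domain:20} {technique}")
```

Each hit is a candidate for the triage steps listed in the paragraph (block inbound mail, abuse report, IP team, customer warning); the technique label helps decide how aggressive to be, since a homoglyph like acme1nc.com is far more likely to be deliberate than a dropped letter.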
- Report a phish capability. Karl Boyd (H/T) in our InfoSec team wrote a plugin that embeds a button in Outlook and will send a phishy email to InfoSec for analysis. We migrated to using the Cofense plugin, but for those of you that are not Cofense customers, we are very glad to share our (unsupported but easy to understand) code. We love this functionality - it engages users and it provides us with early warning of attacks. We receive several thousand submissions every month, which implies that the response mechanism needs to be pretty robust. Karl and his team have implemented significant automation. You'll end up there too in any implementation of scale.
Mitigating Controls
- Third party "takedown" services. These services allow you to take down phishy emails, fake domains, and uploaded malicious apps. They work by maintaining a network of relationships with ISPs, telecom providers, and law enforcement to be able to get things done quicker than you ever might. Their value is undisputed when you need them (sort of like you hate insurance until you have an accident), but there is a real question around which companies should purchase these services. Large, targeted companies are the obvious ones. The others - not so much.
- Security awareness. Another Holy Grail. How do you make awareness fun, interesting, educational, and behavior changing? We are struggling with the same problem as everyone else, but we do a combination of: multi-media awareness messages using email, newsletters, first-person accounts, etc.; videos such as the humorous Restricted Intelligence series; and town halls, both in person and virtual.
- Phishing simulations. A recent trend in the industry has been to "test" employees with fake phishing emails. We have been testing our employees for a couple of years now, but just testing is not your solution. You have to either adapt your training to change behavior; or you have to tie in disciplinary action to force behavior change. Either is a reasonable option. We've started with the former, but are pivoting towards the latter. But we're giving our employees every chance to get educated, re-train, and be more secure. Let's be clear - phishing simulations should have the goal of improving user security and company security and should never be punitive for compliance reasons alone. What we have found is that in combination with these simulations, training, and phish reporting capability, users are 5x more likely to report a suspicious email and also more likely to flag a legitimate email as phishy (which we are perfectly OK with).
We measure a few things about our phishing simulations program. Percentage of people who succumbed, percentage who reported it, the ratio of the two, and all of these measured for new employees who get a standard test every quarter.
- Response processes on phish detection. Do you have the capability to swiftly respond when someone is targeted by a phish? For example, can you tell who else was targeted? Can you tell which of those people succumbed to the phish? Can you delete the emails in user mailboxes? Can you block senders, subject lines, domains, and others? Can you get websites or domains taken down? You don't have to have the capability to do all this, but make sure you address the most important (to you) capabilities.
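The questions in that paragraph are exactly the queries a responder runs once a report lands, so here is an added example (my own illustration, not the article's or any vendor's tooling) that answers them from two constructed log extracts: a mail-gateway log to scope who else received the same sender or subject, and a web-proxy log to see who then visited the phishing host. The log format, hostnames and users are all made up for the example; the output is the scope of the campaign plus the indicators you would feed into blocks, purges and a takedown request.

```python
"""Scope a reported phish across mail and proxy logs (constructed sample data)."""
import re

# Constructed mail-gateway log: one delivery per line, key=value fields.
MAIL_LOG = """\
2019-03-04T09:12:01Z from=ceo@acme1nc.com to=alice@acme.example subject="Urgent wire request" url=http://acme1nc.com/invoice
2019-03-04T09:12:03Z from=ceo@acme1nc.com to=bob@acme.example subject="Urgent wire request" url=http://acme1nc.com/invoice
2019-03-04T09:12:07Z from=ceo@acme1nc.com to=carol@acme.example subject="Urgent wire request" url=http://acme1nc.com/invoice
2019-03-04T09:30:00Z from=newsletter@vendor.example to=dave@acme.example subject="March newsletter" url=http://vendor.example/news
"""

# Constructed web-proxy log: who browsed where after the mail arrived.
PROXY_LOG = """\
2019-03-04T09:15:40Z user=alice host=acme1nc.com path=/invoice status=200
2019-03-04T09:40:11Z user=dave host=vendor.example path=/news status=200
2019-03-04T10:02:19Z user=bob host=intranet.acme.example path=/ status=200
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn 'ts key=value key="quoted value"' into a dict (timestamp under 'ts')."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def host_of(url):
    """'http://acme1nc.com/invoice' -> 'acme1nc.com'."""
    return re.sub(r"^\w+://", "", url).split("/")[0].lower()

def find_campaign(reported, mail_log):
    """Every delivery sharing the reported sender address or subject line."""
    return [m for m in mail_log
            if m.get("from") == reported["from"] or m.get("subject") == reported["subject"]]

def who_clicked(campaign, proxy_log):
    """Users whose proxy traffic reached a host linked from the campaign mails."""
    hosts = {host_of(m["url"]) for m in campaign if "url" in m}
    return sorted({p["user"] for p in proxy_log if p.get("host", "").lower() in hosts})

def response_plan(reported, mail_text=MAIL_LOG, proxy_text=PROXY_LOG):
    """Answer the responder's questions: who was targeted, who clicked, what to block/purge."""
    mail_log, proxy_log = parse_log(mail_text), parse_log(proxy_text)
    campaign = find_campaign(reported, mail_log)
    hosts = sorted({host_of(m["url"]) for m in campaign if "url" in m})
    return {
        "targeted": sorted({m["to"] for m in campaign}),
        "clicked": who_clicked(campaign, proxy_log),
        "block": {
            "sender": reported["from"],
            "sender_domain": reported["from"].split("@")[-1],
            "subject": reported["subject"],
            "hosts": hosts,                 # candidates for URL blocking and takedown
        },
        "purge": [(m["to"], m["ts"]) for m in campaign],  # mailbox deletions to request
    }

if __name__ == "__main__":
    report = {"from": "ceo@acme1nc.com", "subject": "Urgent wire request"}
    for key, value in response_plan(report).items():
        print(f"{key}: {value}")
```

In a real deployment the two parsers would be replaced by queries against your mail gateway and proxy, but the joins are the same: the reported message scopes the campaign, the campaign's recipients are your "who else was targeted", and the campaign's URL hosts joined to proxy traffic are your "who succumbed".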
Recommendations
So, we do a lot of things to mitigate phishing attacks. Here's a chart of how these controls have worked for us (the mapping between the sections above and the chart below is good but not perfect). Your mileage may vary, but it's at least a good benchmark from which to start. What do you think? What's worked well for you? Share with the InfoSec community in the Comments below.
///
Aurobindo Sundaram is a security executive with 20+ years of experience in the information security space. He has written code that went into Windows NT, met Bill Gates, visited all 50 US states, and he really, really enjoys Sichuan cuisine. The opinions presented above are his personal views and are not those of any organization with which he is affiliated. All his LinkedIn Short Articles are available here.
Driving the journey to the cloud and platform
6 years ago: a great comprehensive summary around the fight against phishing
CEO-Abhisam Software Group | Engineer MBA | Process Industry | OT Security | Ed Tech
6 years ago: Great list of anti-phishing measures. The lookalike domain method for phishing prevention seems hard due to the enormous number of permutations that you can get, e.g. when .co domains were made available there was a mad rush by scammers to corner those, because most people cannot recognize the difference between xyz.com and xyz.co in the URL or the email address at first glance. Ditto for commonly misspelled URLs. Secondly, when people are in a hurry, they tend to be less alert to suspicious emails than when they are relaxed, so the same person can fall into the trap depending on when he/she received that email.
Through good communication, arriving at solutions that suit both the colleagues in the primary process and ICT best
6 years ago: Roel Langendonck