A recent ZDNet article cites statistics from Proofpoint that indicate a noticeable shift in the tactics of adversaries who use phishing to deliver malicious code. Eighty-five percent of all malicious email spam sent in Q2 2019 contained a link to download a malicious file.[1] Malicious links are now the preferred method, appearing three to four times more often than malicious attachments; this is consistent with what Agio’s incident handlers have encountered over the last 12 months. Our data suggests that cybersecurity education and awareness efforts have been effective in conditioning users to avoid opening attachments. However, almost every major organization’s ubiquitous use of links when sharing documents or asking for updates has made the user population more susceptible to link-based lures.
More than 99 percent of the observed attacks required human interaction to succeed.[2] The cat-and-mouse game of improving defenses only to have adversaries adapt is a dynamic in which technology is the ever-changing variable. Users are the one constant. Heuristics, optics, threat hunting, artificial intelligence, process monitoring, threat feeds, and predictive models are effective to varying degrees at different points. The challenge—and likely the most effective strategy—is to condition users (wherever possible) to recognize the bait AND to avoid temptation by taking specific actions related to email and avoiding certain actions that involve links.
Review your cybersecurity training content and make sure it’s aligned with the threats. Give your users more than an annual “check in the box” by combining a realistic evaluation of their susceptibility with meaningful examples of the actions they should take and those they should avoid.
Avoid Using Supplied Links
Instead, use an app to access your account when prompted to take action, update your account, or check the status of your order.
Use Your Saved Links
Visit sites directly by using your own saved favorite or by manually typing in the destination.
While we, the users, are the weakest link, there are technical controls that can serve as a backstop if a user ignores their training and clicks a link or is exposed to other forms of malicious content, such as pop-ups or malvertisements. Using artificial intelligence and machine learning to label incoming mail can increase awareness and serve as a platform-independent visual indicator for suspicious messages. Controlling the Domain Name System (DNS) at the host level has also proven effective for reducing the number and effectiveness of ransomware, malware, and phishing instances.
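One concrete form of the mail-labeling control described above, added here as an example rather than code from the original article or from Agio's products: it inspects the links in an incoming HTML message, flags any that point outside an assumed organisation allowlist or whose visible text shows a different destination than the real one, and prepends a visible tag to the subject so the user is reminded to use a saved link instead. The allowlist, the header name and the sample message are constructed for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed: domains this organisation treats as its own (hypothetical allowlist).
TRUSTED_DOMAINS = {"example.com"}
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # (href, text)

def _host(value):
    """Hostname of a URL or bare domain, lowercased; '' if there is none."""
    value = value.strip() if "://" in value else "http://" + value.strip()
    return (urlparse(value).hostname or "").lower()

def _shown_host(text):
    """Host implied by the visible link text, only when that text itself looks like a URL."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    return _host(text) if re.fullmatch(r"\S+\.\S+", text) else ""

def link_findings(raw_message):
    """Return warning strings for the links in the HTML body of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    findings = []
    for href, text in _ANCHOR.findall(body.get_content() if body else ""):
        target, shown = _host(href), _shown_host(text)
        if not any(target == d or target.endswith("." + d) for d in TRUSTED_DOMAINS):
            findings.append(f"external link to {target}")
        if shown and shown != target:  # displayed destination differs from the real one
            findings.append(f"link text shows {shown} but points to {target}")
    return findings

def label_message(raw_message):
    """Prepend a visible warning to the subject when the links warrant it; return the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = link_findings(raw_message)
    if findings:
        msg.replace_header("Subject", "[EXTERNAL LINK: use your saved link] " + msg["Subject"])
        msg["X-Link-Warning"] = "; ".join(findings)  # hypothetical header for downstream filters
    return msg

# Constructed sample: the sender domain is a made-up lookalike under the reserved .test TLD.
SAMPLE = """\
From: Accounts <billing@examp1e-invoices.test>
Subject: Action required: update your account
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://examp1e-invoices.test/login">update your account</a>
or sign in at <a href="http://examp1e-invoices.test/x">https://mail.example.com</a>.</p>
"""
```

A message whose every link stays inside the allowlist and whose link text matches its destination passes through with its subject untouched.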
Despite the increase in targeted, sophisticated phishing campaigns, Agio has had great success in evaluating threats, testing users, and training organizations to avoid becoming victims. Additionally, our Phishing Protection and Mobile Web Security solutions can complement Cybersecurity Awareness Training to provide a defense in depth approach to combat the biggest threats to your firm. Contact us to discuss how we can help raise awareness and prevent your organization from becoming another statistic.