They arrive in the form of apparently innocuous emails from information technology managers, automated system messages or even loved ones, with seemingly benign requests to download a file, go to a link or authenticate login information. They can be nearly flawless, sporting company logos and personal signatures.
But with a click, or the entry of only a few characters, a network is compromised, a doorway opened for cyber attackers to extract whatever they desire.
Spear phishing attacks, the targeted form of phishing that uses familiar or official-looking emails to take advantage of trusting network users, have become an all-too-common threat, compromising small, simple networks and advanced security systems. Some of the most highly publicized cyber attacks, including the RSA SecurID breach in March, have relied upon spear phishing as an initial point of entry onto networks.
The RSA SecurID breach potentially compromised millions of the company’s tokens, the software or hardware devices that generate a regularly changing authentication code. Reports indicate the compromise may have provided vital information to attackers who later targeted L-3 Communications and Lockheed Martin.
PhishMe, a 15-person software company that counts defense companies and federal agencies such as the Energy Department among its list of clients, wants to improve security at its weak point: human beings. The company has designed a software system that creates emails that employ the tactics cyber attackers use, but instead of harmful consequences, users who are tricked are met by information on phishing, sometimes in the form of a video or even a “Jeopardy!”-like trivia game training them to avoid phishing attacks in the future. The emails are sent periodically to network users of the 99 organizations that subscribe to the service, indistinguishable from normal email traffic, lying in wait to surprise a user just as a malicious email would.
Although an initial notice is normally sent to users informing them of the upcoming training emails, the simulated attacks themselves bear no special mark, preventing employees from screening for test emails and creating an immersive training environment.
“You’ll see the typical security geek saying, ‘People are dumb, people are stupid, they’re never going to be trained,’ ” said Rohyt Belani, PhishMe co-founder and CEO. “We have statistics to prove otherwise.”
The company, headquartered in Chantilly, Va., has seen drastically improved phishing awareness in the 3.1 million people who have been trained using the software, Belani said. When the software is used, the percentage of people susceptible to an attack falls by roughly 80 percent with the remaining targets falling to less than 10 percent of a company’s total number of employees, he said.
The effort to improve security through training as opposed to technology runs contrary to security orthodoxy, Belani said. “ ‘What’s a blinky, shiny box that I can throw at it and this problem will go away?’ has been the mindset,” he said.
Companies and agencies can’t simply block all incoming unrecognized email with security tools, because that would hinder operations, and computers have difficulty distinguishing phishing attempts from legitimate traffic. So despite advancements in filtering technologies, problem emails get through.
“Computers are very good at matching data, they can be good at matching patterns,” said Michael Graven, a director at Mandiant, a Washington information security company. “They’re not very good at thinking about what they’re looking at. If you can reduce a problem to ‘Is it the same or is it different?’, you’ve got a good shot of technology being able to help. If you have to stop and think about the implications, all of a sudden it gets a lot harder for a computer to make the decisions.”
The result, experts said, is that organizations can pile on new systems and new software that will protect against direct threats but are unlikely to catch many spear phishing attacks. Cyber attackers have caught on, and spear phishing has become the tool of choice.
“We noticed a trend where hackers said, ‘Organizations are protecting their crown jewels of the past, like their main Internet, Web applications and websites,’ ” Belani said. “ ‘How about we go after the weaker link, which is their employees and workforce, and if we can get them to assist in compromising their systems, guess what, now we’ll have a foothold in their internal networks.’ ”
Security measures that can remove obvious attacks are helpful, said Jim Lewis of the Center for Strategic and International Studies. But since human beings serve as the only direct defense against an email that gets through filters, training is also needed.
“Technology alone can’t solve the problem,” he said. “You need to do both. At some point, we’ll get to technologies that make it less important for human beings, but until that happens, you need to have a human component.”
The training, while necessary, is not a permanent solution, Belani said. He cited one client who skipped a year of training while reorganizing the company, and then returned to the service.
“We found that the numbers had crept back up, not to the original crazy levels, but they had crept back up significantly in their susceptibility,” he said.
Belani said he has heard some complaints from IT departments that employees are now being very cautious about internal emails, but he believes the price is worth it.
“If we’re hitting productivity by people spending an extra four seconds on email so that you don’t have to shell out hundreds of thousands of dollars on incident response and reputational impact if one of these spear phishing attacks succeeds, I think it’s fair enough,” he said.
Headquarters: Chantilly, Va.
Parent company: Intrepidus Group.