By Atif Mushtaq, CEO at SlashNext
Successful phishing attacks depend on a quick response from users – and it’s working all too well.
While many employees have received some form of training to spot security scams, studies have found that users still tend to click on a malicious email within a minute of receiving it. Webroot reports that 75% of phishing URLs are taken down within 8 hours, after which the attackers simply move on to the next campaign. This leaves little time for slow-paced security tools: phishing domains and URLs change so fast that standard blacklist-based engines can no longer keep up.
Security tools for email and web browsers are designed to protect against the majority of known phishing attacks and malware, but sophisticated, socially engineered phishing continues to evolve faster than those protections can respond. Email remains the most popular attack vector, but criminals have broadened their reach to target unsuspecting users through pop-ups, social media, ads, search results, instant messaging, rogue apps, and more. People click on these seemingly innocent items in their browser, and within a few minutes the attackers have collected all the data they need and moved on to the next site. By the time security teams catch up, the attack is long gone and being hosted somewhere else.
This compressed timeline means the first few minutes after delivery decide the outcome. Protecting an organization in today's phishing landscape requires a high-speed, highly automated, real-time approach that operates faster than both users and attackers. If a threat feed is just 45 minutes late, there is a strong chance the attack has already disappeared. A majority of the phishing URLs detected by our threat detection technology are hosted either on compromised domains or on legitimate cloud services. Phishers know an organization cannot blacklist Amazon or SharePoint outright, so any service that hosts arbitrary HTML becomes a vehicle for evading domain-reputation engines: the hosting domain's reputation is good, and only the specific URL is malicious.
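The granularity problem described above, as an added example that is not SlashNext's code or feed: a small Python matcher that applies a domain-level blocklist and a URL-level blocklist to the same traffic. The host `cloud.example.net` stands in for a shared hosting service such as SharePoint or an S3 bucket; all URLs, feed entries and the helper functions are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Indicator:
    """One blocklist entry: kind is 'domain' or 'url'; value is normalized."""
    kind: str
    value: str


def normalize_url(url: str) -> str:
    """Canonicalize a URL so trivial variations (host case, explicit default
    port, fragment, query-parameter order) cannot slip past an exact match.
    The path keeps its case because many hosts treat paths case-sensitively."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    path = parts.path or "/"
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((scheme, host, path, query, ""))  # fragment dropped


def host_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def verdict(url: str, feed: set[Indicator]) -> str:
    """Return 'block' if the normalized URL equals a URL indicator or its host
    falls under a domain indicator; otherwise 'allow'."""
    norm = normalize_url(url)
    host = urlsplit(norm).hostname or ""
    for ind in feed:
        if ind.kind == "url" and ind.value == norm:
            return "block"
        if ind.kind == "domain" and host_matches(host, ind.value):
            return "block"
    return "allow"


# Constructed sample traffic. cloud.example.net stands in for a shared hosting
# service that serves a phishing page and legitimate pages side by side.
PHISH_ON_CLOUD = "https://cloud.example.net/personal/jdoe/Documents/invoice.html"
PHISH_VARIANT = "HTTPS://Cloud.Example.net:443/personal/jdoe/Documents/invoice.html#signin"
LEGIT_ON_CLOUD = "https://cloud.example.net/sites/finance/report.html"

# Two constructed feeds for the same phish: one lists the hosting domain,
# the other lists the exact phishing URL.
DOMAIN_FEED = {Indicator("domain", "cloud.example.net")}
URL_FEED = {Indicator("url", normalize_url(PHISH_ON_CLOUD))}


def compare_feeds() -> dict[str, dict[str, str]]:
    """Verdicts for each sample URL under each feed, keyed by feed name."""
    samples = {"phish": PHISH_ON_CLOUD, "variant": PHISH_VARIANT, "legit": LEGIT_ON_CLOUD}
    return {
        "domain_feed": {name: verdict(u, DOMAIN_FEED) for name, u in samples.items()},
        "url_feed": {name: verdict(u, URL_FEED) for name, u in samples.items()},
    }


if __name__ == "__main__":
    for feed_name, results in compare_feeds().items():
        print(feed_name, results)
```

The domain entry blocks the phish but also the finance team's legitimate report on the same service, which is exactly why a shared host cannot be blacklisted wholesale. The URL entry blocks only the phish and its trivially varied copy (different case, explicit port, added fragment), and lets the legitimate page through; without normalization an exact-match list would be defeated by those variations. What neither feed catches is the same kit re-hosted at a new path a few hours later, which is the speed problem the rest of the article is about.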
A better approach is to consume live data streams without any manual intervention, which provides the speed needed to protect organizations from being phished in real time. Detecting a phishing URL two hours or more after it goes live is useless: by then the attackers have already obtained the information they wanted and moved the attack elsewhere in search of new victims.
Blending real-time analytics, automation, and integration across a broad observation space reflects the agile, technology-driven approach to security that defenders need in order to manage the highly dynamic risk of phishing. Combining pre-delivery detection with post-delivery protection and response, and drawing on the expertise and focus of specialized solution providers, is by far the fastest and most effective strategy in this accelerating race against time. Ignoring phishing-specific security features leaves an organization exposed to fast-moving threats arriving from all over the web.
What is needed is a new approach to threat intelligence that is more automated and more accurate. By evaluating many more characteristics of each site, in the cloud, such a platform can immediately render a definitive verdict: malicious or benign. This differs from legacy threat feeds, which offer only a probability of being malicious or a vague "suspicious" score that still leaves the blocking decision to the consumer. With a binary yes/no verdict, a blocking threat feed can supply a continuously updated list of zero-hour phishing URLs, domains, and IPs, along with indicators of compromise, to stop attacks before they begin.
A real-time threat intelligence feed continuously sifts through the dynamic data collected from multiple proprietary sources and from proactive threat hunting. Because such a feed drives automatic blocking, it must also deliver near-zero false positives: every false positive blacklists a legitimate website.
About the Author:
Atif Mushtaq is founder and CEO of SlashNext, the company pioneering a new, more effective way of protecting companies from the growing problem of Web-based phishing. Prior to founding SlashNext, Atif spent nine years at FireEye as a senior scientist, where he was one of the main architects of FireEye’s core malware detection technology. He has spent most of his career on the front lines of the war against cybercrime. He has worked with law enforcement and other global organizations to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo and Grum botnets.