Science shows that the method that almost all companies adopt to solve 70% of cybersecurity problems is NOT the right one.


This should concern us. But rest assured: nothing will change. Because this isn't cryptography or any other sexy topic in the field (EDR, blockchain security, post-quantum crypto, you name it). The cybersecurity market has already chosen a completely different direction.

What is it about?

Researchers at the Swiss Federal Institute of Technology Zurich (ETHZ) have just demonstrated that phishing test practices, those commonly found in companies, are the exact opposite of what should be done.

They say it in the muffled words of scientists who must take precautions and calculate their margins of error. While they belong to a predominantly technological laboratory, they are following the work of the European Cybersecurity Agency (ENISA) or other researchers who have explored behavioral, neuroscience and psycho-social approaches to cyber. But who reads these studies? Who implements their teachings?

Without these scientific studies in cyber, how can we tell the difference between grandma's recipe, which is still effective, and the "best practices" in cyber security?

Although not well known in France, ETHZ has an Institute for Information Security recognized for the quality of its work and teaching. ETHZ also hosts the Center for Security Studies, which deals with cyber issues as well, but from a military and diplomatic perspective. Here too, very interesting work has been done, particularly on the subject of digital sovereignty.

The authors of the study are two PhD students supervised by Srdjan Capkun, the director of the Zurich Information Security and Privacy Center (ZISC), to which the Institute for Information Security belongs.

The problem of phishing - and its treatment - is far from trivial.

The impact of phishing remains major. According to the CESIN (Club des experts de la sécurité de l'information) 2022 study, published in January 2022, the most widespread attack vector remains phishing (73%), ahead of the exploitation of software vulnerabilities (53%). These figures, collected by an OpinionWay survey of CESIN members, are in line with those of the American company Verizon, which in its latest Data Breach Investigations Report (DBIR, 2021) announced that 91% of observed attacks involve phishing.

However, it cannot be said that the problem is new.

At the root of the problem

What is an email? Not much, after all: a few kilobytes or megabytes exchanged. Invented in 1971 by Ray Tomlinson, email remains a universal way to reach just about any Internet user. Today, email is defined by a set of 15 to 18 specifications (RFCs). Despite its initial simplicity (a terminal and a few commands, not far from our historical Minitel), email is a complex subject, and 50 years after its birth, solving email security problems is still complex. Fighting the spoofing of one's own domain names is one example: configuring DKIM, SPF and DMARC correctly is not obvious. It is possible to have proof of the sender's identity with S/MIME signatures, the first version of which was invented in 1992. But nobody, or almost nobody, uses it.
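Why SPF and DMARC are easy to get wrong, as an added example that is not part of the original article: the sketch below lints TXT records for a few common mistakes. The records are constructed for the placeholder domain example.com, and the function names are hypothetical.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP = re.compile(r"^(include:|exists:|redirect=|(a|mx|ptr)(?=$|[:/]))")

def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: record does not start with v=spf1"]
    findings, lookups, all_qual, redirect = [], 0, None, False
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"  # default qualifier is "+"
        bare = term.lstrip("+-~?").lower()
        lookups += bool(LOOKUP.match(bare))
        redirect = redirect or bare.startswith("redirect=")
        all_qual = qual if bare == "all" else all_qual
    if all_qual in ("+", "?"):
        findings.append(f"spf: {all_qual}all does not fail unlisted senders")
    elif all_qual is None and not redirect:
        findings.append("spf: no 'all' term, unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS lookups, limit is 10 (permerror)")
    return findings

def lint_dmarc(record):
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1":
        return ["dmarc: record does not start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    elif policy == "none":
        findings.append("dmarc: p=none asks receivers to take no action on failures")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so no aggregate reports arrive")
    return findings

# Constructed records for the placeholder domain example.com.
SAMPLES = {
    "spf_weak": "v=spf1 include:_spf.example.net ?all",
    "spf_good": "v=spf1 mx include:_spf.example.net -all",
    "dmarc_weak": "v=DMARC1; p=none",
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, (lint_spf if name.startswith("spf") else lint_dmarc)(record) or "ok")
```

Both weak records are syntactically valid and would publish without error, which is why this kind of misconfiguration goes unnoticed.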

In 1995, the first phishing attack was recorded. It targeted the users of the first public Internet access provider, AOL. A tool was distributed to steal passwords and credit card numbers. An automated message was sent to users' email addresses, chosen at random.

Hello, this is AOL customer service. We are conducting a security check and need to verify your account. Please enter your username and password to continue.

Here we find one of the foundations of many phishing messages: the use of authority. It is similar to the "money, sex, ideology, ego" levers used to recruit an intelligence source. This argument of authority is present in the rhetoric of Aristotle, Schopenhauer or, more recently, Clément Viktorovitch. It is just as present in "fake president" scams, particularly cinematic ones like those carried out by Gilbert Chikli, finally sentenced in France in 2021: 11 years in prison and 2 million euros in fines. In particular, he assumed the identity of Minister Le Drian, under a mask and in front of a set, to extort funds from public figures. They thought they were financing a clandestine French intelligence operation.

At the same time, before his arrest in 1995, Kevin Mitnick was living the high life and making the FBI look bad. It took two and a half years of tracking to catch the man who remains the first hacker to be on the FBI's 10 most wanted list, known for his feats of social engineering and for manipulation skills worthy of Frank Abagnale, the American who inspired Spielberg's film "Catch Me If You Can". After several years in prison, Mitnick turned this experience into a cyber security consulting business. He became the "Hacker in residence" face of KnowBe4, the global market leader in phishing simulations and accompanying training.

Three incredible lives, certainly out of sync in time, but with comparable motives. Let's not forget that, despite the panache, they were malicious and criminal. Among many others.

In 2018, a statistic was circulating: 3.7 billion users send 269 billion messages per day. In 2021, the daily volume of sending is estimated at 320 billion. See the impact of fraudulent emails, even imagining that they are in small proportion?

Almost 30 years after Mitnick, the phishing problem is far from over. Today, companies no longer face isolated attackers, but highly structured ecosystems, which share information and offensive R&D far better than companies do with each other in their defense. Criminal ecosystems, such as ransomware gangs, and state, private and public espionage ecosystems within countries that include China, Russia, North Korea and Iran.

The right image for phishing is not the good fisherman with a hook on the end of a line. It's more like the much maligned electric trawling, which goes very wide and doesn't give the fish a chance.

Presidential candidates can always be made to pay for it. As in her time Hillary Clinton and her Democratic National Committee (DNC), during the campaign won by Trump. With the rise of tensions around Ukraine, a climate that looks more and more like the Cold War, and the first destabilization operations of critical infrastructures in Europe, this is not to be taken lightly.

So, what are phishing tests really worth?

Let's get back to our... sheep. Insurers now have significant experience (and statistics) on cyber claims. But when it comes to cyber, insurers don't bother with science for what remains, for the moment, a specialty risk. The immediate causes of each major loss lengthen the list of prerequisites for being insured or, from one year to the next, for hoping to keep the same premium rate. Making a false declaration at the time of subscription, or not applying the declared measures during the life of the contract, exposes the policyholder to the contract being declared void. This is essential to enable the insurer to fight against insurance fraud. And practical in the event of a major claim: no need to pay.

This is why it is required to carry out phishing simulations for phishing risks. With one major problem: the simulation takes place in the real environment. Real emails are sent to email boxes by cyber experts who seek to "sensitize" or "crash" users. It depends on your point of view.

Shooting someone, even with blanks, is not going to teach them to dodge bullets.

Yet that's what's being done with phishing. Instead of focusing on setting up an effective filtering device and a way to trace suspicious emails.

Because many companies don't know what to do with these email reports, so they don't encourage them. Don't know how to use the results of an indicator? It's simple, we delete it. It's a pity, when this indicator can contribute directly to solving 70% of the problems for which, in the companies of the SBF 120 and similar, millions, tens or even hundreds of millions of euros are spent every year.

This is another proof of the key phenomenon in cyber security: the concept of "throwing money at a problem" (in my opinion more explicit).

Let's come to the results of this study and its lessons learned

A study that should lead to a complete overhaul (source: cyberbrief.fr)

After 15 months of experimenting with anti-phishing campaigns with more than 14,000 participants, doctoral students from the ETH University in Zurich, Switzerland, came to a clear conclusion: Awareness raising against phishing in companies can make employees even more vulnerable. Faced with this major problem, the conclusion of the experiment advocates the sharing of phishing detection by all employees.

Phishing techniques are becoming increasingly subtle and complex. To protect themselves, companies can send a test to their employees to train them. However, current practices are not very effective or even counterproductive.

This is the main result of a study conducted at the ETH University of Zurich in Switzerland, involving 14,000 participants over 15 months. This study, submitted on December 14, 2021, details an experiment conducted in collaboration with an anonymous company and its cybersecurity manager. This company did not inform participants of their participation. "What we saw that was interesting, if you go through training to find email bombs, it becomes much more likely that you actually fall for future phishing attempts," explains Daniele Lain, a PhD student involved in the study. Indeed, 32.1% of the study participants clicked on at least one dangerous link or attachment.

If you are trained to find phishing emails, you are much more likely to actually fall for future phishing attempts.

These findings contradict previous research and call into question industry practices. Phishing training, when integrated with a phishing simulation, is therefore counterproductive. Yet a great many players in the market offer mini-training as part of phishing tests. This has become a standard expectation of the principals, cybersecurity directors and CIOs. Furthermore, repeated exposure to phishing tests does not significantly reduce the vulnerability of certain groups within the company.

Only the use of a shared, enterprise-wide detection service can reduce the threat. To reach this conclusion, the researchers sent out booby-trapped emails with a report button in case of suspicious emails. The result: 90% of employees reported six or fewer suspicious emails. These doctoral students are the first to demonstrate experimentally that only the detection of phishing by all employees of the company is really effective.

To deal with phishing emails that would not be detected by email filtering tools, only one practice is truly effective:

  1. Give all employees the possibility to report potentially dangerous emails
  2. When the email is viewed, display an alert message to all other employees
  3. Have a technical team and tools that will confirm or not the dangerousness of these emails, without this confirmation being necessary before step 2.

As with any safety or security issue, the key issue is time control.

Not the number of people who "pass" or "fail" phishing tests.

The time it takes to detect a fire and automatically extinguish it by triggering the sprinklers and the intervention of the fire department, on site or nearby. In addition, the role of the first responders, who can be simple employees trained to handle an extinguisher or to be a queue guide or queue clerk to facilitate evacuations.

Or the detection of a threat, physical or digital, and its suppression or return to normal. With more and more, supported by platforms such as Captain Cyber (our startup), the intervention of non-experts in cyber security operations, in support of the SOC.

According to Verizon, a large-scale phishing campaign takes an average of 16 minutes to make its first victim. In contrast, the first report of such an email to an IT department takes (again on average) twice as long, 33 minutes.
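The three-step practice above, replayed against the 16 and 33 minute averages, as an added example that is not code from the study or from any product: it compares alerting on the first report with waiting for the technical team's verdict. The timeline, user names and function names are constructed for the illustration.

```python
# Constructed timeline, in minutes after delivery. 16 and 33 are the Verizon
# averages quoted above; every other value and name is made up.
EVENTS = [
    (16, "ana", "open"),
    (21, "ben", "open"),
    (33, "cho", "report"),
    (40, "dev", "open"),
    (55, "eli", "open"),
    (90, "soc", "verdict:malicious"),
    (120, "fay", "open"),
]

def replay(events, warn_before_triage=True):
    """Return {user: view}; view is 'plain', 'warned' or 'blocked'."""
    reported, verdict, views = False, None, {}
    for _minute, actor, action in sorted(events):
        if action == "report":
            reported = True                     # step 1: anyone can report
        elif action.startswith("verdict:"):
            verdict = action.split(":", 1)[1]   # step 3: technical confirmation
        elif verdict == "malicious":
            views[actor] = "blocked"
        elif reported and verdict is None and warn_before_triage:
            views[actor] = "warned"             # step 2: alert on the first report
        else:
            views[actor] = "plain"              # not reported, cleared, or waiting
    return views

def opened_without_alert(views):
    return sorted(user for user, view in views.items() if view == "plain")

if __name__ == "__main__":
    for early in (True, False):
        print("warn before triage:", early, opened_without_alert(replay(EVENTS, early)))
```

In this timeline, waiting for confirmation doubles the number of people who open the message with no alert, and the two who opened before the first report are unprotected either way, which is why the time to the first report matters.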

The problem with phishing is not the email channel alone, it's the ability to exercise sound judgment to make a quick and safe decision following an online solicitation.

Over the years, communication channels have multiplied. Alongside email there are text messages and iMessage (smishing, by SMS), messaging integrated into social networks (Facebook Messenger, Instagram, DMs on Twitter, LinkedIn messages...), professional instant messaging (Slack, Microsoft Teams, Google Chat...) or personal messaging (WhatsApp, Viber), customer contact messaging (Intercom, Zendesk, Crisp), and more or less secure messaging (Olvid, Signal, Telegram). Not forgetting "traditional" vishing (by voice / phone). Attacks already use deepfake photos of non-existent people, and soon will use deepfake audio and video conversations.

Far from simplifying, the problem of phishing, in all its forms, is increasing. For the moment, inexorably.

This means that if we want to approach phishing as a technical problem specific to each channel, it's lost in advance. Instead, we should exercise our employees' critical thinking skills. As innovators and hackers do: "think out of the box".

Conclusion: in fact, the real situation is much worse than the results of the ETHZ study show

Because this technical obsession with email phishing is exactly what is done in companies:

"Phishing is email first. Let's send phishing emails, and then we'll see what we do. To those who are 'failing', we send back new tests, and train them. To the ones who fail, we'll start HR procedures. After all, these people are c***."

Speech of a CISO who lost his faith? I'm hardly exaggerating.

Naming the evil, and naming it well, is not catastrophism, it is on the contrary giving oneself the means to take action.

In this case:

  1. Not only is the distribution of cybersecurity budgets not aligned with the risks (according to the available figures, about 20% of budgets should be dedicated to the human factor, whereas this human factor represents rather 1 to 2% of the budgets observed in companies). Who wants to make better use of this 20%, which today is spent on the accessory?
  2. The budget dedicated today to the human factor (the 1 to 2% that should be 20%) is also badly composed: an obsession with phishing will not effectively treat the problem of phishing (it is the tree, seen too closely, that hides the forest). And the ETHZ study teaches that the way in which these phishing tests are carried out, accompanied by training, needs to be completely revised.

Thus, it will always be counterproductive to use a SaaS service, even if it is European or French, and with a very ergonomic interface. If that interface and that pleasant experience are aimed only at 1% or 1 per thousand of the people concerned, namely CISOs and CIOs, instead of employees, it is completely useless. Even worse, it gives the illusion of security.

CIOs, CISOs and their teams are the customers, but it is the users who should be the focus of all efforts. Because they are on the front line.

Not for the sake of it, to achieve the customers' objectives. You get the idea, especially if this "nice" service is aimed at sending out phishing test campaigns and "training" employees following these tests.

But hopefully, some of you will choose to act.

Two examples show us that it is possible to turn the tables, for mid-sized companies (ETI) as well as large groups, all sectors combined. Beyond the subject of phishing, cyber strategies can be reviewed from top to bottom. And the benefits are considerable, including in terms of brand image. So can we really afford the luxury of not changing anything about phishing?

Completely changing strategy (if not doctrine or ideology) is what Equifax (USA, finance) did, and also the Leader Group (France, HR services), described this week by our colleagues in Les Echos. There is not enough time and space to talk about these cases here; it could be the subject of another newsletter.

These two groups have suffered cyber attacks that have largely destabilized them (respectively at the end of 2017 and the beginning of 2021). Fortunately, these groups survived (with some loss). However, they each decided to transform, from the ground up, their approach and practices to cybersecurity. Across the enterprise.

But why wait for such a big bang, in a destructive impulse?

Cyber is like climate change: by the time you feel its negative effects, it's already too late.

I don't know about you (at the same time, if you are reading these lines, it may not be totally by chance) but I don't want to be part of those people who blindly follow the movement. Especially with such stakes, individual and for the whole of our human societies. Because it would be to accept the same destiny as a herd of 600 sheep jumping off a cliff. And this happens regularly.

On the contrary, I believe I am one of those who make things change. That's why I went into what was not yet called cyber, and which was not "sexy" 20 years ago. And you, what do you want?