Phishing Defense: a New Approach

By Spencer Parker, Chief Product Officer at OutThink

Looking back over the last twenty years of all the security vendors’ annual threat reports, there are a lot of things that have changed. Adversarial tactics never stay still, and they are always looking to find new ways to breach customer networks.

But one of the few things that stood out was that human factors were involved in 80-90% of breaches, every single year! Over that period the cyber security industry has preached to customers that the way to fix this is through Security Awareness Training and phishing simulations.

These solutions have been present throughout that entire period, yet all they are achieving is keeping the figures at an unacceptable status quo. Just because you have achieved a compliance check box clearly does not make you any more secure than before!

So why is this not working? Having been on the receiving end of security awareness training for more than the last twenty years, I can say that cyber-splaining at people simply does not work. It does not matter if the video is slightly amusing, and most of these try to be; it just gets put to one side whilst it runs, and you tick the boxes at the end to say you have done it.

Phishing simulations, on the other hand, are a lot more engaging (especially when you fall for one!). As phishing is the primary entry point for adversaries to harvest corporate credentials, you would have thought the outcomes would have been better, but with the number of breaches rising exponentially this is certainly not the case.

What is going wrong and is there anything that we can do about it?

Firstly, we need to understand what our desired outcomes from these solutions are.

  1. To encourage better security behaviours as standard in our users
  2. To provide ongoing positive movement to our users to help them improve over time
  3. To be able to track this movement and adjust training to get the best outcomes from it
  4. To stop users from clicking on stuff they should not!

This all sounds simple enough, but for many of the incumbent solutions this is simply not what they do. To understand why these things are not working, we need to look not at the cybersecurity industry but at the advertising industry. For over sixty years now, advertising firms have followed the Four Ps of Marketing, invented in the 1950s by Neil Borden and popularized in 1960 by E. Jerome McCarthy. For those of you who do not know what the Four Ps are, they are Product, Price, Placement, and Promotion. To create an excellent marketing strategy, you follow these four Ps.

Step 1: Product: Determine what it is that you sell, whether it is a product, service, consulting, etc.
Step 2: Price: Decide how much you will charge for your product or service that will both help you make a profit but is realistic for your consumers.
Step 3: Place: Choose where you will sell your product or service.
Step 4: Promotion: Pick the best method of promoting your product or service.

You can influence all of these using error-provoking mechanisms such as visceral influences, failures of self-regulation, authority, overconfidence, imagination, and many others.

What about Phishing?

Phishing has been around since 1995 when hackers started impersonating AOL staff on AOL Instant Messenger to trick people into giving out their passwords, and it has been going strong ever since, moving to email, social media networks, gaming, and now corporate messaging apps such as Microsoft Teams.

Many anti-phishing solutions have been created to deal with these threats, but none will stop 100% of them, so it is imperative that we arm our users with the tools and behaviors needed to stop these attacks, and not to give out their corporate credentials or inadvertently launch a ransomware attack against the company. Many large and high-profile companies also face attacks from nation-state adversaries whose purpose can be much worse than ransomware.

Until recently, customers faced two main forms of phishing. The first is the standard e-criminal “spray and pray” attack, which mimics parcel services or financial companies and hopes that 1 in a million emails gets clicked on. The second is the more targeted spear-phishing attack, which uses reconnaissance techniques to craft emails aimed directly at a single user, containing both psychological and personal lures that apply the four Ps of marketing and the error-provoking mechanisms that go with them to make users do things they normally wouldn’t.

This does not even include smishing (SMS phishing) or vishing (voice phishing), or combinations of all three used for attacks such as Business Email Compromise (BEC).

These emails use product (a trusted brand), price (usually something free or giving $$$ away), place (in your inbox and not in the junk folder) and promotion (why you should click here; this is where the error-provoking mechanisms mostly reside, such as a sense of urgency or an authoritative voice).

In 2023 we now find ourselves fighting new, smarter phishing powered by AI (Artificial Intelligence) using Large Language Models such as WormGPT (the adversary’s own LLM, with the safety rails removed that were meant to stop LLMs such as ChatGPT being used for nefarious purposes). No longer are the e-criminal mass phishing attacks easy to spot due to bad spelling and grammar! Such models can also be used in BEC attacks to reply convincingly to users.

This in turn will make anti-phishing solutions less effective, so our users will be exposed to more phishing emails. Phishing-as-a-Service (PaaS) is also being taken to new levels by platforms such as “Greatness”, which today primarily attacks Microsoft 365 customers with advanced session cookie stealing capabilities and the ability to automatically mimic the target’s branded Microsoft 365 login pages.

Adversaries also have access to powerful OSINT tools to search for information on people and their connections. Many spear-phishing attacks no longer go directly after their intended target; instead, using these OSINT tools, the adversary works out which person within the sphere of connections of the end-game target is more likely to fall for a phishing lure. They can then impersonate that initial target, using the trust between the initial target and the end-game target to get what they are after.

OutThink calls this Human Lateral Movement, and understanding these connections forms a critical use case of Human Risk Management solutions. OutThink uniquely targets the training where it is most needed, bringing down the risk scores, especially those of the high-risk individuals within an organization.

Thanks for taking the time to read this blog. In the next blog I will look in more depth at Security Awareness Training, before diving into how OutThink is changing the game in Human Risk Management, empowering a security mindset in your staff which in turn changes your users’ behaviors and stops them from being so easily influenced by attackers.