Amid a troubling rise in zero-day phishing attacks, recent research suggests that some companies may be making an ill-advised shift away from blocking advanced email threats to responding to them post-delivery.
If true, the capitulation couldn’t come at a worse time. Since January, cybercriminals taking advantage of the COVID-19 outbreak have been targeting businesses and individuals with an unprecedented wave of phishing emails fraudulently offering government stimulus checks, alerts over exposure to the coronavirus, miracle cures, and more.
According to Google, as many as 68% of all email scams are zero-day phishing attacks, or attacks that have never been seen before—making them extremely difficult to detect and block using traditional signature-based inspection, which relies on recognizing a previously reported attack. Last year, for example, the most advanced forms of email threats factored into more than half of all cybercrime-related business losses amounting to more than $1.7 billion.
In fact, the situation may be so dire that a new survey from the Ponemon Institute suggests as many as three-quarters of all companies may be giving up on trying to prevent new cyberattacks altogether. If the survey findings bear out, it would be a very costly mistake.
According to the Ponemon survey, 40% of security professionals say they “strongly agree,” and another 36% “agree” with the statement that, “My organization focuses on the detection of cyberattacks because prevention is perceived to be too difficult to achieve.”
To be clear, the question gauges perceptions rather than verifiable data. But the responses are troubling all the same—especially when it comes to phishing, characterized by the FBI as the top vector for cyberattacks. While 79% of survey respondents report their organizations have been hit by phishing attacks, only 18% say they were able to prevent them. Zero-day phishing attacks are a particularly vexing problem.
Often, the malicious emails used in these attacks point to phishing sites on domains that haven’t been used in previous attacks. These are often set up and removed within as little as 4 hours to avoid detection. Others are hosted on legitimate sites that have been compromised. Increasingly, they involve cloud-based email systems and other cloud-connected services, including Microsoft Office 365, G Suite, and others.
With millions of the world’s corporate employees working from home due to the coronavirus pandemic, it’s a situation that’s growing worse by the day.
The harsh reality for many is that email attacks leveraging popular cloud services are unlikely to be blocked. Even worse, cybercriminals who manage to harvest credentials for employee email accounts can have little trouble moving laterally through an organization’s cloud-connected services—SharePoint, OneDrive, Teams, you name it—hijacking one account after another, seeding key systems with malware, stealing corporate IP, or exfiltrating customer data, along the way.
From January 2014 through October 2019, cybercriminals pilfered $2.1 billion in phishing scams targeting organizations operating within just two popular cloud-based email platforms, according to the FBI. And within the last few weeks, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings that more than 50,000 corporate employees have been targeted in new phishing attacks that impersonate an automated email from Microsoft Teams that links to a bogus login page in order to harvest their Office 365 logins. Blocking those attacks gets harder when the embedded links are set to redirect only after the email has landed in an employee inbox.
The problem: While most email platforms provide solid support for anti-spam, virus, and malware blocking, email archiving, email filtering, and even sandboxing, they rely on scanning for known dangers, including malware, or malicious links that have been added to watchlists. As a result, they lack what it takes to protect against advanced email threats that impersonate trusted senders (sometimes from compromised email accounts) in order to trick recipients.
Despite these shortcomings, the answer isn’t to give up on trying to block inbound attacks from reaching employees in favor of mitigation after the fact. According to reports in Security Boulevard, 56% of cybersecurity analysts say they’re already overwhelmed, with nearly a quarter (23%) unable to successfully investigate all identified incidents as it is now. We’ve already blogged about how false positives reported by employees add to the chaos.
The fact is, it’s not about pivoting from prevention to response. It’s about optimizing for both.
Agari uses identity-based defenses based on real-time intelligence from trillions of emails to recognize and understand relationships and trusted behaviors between senders and receivers. But we also realize no defense is perfect, which is why we developed automated continuous detection and response technology to hunt down latent threats that escape initial detection or have activated post-delivery.
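To make the contrast between signature scanning and the relationship-based approach concrete, here is a small added example (not Agari's code or any product's algorithm) that builds a per-recipient baseline of display-name/address pairs from a constructed mail history and flags a new message whose display name matches a known contact but whose address has never been seen for that name. The recipient addresses, sender names and domains are invented for the example.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample of past messages as (recipient, From header) pairs.
# Assumption: the organization keeps this metadata for delivered mail.
HISTORY = [
    ("alice@corp.example", "Dana Ruiz <dana.ruiz@partner.example>"),
    ("alice@corp.example", "Dana Ruiz <dana.ruiz@partner.example>"),
    ("alice@corp.example", "IT Helpdesk <helpdesk@corp.example>"),
    ("alice@corp.example", "noreply@vendor.example"),
    ("bob@corp.example", "Dana Ruiz <dana.ruiz@partner.example>"),
]


def sender_key(from_header):
    """Normalize a From header to (display-name key, address).
    A bare address has no display name, so it is keyed by itself."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    return (name.strip().lower() or addr), addr


def build_baseline(history):
    """Per recipient: display-name key -> set of addresses seen under that name."""
    baseline = defaultdict(lambda: defaultdict(set))
    for rcpt, from_header in history:
        key, addr = sender_key(from_header)
        baseline[rcpt.lower()][key].add(addr)
    return baseline


def assess(baseline, rcpt, from_header):
    """Verdict for one new message, using only the recipient's own history:
    'trusted'       - exact name/address pair seen before for this recipient
    'impersonation' - familiar display name, but an address never seen with it
    'unknown'       - no prior relationship; leave to other controls"""
    key, addr = sender_key(from_header)
    known = baseline.get(rcpt.lower(), {})
    if key in known and addr in known[key]:
        return "trusted"
    if key in known:
        return "impersonation"
    return "unknown"


def flag_impersonations(baseline, inbox):
    """Return the From headers in a batch of (recipient, From) pairs that
    look like trusted-sender impersonation, regardless of any blocklist."""
    return [f for r, f in inbox if assess(baseline, r, f) == "impersonation"]
```

A production version would add the sending domain's authentication results and the recipient's reply history, but the shape stays the same: the decision keys on who the sender claims to be relative to whom the recipient already knows, not on whether the link or attachment has been reported before.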
According to Ponemon, a single phishing attack could cost an average $832,500 when you factor in detection, containment, recovery, and remediation efforts. And that’s not counting the average $8.2 million in costs associated with a data breach that may result from such attacks.
But Ponemon also reports that the ability to prevent attacks costs less than 20% of those potential losses.
As Larry Ponemon, the organization’s founder and chairman puts it, “As companies continue to suffer revenue losses due to cyber breaches, we expect budgets to start allocating increased resources to preventative solutions given the amount of money they save.”
Of course, it’s not an either/or proposition. As part of a comprehensive approach to defense, boosting prevention against zero-day phishing attacks and other advanced email threats may be a very wise investment, indeed.