In the final installment of our series on the Fundamentals of Phishing, we explore how to prevent phishing attacks.
To truly prevent email phishing attacks we need to consider the ‘Phishing Kill Chain’. This uses the principles of the popular Cyber Kill Chain methodology, a military-theoretical approach to network asset defense that can be quite valuable, especially when you expand the definition of “assets” to include your customers. If you’re not familiar with the concept, CSO Online has an article on it that’s appropriate for any level of pre-existing knowledge.
The Phishing Kill Chain in Context
| Military Kill Chain | Cyber Kill Chain | Phishing Kill Chain |
| --- | --- | --- |
| Assess | Command & Control | Extraction |
So what does the Phishing Kill Chain look like? Cybercriminals must complete seven steps to carry out a successful email phishing attack:
- Target: decide who they are going to try to defraud and assemble an email list
- Deliver: send messages to the people on their target list
- Deceive: trick the user into following the call to action in the message
- Click: the customer clicks the link to the phishing site and attempts to load it in their browser
- Surrender: the user enters their data into the phishing site, surrendering it to the criminals
- Extract: the phishing site transmits the stolen credentials or other information to the criminal
- Act: the criminal, or one of their agents, logs on to the account in question and transfers money, uses the stolen card number online or in person, or places an order to perpetrate the final fraud
According to numbers published by the Canadian Government, the success rates are alarming:
- Targeting: 156 million messages sent per day
- Delivery: 16 million make it through filters, for a 10.2% success rate
- Deception: 8 million are opened, for a 50% success rate
- Click: 800,000 are clicked, for a 10% success rate
These numbers reflect the poor controls against phishing compared to, say, generic spam.
The key point to note is that many security solutions aim to stop criminals later in the chain, such as at the Click, Surrender and Extract stages. But the earlier in the kill chain that controls can be inserted, the better the chance that organizations have of preventing their customers from being phished.
To that end, DMARC and Agari deliver a solution that can cut the chain at Delivery, where a proactive DMARC reject policy can prevent the message from even having a chance of landing in the inbox.
Even beyond initial rejection, Agari uses DMARC forensic data to extract threat details and provide them to takedown vendors, who validate and classify the threat. This intelligence is then passed on to Google and Microsoft for inclusion in their anti-phishing lists so that browsers block the threats. This makes the controls at step 4 in the kill chain, the Click, far more effective at preventing emerging threats.
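As an added example (not code from this post or from Agari), the Python checker below parses a published DMARC record and reports whether its policy actually cuts the chain at Delivery (p=reject applied to 100% of failing mail and to subdomains) and whether it requests the forensic (ruf) reports that feed the takedown process described above. The domains and records are constructed for illustration.

```python
# Constructed sample records for illustration (not from the post); a real
# record is the TXT record published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:agg@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; rua=mailto:agg@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none; rua=mailto:agg@subdomain-gap.example",
    "proactive.example": ("v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:agg@proactive.example; "
                          "ruf=mailto:forensic@proactive.example; fo=1"),
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def assess_dmarc(record: str) -> dict:
    """Report whether a record cuts the chain at Delivery and feeds forensic data."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()      # a missing p is treated as monitor-only
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))           # share of failing mail the policy applies to
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail can still reach the inbox")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains can still be spoofed")
    if "ruf" not in tags:
        findings.append("no ruf= address: no forensic reports to drive takedowns")
    cuts_delivery = policy == "reject" and pct == 100 and subpolicy == "reject"
    return {"cuts_delivery": cuts_delivery, "forensics": "ruf" in tags, "findings": findings}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "cuts the chain at Delivery" if result["cuts_delivery"] else "gap"
        print(f"{domain}: {status}; {'; '.join(result['findings']) or 'no findings'}")
```

Only the fully proactive record comes back with no findings; the monitor-only, partial-percentage and subdomain-gap records each show where spoofed mail can still be delivered.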
If your organization is serious about preventing phishing and defending your customers as well as your brand reputation, you need to be deploying systems that help you move up the kill chain. Only then can you ensure your organization is safe from falling victim to the growing pain of phishing attacks.