Phishing is in the news again – and for good reason. Last month, the story first came to light regarding a “megabreach” drop of 773 million email and password credentials. At first, this disclosure made a sizable splash. But as researchers dug in further, it turned out the dump of online credentials had been circulating online for some time, as independent security journalist Brian Krebs covered in his blog, KrebsonSecurity. Maybe the news wasn’t as big of a deal as we first thought?
The news turned out to be bigger, in some ways. More large tranches of credentials continued to be uncovered in the days that followed. These new collections of credentials bring the total to 2.2 billion records of personal data made public. Even if the vast amount of these records is old, and by all estimates they probably are, this massive collection of information substantially increases the risk of phishing attacks that will target these accounts after they’d been pushed above ground.
Phishing remains one of the most common and, unfortunately, successful attacks that target users – and it’s not just user endpoints that are in the sights of the bad guys. Often, phishers aim first at users as a way to get closer to something else they are seeking, perhaps information on corporate executives, business partners, or anything else they deem valuable. When an employee clicks on a link or opens a maliciously crafted attachment, his or her endpoint can then be compromised. That not only makes a user’s data at risk from compromise or destruction, such as through a ransomware attack, but attackers can also use that endpoint as a platform to dig deeper into other networks, accounts and cloud services.
Consider ProofPoint’s most recent annual State of the Phish Report, which found that 83 percent of global information security respondents experienced phishing attacks in 2018. That’s up considerably from 76 percent in 2017. The good news is that about 60 percent saw an increase in employee detection after awareness training. According to the State of the Phish Report, since 2017 credential-based compromises increased 70 and 280 percent since 2016.
Unfortunately, the report also found that data loss from phishing attacks has tripled since 2018. Tripled.
This latest uncovering of credentials is a good reminder as to why organizations always have to have their defenses primed against phishing attacks. These defenses should be layered, such as to include security awareness training, antispam filtering, and endpoint and gateway antimalware, along with comprehensive data protection, backup and recovery capabilities for when needed, such as following a malware infection or successful ransomware attack.
However, even with all of those controls in place, the reality is that some phishing attacks are going to be successful. Someone is going to click something bad, and antimalware defenses will miss it. The organization needs to be able to investigate successful phishing attacks. This includes investigating and understanding the location of IP addresses, gaining insights into the reputation of internet domains and IP addresses, and establishing workflows to properly manage the case. These investigations can help your organization protect itself by blocking malicious mail and traffic from those addresses, notify domain owners of bad activity, and even assist law enforcement.
When you find a file that is suspected of being malware, you can then search across the organization for that file. Chances are that, if it was a malicious file in the phishing attack, it may have targeted many people in the organization. Nathan Hunstad details how, in his post Tips From the Trenches: Enhancing Phishing Response Investigations, our hunt file capability integrates with security orchestration, automation and response (SOAR) tools to rapidly identify suspicious files across the organization and swiftly reduce risk.
There’s another lesson to be learned here, one that is a good reminder for your organization and your staff: We are all on the dark web, where much of its information is about us – all of the information that has been hacked over the years; such as financial information, Social Security numbers, credit reports, background checks, medical information, employment files, and, of course, emails and logon credentials, is likely to be found there.
That’s why, while much of the information in this trove of credential information that has surfaced from the depths of the web turned out to be old information, it doesn’t mean there aren’t lessons here that need reminding. For instance, it is critical to assume the increased risks as a result of all of the information that is out there and how it can be used in phishing attacks.