Anda di halaman 1dari 8

TREND REPORT:

HOW MODERN EMAIL PHISHING


ATTACKS HAVE
ORGANIZATIONS ON THE HOOK
INTRODUCTION TO EMAIL
I.
PHISHING MITIGATION

Phishing has evolved from a mere nuisance into a Adam Conner-Simons, MIT CSAIL (04.18.2016)
global epidemic in which organizations of all sizes and
across all industries are being negatively impacted Artificial Intelligence predicts
at high frequency. In 2016 alone, the SANS Institute
revealed that 95% of all cyberattacks began with spear-
cyber-attacks significantly
phishing; the Ponemon Institute reported 86% of all better than existing systems
phishing attacks contain ransomware, and the Anti
Phishing World Group (APWG) discovered a 65% increase
by continuously incorporating
in phishing attacks compared to the previous year, input from human experts. - MIT
totaling 1,220,523 attacks wordwide.

Of all attack vectors, email remains the most commonly Knowing that the use of signature and rules-based
exploited for a variety of reasons. Malicious emails solutions continue as the status quo, attackers often
continue to easily bypass legacy SPAM Filters, firewalls, find their hacking tools and techniques relatively
and gateway security scans that still inexcusably rely on unchallenged by defenses that are limited to following
signatures and email content scanning when analyzing rules that hackers can easily subvert through spear-
messages. phishing and social engineering. Although there is almost
universal agreement by malware researchers to ditch
Secondly, due to human nature, it takes only a few YARA Rules and regular expressions, many email security
unaware or preoccupied users to download or click on solutions are lagging in doing so. In the meantime,
a malicious email link or attachment to inadvertantely many mid-sized and large organizations are investing
provide attackers with access to sensitive corporate millions in security awareness and training to help
networks and data. employees identify and report phishing emails in real-
time. But what most of the cybersecurity industry and
Thirdly, a report from FireEye cites the average time many organizations dont yet fully realize, is that to truly
from breach to detection being 146 days globally, and minimize the risk of email phishing attacks, machines
a colossal 469 days for the EMEA region, which means and humans must continuously work together.
early detection and alerts are as important as ever.
IRONSCALES combines human intelligence with machine
In the midst of phishing attacks becoming learning. By ditching rules-based email security,
exponentially more sophisticated and targeted, the IRONSCALES expedites the time from phishing attack
majority of email security providers continue to offer discovery to enterprise-wide remediation from months
signature-based and behavioral signature solutions or weeks to minutes or seconds, with minimal security
that scan links and attachments; determine domain team involvement needed.
reputation and verify sender-receiver relationship,
among other futile safeguards.

1. https://www.sans.org/reading-room/whitepapers/analyst/trenches-2016-survey-security-risk-financial-sector37337-
2. http://www.pymnts.com/fraud-attack/2017/phishing-attacks-hit-new-record-in2016-/
3. https://www.csail.mit.edu/System_predicts_85_percent_of_cyber_attacks_using_input_from_human_experts20%

2
IRONSCALES EMAIL
II.
PHISHING REPORT

IRONSCALES analyzed data from more Analysis:


than 100 of its customers and 500,000 We know that attackers target specific individuals who
mailboxes across four continents spanning they deem most susceptible to social engineering
attacks. As to why attackers are finding it increasingly
2016 - 2017 to better understand trends in beneficial to target attacks on fewer mailboxes, we can
email phishing, attacker patterns, phishing summize that it is likely due to:
tools & techniques, and hacker preferences.
In total, more than 8,500 verified attacks 1. Attackers preference of staying under the rader (e.g.
that bypassed spam filters were evaluated. -The less people targeted, the fewer conversations, as a
The following highlights the key takeaways, result of less alarm bells raised).
with analysis and details about how
2. More sophisticated targeting allows for tailored
IRONSCALES technologies can expedite the messages to certain projects and jobs.
mitigation and remediation of attacks once
discovered. 3. Hyper-personalized targeting has proven effective
at tricking people susceptable to emails written with a
A. Spear Phishing Increasingly Laser Designated personal touch.

Benefits:
THE KEY FINDINGS: IRONSCALES combination of human intelligence and
machine learning technology is the perfect anectdote
to combat the number of complex and micro-targeted
Approximately 77% of attacks targeted spear-phishing attacks that easily bypass rule-based
10 mailboxes or less spam filters.

Our automatic incident response technology, IronTraps,


One-third (33%) of attacks targeted just empowers phishing-vigilant employees to seamlessly
one mailbox. report attacks in real-time with a simple click of a
button, triggering an immediate enterprise-wide
remediation response that significantly reduces the
time malicious emails lie idle in employees inboxes.
Federation, our real-time actionable intelligence
AFFECTED MAILBOXES PER ATTACK sharing network, records and shares attack signatures
instantaneously with all other users, permanently
More than 10
mailboxes immunizing those organizations from this specific type
of phishing attack.

22.6%

77.4%

10 mailboxes
and less

3
B. Blast Attacks Becoming More Micro-Targeted as The Analysis:
Attackers Test Drip-Campaign Attacks Attack duration is defined as the amount of time
that it takes an attack to stop perpetrating. Phishing
emails, comprised of the same attack, can be repeated,
THE KEY FINDINGS: repurposed and sent multiple times per year. These
findings suggest that:

1. A majority of attackers have a limited threshold for


More than 47% of email phishing attacks
attack duration.
lasted less than 24 hours.

2. There is an increasing preference for Blast campaigns


targeting less than 10 mailboxes at a time.
Nearly 65% of email phishing attacks
lasted for less than 30 days. 3. Malware drip campaigns are successfully beating
traditional spam filters and, once they do, the attacks
continue to perpetrate for long periods of time.
Of the email phishing attacks that
lasted more than 30 days, 35% spanned With 35% of email phising attacks lasting for 12 months
for 12 months or more. or more, malware drip campaigns are having success
beating email security safeguards. This is most likely
because drip campaigns can easily defeat signature-
based email security solutions by using polymorphism
Percentage of
all attacks ATTACK DURATION (ONE YEAR)
techniques, changing email artifacts like the sending IP,
subject lines and elements of the email body.
60%
Benefits:
50% IRONSCALES technology provides 365/7/24 actionable
intelligence that combines the attack findings of users
40% and security analysts with our advanced machine
learning technology. For our users, the probability for
30%
detecting morphed attacks is scientifically higher when
20%
using machine learning technologies vs signature based
solutions. As a result, detection rates are vastly improving,
10% while detection times and response times decrease.

0%

Days 30 60 90 120 150 180 210 240 270 300 330 360

4
C. Machine Learning Expedites Detection to The Key Analysis:
Remediation from Months to Seconds Today, sophisticated malware often comes with a delayed
execution mechanisim built in to help avoid dynamic
analysis, such as Sandbox Solutions, which look for
THE KEY FINDINGS: malicious patterns and behaviors in an isolated virtual
environment. Because of delayed execution, overburdened
security teams, too many false positives and a lack of
55% of attacks were discovered in incident response technology, the average time from
one minute or less detection to enterprise-wide remediation for phishing
email attacks worldwide ranges from weeks to months

Benefits:
75% of attacks were discovered in less IRONSCALES expedites attack discovery by combing
than 5 minutes human intelligence with machine learning, thereby
accelerating the mitigation and remediation processes
through automated response technology. The rapid
detection and remediation times are primarily the
False positive rate was as low as 2% result of:
on user reported attacks
1. IronSchool IRONSCALES user awareness training, puts
employees through vigorous gamified simulations of
experiential learning.
DETECTION TIME
2. IronSights IRONSCALES inline email security
More than technology, visually flags any malicious impersonation/
1 min spoofing attempts.

3. IronTraps IRONSCALES automated incident response


technology, automatically analyzes and remediates
44.7% incoming threats in real-time.

55.3%
4. Federation IRONSCALES real-time actionable
intelligence plugin for IronTraps, automatically protects
all other IRONSCALES users from ongoing phishing
attacks verified by trusted security analysts.

Less than
1 min 5. Integrations with Sandbox/Multi AV partners, such as
Check Points SandBlast, further help expedite detection
times by automating forensics.

Percentage of
all attacks DETECTION TIME (FIRST 30 MINUTES)

50%

40%

30%

20%

10%

0%
Minutes 0 5 10 15 20 25 30

5
D. Majority of Targeted Attacks Bypass Email Filters The Analysis:
Although brand spoofing attacks are on the rise,
IRONSCALES sees a low number of these attacks
THE KEY FINDINGS: because spoofs are more likely to be picked up by
traditional spam filters. However, email impersonations,
such as BEC and CEO fraud, are increasingly bypassing
Almost 95% of email phishing attacks traditional email security controls, especially those that
were highly-targeted campaigns, with target internal executives versus large brands.
the majority impersonating internal
commmunications teams or individuals Benefits:
(i.e. CEO fraud). IRONSCALES IronSights automatically discovers,
mitigates and remediates impersonation, CEO fraud
For every 5 brand spoofed attacks and brand spoofing attacks that bypass spam filters
identified by spam filters, approximately by inspecting and analyzing all emails at the mailbox
20 spear- phishing attacks bypassed level using deep scans and machine learning. Acting
the safeguard and went undetected. as an employees virtual security analyst, IronSights
validates sender reputation and authenticity, while also
assessing behavioral patterns in search of anomalies in
Top 10 Most Remediated Departments
communications.
MOST REMEDIATED DEPARTMENTS
All suspicious emails are visually flagged as soon as the
Operations
email hits the inbox, and a button inside the Outlook
Finance
toolbar enables instant notification to security teams
Sales
for further investigation or immediate remediation.
IT

Human Resources

Customer Service

Production

R&D

Logistics

Marketing

Management

Automated
Remediations 5% 10% 15% 20% 25% 30% 35%

Top 10 Most Spoofed Brands

10 MOST FREQUENTLY SPOOFED BRANDS

DHL

Google

Amazon

Paypal

Yahoo

Microsoft

Apple

Vodafone

Facebook

Fedesx

0% 5% 10% 15% 20% 25% 30%

Percentage of All Branded Attacks

6
DETECTION & REMEDIATION
III.
IMPROVEMENT WITH IRONSCALES

The following chart chronicles remediated attacks for


12 companies with approximately 5,000 mailboxes each
(60,000 mailboxes total) that started using IRONSCALES
during the same month in 2016.

Automated
remediations AUTOMATED REMEDIATIONS OVER THE YEAR 2016
6000

5000

4000

3000

Detected by company
2000 empolyees (Report button)

Detected by employees in
1000 other companies

Detected by AV / Sandbox /
0 URL scanning (IronScan)

Q1 Q2 Q3 Q4

The Results: The Key Takeaway:


The increasing number of employee detections can be All 12 organizations benefitted from exponential
explained by improved employee awareness training improvements in phishing attack discovery, mitigation
due to gamified educational simulations conducted and remediation. This resulted in reduced risk and less
over time. burden on security teams and their resources..

Increasing Federation numbers correlate with its official


rollout at end of Q2 2016. Upon confirmation of attack
identification, Federation immediately logs the attack data
and cross-references all users for emails containing a
similar pattern. When an attack is matched, the users are
notified in real-time through in-line messaging or instant
quarantine. With this intelligence sharing, Federation
then communicates immediately with IronTraps, which
automatically remediates the attack without the need for
employee or security team intervention.

AV detection improvement during Q4 was the result of


a new partnership with Check Point, which began in
Q3 2016.

7
IRONSCALES is the leader in anti-email phishing technologies.

The first and only anti email phishing provider to combine human intelligence with machine learning
to automatically prevent, detect and respond to todays sophisticated email phishing attacks using a
multi-layered approach.

IRONSCALES expedites the time from phishing attack to remediation from weeks to seconds, with
minimal security team involvement. Headquartered in Raanana, Israel, IRONSCALES was founded by
a team of security researchers, IT and penetration testing experts, as well as specialists in the field
of effective interactive training, in response to the increasing phishing epidemic that today costs
companies millions of dollars annually. It was incubated in the 8200 EISP, the top program for cyber
security ventures, founded by alumni of the Israel Defense Forces elite Intelligence Technology unit.

START WITH IRONSCALES TODAY

For more information on IRONSCALES,


visit our website at: www.ironscales.com and follow us @ironscales on Twitter
8