What is MTTK and Why is it Important to Cybersecurity?

There has been much talk recently about MTTK, but what is MTTK and why is it so important? This post explores the term and explains why MTTK is such an important concept in cybersecurity terms.

When your organization is attacked, how long does it take you to know that the attack is taking place? Of course, we’d all like to be able to answer “right away.” However, for many companies that isn’t the case. Examples of phishing attacks lodged against major brands who don’t discover that they are being phished until months later have become commonplace.

When a phishing attack happens, time is not on your side. The faster you react to mitigate the attack and take down the phisher, the less damage you incur as a result of the attack. Of course, you can’t react if you do not realize that the attack is happening. Therefore, it is critical in this era of cybersecurity that we take every measure to identify attacks when (or before) they happen.

What is MTTK?

Mean time to know (MTTK) is the average time that it takes for a company to discover that security has been compromised. According to a recent article published by Dark Reading, the term became popular after this year’s RSA conference, although the concept has been around for a while. The point is that we need to know what’s happening in our environment, and the sooner we know, the better we are able to prevent damage and lasting impact to our company. We can quantify this by measuring the average time between the initiation of an attack and the breach being discovered by the security team. The lower your MTTK, the more effective you are at identifying when your internal environment has been compromised.

Why is it important to lower your MTTK?

  • The longer it takes for you to realize that an attack is happening, the more successful the phishing attack. In the case of a phishing attack, there isn’t much time to react. Most of the damage is done within the first two hours of a phishing attack.
  • The more successful the phishing attack, the more damage to your brand. This can be the most costly consequence of a successful phishing attack. Losing customers’ trust can stop them from doing business with your company for years, if they come back at all.
  • A high MTTK suggests that you don’t have a handle on what’s happening within your internal security environment.

DMARC Failed to Protect Against Walmart Spam

Think that DMARC is all that you need to protect your company from email spam? Think again.

Last week, there was a spam campaign that imitated a Walmart.com receipt. An email was sent to Walmart customers falsely confirming the purchase of a large flat screen TV costing approximately $1,000. The cinematic home experience was to be enjoyed by someone else, since the receipt showed the item was being shipped to an address that would be unfamiliar to the customer.

Upon receiving this email, the natural reaction would be to click on the link in the email to find out more about the fraudulent transaction. However, doing so would require a visit to a malicious webpage that would download malware. That malware would then share credit card information and banking credentials with the scammers.

We’ve been hearing about DMARC as the solution to exactly this kind of email scam. In this particular spam campaign, the emails didn’t actually come from Walmart’s domain name.

Walmart.com (spelled with one “l”) is the real domain name. The company also owns Wal-mart.com. For either of those domains, a DMARC record would be published. If an email had been sent by the real Walmart, there would be a signature in the email that could be checked against Walmart’s registered domains, and the email would be cryptographically confirmed as having been sent by Walmart. That’s the whole point of a DMARC record.

DMARC shows the true provenance of an email. If an email is not cryptographically signed, it should be rejected, because that shows it was not sent from an official source, in this case Walmart. Here, the domain name used to send the email wasn’t Walmart’s; it just appeared that way. If you were not careful, it would have been easy to be fooled, since the email came from a domain that looked very similar to the one used by Walmart.

In fact, there are over 140 variations of misspellings of the Walmart domain name in use, such as “Wallmart.org” and “wallmart.net.” As a customer receiving the email, you might not even notice that Walmart was spelled incorrectly. Since none of those domain names belong to Walmart, Walmart did not have a DMARC record published for any of them. From the victim’s perspective, “Walmart” is spelled correctly in the “From Name,” but the domain portion of the email address was not a DMARC-protected domain. This, combined with high-resolution graphics and a professional look and feel, makes for a convincing email, effectively mimicking an actual online purchase confirmation from Walmart. The emails were not being rejected, not because they passed the DMARC test, but because the DMARC test was never actually performed.
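As an added illustration (not code from the original post), the following Python sketch shows why a lookalike domain never reaches the DMARC check at all: DMARC can only pass or fail mail whose From domain is one the brand publishes a policy for, so a gateway that wants to catch “wallmart.net” needs a separate lookalike check. The protected-domain set, the brand token and the sample headers are constructed for the example; a real gateway would fetch the _dmarc TXT record instead of using a static set.

```python
import email.utils

# Constructed stand-in for the brand's DMARC-published domains (the page names
# walmart.com and wal-mart.com); a real gateway would query _dmarc.<domain> TXT.
PROTECTED_DOMAINS = {"walmart.com", "wal-mart.com"}
BRAND_TOKENS = {"walmart"}  # brand name as it tends to appear in lookalike domains


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'protected', 'lookalike' or 'unrelated' for an RFC5322.From header.

    'protected': the From domain (or a subdomain, as relaxed alignment allows) is
    one the brand publishes DMARC for, so DMARC can actually pass or fail the mail.
    'lookalike': DMARC is never consulted for this domain, yet the sender trades on
    the brand name, so the gateway needs its own check here.
    """
    display_name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in PROTECTED_DOMAINS or any(domain.endswith("." + d) for d in PROTECTED_DOMAINS):
        return "protected"
    # Compare the leftmost label ("wallmart" in wallmart.net) with the brand name,
    # dropping hyphens so wal-mart.org is caught as well.
    label = domain.split(".")[0].replace("-", "")
    for brand in BRAND_TOKENS:
        if levenshtein(label, brand) <= 2 or brand in display_name.lower():
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers modelled on the campaign described above.
    for hdr in ["Walmart <receipts@walmart.com>", "Walmart <orders@wallmart.net>",
                "Walmart Receipts <confirm@wal-mart.org>", "Bob <bob@example.com>"]:
        print(f"{classify_sender(hdr):10} {hdr}")
```

The display-name test is what catches the page’s scenario of “Walmart” spelled correctly in the From Name while the address lives on an unrelated domain.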

We believe that DMARC is a good thing. We’re happy that people are using DMARC. We believe that there will be some spam campaigns that will be blocked because of a failure to comply with DMARC, but in this case, DMARC wouldn’t have helped them at all. That’s why it’s important to use DMARC as one tool in the fight against phishing, as opposed to a single method to stop phishing. It is far from an all-encompassing solution.

Similar instances of phishing attacks are lodged against major brands each day. What are some of the other lessons we can learn? Please feel free to share your comments below.

2-factor authentication wouldn’t have prevented AP Twitter hack

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140-point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this: news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password, for that matter).

Phishing and Brand Reputation: What’s the Damage?

There has been a lot of talk recently about phishing and brand reputation, specifically how phishing attacks often have a major negative effect on how customers view a particular brand. After a phishing attack, many customers lose trust in a brand.

What happens when you lose your customers’ trust?

Successful brands are built on trust. You’ve spent years building your brand and earning your customers’ trust. Don’t leave your brand equity vulnerable to an attack that could cost you your current and future customers.

Your Brand is at Risk

It’s with good reason that, according to Frost & Sullivan, 71% of security executives consider “protecting their brand” as their top priority. Each year, hundreds of brands are targeted by cyber criminals who are launching targeted phishing attacks. According to the most recent Anti-Phishing Working Group (APWG) Phishing Attack Trends Report, the number of brands targeted for phishing attacks reached the highest levels on record last year.

Phishing attacks happen, but can they happen to you? They most certainly can. In fact, an ever-increasing number of high-profile attacks are reported in the press on a regular basis. Brands that possess customer data considered highly desirable to hackers are bigger targets for phishing attacks, but any brand doing business online is at risk.

Brand Damage: The Cost of Phishing to Your Brand

When a brand is attacked, there are both quantitative and qualitative repercussions. The cost of a phishing attack that affects 500 customer accounts can reach upwards of $1.4 million, when you account for the direct financial loss of funds to the cybercriminal plus the strain on internal resources to manage and investigate the crisis. That’s the immediate financial hit that you can expect, but there is a long-term cost too: your reputation.

When your customers fall victim to an attack on your brand, consumer perception is that it’s all your fault. Once your brand is targeted, your customers are 42% less likely to do business with you in the future.

This sentiment applies even if the consumer doesn’t fall victim and release credentials. Simply receiving a phishing email is enough to write you off; your brand is assumed “guilty by association”. When a consumer is targeted via a phishing attack directed at your brand, the consumer has a negative experience that they associate with your brand. Negative experiences will certainly not increase shareholder value.

Adding further insult to injury, the media often takes note of the situation, cementing consumer perception that doing business with you is a risk. While perhaps not fair, your brand becomes caught up in the associated downward spiral. Consumers, fearful of identity theft, choose your competitor.

Be the Brand Consumers Trust

It all comes down to trust.

In many ways, you are the brand that consumers trust. You have a proven track record of delivering quality products and/or services to your customer base. But, cybercriminals are using that same strength and equity of your brand to carry out their mission.

In today’s world, your success as a brand is determined in part, by your ability to protect the safety of your customers. Building a security infrastructure that will allow your customers to do business with you safely is crucial when it comes to keeping and expanding your customer base.

Defining a Sophisticated Attack

What do nearly all of the recent high-profile data breaches have in common? They have all been traced to sophisticated threats and cyber criminals. While there are many disagreements in the security industry, after every significant breach nearly everyone agrees that it was sophisticated (Twitter, Apple, and the Department of Energy are some of the unfortunate organizations to be compromised by a sophisticated attack recently).

On the surface, it isn’t hard to see why. First, technology vendors need attackers to be super sophisticated, because simple tactics couldn’t circumvent their products, right? For victims of a breach, it is advantageous for it to seem as though it took a sophisticated actor to penetrate its network. And from the incident response standpoint, it behooves IR consultants to describe these breaches as ultra-sophisticated to help their customers save face.

Breaking the Myths of Social Engineering

Last week, a Washington Post article by Robert O’Harrow offered an interesting look at the most common attack vector used by cybercriminals to penetrate enterprises today: spear phishing. While we applaud (loudly) the thrust of the article – that enterprises need to educate users on the dangers of spear phishing – there are some very real challenges in user education that the article does not address.

User Awareness: A Growing Concern Among Organizations

Phishing has always been a challenge for companies, but in recent months high-profile breaches have cast a bright light on a more pressing aspect of the phishing threat: user awareness, or the lack thereof! The reason phishing attacks are so effective is that most employees have only a basic level of phishing awareness. Companies attending recent events such as Black Hat and SANSFIRE reiterate a common theme: “we need more effective ways to increase our employees’ awareness to help minimize the success of phishing attacks.”

Once thought of as a threat that could be mitigated simply by an email filter solution, phishing (and now, more importantly, spear phishing) has evolved to such a sophisticated level that technical controls are no longer effective at differentiating well-crafted, targeted emails from legitimate ones. This leaves employees as the last line of defense, which highlights the need for improved education. The challenge for many IT security professionals is that they have little time to develop programs that provide effective education and reduce the risk to their organization. While many companies indicate they have an awareness program, they also indicate that it lacks consistency and content. This awareness model does little to increase their employees’ awareness or change their behavior.

Organizations with mature awareness programs attribute their success to a mix of periodic communications and structured training that provide immediate, informative and relevant awareness content to employees. The inline awareness saves both time and resources and targets training to those who need it most. At PhishMe we encourage our customers to conduct sanctioned simulated phishing exercises. This allows organizations to identify where targeted education should be directed and offers the ability to provide immediate education.

There are several different ways PhishMe works with our clients to improve overall employee awareness, including online games, tutorials, custom training and awareness program consultation. In the end it comes down to striking the right balance between content and repetition for your enterprise. Having trained over 2 million users to date, our customers have seen how consistent training can raise awareness and reduce the risk of employees falling victim to phishing attacks by up to 80 percent.

If we are in your area, we welcome you to come speak with us at an upcoming event!


The PhishMe Team


RSA breach: Lessons Learnt

Most of you have probably heard about the “RSA hack” by now. It was hot news three weeks ago when an employee at RSA fell prey to a targeted phishing attack as explained in this blog post: http://blogs.rsa.com/rivner/anatomy-of-an-attack/ . A couple of issues highlighted in this article really caught my attention.

The article states: “These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?” That tells me that technology by itself is not the answer to combating spear phishing attacks; it’s also about training the end user to get better at being suspicious. Don’t get me wrong, I don’t think education is a silver bullet, but it’s more effective than filters and shiny, blinking boxes. I like technologies that give the human another piece of trusted information they can use to evaluate the authenticity of an email. One example is Iconix’s SP Guard. We have trained over 1.5 million users (using PhishMe). The results show that periodic training that immersed the subjects in the concept through mock phishing was successful in bringing down susceptibility rates in excess of 60% on average within a few months.

The article also discussed how the attackers targeted employees that “you wouldn’t consider…particularly high profile or high value targets.” There’s a lesson here: security awareness programs should not focus only on executives and systems administrators, but on the entire organization. “Low profile” employees can severely undermine the organization’s assets too, just through a couple of clicks.

Oh yes, and finally, the phishing email was caught by the email client’s junk filter; the victim went out of their way to retrieve the email into the inbox and act on it.

IMHO, end-point security technologies are to phishing attacks (or *APTs) what radars are to a stealth bomber.

Rohyt Belani

*APT term used facetiously 😉