A report from ProofPoint released at the RSA conference discussed what is supposedly a new phishing technique dubbed “longline” phishing. The report touts “longlining” as the newest way criminals are sending phishing emails in efforts to bypass technical controls. Mass customization of emails allows criminals to fly under the radar of most email filters and successfully deliver spear-phishing emails to a larger number of email users at a single organization. This tactic combines the best of both worlds from the criminal’s standpoint, but it doesn’t really change the game in terms of defending against phishing attacks, as your users still provide the most effective line of defense against the phishing threat.
Whether “longline” phishing is actually a new type of attack or not, Security Officers should focus on the fact that adversaries will continue to modify their attack strategies to circumvent or evade technical controls in an attempt to directly exploit humans. This is why it’s increasingly critical for organizations to invest in proven and effective behavioral change programs that educate users about the attacks that target them.
If you have trained your entire user base on the variety of techniques used in spear phishing emails, they will be able to recognize and respond to attacks, even highly personalized and targeted ones. Basically, a well-trained user base that knows how to properly react to phishing emails will keep your enterprise prepared as cyber criminals, nation states, and hacktivists continue to refine their tactics to get past technologies designed to stop them. Regardless of what kind of tactics they use, the core goal of a phishing email is to trick the human – getting past technology is just a roadblock. This fits in with the points Aaron made about “sophisticated” attacks in our last post. A savvier user base makes “longlining” not quite as scary as it’s made out to be.
In addition to dramatically decreasing the attack surface, increasing employee awareness increases user-reported incidents, which provides incident responders with near real-time information about attacks. This additional source of information can have a significant impact on mitigation and containment strategies and allows responders to focus on proactive measures.
A thriving user reporting program could be especially useful when an enterprise is hit by a longlining attack. According to ProofPoint, “longlining” means that in a matter of hours, adversaries “can cost-effectively send 10,000 or even 100,000 individual spear phishing messages, all capable of bypassing traditional security.” If security administrators are aware of phishing attacks, they can react faster and limit the damage of an attack.
This doesn’t dismiss the need for technology solutions (as we’ve discussed before), but highlights the never-ending cat-and-mouse game that email security has become. In the end, an aware workforce is still the best way to fill technology gaps exploited by “new” phishing techniques like “longlining” and will continue to be a CSO’s most pervasive and effective weapon against advanced threats.