Paving the cow path—why are we still using the same technologies to combat modern phishing attacks?

When the city of Boston was new and unpaved, the city fathers decided against laying out a regular street plan. Instead, they merely paved the paths that had been worn by cattle. The results? A chaotic and inefficient street plan that lacks logic. The admonition not to “pave the cow path” is supposed to remind us not to enshrine an existing way of doing something.

However, when combating phishing, the #1 threat vector in security*, we are paving the cow path.

Let’s start with some facts about email-based threats and their effectiveness:

  • 144 billion emails every day (120 per person)
  • 1 out of every 2 emails contains a threat
  • 10% of all email threats get through current defenses
  • 1 out of every 200 is effective

If we were building cars, computers or producing a ‘widget’ and had a 10% ‘defect’ rate, we would be out of business. Period. And yet what do we do today?

We pave the cow path.

To some degree or another, major enterprises recognize the need to combat all types of email-based threats, including phishing, spam and email-based malware. As a result, we have many existing technologies in the ‘food chain’ for providing protection against phishing, including:

  • Security Awareness Training (Education & Training)
  • Filters (spam, phishing)
  • Web filtering
  • Forensic services
  • Takedown services
  • Standards/DMARC

If we look at these technologies as anti-phishing solutions, they all have one thing in common: they deal with the symptoms of phishing. They do not address the root cause. As a result, each provides some deterrent or protection against phishing, but none addresses the cause: the source and nature of the cyberattack. Therefore, none of the current technologies can holistically prevent, detect and respond to existing and future phishing attacks.

We recently spoke with one of the world’s most phished companies/brands. How were they attempting to solve the ever-increasing phishing problem (up 87% since 2012 according to Kaspersky) that they (and most others) are experiencing?

They planned to do more of the same.

Specifically, they planned to continue with their takedown strategy. (For those of you unfamiliar with takedown or mitigation: there are companies that offer banks and other organizations round-the-clock services to assist in shutting down phishing websites.)

First, they enlisted external resources (vendors) for takedown.

Then, they began taking care of their takedown efforts internally.

Then, they adopted a hybrid approach, using both internal and external resources.

And now, they were planning to do more of both.

Do you see a pattern?

Yes, that’s right, it’s not working. Yet, they are planning to increase the use of ineffective tactics.

The status quo is not solving the problem. Whether you are utilizing internal or external resources, you are paving the cow path. The dirty secret of takedown vendors that every security professional knows is that most credential theft occurs within the first four hours of a phishing campaign. If your takedown time is greater than two hours, the phisher has already collected enough information to consider his mission a success. In short, no matter how fast the takedown promises to be, the phishers are faster. The damage is done. Spending more time and money on a fundamentally broken process doesn’t make it better, and adding more people to a broken process doesn’t make it better either. Takedown doesn’t solve the problem. It could, if it were done intelligently. But today, these services are the one-eyed man in the land of the blind for those looking to eliminate phishing servers.

Phishing can’t be solved by one technology, so the good news is that multiple processes and technologies exist today to address the challenge. However, cybercriminals are moving ahead of many of the existing layers of defense and becoming more successful. We read about it every day, from the Target attack to Bank of America, Comerica, PayPal, Wells Fargo, Michael’s stores (and many, many others we don’t hear about).

I think it is a natural tendency to want to pave the cow path; after all, what is wrong with how we are doing business today? Or we may take the view that we don’t have time to improve our processes, so by default we will have to pave the cow path. But by paving the phishing cow path, you will lose. It’s that simple. Continuing to play ‘whac-a-mole’ with the cybercriminals, and using tools from the ‘last war’, is not winning. It’s losing. And with the cost of each phishing attack approaching $150,000, can you afford to lose even once?