No Phishing Allowed

November 13, 2017 • Amanda McKeon

This episode focuses on phishing, where a bad actor pretends to be someone they’re not in order to get a user to reveal information, like a login or password, or to get them to perform a task, like transferring money.

Phishing has been around for quite a while. Many of us remember breathless email requests from a certain Nigerian Prince looking to share millions of dollars. It’s still around today because it works and it’s inexpensive to do, taking advantage of human nature and most people’s tendency to be helpful and trusting.

Our guest today is Oren Falkowitz, CEO and founder of Area 1 Security, a company that specializes in protecting organizations from phishing attacks. He describes the history and continued effectiveness of phishing campaigns, the techniques that companies like Area 1 Security use to defend against them, and whether or not he thinks it’s a problem we’ll ultimately solve.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, I’m Dave Bittner from the CyberWire. Thanks for joining us for episode 31 of the Recorded Future podcast.

Today, we’re going to talk about phishing, where a bad actor pretends to be someone they’re not in order to get a user to reveal information, like a login or password, or to get them to perform a task, like transferring money. Phishing has been around for quite a while. Many of us remember breathless emails from a certain Nigerian prince looking to share millions of dollars. It’s still around today because it works and it’s inexpensive to do, taking advantage of human nature and most people’s desire to be helpful and trusting.

Our guest today is Oren Falkowitz, CEO and founder of Area 1 Security, a company that specializes in protecting organizations from phishing attacks. He describes the history and continued effectiveness of phishing campaigns, the techniques that companies like Area 1 Security use to defend against them, and whether or not he thinks it’s a problem we’ll ultimately solve. Stay with us.

Oren Falkowitz:

You know, one of the interesting things about phishing is that it’s something people have been aware of for a long time, but what they don’t know is, about 95 percent of the time when there’s a cyber incident, phishing is the root cause. They often make comparisons between the types of spam and nuisance emails that you’re describing, those Nigerian prince emails, or “Wire me money for the Canadian pharmacy,” or things of that nature, but phishing has really evolved to be something much more nefarious, and it’s typically not related to those today. Phishing attacks are not more technically sophisticated, but they are more authentic than people have known them from the AOL base. And that authenticity comes in two flavors.

The first is, the vast majority of phishing attacks either look like the most common or trusted brands in the world — Apple, PayPal, Facebook, eBay, Google, Dropbox, all the largest financial institutions — or they have a flavor where they take authenticity that’s related to organizational dynamics, so it appears it’s an email requesting information from the CEO of your company, from the CFO, from your manager. And the challenge is that as humans, we see both the images and the authenticity on the brand side, and the authenticity on the colleague’s side, and often are unable to discern that they’re malicious or take actions to stop them. You know, if I worked at the Walt Disney corporation and I got an email from Bob Iger, it’s very unlikely that I would say, “You know, Bob, I thought that email looked a little strange and so I chose not to reply or do your job correctly.”

And almost 100 percent of the time, when users click on something or respond to a phishing attack, they’re trying to do their jobs properly, so that’s a piece where we want to provide technology to help them.

Dave Bittner:

So, take us through the spectrum, the degrees to which people use phishing to lure people in. What are the types of things that you all typically see?

Oren Falkowitz:

Over 95 percent of the time, when an organization learns that they’ve been the victim of a cyber incident, they will find that phishing is the root cause. Now, a lot of people think of phishing as an email-only problem, but a vast majority of phishing attacks have a web component, so the need to solve it has to be comprehensive. What we see are basically three flavors of phishing attacks.

The first are malicious emails that have links to websites that are malicious, or have files attached to them that when downloaded or opened, will harm a computer. Or, they have neither links nor files, but get the user to act — wire money, send me these documents. On the other side of it, we see a variety of different web-based phishing attacks that are either legitimate websites that have been compromised, such as popular schools like harvard.edu, or popular websites that people are going to without being lured through a link, and they’ve been compromised.

They have malicious links or malicious code running within the page to infect the computer, or users are entering credentials into those websites, usernames and passwords, that can be then used to log right in. We see this in financial institution credential harvesting forms of phishing, we see this in websites that look like logins to popular inbox providers like Google and Microsoft Office 365. So, when attackers are able to garner the username and password, they’re able to log right into those systems and not even have to really hack as the way most people think about it.

Dave Bittner:

That’s interesting. So, not all phishing is email related.

Oren Falkowitz:

Absolutely not. Email is a primary vector for phishing, but it requires a comprehensive solution. Phishing occurs across email, across the network, across the web, and it is not an email or email protocol-only problem.

Dave Bittner:

Can you describe the sophistication of the criminals in these various cases? Do you start off from the broad people who are just trying to cast a wide net, and then at the other end, you have highly targeted people trying to hit executives or get corporate information, things like that?

Oren Falkowitz:

Yeah. Sophistication is a really interesting concept, I think, when you involve cybersecurity, because there’s nothing about phishing that is sophisticated, and it’s used so pervasively by everyone. I spent many years working at the National Security Agency focused on breaking into computer networks on behalf of the U.S. government, and I would describe that the organizational ways these hacking groups, or countries, or however you want to describe the work as being sophisticated, but I would describe the tools that they use and the methods by which they go about it as not being very technologically sophisticated.

What I would say is that they’re very effective. And the reason they’re effective is because if you send just 10 emails to a company, you’re going to have a 90 percent success rate of at least one person clicking or being impacted by that. And when you extrapolate that out further to the size of major corporations, small businesses in the United States and around the world, you can see why they’re so effective using relatively crude or non-technically sophisticated means.

Dave Bittner:

Has there been much evolution in the tactics that these folks use, or do the old tricks still work well enough that they really don’t have to change them that much?

Oren Falkowitz:

The evolution, as we see … We see modifications in new brands that are using trust, using new, organizational dynamics that have trust with users, and also, taking advantage of world events. Every time there’s an election, every time there’s a hurricane, every time there’s a G20 summit, every time there’s a Super Bowl, every time there’s a Black Friday, every time there’s a tax day, these are themes that get used. So, the evolution is really one that responds to changes in what’s effective from the authenticity angle, and then what maps effectively to the calendar. Outside of that, there really isn’t a tremendous amount of evolution.

Dave Bittner:

Take us through what you all do in terms of being able to defend against these attacks.

Oren Falkowitz:

So, at Area 1, what we’re focused on is preempting phishing attacks, taking decisive actions in a comprehensive way that makes sure that our users aren’t impacted by them, so what we’ve done is we’ve built technologies that allow us to go find where these attacks come from. We find on a daily basis about 70 percent of the phishing attacks that we identify across email and network and web are unique, meaning they’re unknown to others in the cybersecurity industry, they’re unknown to our customer base or potential customer base. And the second is that there is a massive time gap between when we identify it, and when it actually enters into the environment, and that time gap is about 26 days.

We’re actually identifying the phishing attacks at a point in time before users are ever seeing them, and that allows us to take very specific actions to make sure that the messages don’t end up in the user’s inbox, that if they do click on a link, they’re protected from resolving that link to something that’s malicious, and ultimately, that stops damage completely. That damage, often, is thought about in the effects. If you stop phishing attacks, there is no ransomware. If you stop phishing attacks, there is no business email compromise or financial imposters. If you stop phishing attacks, there’s no zero day or APTs. Those are the effects, and they all come from phishing, and by stopping that, you will ultimately end up preventing damage.

Dave Bittner:

Help me understand how that could work. How can you detect a phishing email before it’s been sent out?

Oren Falkowitz:

Well, absolutely. Attackers use infrastructure, and if I were to register a new Gmail account today, and it was very similar to your name, and then I was going to send you an email with a link in it, the link within that body that might point you to a malicious website. That website actually has to exist before the email can be sent. So, we build active sensing capabilities that cover the breadth of the world wide web that allow us to identify those sites at the point that they’re created, rather than the point that you’re about to click on them, and so we create a time advantage on that front.

That’s just one example of that time delay. We often give attackers way too much credit for being sophisticated, as we talked about, but also for being fast. To run the types of effective, scaled-out operations that we’re seeing impacting hundreds of millions of people, tens of thousands of companies, you really need to be operating factories and assembly lines, and that creates time advantages for defenders. And because of some new advances in cloud computing and advanced analytics that we’ve taken advantage of, it actually is turning the advantage back for defenders to be preemptive.

Dave Bittner:

Now, is it right — I’ve heard people say that the websites that these people stand up, they can sometimes be up merely for a matter of hours.

Oren Falkowitz:

That certainly can be true, they can be up for short periods of time, but they can’t exist in a vacuum. A website that goes up is accessible to everybody on the world wide web, and that means it can be found. There are a variety of factors in the creation of those websites that make them discoverable. The second part of it is that we need to focus on certain normalcy patterns for user behavior and attacker behavior, and if you are the first person to visit a website, that’s a very unusual pattern that we can discern as being something that’s malicious, highly accurately.

Dave Bittner:

What about protecting a user from clicking on something? Is there a way to intercept that request for a web page, to preload it, make sure it’s okay before you allow the user to then go visit it?

Oren Falkowitz:

Yeah, absolutely. A very important part of our solution is to be comprehensive. So, not only do we make sure that if the attacks are coming through email, users don’t get them in their inbox — that’s one way to prevent users from clicking, is not even presenting them the messages that have those links or lures within them — the second is that when users are going to those legitimate websites, or when they’re getting messages through alternative means, such as … You’re protected on your corporate email account, but you open up a personal Gmail tab in your browser and click — our technology sits in front of those web streams, so users are not resolving themselves and getting to those pages and going for it.

Dave Bittner:

Now, what about the technology on the consumer side? If I have a Gmail account and I’m using the Chrome browser to visit websites, how effective are those kinds of things that are running behind the scenes?

Oren Falkowitz:

Well, I would say that the major web companies, Microsoft, Google, and Apple, are doing really amazing work on that front and they are providing a lot of capabilities, but they’re not perfect. And what we consistently see are misses around the phishing attacks that cause damage. When you look at what happened during the election, you see misses by Google, emails going to John Podesta that allowed him to reveal his username and password, and allow hackers to get into the election and into the campaigns. So, because it only takes one click, because a single miss can cause so much damage, what we really focus on are plugging those gaps. And those gaps often end up being the expansive circle of spam, and the things that are targeted that are phishing, that cause damage. That’s really where we focus on, is on the phishing side.

Dave Bittner:

What about the human side? What about training people to be wary of clicking on things, or just even knowing the things to look for to know that something may not be on the up and up?

Oren Falkowitz:

Well, I think it’s extremely important that users have an awareness and be a part of the solution, but it’s a totally ineffective strategy to expect users to be perfect. There is no example of user awareness, education, and training being effective at stopping problems of driving accidents, the spread of infectious diseases, and particularly, in cybersecurity. So, while I think it’s really critical that companies be talking to their employees about the risks in cyberspace, that it’s important for users to be aware, to be on the team and be proactive on that front, we don’t stop the flu by just washing our hands. We take vaccines. And that’s the role of what we do, is to provide those vaccines to our customers so that our users can be informed, they can be a part of the solution, but we know that they will be ineffective at totally stopping it because, again, it only takes one user to see something that looks extremely authentic to cause a lot of damage.

Dave Bittner:

What is the role that threat intelligence plays in what you do?

Oren Falkowitz:

We live a world today that’s data-driven, and the ability to amass massive volumes of data and to learn from that data is critical to driving actions. There is nothing more important than being able to bring data together, and then to implement that into a series of actions to change outcomes. Data in its own right has no value, but when you can transform that data into very specific actions and measure what those actions are, and measure their returns and their efficacies, then you really have something that’s very interesting. And that’s what we focus on, is honing data, refining it through analytics, transforming it into specific actions that stop attacks.

Dave Bittner:

What do you see on the horizon when it comes to fighting phishing? Do you ever envision a day when this sort of thing is behind us?

Oren Falkowitz:

Oh, absolutely. I think it’s a totally solvable problem. We live in a world today where mankind solves many amazing feats. We’ve sent people into outer space. My grandfather, who’s 90 years old, had a heart surgery where they went through his leg. He went home the next day. We talk about reversing the effects of climate change. There is no reason why we cannot get in front of these types of cybersecurity incidents. It requires a different angle of vision, new approaches, but the trend is really on our side to stop these attacks — not on the attacker’s side.

Dave Bittner:

Where do you feel like we are right now? Are we gaining on the problem? Are the bad guys winning?

Oren Falkowitz:

The way I see it is kind of two things. The bad guys are certainly being very effective, right? It’s every day that you wake up and you learn about a company that has had an incident. The scale of those incidents seems to be growing. I think, often, we cover the massive breaches more than the breadth of breaches that are happening at the smaller businesses. The pain is really being felt, and the problem is really being universally subsumed by everyone. That being said, attackers always get caught. And that’s not a good trend for them, that even with the much-needed improvements and focus on the core problems like phishing, attackers are not walking away scot-free.

Their operations are being caught, their tools are being leaked, being discovered, what they’re doing, and so we just need to get preemptive and get in front of it. That new approach, which is based on expertise that new teams such as Area 1 are bringing to the market, new analytic capabilities, new compute power capabilities — those will really allow us to be successful going forward. But it takes leadership from executives at companies, and it takes action. This is a problem that needs to be acted upon today, not something that you want to wake up to and learn you have a problem, and then start responding.

Dave Bittner:

Our thanks to Oren Falkowitz from Area 1 for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Patrick, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.