

Best Practices: Phishing Prevention

Protect Against Email-Borne Threats With Forrester’s Layered Approach

by Joseph Blankenship and Claire O’Malley

September 30, 2019

LICENSED FOR INDIVIDUAL USE ONLY

FORRESTER.COM

Key Takeaways

Phishing Is One Of The Biggest Threats

Despite being an older attack method, phishing is still a highly effective weapon. In the past year, 18% of externally caused data breaches involved phishing.

Phishing Emails Will Make It Past Your Email Content Filtering

Phishing emails are more sophisticated than ever. Technical controls alone will not protect you.

User Training Is Not The Only Answer

Antiphishing best practices require a mix of technical controls, security awareness and training, and incident response.

Why Read This Report

Attackers use phishing and other social engineering tactics to infiltrate corporate networks. Advances in malicious email protection can recognize and stop obvious phishing attempts, but enterprises remain vulnerable to this common attack vector. In this report, we provide best practices that can help security and risk (S&R) professionals at enterprises stop phishing attacks.

This PDF is only licensed for individual use when downloaded from forrester.com or reprints.forrester.com. All other distribution prohibited.


© 2019 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table Of Contents

Phishing Doesn’t Receive The Attention It Deserves

The Traditional Wisdom About Phishing Doesn’t Work

Follow Forrester’s Best Practices To Prevent Phishing Disasters

Implement Technical Controls To Protect End Users

Educate Your Workforce To Recognize Phishing Attempts

Plan For Technical And Human Failure

Recommendations

Craft A Layered Defense Strategy

Supplemental Material

Related Research Documents

The Forrester Wave™: Enterprise Email Security, Q2 2019

Now Tech: Antiphishing Solutions, Q1 2019

Now Tech: Security Awareness And Training Solutions, Q1 2019

FOR SECURITY & RISK PROFESSIONALS

Best Practices: Phishing Prevention

Protect Against Email-Borne Threats With Forrester’s Layered Approach

by Joseph Blankenship and Claire O’Malley

with Stephanie Balaouras, Madeline Cyr, and Peggy Dostie

September 30, 2019



Phishing Doesn’t Receive The Attention It Deserves

Phishing remains a top threat: Security decision makers told Forrester that phishing attacks were involved in 18% of the external data breaches their firm experienced.[1] However, S&R programs don’t prioritize phishing prevention as part of their security strategy. The 2018 FireEye M-Trends report states that “phishing continues to be a primary preferred method of compromising organizations because of its simplicity and effectiveness.” According to security vendor FireEye, one in 101 emails is classified as “outright malicious.”[2] The phishing email itself is usually just the beginning of an attack and opens the door to others:

› Credential phishing leads to credential theft. And attackers use stolen credentials to access your sensitive systems, appearing as if they’re legitimate users. According to Forrester survey respondents, 27% of data breaches in 2019 involved the theft of credentials such as logins or encryption keys.[3]

› Malicious files and URLs lead to malware outbreaks. Phishing is a common first step to introduce malware into an organization. For example, the Locky ransomware variant was largely distributed via email, and the attackers used phishing techniques to convince users to download and click on malicious files.[4] Attackers responsible for advanced persistent threats (APTs) also use phishing to spread malware that can lead to sensitive data theft.[5]

› Impersonation attacks lead to financial loss. Phishers imitate legitimate senders by spoofing their email addresses or compromising their accounts. Estimated exposed losses due to business email compromise (BEC) between 2016 and 2019 totaled $26 billion.[6] In some BEC scams, attackers impersonate coworkers or executives to persuade victims to conduct wire transfers or steal sensitive personal information like tax documents.

The Traditional Wisdom About Phishing Doesn’t Work

The traditional advice about recognizing and avoiding phishing emails has been to look for misspellings, grammatical errors, and odd language. The advice applies to a large percentage of the phishing emails that are scattershot around the internet, like the old Nigerian prince scam, but it doesn’t apply to the most dangerous attacks, those specific not only to a targeted organization but also to individual users. Phishing attacks still work because:

› Phishing emails are well crafted to look like legitimate email. Savvy attackers know that email content-filtering solutions and users are on the lookout for emails that look like phishing attacks. Armed with this knowledge, attackers take care to use business language to fool the technology as well as the recipient (see Figure 1).[7] Russian attackers recently targeted Russian financial institutions with emails that appeared to originate from the Central Bank of Russia.[8] The emails not only appeared to be from a relevant source, but they also directed targets to download an attachment (which turned out to be malicious) that related to a relevant, everyday task.


› Spoofed emails appear to come from trusted senders. Phishers spoof email domains and addresses to make emails look like they’re coming from inside the company or from vendors, partners, or customers (see Figure 2). Often, phishing emails come from compromised accounts, which makes them even harder to detect. An interview subject revealed that a US federal government organization’s audit team all fell for a phishing attack that used the address of a purportedly real, but actually fake, internal IT team that was prompting audit members to complete their annual safety training. Attackers also impersonate government officials in order to infiltrate organizations.[9]

› Attackers study their targets. Thanks to the plethora of information available on social media, attackers can learn quite a bit about their prey — what they do for a living, systems they use, and who they work with. They may also get personal information like birthdays, names of family members, and favorite hobbies, which they use to fool their victims. If attackers have compromised an email account in the target organization, they can also spy on communications to learn the patterns and vernacular of target users.

› Phishing preys on victims’ desire to be helpful. Phishing is a form of social engineering (see Figure 3). That means that phishers use psychology to convince their victims to take an action they may not normally take. Most users have a desire to be helpful and to do what someone in authority tells them to do. Phishers know this, so they prey upon those instincts and ask the victim to help with a problem or do something immediately “because the CEO wants it done now!”


FIGURE 1 Sample Phishing Email

CEO <[email protected]>
Hello Sarah, Let me know if you are free to help me run an errand. I’m held down here in a meeting. Just reply my email. Sent from my iPad. . .

Rachel <[email protected]>
Hello (Name of CEO), Unfortunately Sarah is on holiday today, so I am taking over installations and with it being Monday morning we’re pretty up against it at the moment. . . .

CEO <[email protected]>
Okay Rachel, Actually i need someone to help me get some couple of gift cards. It’s really urgent because I’ll need to send them out in less than an hour. Can you get this done? Will provide you with the type of cards and amount of each. . . .

Rachel <[email protected]>
Is this for customer complaints? I can order stuff online for you, but I don’t know who would send them out in an hour. I won’t be able to leave the office, as I’m currently by myself. . . .

CEO <[email protected]>
Yes Rachel, they should be physical cards please. The type of card i need is Amazon gift cards £100 denomination. I need £100 X 10 cards When you get the cards, scrub the back to reveal the card codes, take pictures of them and email me the cards. Hope you can get this done now? Its really urgent. . . .

Rachel <[email protected]>
We have got the money from wages, Anita is leaving now to go buy them. . . .

CEO <[email protected]>
Okay. She can make clear photos of the cards and email them here and get cards activated as well. . . .


FIGURE 2 Phishing Attack Types

Attack type: Description

Spear phishing: Targeted toward specific users in an organization

Whaling: Targeted toward high-ranking executives (CEO, CFO, etc.)

Non-targeted phishing: Non-targeted phishing attack that distributes phishing emails to as many employees as possible, in hopes of catching at least one

Business email compromise (BEC): Impersonation attack where emails appear to come from within the company, typically from management or someone in authority

FIGURE 3 Common Phishing Methods

Method: Description

Impersonation: The attacker poses as a trusted sender by spoofing a domain or email address.

Filter evasion: The attacker uses images instead of text in the email body, so antiphishing filters can’t detect the suspicious text.

Malicious URL: Email includes a link that leads to a malicious website that may contain malware or is used to capture credentials.

Malware embedded: The email may contain a file or attachment containing malware.

Malicious pop-up: The attacker places a pop-up window on top of a legitimate webpage that asks users to enter credentials.
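The kind of content-filter heuristics that the methods in Figures 2 and 3 call for, as an added example (not the report’s or any vendor’s code): it parses a raw message with Python’s email library and flags an executive display name on a free webmail address, a Reply-To pointing at a different domain, an image-only body, and link text that names one domain while the href points at another. Assumptions: the two sample messages and the short freemail list are constructed, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # constructed short list
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def org_domain(host: str) -> str:
    """Last two labels approximate the organizational domain (assumption;
    a production filter would consult the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_in_text(text: str) -> str:
    """Return the hostname if the visible anchor text itself looks like a URL or domain."""
    text = TAG_RE.sub("", text).strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""


def analyze(raw: bytes) -> list:
    """Run the heuristics over one raw RFC 5322 message and return finding labels."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_hdr = msg["from"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    if sender is not None:
        from_dom = sender.domain.lower()
        # Impersonation: a display name such as "CEO" on a free webmail address.
        if sender.display_name and from_dom in FREEMAIL:
            findings.append("impersonation:freemail-sender-with-display-name")
        reply_to = msg["reply-to"]
        if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != from_dom:
            findings.append("impersonation:reply-to-domain-mismatch")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        visible = TAG_RE.sub("", html).strip()
        # Filter evasion: the "text" of the mail is an image, so keyword filters see nothing.
        if re.search(r"<img\b", html, re.I) and len(visible) < 20:
            findings.append("filter-evasion:image-only-body")
        # Malicious URL: the link text shows one domain while the href goes elsewhere.
        for href, anchor in HREF_RE.findall(html):
            shown, target = host_in_text(anchor), (urlparse(href).hostname or "")
            if shown and target and org_domain(shown) != org_domain(target):
                findings.append("malicious-url:link-text-mismatch")
    return findings


def build_samples() -> dict:
    """Construct two sample messages in the style of Figures 1 and 3 (not real mail)."""
    bec = EmailMessage()
    bec["From"] = "CEO <ceo.office.desk@gmail.com>"
    bec["To"] = "rachel@example.com"
    bec["Reply-To"] = "ceo-desk@fast-reply.test"
    bec["Subject"] = "Quick favour"
    bec.set_content("Are you free to help me with an urgent errand? Just reply my email.")
    bec.add_alternative(
        '<p>Please confirm at <a href="http://secure-verify.test/x">https://portal.example.com</a></p>',
        subtype="html")

    image_only = EmailMessage()
    image_only["From"] = "Accounts Payable <ap@vendor-partner.test>"
    image_only["To"] = "rachel@example.com"
    image_only["Subject"] = "Invoice attached"
    image_only.set_content('<html><body><img src="cid:invoice" alt=""></body></html>', subtype="html")
    return {"bec": bec.as_bytes(), "image_only": image_only.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, "->", analyze(raw))
```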

Follow Forrester’s Best Practices To Prevent Phishing Disasters

One of the oldest (and most tired) tropes in cybersecurity is that end users are the weakest link. It’s true that users are fallible and are likely to fall victim to phishing emails, but victim shaming isn’t useful. Even trained cybersecurity pros can be victimized by well-crafted phishing emails, so it’s not surprising that users don’t recognize every attack aimed at them. Antiphishing best practices require a mix of technical controls, employee education, and incident response best practices.


Implement Technical Controls To Protect End Users

It’s the job of S&R pros to use technical controls to reduce the likelihood of a malicious email ending up in users’ inboxes. The fewer malicious emails received by users, the less likely your users will be to make the wrong decision. Protecting users from credential theft and malware is also an important part of a Zero Trust strategy.[10] Follow four best practices for using technical controls that protect end users:

› Best practice No. 1: Install email content filtering. Email content filtering is the first line of defense against spam and other malicious emails. Using a combination of methods to identify malicious emails, these filters block, quarantine, or allow emails based on policy. They protect against malicious URLs by rewriting or stripping links or working with web filtering tools to scan websites before allowing users to connect. Established vendors like Barracuda, Cisco, Proofpoint, Symantec, and Trend Micro offer on-premises and cloud-based email content filtering.[11] Newer vendors like Area 1, Avanan, Inky, and Vade Secure interface via API with cloud email providers (Google and Microsoft), providing an extra layer of protection.[12]

› Best practice No. 2: Implement email authentication. Email authentication uses Domain-based Message Authentication, Reporting, and Conformance (DMARC) capabilities for antispoofing so the security team can detect when incoming emails are using false “from” addresses.[13] However, DMARC only works when Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are employed. Implementing authentication without disrupting legitimate email traffic can be a challenge for internal teams. Vendors that can assist with authentication include Agari, Dmarcian, Proofpoint, and Valimail.

› Best practice No. 3: Provide security awareness training. Security awareness and training solutions supplement antiphishing solutions with eLearning modules, assessments, workshops, promotionally themed content, user data segmentations, and phishing simulation platforms. They’re used to train users to recognize phishing attempts so that the security team is extended to the rest of the organization, instead of being solely the CISO’s responsibility. Sample vendors include Infosec Institute, KnowBe4, MediaPRO, Mimecast, PhishLabs, Proofpoint, and Webroot.[14]

› Best practice No. 4: Leverage threat intelligence. Many antiphishing solutions and email security vendors have threat intelligence teams that focus on threat research. The threat research is collected from phishing attempts, open source intelligence, or other private feeds. Sample vendors include Cofense, IntSights, PhishLabs, RiskIQ, and Webroot. They use the data to inform users of impersonation attempt examples, new attack types, sender and domain reputation, and geolocation information about where possible attacks are originating from or to flag emails from high-risk areas. Security teams can also update their policies and training materials regularly with details collected from the threat intelligence sources.
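How SPF, DKIM, and DMARC fit together in best practice No. 2, as an added example that is not part of the Forrester report: it parses a DMARC record, applies relaxed or strict identifier alignment, and returns the disposition for a spoofed versus a legitimate message, contrasting a monitor-only p=none record with an enforcing p=reject one. Assumptions: example.com is the protected domain, the SPF and DKIM results are supplied by an upstream checker, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed _dmarc.example.com TXT records: a monitor-only record that just
# reports, beside the enforcing record the report recommends working toward.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> dict:
    """Parse tag=value pairs of a DMARC TXT record; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(name: str) -> str:
    """Approximate the organizational domain by the last two labels.
    Assumption: production code consults the Public Suffix List instead."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """Authentication results supplied by an upstream SPF/DKIM checker (assumption)."""
    from_domain: str                    # domain of the RFC5322.From header the user sees
    spf_result: str = "none"            # "pass", "fail", "softfail", "none", ...
    spf_domain: Optional[str] = None    # RFC5321.MailFrom domain that SPF checked
    dkim_result: str = "none"
    dkim_domain: Optional[str] = None   # d= tag of the DKIM-Signature header


def evaluate_dmarc(record_txt: str, r: AuthResults) -> dict:
    """Return the DMARC result and the disposition the receiver should apply.
    A message passes only if SPF or DKIM passed *and* that identifier aligns
    with the visible From domain; SPF passing for some other domain is not enough."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # p=none means "report only": a spoof is reported but still delivered.
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    # Constructed spoof: the visible From is example.com, but SPF passed for the
    # sender's own envelope domain, so nothing aligns with the From domain.
    spoof = AuthResults("example.com", spf_result="pass", spf_domain="unrelated-sender.test")
    print("spoof under p=none  :", evaluate_dmarc(MONITOR_ONLY, spoof)["disposition"])
    print("spoof under p=reject:", evaluate_dmarc(ENFORCING, spoof)["disposition"])
    # Constructed legitimate mail signed by the domain itself.
    legit = AuthResults("example.com", dkim_result="pass", dkim_domain="example.com")
    print("legitimate          :", evaluate_dmarc(ENFORCING, legit)["result"])
```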


Educate Your Workforce To Recognize Phishing Attempts

Sophisticated phishing emails will inevitably pass through your technical controls and end up in users’ inboxes, but you can train your users to be the last line of defense. Follow three best practices for educating your workforce to make sure your organization remains protected:

› Best practice No. 5: Implement ongoing security awareness and security education. Train your users to recognize phishing emails and also how to handle them after they’re spotted. eLearning modules in security awareness and training (SA&T) solutions teach users to report the email to the IT team so it can be identified as risky and shared with the rest of the organization as an attack attempt. Simply deleting the email is not enough — the rest of the workforce should be warned, as similar attacks could be coming their way, and filtering technologies should be updated to stop future attacks. Training should be ongoing and based on real-world attacks, not once a year using vague examples.

› Best practice No. 6: Report phishing attempts. Have a mechanism for users to report suspected phishing emails. Deleting a phishing email isn’t enough. The security team should implement a reporting methodology that they teach the organization so employees follow the protocol whenever the emails reach their inbox. Reporting the emails allows the security team not only to protect the organization but also to learn which attack types are coming through, the language used, and other details that they can use to update their security awareness and training education. The information is also used to update detection technologies.

› Best practice No. 7: Test and measure performance. Test your users regularly and measure performance. Security awareness and training eLearning modules offer assessments whose results can be collected, tracked, and reported back to the security team. The security team can use the results to make improvements in their security awareness and training programs or to target riskier users with supplemental training. The assessment results also track the effectiveness of the program or other current efforts.

Plan For Technical And Human Failure

Despite your best technical and educational efforts, your users will be successfully phished. One interview subject even asked, “How can I stop users from clicking on emails aside from cutting their fingers off?” Some well-crafted malicious emails will make it through your defenses, and your users will fall into the trap. That action may be clicking on a malicious URL, opening a malware-infected file, or going to a website that asks for their credentials. Apart from using technical controls to limit the impact of these actions, your team must also be ready to respond quickly to clean up the mess.[15] Follow four best practices for incident response to limit the impact of a successful phishing attack:

› Best practice No. 8: Use browser isolation technology (BIT). BIT isolates and executes user web sessions in a protected sandbox or proxy service to render malicious sites harmless. This prevents phishing sites from delivering malware to endpoints or harvesting sensitive information from employees who click on phishing links. Sample vendors include Bromium, Menlo Security, Proofpoint, and Symantec.


› Best practice No. 9: Enable multifactor authentication (MFA). Many phishing attacks are aimed at harvesting user credentials so that the attacker can carry out another attack. Using captured credentials is more difficult when MFA is enabled. Google reported that it completely stopped credential theft once it implemented hard tokens for MFA.[16] Sample vendors include CA Strong Authentication, Cisco (Duo Security), Okta Verify, and RSA Authentication Manager.

› Best practice No. 10: Have an incident response plan. If everything else fails, the quality of your incident response will make the difference between a bad problem and a disaster. Have a playbook in place for what happens after a successful phish and regularly practice that playbook. If you don’t have an internal incident response (IR) team, contract with a third-party firm that can assist you in your time of need.[17] Sample vendors include Cylance, CrowdStrike, and FireEye.[18]

Recommendations

Craft A Layered Defense Strategy

S&R pros know that technical controls alone won’t protect their end users. A blend of technical controls, end user education, and incident response offers the best protection, so prioritize solutions that offer these protections. Also be sure to:

› Use customizable content. Many users despise security awareness and training solutions because the eLearning modules are boring and impersonal. Keep your users engaged with their antiphishing educational content by looking for vendors that offer customizable learning platforms that let your security team edit learning modules to have relevant and relatable examples that are valid for your organization.

› Invest in authentication capabilities. Many end users and security practitioners are fooled by phishing emails because they appear to be from a legitimate sender using your own domain. DMARC protects against email spoofing, but its adoption rates remain low due to lack of understanding and complexity. Choose a vendor that can assist you with DMARC so that you’re not only reporting but also able to reject emails based on authentication.

› Employ phishing takedown services. Phishing takedown services also step in after a user has clicked on a malicious link. The services work by limiting or blocking access to the website that users are being directed to after they click the malicious link from the phishing email. These services can also prevent phishing attacks by hunting down malicious domains and working with hosting providers to remove them, so users are never directed there in the first place. Sample vendors include CSC, IntSights, and PhishLabs.


› Take the shame out of your security policies. Users are being unnecessarily shamed for being victimized by phishing attacks that would fool even the most senior security practitioners.[19] Punishing users only makes them more resistant to security policies, less likely to report phishing attempts, and less likely to complete their training. Frame security policies and security education in a positive light that shapes security as a helpful business enabler rather than an exclusive, bitter group.

› Make it personal. Many users believe that phishing attacks are limited to their work inboxes and don’t realize that cybercriminals target their personal email as well. Users may also access their personal email from corporate systems or networks, thereby introducing risk into your environment. Incorporate the risks of home online safety in your training materials so users can share the knowledge with their families as well. Continue security education to protect users outside of the office and off your network.



Supplemental Material

Companies Interviewed For This Report

We would like to thank the individuals from the following companies who generously gave their time during the research for this report.

Agari

DMARC Analyzer

IntSights

Kaspersky

KnowBe4

Mimecast

PhishLabs

Proofpoint

Valimail

Webroot

Endnotes

1 Base: 465 security decision makers with network, data center, app security, or security ops responsibilities who experienced an external attack when their company was breached. Respondents could select more than one method by which an external attack was carried out. Source: Forrester Analytics Global Business Technographics® Security Survey, 2019.

2 Source: Danny Palmer, “Phishing warning: One in every one hundred emails is now a hacking attempt,” ZDNet, September 12, 2018 (https://www.zdnet.com/article/phishing-warning-one-in-every-one-hundred-emails-is-now-a-hacking-attempt/).

3 Base: 465 security decision makers with network, data center, app security, or security ops responsibilities who experienced an external attack when their company was breached. Respondents could select more than one method by which an external attack was carried out. Source: Forrester Analytics Global Business Technographics Security Survey, 2019.

4 Source: Danny Palmer, “This giant ransomware campaign just sent millions of malware-spreading emails,” ZDNet, August 31, 2017 (https://www.zdnet.com/article/this-giant-ransomware-campaign-just-sent-millions-of-malware-spreading-emails/).

5 Source: Danny Palmer, “Russian hackers are trying out this new malware against US and European targets,” ZDNet, November 20, 2018 (https://www.zdnet.com/article/russian-hackers-are-trying-out-new-malware-against-us-and-european-targets/).

6 Source: “Business Email Compromise The $26 Billion Scam,” Public Service Announcement, Federal Bureau of Investigation, September 10, 2019 (https://www.ic3.gov/media/2019/190910.aspx).

7 This example was provided to us by Mimecast.

8 Source: David Meyer, “Russian banks hit by major phishing attacks from two hacker groups,” ZDNet, November 16, 2018 (https://www.zdnet.com/article/russian-banks-hit-by-major-phishing-attacks-from-two-hacker-groups).

9 Russian attackers impersonated US State Department spokesperson Heather Nauert in order to target people working in US defense and law enforcement agencies. Source: Alyza Sebenius, “Hackers Impersonated State Department Spokeswoman, Experts Say,” Bloomberg, November 20, 2018 (https://www.bloomberg.com/news/articles/2018-11-19/hackers-impersonated-state-department-s-nauert-cyber-firms-say).


10 See the Forrester report “The Zero Trust eXtended (ZTX) Ecosystem.”

11 See the Forrester report “The Forrester Wave™: Enterprise Email Security, Q2 2019.”

12 For more information about antiphishing solutions, see the Forrester report “Now Tech: Antiphishing Solutions, Q1 2019.”

13 Source: Catalin Cimpanu, “DMARC’s abysmal adoption explains why email spoofing is still a thing,” ZDNet, July 29, 2019 (https://www.zdnet.com/article/dmarcs-abysmal-adoption-explains-why-email-spoofing-is-still-a-thing/).

14 See the Forrester report “Now Tech: Security Awareness And Training Solutions, Q1 2019.”

15 See the Forrester report “Planning For Failure: How To Survive A Breach.”

16 Source: Bruce Schneier, “Google Employees Use a Physical Token as Their Second Authentication Factor,” Schneier on Security blog, July 26, 2018 (https://www.schneier.com/blog/archives/2018/07/google_employee.html).

17 See the Forrester report “The Forrester Wave™: Digital Forensics And Incident Response Service Providers, Q3 2017.”

18 See the Forrester report “The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2019.”

19 See the Forrester report “Video: Protect Your Organization From Business Email Compromise (BEC) Attacks.”
