
TREND REPORT: HOW MODERN EMAIL PHISHING ATTACKS HAVE ORGANIZATIONS ON THE HOOK


Post on 03-Sep-2018


Phishing has evolved from a mere nuisance into a global epidemic in which organizations of all sizes and across all industries are being negatively impacted at high frequency. In 2016 alone, the SANS Institute revealed that 95% of all cyberattacks began with spear-phishing; the Ponemon Institute reported 86% of all phishing attacks contain ransomware, and the Anti Phishing World Group (APWG) discovered a 65% increase in phishing attacks compared to the previous year, totaling 1,220,523 attacks worldwide.

Of all attack vectors, email remains the most commonly exploited for a variety of reasons. Malicious emails continue to easily bypass legacy spam filters, firewalls, and gateway security scans that still inexcusably rely on signatures and email content scanning when analyzing messages.

Secondly, due to human nature, it takes only a few unaware or preoccupied users to download or click on a malicious email link or attachment to inadvertently provide attackers with access to sensitive corporate networks and data.

Thirdly, a report from FireEye cites the average time from breach to detection being 146 days globally, and a colossal 469 days for the EMEA region, which means early detection and alerts are as important as ever.

In the midst of phishing attacks becoming exponentially more sophisticated and targeted, the majority of email security providers continue to offer signature-based and behavioral signature solutions that scan links and attachments, determine domain reputation and verify sender-receiver relationship, among other futile safeguards.

Knowing that the use of signature and rules-based solutions continues as the status quo, attackers often find their hacking tools and techniques relatively unchallenged by defenses that are limited to following rules that hackers can easily subvert through spear-phishing and social engineering. Although there is almost universal agreement by malware researchers to ditch YARA rules and regular expressions, many email security solutions are lagging in doing so. In the meantime, many mid-sized and large organizations are investing millions in security awareness and training to help employees identify and report phishing emails in real time. But what most of the cybersecurity industry and many organizations don’t yet fully realize is that to truly minimize the risk of email phishing attacks, machines and humans must continuously work together.

IRONSCALES combines human intelligence with machine learning. By ditching rules-based email security, IRONSCALES expedites the time from phishing attack discovery to enterprise-wide remediation from months or weeks to minutes or seconds, with minimal security team involvement needed.

Adam Conner-Simons, MIT CSAIL (04.18.2016)

“Artificial Intelligence predicts cyber-attacks significantly better than existing systems by continuously incorporating input from human experts.” - MIT

I. INTRODUCTION TO EMAIL PHISHING MITIGATION

1. https://www.sans.org/reading-room/whitepapers/analyst/trenches-2016-survey-security-risk-financial-sector37337-
2. http://www.pymnts.com/fraud-attack/2017/phishing-attacks-hit-new-record-in2016-/
3. https://www.csail.mit.edu/System_predicts_85_percent_of_cyber_attacks_using_input_from_human_experts20%

IRONSCALES analyzed data from more than 100 of its customers and 500,000 mailboxes across four continents spanning 2016 - 2017 to better understand trends in email phishing, attacker patterns, phishing tools & techniques, and hacker preferences. In total, more than 8,500 verified attacks that bypassed spam filters were evaluated. The following highlights the key takeaways, with analysis and details about how IRONSCALES technologies can expedite the mitigation and remediation of attacks once discovered.

A. Spear Phishing Increasingly Laser Designated

Analysis: We know that attackers target specific individuals whom they deem most susceptible to social engineering attacks. As to why attackers are finding it increasingly beneficial to target attacks on fewer mailboxes, we can surmise that it is likely due to:

1. Attackers' preference for staying under the radar (e.g., the fewer people targeted, the fewer conversations and, as a result, the fewer alarm bells raised).

2. More sophisticated targeting allows for tailored messages to certain projects and jobs.

3. Hyper-personalized targeting has proven effective at tricking people susceptible to emails written with a personal touch.

Benefits: IRONSCALES’ combination of human intelligence and machine learning technology is the perfect antidote to the number of complex and micro-targeted spear-phishing attacks that easily bypass rule-based spam filters.

Our automatic incident response technology, IronTraps, empowers phishing-vigilant employees to seamlessly report attacks in real-time with a simple click of a button, triggering an immediate enterprise-wide remediation response that significantly reduces the time malicious emails lie idle in employees’ inboxes. Federation, our real-time actionable intelligence sharing network, records and shares attack signatures instantaneously with all other users, permanently immunizing those organizations from this specific type of phishing attack.

II. IRONSCALES EMAIL PHISHING REPORT

THE KEY FINDINGS:

Approximately 77% of attacks targeted 10 mailboxes or fewer.

One-third (33%) of attacks targeted just one mailbox.

[Chart: AFFECTED MAILBOXES PER ATTACK. 10 mailboxes and less: 77.4%; more than 10 mailboxes: 22.6%]

B. Blast Attacks Becoming More Micro-Targeted as Attackers Test Drip-Campaign Attacks

The Analysis: Attack duration is defined as the amount of time it takes for an attack to stop. Phishing emails comprising the same attack can be repeated, repurposed and sent multiple times per year. These findings suggest that:

1. A majority of attackers have a limited threshold for attack duration.

2. There is an increasing preference for Blast campaigns targeting fewer than 10 mailboxes at a time.

3. Malware drip campaigns are successfully beating traditional spam filters and, once they do, the attacks continue for long periods of time.

With 35% of email phishing attacks lasting for 12 months or more, malware drip campaigns are having success beating email security safeguards. This is most likely because drip campaigns can easily defeat signature-based email security solutions by using polymorphism techniques, changing email artifacts like the sending IP, subject lines and elements of the email body.
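As an added illustration (not code from the report or from IRONSCALES), the sketch below shows why changing the sending IP, the subject line and a few body elements defeats an exact-match signature, while a similarity measure still links the variant to the confirmed attack. Word-shingle Jaccard similarity stands in here for the machine-learning detection the report refers to; the sample messages, the `assess` helper and the 0.5 threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed sample messages (not taken from the report's data set).
KNOWN_BAD = {"ip": "192.0.2.10", "subject": "Invoice 4471 overdue",
             "body": "Hello Dana, your invoice 4471 is overdue. Please review the "
                     "attached statement and confirm payment today to avoid "
                     "service interruption."}
MORPHED = {"ip": "198.51.100.7", "subject": "Reminder: open balance",
           "body": "Hello Sam, your invoice 9920 is overdue. Please review the "
                   "attached statement and confirm payment today to avoid "
                   "service interruption."}
BENIGN = {"ip": "203.0.113.5", "subject": "Planning meeting moved",
          "body": "Hi team, the quarterly planning meeting moves to Thursday at "
                  "ten. Agenda and dial-in details are in the calendar invite."}


def exact_signature(msg):
    """Signature-style fingerprint: one hash over IP, subject and body."""
    blob = "\n".join((msg["ip"], msg["subject"], msg["body"]))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def shingles(text, k=3):
    """Set of k-word shingles over lower-cased alphanumeric tokens."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def body_similarity(a, b):
    """Jaccard similarity of the two bodies' shingle sets (0.0 to 1.0)."""
    sa, sb = shingles(a["body"]), shingles(b["body"])
    return len(sa & sb) / len(sa | sb)


def assess(msg, known=KNOWN_BAD, threshold=0.5):
    """Compare an incoming message with a confirmed attack both ways."""
    score = body_similarity(msg, known)
    return {"signature_hit": exact_signature(msg) == exact_signature(known),
            "similarity": round(score, 3),
            "similar_hit": score >= threshold}


if __name__ == "__main__":
    for name, msg in (("known", KNOWN_BAD), ("morphed", MORPHED), ("benign", BENIGN)):
        print(name, assess(msg))
```

The morphed message shares 13 of 23 distinct shingles with the confirmed attack, so it is still matched even though every field covered by the hash has changed.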

Benefits: IRONSCALES technology provides 365/7/24 actionable intelligence that combines the attack findings of users and security analysts with our advanced machine learning technology. For our users, the probability of detecting morphed attacks is scientifically higher when using machine learning technologies versus signature-based solutions. As a result, detection rates are vastly improving, while detection times and response times decrease.

THE KEY FINDINGS:

More than 47% of email phishing attacks lasted less than 24 hours.

Nearly 65% of email phishing attacks lasted for less than 30 days.

Of the email phishing attacks that lasted more than 30 days, 35% spanned 12 months or more.

[Chart: ATTACK DURATION (ONE YEAR). x-axis: Days (30 to 360); y-axis: Percentage of all attacks]

C. Machine Learning Expedites Detection to Remediation from Months to Seconds

The Key Analysis: Today, sophisticated malware often comes with a delayed execution mechanism built in to help avoid dynamic analysis, such as sandbox solutions, which look for malicious patterns and behaviors in an isolated virtual environment. Because of delayed execution, overburdened security teams, too many false positives and a lack of incident response technology, the average time from detection to enterprise-wide remediation for phishing email attacks worldwide ranges from weeks to months.

Benefits: IRONSCALES expedites attack discovery by combining human intelligence with machine learning, thereby accelerating the mitigation and remediation processes through automated response technology. The rapid detection and remediation times are primarily the result of:

1. IronSchool, IRONSCALES’ user awareness training, puts employees through vigorous gamified simulations of experiential learning.

2. IronSights, IRONSCALES’ inline email security technology, visually flags any malicious impersonation/spoofing attempts.

3. IronTraps, IRONSCALES’ automated incident response technology, automatically analyzes and remediates incoming threats in real time.

4. Federation, IRONSCALES’ real-time actionable intelligence plugin for IronTraps, automatically protects all other IRONSCALES users from ongoing phishing attacks verified by trusted security analysts.

5. Integrations with Sandbox/Multi AV partners, such as Check Point’s SandBlast, further help expedite detection times by automating forensics.

THE KEY FINDINGS:

55% of attacks were discovered in one minute or less

75% of attacks were discovered in less than 5 minutes

False positive rate was as low as 2% on user reported attacks

[Chart: DETECTION TIME. Less than 1 min: 55.3%; more than 1 min: 44.7%]

[Chart: DETECTION TIME (FIRST 30 MINUTES). x-axis: Minutes (0 to 30); y-axis: Percentage of all attacks]

D. Majority of Targeted Attacks Bypass Email Filters

The Analysis: Although brand spoofing attacks are on the rise, IRONSCALES sees a low number of these attacks because spoofs are more likely to be picked up by traditional spam filters. However, email impersonations, such as BEC and CEO fraud, are increasingly bypassing traditional email security controls, especially those that target internal executives versus large brands.

Benefits: IRONSCALES’ IronSights automatically discovers, mitigates and remediates impersonation, CEO fraud and brand spoofing attacks that bypass spam filters by inspecting and analyzing all emails at the mailbox level using deep scans and machine learning. Acting as an employee’s virtual security analyst, IronSights validates sender reputation and authenticity, while also assessing behavioral patterns in search of anomalies in communications.

All suspicious emails are visually flagged as soon as the email hits the inbox, and a button inside the Outlook toolbar enables instant notification to security teams for further investigation or immediate remediation.

[Chart: 10 MOST FREQUENTLY SPOOFED BRANDS. Axis: Percentage of All Branded Attacks (0% to 30%). Brands shown: Apple, Vodafone, Facebook, FedEx, Microsoft, Yahoo, Paypal, Amazon, Google, DHL]

[Chart: MOST REMEDIATED DEPARTMENTS. Axis: Automated Remediations (5% to 35%). Departments shown: Production, R&D, Logistics, Marketing, Management, Customer Service, Human Resources, IT, Sales, Finance, Operations]

THE KEY FINDINGS:

Almost 95% of email phishing attacks were highly targeted campaigns, with the majority impersonating internal communications teams or individuals (i.e. CEO fraud).

For every 5 brand-spoofed attacks identified by spam filters, approximately 20 spear-phishing attacks bypassed the safeguard and went undetected.

Top 10 Most Spoofed Brands

Top 10 Most Remediated Departments


The following chart chronicles remediated attacks for 12 companies with approximately 5,000 mailboxes each (60,000 mailboxes total) that started using IRONSCALES during the same month in 2016.

The Results: The increasing number of employee detections can be explained by improved employee awareness training due to gamified educational simulations conducted over time.

Increasing Federation numbers correlate with its official rollout at end of Q2 2016. Upon confirmation of attack identification, Federation immediately logs the attack data and cross-references all users for emails containing a similar pattern. When an attack is matched, the users are notified in real-time through in-line messaging or instant quarantine. With this intelligence sharing, Federation then communicates immediately with IronTraps, which automatically remediates the attack without the need for employee or security team intervention.

AV detection improvement during Q4 was the result of a new partnership with Check Point, which began in Q3 2016.

The Key Takeaway: All 12 organizations benefitted from exponential improvements in phishing attack discovery, mitigation and remediation. This resulted in reduced risk and less burden on security teams and their resources.

III. DETECTION & REMEDIATION IMPROVEMENT WITH IRONSCALES

[Chart: AUTOMATED REMEDIATIONS OVER THE YEAR 2016. x-axis: Q1 to Q4; y-axis: Automated remediations (0 to 6000). Series: Detected by company employees (Report button); Detected by employees in other companies; Detected by AV / Sandbox / URL scanning (IronScan)]

IRONSCALES is the leader in anti-email phishing technologies.

The first and only anti email phishing provider to combine human intelligence with machine learning to automatically prevent, detect and respond to today’s sophisticated email phishing attacks using a multi-layered approach.

IRONSCALES expedites the time from phishing attack to remediation from weeks to seconds, with minimal security team involvement. Headquartered in Raanana, Israel, IRONSCALES was founded by a team of security researchers, IT and penetration testing experts, as well as specialists in the field of effective interactive training, in response to the increasing phishing epidemic that today costs companies millions of dollars annually. It was incubated in the 8200 EISP, the top program for cyber security ventures, founded by alumni of the Israel Defense Forces’ elite Intelligence Technology unit.

For more information on IRONSCALES, visit our website at www.ironscales.com and follow us @ironscales on Twitter.

START WITH IRONSCALES TODAY