DomainTools recently teamed up with Osterman Research and six other security companies on a survey and corresponding white paper discussing how organizations are dealing with phishing and ransomware. While we hear about high-profile (successful) attacks, or technical details about the behaviors of the latest variant, there hasn’t been as much coverage of how organizations are preparing for, defending against, and recovering from the attacks.
There are elements of the old and the new in this: phishing is almost as old as spam, which itself is ancient by Internet standards, but ransomware is a rapidly-evolving scourge. As you might imagine, the best defenses generally will incorporate a blend of old and new techniques and tools.
The survey polled security organization leaders—a mix of CIO/CISO and other IT leadership titles from a variety of companies, generally fairly large enterprises. By way of summarizing the content of the questions themselves, here are a few high-level takeaways:
- Ransomware is increasing significantly, and so are other phishing-delivered attacks (more details below).
- The vast majority of the surveyed organizations have been attacked in the last year, and phishing and ransomware are among the top concerns cited by the respondents.
- 11% of respondents said that a Business Email Compromise (BEC) phish had succeeded in tricking someone in their organization.
- Security isn’t improving fast enough. Only around 40% of respondents described their security solutions and practices as “excellent.”
- Perhaps correspondingly, these organizations plan to increase security spending significantly in 2017.
- On the upside, security awareness training does seem to help: the respondents with well-trained users reported fewer successful attacks.
Everyone can probably intuit that phishing is increasing, but the Anti-Phishing Working Group puts some numbers to it: they have observed a 250% increase in the number of phishing web sites from the 4th quarter of 2015 to the 1st quarter of 2016. It’s not a stretch to infer from this that, as phishers see their activities paying off, they increase their investments in infrastructure (domains and IPs) in order to increase their returns.
McAfee saw ransomware attacks increase by 24% over that same period, reaching 1.2 million by the 1st quarter of 2016.
OK, Got It: Bleak Picture. Now What?
Here are a few things you can take away from this to help your organization:
- Invest more in training: You don’t have to invest a ton of money, but invest some time. Half of the organizations surveyed train their users once a year or less (7% replied “never”). Couple this with the 11% figure for successful BEC incursions, and you have a strong case for educating users more often and more rigorously.
- Recruit those users as forensic collectors: a phish is a valuable forensic artifact. The domains and IP addresses in the email and its headers can help your team gain context on successful or attempted attacks.
- Defend forward: If you can pivot and expand from one phishing domain to a whole collection of them, you just used that initial email as a force multiplier on your defenses. Exposing connected threat infrastructure is an incredibly powerful way of achieving informed prevention: defenses that align with the specific threats targeting you.
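As an added illustration of the "forensic collectors" point above (this is example code written for this post, not a DomainTools tool or anything from the survey), here is a small Python extractor that pulls the indicators a reported phish carries: sender domains from the From, Reply-To and Return-Path headers, relay IPs from the Received chain, and hostnames from lure URLs in the body. The message is constructed and its addresses use documentation ranges and `.test` names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample phish for illustration; IPs are from documentation ranges.
SAMPLE_PHISH = """\
Received: from mail.relay-example.test (mail.relay-example.test [198.51.100.23])
\tby mx.victim.test with ESMTP for <finance@victim.test>; Mon, 1 Aug 2016 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.relay-example.test with SMTP
From: "CEO" <ceo@victim-corp.test>
Reply-To: ceo@victim-c0rp.test
Return-Path: <bounce@bulk-sender.test>
Subject: Urgent wire transfer

Please approve the invoice at http://invoice-portal.victim-c0rp.test/pay?id=9 today.
Backup copy: https://203.0.113.45/inv.zip
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sender_domains(msg):
    """Domains claimed by the From, Reply-To and Return-Path headers."""
    found = set()
    for hdr in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            found.add(addr.rsplit("@", 1)[1].lower())
    return found

def sender_header_mismatch(raw):
    """True when the sender headers disagree on a domain, a common BEC tell."""
    return len(sender_domains(message_from_string(raw))) > 1

def extract_indicators(raw):
    """Return (domains, ips) worth enriching, sorted, from headers and body."""
    msg = message_from_string(raw)
    domains, ips = sender_domains(msg), set()
    # Received chain: every relay IP the message passed through.
    for rcvd in msg.get_all("Received", []):
        ips.update(IPV4_RE.findall(rcvd))
    # Lure URLs in the body: the host may be a domain or a bare IP.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            (ips if IPV4_RE.fullmatch(host) else domains).add(host.lower())
    return sorted(domains), sorted(ips)
```

The output is the seed list for the pivoting described in the next point: each domain or IP can be enriched and expanded to find related infrastructure before it is used against you again.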