Phishing continues to be a top cybersecurity risk. Despite the availability of security awareness trainings, materials, and products on the market, attackers are savvy, and honest employees are busy and curious. It used to be that a “Nigerian Prince” asked victims for a few hundred dollars in return for a promised multimillion dollar inheritance, a claim that was relatively transparent to anyone who stopped and thought for a second. Today, however, cyber criminals often carefully collect and correlate personal details from publicly available information to lend credence to their requests. The bigger the potential payoff from exploitation, the more precise the targeting of the individual. But even an “urgent” notice about a delayed shipment or the threat of a cancelled service is enough to fool otherwise-thoughtful individuals into clicking.
Hence the security industry’s focus on educating users about the dangers of phishing attempts. While there is nothing inherently negative about awareness and behavioral training, all of the investment in these programs hasn’t significantly moved the needle in terms of efficacy. Phishing is still attackers’ primary means of finding their way into companies’ networks and users’ accounts. And all the awareness in the world won’t stop attackers; organizations need to implement layered technological security capabilities that stop adversaries’ progression after they weasel their way onto the network.
Two-factor or multi-factor authentication is an effective control, but many organizations leave 2FA/MFA turned off because it’s inconvenient for users. Further, attackers have been known to go the extra mile to pilfer the second factor of authentication from end users, for example by relaying a one-time code to the real site while the victim is still on the phishing page, so even requiring 2FA isn’t always foolproof. And of course there are other types of technologies that look for the presence of malware or unauthorized access on the network, but traditional controls and techniques often rely on network constructs like IP addresses and port numbers that are less effective in modern computing environments like public clouds and containers, where addresses are ephemeral and shared.
Down with address-based security control
The answer to the phishing problem isn’t more awareness and it isn’t more network-based technology. In Edgewise’s world, we think there are two things organizations should be adopting if they truly want to defend against cyber adversaries and prevent large-scale breaches:
- Zero trust
- Software identity-based security control
Zero trust, the first recommendation, is a philosophy or a methodology, not a product (though it is the underpinning of many commercial security products today). For those unfamiliar with zero trust, the quick version is “Never trust, always verify.” Edgewise takes it one step further to mean, “Never trust networks or network addresses, always verify software and services communicating on your networks.” Taking our vendor pitch out of the mix, zero trust says:
- Network admins and security teams must assume their networks are inherently hostile
- Authenticate and authorize every user, host, workload, and device every time it tries to communicate and connect
- Access to resources is confined to least privilege for all systems, users, hosts, and applications
How does this help when it comes to thwarting cyber attackers who have used phishing to access network resources? Applying zero trust principles means that a user’s credentials, device, and permissions are tested at every communication attempt, whether they’re trying to access applications or connect to hosts. With zero trust, a valid set of credentials isn’t enough for a “user” to gain access. Attributes such as geographic location, a hardware-bound device identifier (the UUID of the device BIOS, for example), and the user’s typical behavior are all taken into consideration before access is granted.
The above is looking at zero trust from an end user perspective, the BeyondCorp model, if you will. But zero trust is about more than users and their devices. Importantly, zero trust security controls should apply to applications, services, and hosts communicating on the network, too. If zero trust is enforced only at the perimeter, from the outside in, it’s entirely possible that a set of phished credentials could lead to lateral movement and additional application, software, or system compromise.
This is why the identity of communicating software and services is so important. In the security field, we’re all familiar and comfortable with identity as it relates to users and devices, but the industry is less comfortable with the idea that software and services possess similar immutable attributes (for example, the cryptographic hash of the executable, its code signer, and its path on disk) that can be used for verification and “trust” purposes (“trust” will remain in quotes because “trust” in a zero trust network is finite). Adding identity to the set of conditions that must be met before software and services can communicate on a corporate network means that if an attacker manages to infiltrate the network and access resources, any binary the attacker modifies, replaces, or drops no longer matches its verified identity, so it is denied the network access it needs to launch an additional attack from inside. Likewise, in an identity-centric network, dual-use technologies like PowerShell can be recognized when they’re being used in unexpected or anomalous (i.e., malicious) ways. Software identity-based security controls mean that attackers can’t change the nature of software or services with malware and have it propagate throughout the system.
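To make the two preceding points concrete, here is a toy policy engine, written as an added example for this post (not Edgewise’s product or code), that evaluates every connection attempt on the user, the enrolled device, the location, and the identity of the connecting software, and never on the source IP address. The identity attributes (path, SHA-256 of the executable, signer), the policy schema, the service name “payroll-api”, and the sample binaries are all constructed assumptions for illustration. It also includes an address-based allowlist for contrast, to show the case the text describes: an attacker who lands on a legitimate host with phished credentials passes an IP check but fails once the trojaned client no longer matches its verified identity.

```python
"""Toy zero-trust policy engine (added example, not vendor code).

Every connection request is evaluated on user, device, location, and
software identity.  The source IP is carried in the request only to
show that the identity-based decision never consults it.  All names,
hashes and policy entries below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareIdentity:
    """Immutable attributes of the program making the connection."""
    path: str     # where the executable lives on disk
    sha256: str   # hash of the executable's bytes
    signer: str   # code-signing identity (assumed already verified by the OS)


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    device_id: str      # hardware-bound identifier enrolled with the organization
    geo: str            # coarse geographic location of the device
    source_ip: str      # present only to show it is NOT used by zero_trust_decision
    dest_service: str
    software: SoftwareIdentity


def fingerprint(executable: bytes) -> str:
    """Derive the software identity's hash from the binary itself."""
    return hashlib.sha256(executable).hexdigest()


# --- constructed sample binaries: a genuine client and a trojaned copy -----
GENUINE_CLIENT = b"payroll-client v2.3 (genuine build)"
TROJANED_CLIENT = GENUINE_CLIENT + b"\x90" * 8 + b"c2-beacon"

GENUINE_ID = SoftwareIdentity("/opt/payroll/client", fingerprint(GENUINE_CLIENT), "Acme Corp")
TROJANED_ID = SoftwareIdentity("/opt/payroll/client", fingerprint(TROJANED_CLIENT), "Acme Corp")

# Policy keyed by destination service; every attribute must match (default deny).
POLICY = {
    "payroll-api": {
        "users": {"alice"},
        "devices": {"laptop-7f3a"},
        "geos": {"US"},
        "software": {GENUINE_ID},
    },
}
ENROLLED_DEVICES = {"laptop-7f3a"}


def zero_trust_decision(req: ConnectionRequest) -> tuple[bool, str]:
    """Authenticate and authorize every attempt; a valid username is never enough."""
    rule = POLICY.get(req.dest_service)
    if rule is None:
        return False, "no policy for destination (default deny)"
    if req.user not in rule["users"]:
        return False, "user not authorized for service"
    if req.device_id not in ENROLLED_DEVICES or req.device_id not in rule["devices"]:
        return False, "device not enrolled for this service"
    if req.geo not in rule["geos"]:
        return False, "unexpected location"
    if req.software not in rule["software"]:
        return False, "software identity mismatch"
    return True, "all factors verified"


def legacy_ip_decision(req: ConnectionRequest, allowed_ips: set[str]) -> tuple[bool, str]:
    """Address-based control, for contrast: trusts whoever holds the address."""
    if req.source_ip in allowed_ips:
        return True, "source IP allowlisted"
    return False, "source IP not allowlisted"


# --- constructed scenarios --------------------------------------------------
# 1. Alice on her enrolled laptop running the genuine client.
LEGIT = ConnectionRequest("alice", "laptop-7f3a", "US", "10.1.2.3", "payroll-api", GENUINE_ID)
# 2. Phished credentials replayed from an attacker-controlled machine abroad.
PHISHED_CREDS = ConnectionRequest("alice", "unknown-device", "RO", "203.0.113.9", "payroll-api", GENUINE_ID)
# 3. Attacker already on Alice's laptop (same IP, same device) but running a trojaned client.
TROJANED = ConnectionRequest("alice", "laptop-7f3a", "US", "10.1.2.3", "payroll-api", TROJANED_ID)


if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("phished creds", PHISHED_CREDS), ("trojaned client", TROJANED)]:
        print(f"{name:16} zero-trust: {zero_trust_decision(req)}  ip-allowlist: {legacy_ip_decision(req, {'10.1.2.3'})}")
```

The third scenario is the one that matters for lateral movement: the request comes from an enrolled device at an allowlisted address with a legitimate user, so an address-based control lets it through, while the identity-based check rejects it because the executable’s hash no longer matches the verified identity.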
In this sense, software-based identity doesn’t stop phishing attacks, per se, but it does limit cyber criminals’ ability to launch secondary or tertiary attacks against the network, which is a big win for companies who want to keep systems intact and available to users.
Cut bait after the phish
The harsh reality is that phishing is going to be successful in perpetuity. And this post isn’t suggesting that the security industry merely scrap all education about cyber hygiene. That said, in this day and age most security practitioners should recognize that awareness and education aren’t enough to stop attackers from getting into the network. Additional controls are therefore necessary: controls that stop lateral movement, unauthorized access to and use of software and services, and the injection of malware. Zero trust and software identity-based controls (which are not bound by network constructs) get companies closer to eliminating disastrous consequences when an attacker does find their way into the data center or cloud.