Although Black Hat USA 2017 ended three weeks ago, I wanted to share my thoughts and experiences on my very first Black Hat USA, after 15+ years in security.
Black Hat was everything that I thought it would be. Incredibly clever, astute, security-focused people willing to learn all about new and improved cybersecurity protections. Equally intelligent, insightful folks presenting on very relevant security topics. Then there was Las Vegas at the end of July: miles of walking, and it was ridiculously hot. (I know, it's a dry heat. So you bake instead of broil. Big difference.)
We were so busy in the Menlo Security booth that I wasn't able to attend many of the great briefings. One briefing that I really wanted to attend, but couldn't, was the one titled "Ichthyology: Phishing As A Science", presented by Karla Burnett, an engineer at Stripe who works on authentication and application security. But in what I'm sure is her copious spare time, she dabbles in building and analyzing internal phishing campaigns at Stripe. In her briefing, according to an article in InfoSecurity Magazine, Ms. Burnett dove into the psychology of phishing and why it's so successful.
Ms. Burnett said that most organizations treat phishing attacks as unavoidable: some phishing emails will inevitably get past the racks of security appliances, layers of cloud services, filters and everything else that organizations put in the path of email-borne attacks, and, as long as every employee, contractor or other user has been trained to recognize a phishing email, there isn't much else that can be done.
But, as Ms. Burnett points out and as quoted in the article, “Just because you say phishing is inevitable that doesn’t actually make the problem go away.”
On the psychology of phishing and why it works so well, Ms. Burnett drew on the two modes of human thinking popularized by Daniel Kahneman: System 1, or fast thinking, and System 2, or slow thinking.
System 1 is not just fast; it’s life at the speed of stream of consciousness. It’s the pace at which we all seem to work today. It’s emotionally driven, almost automatic, and can be easily fooled. System 2 is slow and careful. It’s logical, measured and almost suspicious. But, System 2 takes time and attention, two commodities most of us in today’s world don’t possess nearly enough of.
Attackers have reams of personal and business data on all of us, readily available from social media, and the ability to craft hand-made, almost artisanal phishing emails around it. Combine that social engineering with our time-driven sense of urgency and immediacy, and it's no wonder phishing attacks are as successful as they are.
While phishing training is useful, it relies on System 2, the slow mode. But if we are already rushed, stressed and pushed to the brink, do we really have the time or temperament to hover over a link in an email to see where it actually points before we click on it? Or to study a URL to see if it's legitimate? Or to read every line of an email looking for spelling or grammatical errors, check whether the brand logo looks right, or contact the sender to verify that they actually sent it?
Phishing training and internal phishing tests definitely help, but only when a user is already skeptical or suspicious of an email they've received. Otherwise, the user is not likely to slow down, take a beat and examine the email. They will simply continue in their fast, emotionally driven, get-it-done manner, and are likely to fall victim to the phishing attack, taking your organization with them.
Attackers inject a sense of urgency, such as a threatened loss of access to critical software or a claim that someone has already hacked your account; a sense of authority, such as a web link or attached document that appears to come from your manager and needs immediate attention; plus a familiar look-and-feel in the phishing email itself. Given all that, it's obvious why phishing works. And then there's spearphishing, which is even more personal and surgical.
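The checks listed above (where a link really points, whether the sender is who the display name claims, whether the wording is engineered for urgency) are exactly the System 2 work a rushed reader skips, and they are mechanical enough to automate. The script below is an added example written for this post; it is not code from Ms. Burnett's talk, from Stripe or from Menlo Security. It parses one RFC 5322 message with Python's standard `email` and `html.parser` modules and reports three kinds of cue: anchor text that shows one domain while the `href` targets another (or a punycode host), a `From` display name or `Reply-To` that belongs to a different domain than the actual sender, and urgency phrases in the subject or body. The phrase list is illustrative, and every domain in the sample message is made up.

```python
# Added example (not code from the talk or from Menlo Security): flag the
# cues a rushed reader rarely checks by hand. All domains below are made up.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that manufacture time pressure; illustrative, not exhaustive.
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "unusual sign-in", "verify your account", "action required")
# Visible link text that itself looks like a URL or a bare domain.
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_or_domain):
    # Lower-cased host of a URL or bare domain, minus a leading "www.".
    text = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    host = urlparse(text).hostname or ""
    return host[4:] if host.startswith("www.") else host

def check_links(html_body):
    """Findings for anchors whose visible text and real target disagree."""
    findings, collector = [], _AnchorCollector()
    collector.feed(html_body)
    for href, text in collector.anchors:
        target = host_of(href)
        if not target:
            continue
        if "xn--" in target:  # IDN/punycode host, a common homograph vector
            findings.append(f"punycode host in link target: {target}")
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = host_of(text)
            # A subdomain of the shown domain is fine; anything else is not.
            if shown and target != shown and not target.endswith("." + shown):
                findings.append(f"link text shows {shown} but points at {target}")
    return findings

def check_sender(msg):
    """Findings for a display name or Reply-To that points elsewhere."""
    findings = []
    sender = msg["From"].addresses[0]
    # "helpdesk@corp.example" <x@other.example>: the display name borrows
    # authority from a domain the message was not actually sent from.
    for claimed in re.findall(r"@([\w.-]+)", sender.display_name):
        if claimed.lower() != sender.domain.lower():
            findings.append(f"display name claims {claimed} but sender is {sender.domain}")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain
        if rt_domain.lower() != sender.domain.lower():
            findings.append(f"Reply-To goes to {rt_domain}, not {sender.domain}")
    return findings

def analyze(raw_message):
    """Parse one RFC 5322 message and return findings by category."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html_body = body.get_content() if body else ""
    # Urgency check runs over the subject plus the tag-stripped body.
    haystack = (msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html_body)
    return {"links": check_links(html_body), "sender": check_sender(msg),
            "urgency": [p for p in URGENCY_PHRASES if p in haystack.lower()]}

# Constructed sample message; every domain is made up for the example.
SAMPLE_MESSAGE = """\
From: "helpdesk@corp.example" <alerts@corp-example-mail.net>
Reply-To: support@reply-collector.example
Subject: Action required: unusual sign-in detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected an unusual sign-in. Verify your account within 24 hours
or access will be suspended.</p>
<p><a href="https://sso.corp.example.corp-example-mail.net/login">https://sso.corp.example/login</a></p>
<p><a href="https://xn--crp-example-2za.net/help">Help</a></p>
</body></html>
"""
```

Running `analyze(SAMPLE_MESSAGE)` on the constructed message reports the link whose text says `sso.corp.example` while the target is a lookalike under `corp-example-mail.net`, the punycode host in the second link, the display name that claims `corp.example`, the off-domain `Reply-To`, and five urgency phrases. These are heuristics that catch the cues the paragraph describes; they produce no verdict on their own, and a legitimate newsletter with a tracking-redirect link will trip the link check, so treat the output as input to a decision rather than as one.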
Remember: It only takes a single user to fall victim to a phishing attack to lead to an organizational disaster.
Based on all of this, it may seem that phishing attacks are, and will continue to be, unavoidably successful. That's really not the case.
As Ms. Burnett pointed out in her session, user training alone will not stop phishing attacks.
Technology is also necessary.
And the most effective technology to end phishing is isolation.