The cyber threat landscape is rapidly evolving. In the beginning, hacking was a hobby taken up by people who did it simply to prove that they could. In the modern world, cybercriminals hack for profit, and the cat-and-mouse game between cybercriminals and cyber defenders has driven innovation in hacking. In some cases, new research and development have produced entirely new types of attacks. In others, a cybercriminal refines an existing technique to make it more effective.
Phishing is one of the oldest and simplest types of cyberattacks in existence. It is often easier to trick a human than to identify and exploit a new software vulnerability. As a result, most organizations have implemented some type of training program designed to teach their employees how to prevent phishing.
However, this training often has varying levels of effectiveness. To make things worse, cybercriminals are developing new forms of phishing, like lateral phishing, which are inspired by and designed to overcome the very same protective actions that organizations teach their employees.
Introduction to Phishing
Phishing attacks have been around for a long time and have evolved a great deal. In the beginning, phishing scams like the Nigerian Prince scam were designed specifically to be obvious. The intent behind making these scams so easily detectable was that anyone who fell for the pretext enough to respond to the phishing email would likely fall for the entire con. However, over time, people have grown more aware of the threat of phishing. Many organizations have implemented anti-phishing training designed to help their employees identify attempted scams. As a result, many of the simpler pretexts and scams are now less effective.
In response, cybercriminals have developed more sophisticated and realistic types of attacks. Most modern phishing emails are designed to look as realistic as possible and to minimize interaction with the victim and the probability of detection. This is accomplished by trying to trick the mark into taking a single specific action, like entering their credentials into a web page or opening a malware-laden document. Phishers can be surprisingly successful at capitalizing on a moment’s inattention.
Cybersecurity researchers and vendors work constantly to develop means of detecting and protecting against the newest types of phishing attacks, and cybersecurity awareness training teaches employees helpful tips and tricks for identifying phishing attacks. However, these tips and tricks don’t always work.
Lateral Phishing Attacks
One of the most common ways that end users are trained to identify potential phishing attacks is to look at the sender's email address. Typically, phishers need to use lookalike or otherwise plausible email addresses to send their emails, since they do not have access to a legitimate email account that the recipient would trust. But what if that weren't the case?
Lateral phishing attacks use an attacker's existing foothold in an organization to send further phishing emails from inside it. First, the attacker gains access to an employee's official email account. This can be accomplished in a variety of ways, including a traditional phishing attack, guessing a weak password, or reusing a password exposed in a breach of another service.
Once the attacker has control of an employee’s trusted email account, they can send another wave of phishing emails from that account. These emails can even be made more plausible since, if the attacker can access the email account, they can read past mail and build an extremely plausible pretext. When the intended target receives the email, many of the traditional warning signs of a phishing email are absent, increasing the probability of success.
Recent research has demonstrated that this type of lateral phishing attack has become more common and is a growing threat to organizations. These emails succeed in compromising other employees within the organization 11% of the time, even though 45% of them are sent to random targets with no existing relationship to the sender.
Protecting the business against phishing attacks is no longer as simple as training users to pay attention to the sender's email address. As email account compromise becomes more common (through data breaches, password reuse, etc.), employees must be able to identify a potential phishing email on its content alone, rather than trusting it because it comes from a legitimate account belonging to someone with whom they regularly communicate.
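Because the sender address is genuine, detection of lateral phishing has to come from the mail flow rather than from the "From" header. The following is an added example, not code from the original article or from any vendor it mentions: it runs over a constructed outbound mail log and flags an internal account that suddenly sends one subject and one link to a burst of recipients it has never written to, which is the pattern the text describes (the same lure, sent from a trusted account, largely to people outside the victim's normal correspondence). All addresses, the lure URL, the baseline history and the thresholds are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MailEvent:
    ts: int                 # minutes since midnight (constructed timestamps)
    sender: str
    recipient: str
    subject: str
    url: Optional[str]      # first URL in the body, None if the mail has no link


# Constructed baseline: (sender, recipient) pairs seen in the prior 30 days.
# Hypothetical addresses; nothing here is real mail data.
HISTORY = {
    ("alice@example.com", "bob@example.com"),
    ("alice@example.com", "carol@example.com"),
    ("carol@example.com", "alice@example.com"),
    ("dave@example.com", "erin@example.com"),
}

LURE = "https://docs.example-share.invalid/view?id=7731"   # hypothetical lure URL

# Constructed outbound events for one day.
TODAY = [
    MailEvent(540, "alice@example.com", "bob@example.com", "Re: Q3 budget", None),
    MailEvent(545, "dave@example.com", "erin@example.com", "lunch?", None),
    # Carol shares a link with two new people: normal behaviour, below threshold.
    MailEvent(550, "carol@example.com", "frank@example.com", "Draft", LURE),
    MailEvent(551, "carol@example.com", "grace@example.com", "Draft", LURE),
    # Compromised account: one lure, one link, a burst to mostly unknown recipients.
    *[MailEvent(600 + i, "alice@example.com", r, "Shared document", LURE)
      for i, r in enumerate(["frank@example.com", "grace@example.com",
                             "heidi@example.com", "ivan@example.com",
                             "judy@example.com", "bob@example.com",
                             "mallory@example.com"])],
]


def lateral_phish_candidates(history, events, *, window_min=30,
                             min_new=5, min_new_share=0.8):
    """Group outbound mail by (sender, subject, url) and flag campaigns that reach
    at least `min_new` recipients the sender has never written to, where those
    make up at least `min_new_share` of the recipients, within `window_min`
    minutes. Returns {sender: [campaign details, ...]}."""
    campaigns = defaultdict(list)
    for e in events:
        if e.url is None:
            continue            # credential lures carry a link; plain mail is ignored
        campaigns[(e.sender, e.subject, e.url)].append(e)

    findings = {}
    for (sender, subject, url), evs in campaigns.items():
        recipients = {e.recipient for e in evs}
        new = {r for r in recipients if (sender, r) not in history}
        span = max(e.ts for e in evs) - min(e.ts for e in evs)
        share = len(new) / len(recipients)
        if len(new) >= min_new and share >= min_new_share and span <= window_min:
            findings.setdefault(sender, []).append({
                "subject": subject,
                "url": url,
                "recipients": len(recipients),
                "new_recipients": len(new),
                "new_share": round(share, 2),
                "span_min": span,
            })
    return findings


if __name__ == "__main__":
    for sender, hits in lateral_phish_candidates(HISTORY, TODAY).items():
        for hit in hits:
            print(f"REVIEW {sender}: {hit}")
```

The thresholds are deliberately conservative so that ordinary link sharing (Carol's two-recipient "Draft" mail) is not flagged; in production they would be tuned per organization, and a hit would trigger a review of the account (recent sign-ins, mailbox rules) rather than an automatic block.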
Protecting Against Phishing
Even though it is not always effective, cybersecurity awareness training remains an important tool in protecting against phishing attacks. Training employees to recognize a phishing email and respond properly, e.g. by reporting it to IT, helps weed out many of the more obvious scams and protects other users who were targeted by the same attack but did not identify it as malicious.
However, phishing attacks are growing more sophisticated. Techniques like lateral phishing are designed specifically to defeat one of the most common anti-phishing behaviors taught to employees: checking the sender's email address. While these attacks can still be identified by other means, such as an unexpected request or link, some percentage of phishing emails will inevitably slip past the mental defenses of the average employee, who spends about 13.4 seconds reading an email.
Protecting an organization against the threat posed by phishing therefore also requires protection against the results of phishing. Phishing attacks are typically designed to steal credentials or drop malware. Deploying multi-factor authentication makes stolen credentials far less usable, and on email accounts in particular it also denies attackers the foothold that lateral phishing depends on; phishing-resistant factors are preferable, since one-time codes can themselves be captured by a phishing page. Combined with strong anti-malware defenses, this dramatically reduces the threat that an organization faces from phishing emails.