2013 State of The Phish

Transcription

1 2013 State of The Phish

2 ThreatSim: 2013 State of The Phish Introduction Phishing continues to be one of the most effective attack vectors in the attacker s tool kit. A significant percentage of documented data breaches involve some form of a social-engineered attack. Despite a large investment in technology such as spam filters, anti-virus, anti-malware, IDS, and web proxies phishing messages continue to reach end users resulting in damages. Organizations have come to the realization that securing the end user needs to be part of the defense against phishing attacks. This report examines the results of organizations utilizing on-going simulated phishing tests combined with security awareness training. An oft-asked question in the information security industry is How do we compare to other organizations? It's a natural desire to know how your activities compare to your industry peers that have similar threats and risks. This report analyzes two pools of data: ThreatSim s anonymous data aggregated across our customer base A survey of 300 IT executives, administrators, and information security professionals From this data, we are able to gain an understanding of how organizations are addressing the human element of phishing attacks. While not a scientific study, this report provides a glimpse into what forward-thinking organizations are doing to train their end users how to identify and avoid phishing messages.! 1

3 ! ThreatSim: 2013 State of The Phish ThreatSim Customer Statistics ThreatSim has a unique vantage point on the phishing epidemic: from the trenches with our customers. We provide the data below to give a better understanding of what we see on the front lines. The data in this report is an aggregate analysis of results from ThreatSim customer s phishing training efforts. Who Uses ThreatSim? Financial organizations have historically been information security trail blazers. They have to be. As the saying goes Why do people rob banks? Because that s where the money is. Banks, financial services, brokerages, credit card companies, and credit unions have always been a prime target of the threat agent. The financial industry was the first to make a big push into application security. They also lead the pack in the effort to train their employees using immersive simulated phishing exercises. After financial services, we see several industries that are commonly targeted by state-sponsored threats (aka China). Energy includes organizations that manage critical infrastructure such as utilities and oil/gas pipelines. The (well documented) targeting of the Defense sector is two-fold: steal intellectual property regarding weapons systems and disrupt the defense industrial supply chain. Education institutions are commonly targeted as attackers seek systems with premium network connectivity from which to launch spam/phishing and DDoS attacks. We have seen a surge of interest from the manufacturing sector as they have come under increased attack from threats seeking to steal intellectual property. The chart below illustrates show a breakdown of ThreatSim s customer base: Financial 30% Energy Defense 13% 12% Education Health Care Manufacturing Government Insurance Consumer Technology Retail Services 8% 7% 6% 5% 5% 4% 4% 3% 3% Transportation 2%! 2

4 ThreatSim: 2013 State of The Phish How many people click? The number of target users who click (click rate) depends on several factors including, but not limited to: the phishing lure in the message, sophistication of the , date/time sent, and the target s technical acumen. In our experience, the lure or call to action in the phishing message has the most impact on the click rates for untrained user populations. A message stating that your credit card was just used on Amazon to purchase a $500 purse will have a dramatic effect as it represents personal financial loss. The results below are from a sample of customer campaigns. Average click rate (all campaigns) Highest click rate for a single campaign 18% 72% Phishing vs. Spear Phishing Our data confirms that the more customized the message, the more targets will click on the phish. Generic or consumeroriented messages similar to what you see in your spam folder consistently have low click rates. Messages with more customized attributes such as the target s first name, company name, or employer s logo tend to have higher click rates. The two examples below show a wide variance. The Win a free ipad message is similar to many broad-base, consumer-oriented phishing attacks that end users see on a regular basis. The Black Friday Employee Discount message was directed at the employees of an IT company using their company name and logo that is more representative of a real spear phishing attack. This message was sent out around Thanksgiving and designed to look as if the organization sent it to the employees. FREE IPAD! 2% 41%! 3

5 ! ThreatSim: 2013 State of The Phish Of the users who fall for a phish, which plugins are most vulnerable? For the users who fall for the phish, ThreatSim performs fingerprinting of the users browser. This provides our customer with a good indicator of the target s susceptibility to exploit, had the message they clicked on been a real phishing attack. Our data shows that of the target users who fell for our phish, 71% were found to be vulnerable to attack. For any readers who perform incident response or support end users the data below should not come as a shock. 60% 45% 30% 15% 0% Acrobat Java Flash Silverlight Realplayer Quicktime Not Vulnerable Is there any correlation between frequency of testing/training and target clicks? Yes. ThreatSim customers that run campaigns on a regular basis have consistently lower click rates. Achieving lower rates is more a function of the campaign frequency than the training content. Customers that run frequent campaigns do not always use detailed training. Rather, a simple message that alerts the end user that they have fallen for a phish. The Pavlovian experience is highly effective in curbing the user s tendency to click on everything that comes into their inbox. The figures below show the click rates achieved by organizations based on how frequently they train their user base. Quarterly Every other month 19% 12% Monthly 4%! 4

6 !! ThreatSim: 2013 State of The Phish What percentage of users opened the but didn t click? 22% 18% 4% Opened Opened and Clicked Opened and not Clicked What devices are people using to read s? 40.0% 10.4% 1.2% 1.1% 0.7% 0.3% Outlook iphone Lotus Notes Android ipad Blackberry! 5

7 ! ThreatSim: 2013 State of The Phish How quickly does a target click a phishing message after it was sent? 1m 5m 10m 20m 30m 1h 2h 6h 12h 1d 2d 1w More than 1w! 6

8 ! ThreatSim: 2013 State of The Phish ThreatSim Phishing Survey Results & Analysis ThreatSim conducted a survey of 300 IT executives, administrators and security professionals. The results of this survey are below. Have you ever experienced a phishing attack? If yes, rate the impact. 84% of organizations surveyed have experienced a phishing attack. For those in the 16%, it is probably wise to prepare for the inevitable if it has not already happened without your knowledge. 27% rated the impact of the attack(s) as material. The survey defines material as some form of malware infection, unauthorized access, or stolen data from a breach tied to phishing. 57% rated the impact of the attack(s) as minimal. At first blush a minimal impact may not seem detrimental as it will not land your organization in the news. However, in talking to security managers within our customer base we often hear just how disruptive even a minimal impact phishing attack can be due to how frequent they occur, the level of IT staff time spent in responding (endpoint forensics), and employee downtime (account reset, system restoration). The opportunity cost is huge; for example, one of our customers report that up to 50% of security team time in a week can be spent chasing account compromises with minimal impact. Everyday phishing attacks may not result in a data breach, but the costs associated with them still have a very negative impact. Reducing click rates can result in real time and cost savings that over time result in a material rather than minimal impact on your organization s productivity. 57% 27% Minimal Material! 7

9 !! ThreatSim: 2013 State of The Phish Have you seen the rate of phishing attacks on your organization increase each year? This result corroborates the headlines. Phishing is among the most active, growing, and consistent threat vectors. 60% 40% Yes No Do you currently implement phishing training and awareness programs? If so, in what format? The majority of organizations are using traditional awareness techniques such as advisories, webinars, and inperson training that historically have not worked. Advisories 46% No 25% Webinars or Meetings 17% Simulated Internally 10% Simulations 2%! 8

10 ThreatSim: 2013 State of The Phish Do you measure your organization s exposure to phishing? We find it interesting that 60% of respondents see the rate of phishing increasing each year, but only 30% are measuring their exposure to this threat. We feel that the industry s response to phishing is lagging. On a near weekly basis, we see evidence of major phishing attacks resulting in significant loss, and this only includes those reported the number of unreported attacks are likely much greater. If you asked these same organizations if they are doing /web filtering, they'd say yes yet phishing messages still reach end users. How do you know how susceptible your end users are to phishing lures? Understanding your exposure will aid in developing the right approach to limit your risk of compromise. No 70% Yes 30% How do you monitor the vulnerability of 3rd party software on every desktop? For the most part enterprise endpoint patch management is a mature activity. Even mid-tier organizations have figured out Microsoft patch management. However, the one area that still remains a weakness is 3rd party patch management; and the attackers know this. Nearly half of the respondents do not have a formal 3rd party patch management process, which leaves a significant number of end points vulnerable to exploit-based phishing attacks. The well-known RSA breach resulted from an Adobe Flash exploit embedded in an Excel spreadsheet. Central Patch Management 51% Not formally monitoring 3rd party software Leave it to the user 24% 20% Other 6%!! 9

11 ThreatSim: 2013 State of The Phish ThreatSim Survey Methodology This survey was completed double-blind and transmitted electronically via a third-party survey service. The sponsor of the study, ThreatSim, and its parent organization, Stratum Security, had no influence over the selection of the respondents. ThreatSim was not mentioned as the sponsor of the study at the beginning of the survey, and no further information about ThreatSim and ThreatSim s services were provided to survey respondents. All respondents were required to be knowledgeable and/or responsible for planning or implementing phishing/security training and awareness in their organization, at least 18 years of age and employed full-time in Information Technology. Survey respondents were paid a small honorarium by the third-party survey service for completing the survey. N=300 qualified respondents. The survey had a 23 percent response rate among those invited, and has a 4.97% margin of error. All surveys were completed between September 26 and Oct. 4, 2013.! 10

12 About ThreatSim ThreatSim was created by Stratum Security, an plugins (Flash, Java, etc.) enable attackers to information security services firm headquartered in the compromise victims by simply visiting a malicious website Washington, DC metro area. We eat, breathe, and drink security. Stratum s core business is performing security assessments: application security, penetration testing, mobile software assessments, and security program and Weak Egress Controls permissive network security controls that allow data to be exfiltrated out of the network undetected compliance reviews. While each of these offerings have These attacks represent a blind spot in traditional network matured industry-wide, we identified a need for a security assessments. scalable, feature rich, end-to-end spear phishing and advanced attack assessment service. It is also apparent that current user awareness training Traditional network and application oriented assessments attacks start. While an important component of an are not sufficient in determining your risk to more information security program user awareness training advanced attacks. Hackers are using techniques to alone, regardless of its maturity, cannot completely circumvent perimeter security controls that these address the threat posed by advanced attackers. In assessments test. If you examine recent high-profile response to these common themes, customer demand, security breaches, several commonalities exist: and real-world observations, Stratum developed a Spear Phishing targeted attacks that use targeted messages that attempt to trick users into clicking on malicious file attachments or URLs Data Exfiltration - the covert transfer of data from within an organization to an external server that the attacker controls Vulnerable Browsers & Plugins - outdated software (Internet Explorer, Firefox, Safari, etc.) and 3rd party does not prevent spear phishing, which is how advanced Security-as-a-Service (SaaS) solution that allows our clients to simulate advanced attacks against their people, processes, and technology in a controlled, repeatable, and cost-effective manner. For more information visit

13 13800 Coppermine Rd. Suite 302 Herndon, VA