The Phish Chain: Phishing Attack from Start to Finish

A few years ago, computer security intelligence expert Mike Cloppert discussed the Cyber Kill Chain, the process through which a cybercriminal uses malware to attack a victim. In a recent webinar titled “How to Use Email-based Threat Intelligence To Catch a Phish,” Securosis’ Mike Rothman applied Cloppert’s methodology to how cyberattacks unfold in the case of a phishing attack.

The kill chain begins with weaponization and ends with monetization, the point at which credentials are stolen. In this post, we’ll dig into the Phish Food Chain as explained by Mike Rothman, and discuss how cybercriminals use this process to attack your brand. Let’s take a closer look at how Rothman took Cloppert’s work on the kill chain and applied it to phishing.

Leverage

Step 1: Reconnaissance

Reconnaissance is all about leverage. Phishers seek out large consumer brands that have a broad base of customers they can target. Think about it: why go after 100 people when you can go after 100 million? These are the kinds of attacks where you see the big brands targeted, the companies with the broadest array of customers.

Phishing Kits

Step 2: Weaponization

Weaponization occurs in the form of phishing kits. Phishing kits are pre-packaged attack materials aimed at a specific brand, containing all of the files, malware and materials that a phisher needs to launch an attack against that brand. As soon as the phisher uses these materials to stand up a phishing website, they are officially “in business” (and on their way to putting you out of business).

Spam Filter Evasion

Step 3: Delivery

Delivery aims to evade spam filters. This is the point at which the phishing email reaches its target’s inbox.

Advanced Malware Attacks

Step 4: Exploitation / Step 5: C2 (Command & Control)

Exploitation and command and control are the domain of advanced malware attacks: the phisher uses fairly advanced malware to exploit vulnerabilities on the victim’s devices and establish a presence there.

Monetize

Step 6: Exfiltration

This is where monetization takes place. Phishers acquire credentials that give them access to the resources they were after in the phishing attack.

What is MTTK and Why is it Important to Cybersecurity?

There has been much talk recently about MTTK, but what is MTTK and why is it so important? This post explores the term and explains why MTTK is such an important concept in cybersecurity terms.

When your organization is attacked, how long does it take you to know that the attack is taking place? Of course, we’d all like to answer “right away.” However, for many companies that isn’t the case. Examples of phishing attacks lodged against major brands that don’t discover they are being phished until months later have become commonplace.

When a phishing attack happens, time is not on your side. The faster you react to mitigate the attack and take down the phisher, the less damage you incur as a result of the attack. Of course, you can’t react if you do not realize the attack is happening. Therefore, it is critical in this era of cyber security that we take every measure to identify attacks when (or before) they happen.

What is MTTK?

Mean time to know (MTTK) is the average time it takes for a company to discover that its security has been compromised. According to a recent article published by Dark Reading, the term became popular after this year’s RSA conference, although the concept has been around for a while. The point is that we need to know what’s happening in our environment, and the sooner we know, the better we are able to prevent damage and lasting impact to our company. We can quantify this by measuring the average time between the initiation of an attack and the breach being discovered by the security team. The lower your MTTK, the more effective you are at identifying when your internal environment has been compromised.

Why is it important to lower your MTTK?

  • The longer it takes you to realize that an attack is happening, the more successful the phishing attack. In the case of a phishing attack, there isn’t much time to react. Most of the damage is done within the first two hours of a phishing attack.
  • The more successful the phishing attack, the more damage to your brand. This can be the most costly consequence of a successful phishing attack. Losing customers’ trust can stop them from doing business with your company for years, if they come back at all.
  • A high MTTK suggests that you don’t have a handle on what’s happening within your internal security environment.
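As an added example (not code from the original post), the following Python script computes MTTK the way the post defines it, as the average gap between an attack starting and the security team discovering it, and also reports how many incidents were caught inside the two-hour window the post says accounts for most phishing damage. The incident records, their ids and their timestamps are constructed for illustration; the median is included alongside the mean because one slow discovery, such as the month-long one in the sample, can dominate the average.

```python
"""Compute mean time to know (MTTK) from a set of incident records.

Added example, not from the original post. All incident data below is
constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample: when each phishing attack started and when the
# security team discovered it (hypothetical ISO 8601 timestamps).
INCIDENTS = [
    {"id": "inc-1", "started": "2013-05-01T08:00:00", "discovered": "2013-05-01T09:30:00"},
    {"id": "inc-2", "started": "2013-05-03T14:00:00", "discovered": "2013-05-04T10:00:00"},
    {"id": "inc-3", "started": "2013-05-10T02:15:00", "discovered": "2013-05-10T03:45:00"},
    {"id": "inc-4", "started": "2013-05-20T11:00:00", "discovered": "2013-06-19T11:00:00"},
]

# The post states most phishing damage is done within the first two hours.
DAMAGE_WINDOW = timedelta(hours=2)


def time_to_know(incident):
    """Detection delay for one incident, as a timedelta."""
    started = datetime.fromisoformat(incident["started"])
    discovered = datetime.fromisoformat(incident["discovered"])
    if discovered < started:
        # A record like this is a data-quality problem, not a negative delay.
        raise ValueError(f"{incident['id']}: discovered before started")
    return discovered - started


def mttk_hours(incidents):
    """Mean time to know in hours: the average attack-to-discovery gap."""
    return mean(time_to_know(i).total_seconds() for i in incidents) / 3600


def median_hours(incidents):
    """Median time to know in hours; less sensitive to one slow discovery."""
    return median(time_to_know(i).total_seconds() for i in incidents) / 3600


def share_within_window(incidents, window=DAMAGE_WINDOW):
    """Fraction of incidents discovered inside the damage window."""
    caught = sum(1 for i in incidents if time_to_know(i) <= window)
    return caught / len(incidents)


def slowest(incidents):
    """Id of the incident with the longest detection delay."""
    return max(incidents, key=time_to_know)["id"]


if __name__ == "__main__":
    print(f"MTTK:            {mttk_hours(INCIDENTS):.2f} h")
    print(f"median TTK:      {median_hours(INCIDENTS):.2f} h")
    print(f"caught in 2 h:   {share_within_window(INCIDENTS):.0%}")
    print(f"slowest incident: {slowest(INCIDENTS)}")
```

With the constructed sample, MTTK comes out at 185.75 hours while the median is 10.75 hours, which is why it is worth tracking both: the mean is what the post defines, but the median shows what a typical incident looks like once one outlier is set aside.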

PhishMe surpasses 200 customers and 4 million users trained

CHANTILLY, Va., May 28, 2013 — PhishMe, the leading enterprise provider of immersive phishing awareness training, has now trained over 4 million unique users at 200 different organizations. PhishMe’s customer base includes a number of the Fortune 500 and leaders in the financial, energy, insurance, healthcare, and government sectors. This milestone demonstrates how enterprises globally are working to counter the most common attack methodology used to compromise networks by managing employee behavior.