What, you may ask, do takedown vendors and fire hydrants have in common? Well, perhaps more than one might think.
In this post, we’ll examine three aspects of each: what they do and what they are intended for, what they actually provide us and our businesses, and where they fall short in protecting us and our assets from harm, along with how we can address those shortcomings.
Let’s start with what each does and its intended use. Both are intended to protect us from further harm once a threat to our security and wellbeing has been identified. In the case of the fire hydrant, an individual hydrant supplies water for a limited area, for use by a third party, the firefighters, to put out a fire at its source and save our assets, a home or building. Timeliness and accurate identification of the source are critical to success.
Similarly, once a brand is notified of a fraudulent website, the takedown vendor acts on the suspected phishing URLs. The hope and intent is to reach the source of the attack and eliminate it by “taking it down,” protecting credentials through a quick response. Timeliness and accuracy are critical to success in much the same way they are when putting out fires.
What do fire hydrants and takedown vendors truly provide us?
In the case of fire hydrants, they can help lower our insurance premiums if they are close enough to our home or building. They can give us some peace of mind. And they help firefighters put out fires. Unfortunately, they do nothing to prevent fires, and in that sense they only address symptoms.
In a similar fashion, takedown vendors make us feel good because we are reacting to threats and attempts to steal credentials. But they too are dealing with symptoms. They generally do not effectively cover the critical window between the onset of a phishing campaign, when credential theft begins, and the remediation or successful takedown of the fraudulent sites. And they do little to prevent the next attack.
It’s important to remember that time is critical, and time is not on your side in either case. Fires spread at a geometric rate in their early stages, and a phishing campaign harvests credentials from the moment the emails land, well before a takedown completes. So, in summary, both fire hydrants and takedown vendors do what they are intended to do well, but they are ineffective at identifying the true source of the threat and preventing the destruction of assets.
So what’s one to do: abandon fire hydrants and stop using the services of takedown vendors?
Certainly not. They perform their intended function. But there are things that can be done to complement that function and result in more effective protection of our assets.
Just as inspections of homes and buildings for potential fire hazards go a long way toward preventing fires and reducing reliance on fire hydrants and fire trucks, actionable threat intelligence with deep contextual information can make cybersecurity measures more effective and more timely in their response. Tools can be more preemptive, reducing the need to take down fraudulent websites in the first place. When takedowns are still needed, the effort can be focused on the true sources of the threats, which improves takedown time. And some of that portion of the budget can be used elsewhere.
So, ask yourself this question: how pleased are you with your current takedown approach and vendor? The intelligence-led security approach is gaining traction in corporate security circles, and it is an approach worth investigating. It can make the difference between merely being compliant and being effective as well.