What is Actionable Intelligence?

Do you know what is actionable intelligence? Do you know the difference between threat intelligence and actionable intelligence? If not, read on.

The term actionable intelligence has joined the ranks of threat intelligence, big data and more words that are used in well-meaning ways, but are ultimately meaningless.

Don’t get us wrong, like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service offerings that are transforming the way that we approach today’s cyber threats.

In fact, there was a recent LinkedIn discussion on this very topic. A LinkedIn user posted this question:

What exactly is “actionable intelligence”? I see a lot of start-ups being created by MBA persons who have no background or credentials in IT security. The product they offer for big fees is known as “actionable intelligence”. They are trying to duplicate for businesses what the NSA, CIA, FBI, and DHS are doing for, and within, the federal government. My question is: how can these companies have the manpower and the resources to provide services like the NSA, CIA, FBI, DHS. We all have heard of the failures in intel coming from the best intel services in the world, i.e. NSA, CIA, etc. Those big boys have failures. What should we expect from these start-ups and your companies that are jumping on the bandwagon.? And these companies do not know of the ordinary IT security practices like defense in depth, hardening systems. They are providing intelligence about the “bad guys”. How do they go about getting this intelligence? It is so secretive how does a CISO know if it is worth anything?

As the following definition from businessdictionary.com provides, actionable intelligence is not relegated to security; maybe that’s why ‘MBA person with no security credentials’ feel they can use it or may actually know something about it from usage in a different field:

“Any intelligence can be used to boost a company’s strategic position against industry peers. The acquired intelligence must be transferred into real actions which can be used to either launch a preemptive strike or prepare a counter strategy. Examples include the competitors’ price range, marketing budget, target demographic, advertising campaign and strengths over a company’s own product. Overly aggressive attempts to gather intelligence from competitors may be illegal and constitute corporate espionage.”

Now onto some of the other questions posited: Let’s get into the context of security. Here is one definition that’s pretty good:

“Actionable Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

Not perfect, but not bad.

As for the vendors’ size, not everyone in the market of ‘threat intelligence’ is small – by the way, the industry analyst group The 451 estimates there will be $1.2B in spending this year and IDC thinks spending will be $1.8B. Symantec, Cisco, Intel/McAfee, IBM and many other large traditional security vendors have acquired threat intelligence offerings.

As for the startups and whether or not they can compete, the question isn’t one about manpower as you refer to with major security agencies; instead it’s about their technology and its ability to provide value. If they can provide that value with one person their ‘actionable intelligence’ will be purchased. And yes, just like traditional defense in depth systems, threat intelligence is not a panacea for the woes of security. However, the reality of failures of current defense in depth, hardening and other current security techniques has to be acknowledged. Many organizations realize that ‘defending’ and ‘responding’ is no longer as effective as it used to be, and that being intelligence led is required. Why? The hackers, the bad guys, are winning more and more.

As for traditional security (defense in depth, hardening, Etc.), I don’t think anyone would ever suggest that you not use these and other network defenses. And these threat intelligence vendors don’t either. The traditional security systems and methods play a vital role in securing your network, even if they have their individual shortcomings. Their efficacy can be raised, however, when given the right kind of intelligence that has an immediate impact on network security. Threat intelligence can make these devices smarter and the security professionals who are too few and overworked, ‘smarter’ about how to stop and prevent attacks.

As for how they get their intelligence, its different by vendor and it’s a great question to ask them if you evaluate their offerings.  And try before you buy—just like anything else—and that way you will know if it has value—and so will your CISO!

Got Any Good Phishing TIPs?

PhishMe Intelligence Integrates with Industry Leading Threat Intelligence Platforms (TIPs)

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge is once this is done, acting on the what matters most. This requires intelligence, not just data.

This is why PhishMe has completed technical integrations with TIP partners Anomali™ and ThreatConnect®. These integrations offer security teams the ability to ingest and correlate phishing-specific indicators with easy-to-act-on impact ratings and contextual reports to make confident security and business decisions.

PhishMe Intelligence customers gain from our human-verified phishing intelligence. What does this mean? It means that our customers receive phishing indicators from daily criminal phishing campaigns such as compromised IP addresses, domains, URLs, hashes, and botnet and command and control infrastructure. These indicators and credible intelligence reports are meticulously maintained and verified by PhishMe security researchers. Customers receive expert phishing intelligence that connects indicators with threat actors’ infrastructure so that security teams can confidently act quickly and accurately in their investigations.

PhishMe precisely delivers timely indicators and intelligence about ransomware, business email compromise, credential-stealing phish, and other malware. It is the timeliness and accuracy that is so crucial because the longer it takes security teams to determine the impact and severity of the threat, the more time the attacker has to plot their next move and achieve their mission.

When PhishMe designates an indicator with a major impact rating, teams can heed this warning and confidently take action. PhishMe doesn’t just tell security teams what is malicious, we explain why something is malicious. This is the context that allows analysts to act on the data analyzed and enriched by trustworthy PhishMe researchers.

PhishMe also helps answer the never-ending question; “is this a threat to my business”? The Active Threat Reports are contextually-rich reports that illustrate threat actor tactics and the neighboring criminal infrastructure that supports their operation. The reports take “so what” about an indicator, and provide an inside-out view of the threat actor and tactics.

Security analysts spend less time deducing and more time executing.

Security teams invest in TIPs as a way of bringing multiple sources of data into a centralized location that can be correlated and then distributed to other systems as part of the workflow. Open source, paid subscription, and industry-specific intelligence exchanges, all provide a useful purpose in managing threats to the business. The difficulty is managing vast amounts of data and ensuring a low signal-to-noise ratio. As such, TIPs emerged to support the endless need for data analysis and decisive action.

PhishMe Intelligence product management and solution engineers collaborated with TIP providers to complete technical integrations suited for security teams accountable for defending the business.

Conclusion

TIPs emerged to help security analysts who are inundated with so much information and the need to centrally manage it. They’ve become a concentrated repository for security teams to ingest, de-duplicate, analyze, and act on the indicators received. PhishMe’s technical partnerships with Anomali and ThreatConnect, will help ensure that the quality of intelligence available is second to none when it comes to indicators of phishing. Phishing is the primary vector of compromise and oftentimes leads to data loss. Consuming human-vetted phishing intelligence into a TIP ensures security teams can be confident in the action they take to protect their business.

Sage and Locky Ransomware Now Sharing Delivery Infrastructure in Phishing Attacks

BY BRENDAN GRIFFIN AND GARY WARNER

Threat actors have demonstrated that despite the past two years’ explosion in new ransomware varieties, ransomware developers still believe that the market has not reached the point of saturation. Examples of encryption ransomware like Sage have made notable appearances on the phishing threat landscape in the early days of 2017, continuing the ransomware trend from 2016.

An Open Enrollment Reminder – Phishers Want Your HSA Money!

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action!  More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015, and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s a tempting target for criminals, and, due to the increase in HSA-related emails, they are ready to use email-based phishing attacks to try to steal your account credentials.

HSA Phishing Attacks

PhishMe has observed a large spike in phishing traffic targeting HSA account userIDs and passwords, starting November 11, 2016, and continuing through today. More than seventy distinct phishing attacks have been observed since that date, targeting Health Savings Accounts at Optum Bank and Fidelity. Fortunately, both of these organizations have been very responsible with their response to phishing and have provided additional information to help protect their customers.

The most prominent Optum phishing attack we are seeing directs the user to a page that looks like this:

hsablog-1Optum customers are encouraged to familiarize themselves with the actual look of their HSA login page and, most importantly, to pay attention to the URL. In the phishing URLs reviewed by PhishMe, the website did not belong to Optum and in some cases didn’t even attempt to pretend to be Optum. The phishers know that most users do not look at the URL of each website they visit. Following are a few example URLs that users clicked on, thinking they were accessing their HSA:

  • twistshop.me/myuhcfinancial/optum/
  • opthsa.com/optumhealthfinancial/optum/
  • megaleft.com/optumhealth/optum/

OPTUM Financial Services provides great information about how to protect your account on this Account Security web page: www.optumhealthfinancial.com/protect-account.html. They encourage account holders who may have clicked a link or opened an attachment to call them, or, if you have NOT clicked the link or opened the attachment, to forward the email to assetprotection@optum.com.  Their account protection web page also provides a sample phishing email that may be similar to one you may receive.

PhishMe is also observing a large increase in phishing attacks imitating the Fidelity Health Savings Account. As with the Optum phish, the key to detecting these phishing web sites is inspection of the URL. In the example below, the web page looks very convincing, but the URL contains the domain name shoe-etc.com which is certainly not Fidelity’s main login page for HSA accounts!

Some of the suspicious URLs we’ve seen for Fidelity’s HSA accounts include the following:

  • myhrsa.com/mynetbenefit.fidelity/fidelity/
  • fidelitynetbenefit.shoe-etc.com/fidelity/
  • securemynb.fidelity.opthsa.com/fidelity/
  • ubs-money.com/netbenefitsfidelity/fidelity/

Fidelity also has a very helpful web page for letting its customers know about possible security problems. Suspicious emails that you receive can be sent to phishing@fidelity.com, and the Report an Online Security Issue web page at https://www.fidelity.com/security/report-an-issue  has telephone numbers and additional tips related to phishing.

And Malware, Too!

The PhishMe Intelligence team has also recorded health insurance social engineering attacks that delivered malware via spam messages. The most blatant of these was a high volume spam campaign observed on November 7, 2016.  Using the email subject line: Health Insurance, the email body read as follows:

The email attachment contained a zip file that used the word insurance and some random numbers as its name, such as:

  • insurance_39017dc45.zip
  • insurance_95341063.zip
  • insurance_bc9ebb1f.zip

These .zip files contained hostile JavaScript code for downloading and executing the Locky ransomware. Locky can encrypt all files on both your local machine and network drives, and these files can only be decrypted by paying a ransom to the criminal.

Conclusion

During this time when the corporate emails are likely to be full of reminders about Open Enrollment and Health Savings Accounts, regarding both spending your remaining balance and setting up the account for next year, be sure to not let the pressure prevent you from being cautious! As our friends at the Anti-Phishing Working Group like to say – Stop. Think. Connect.

Be sure to share this warning with your friends, and consider sharing it with your HR department as well.

Ransomware made up 97% of phishing emails so far in 2016, what about the rest? Learn more in our latest Q3 Malware Review.

A Warning on Christmas Delivery Scams

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.

Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, scammers of this kind have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams being spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly-popular among threat actors and is better positioned to trick even the most security-aware individual: failed delivery phishing scams.

UPS estimates that in the U.S., more than 630 million packages were delivered by shoppers during the holiday period last year, and FedEx predicts  317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about to prepare for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.

It is widely-known that the keys to successful social engineering are fear and greed.  When presented with compelling stimuli under these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link.  As Christmas approaches, certain malware families such as ASProx may have high-volume spikes, taking advantage of shoppers lowering their guard.  In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart.  Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to prevent detection by causing the spammed links to point to websites that had been “known to be good” until the morning of the attack.

So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?

Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. While Christmas scams are thought of as dangerous, if the computer used to access these websites is a company or government computer, these scams can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.

So be vigilant, and have a very merry (and scam-free) holiday season.

 

Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.

Behavioral Conditioning, Not Awareness, Is the Answer to Phishing

BY AARON HIGBEE AND SCOTT GREAUX

You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe tends to agree with this sentiment and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to use research results conducted on a student population to Enterprise workers. We have several problems with the approach as described. For starters, it wasn’t created by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet, readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe simulator provides customers with templates that include the exact content used by threat actors.  By deriving content from our Phishing Intelligence platform we provide experiences that are relevant to enterprise users.   This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU’s study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.

Cyber Crime: The Unreported Offense

On July 22, 2016 the UK’s Office for National Statistics released crime details for the year ending March 2016.  For the first time, this data included information about fraud and computer misuse offenses, which was compiled in the National Crime Survey for the first time in October 2015. While the police recorded 4.5 million offenses from March 2015 to March 2016, the survey indicates there were likely 3.8 million fraud instances and 2 million computer misuse instances during that same year, with the vast majority of these crimes being unreported to law enforcement.  The report has caused for a new call for additional cyber crime reporting at all levels.  In the UK, consumers and businesses alike are encouraged to submit suspicious activities and cases of loss to ActionFraud: the National Fraud & Cyber Crime Reporting Center.  ActionFraud also offers a Business Reporting Tool for bulk submissions by businesses of both fraud and scam emails.*

Earlier in July, the UK’s National Crime Agency also released their report “Cyber Crime Assessment 2016.”   The primary point made by the NCA report is the “need for a stronger law enforcement and business partnership to fight cyber crime.”

NCA Cyber Crime Assessment 2016The NCA report called special attention to the sophisticated abilities of international crime groups, making them “the most competent and dangerous cyber criminals targeting UK businesses.”  These groups are behind the most sophisticated financial crimes malware.

“This malware is a substantial source of financial crime in the UK, with three variants: DRIDEX, NEVERQUEST and DYRE /DYREZA, appearing frequently and responsible for many hundreds of thousands of individual crimes in 2015.”

The report also highlights the danger of ransomware and Distributed Denial of Service (DDoS) attacks.

While arrests were made in the DRIDEX case, the same botnet is now the leading source of the Locky ransomware family, the focus of more than 50 PhishMe Intelligence reports in the past month alone!

Statements made in March by Sir Bernard Hogan-Howe, the police commissioner of the Metropolitan Police of London, received mixed reviews when he said that banks that refunded their customers after cyber incidents were “rewarding them for bad behavior” instead of teaching them to be safer online.  The GCHQ suggested that 80% of consumer-facing cyber crime could be stopped just by choosing safer passwords and keeping one’s systems updated with current security patches.

The NCA report points out, however, that it isn’t just consumers who are not pulling their weight in the fight against cyber crime.  Businesses also have a responsibility to do more.   The report urges corporate board of directors to make sure that their information technology teams are not merely checking the boxes required of compliance regulations, but taking an active role in assisting the cause by ensuring that their businesses are reporting cyber crime incidents.  As widely seen in the United States, one may be compliant with PCI, Sarbanes Oxley, HIPAA, and other regulatory standards yet still be extremely vulnerable to the type of sophisticated cyber attacks presented by these sophisticated international crime groups.Moving beyond Box-Ticking cyber security

“Directors also have an important role in addressing the under-reporting of cyber crime which continues to obscure the full understanding of, and hence responses to, cyber crime in the UK. In particular, we urge businesses to report when they are victims of cyber crime and to share more intelligence, both with law enforcement and with each other.”

– NCA Strategic Cyber Industry Group

Dridex, NeverQuest, Dyre, Ransomware – Meet PhishMe Reporter & Triage

At PhishMe, we are intimately familiar with the prevalence of the malware families discussed in the UK government’s reports.  We provide detailed intelligence reports to our customers about all of those malware families, which are among the most common email-based threats that we encounter as we scrub through millions of each emails each day to identify the greatest threats and get human-driven analysis about those threats back out to our customers.

We support the security strategy and defense posture recommended by the NCA Strategic Cyber Industry Group.  Our industry must move from reactive, check-box security mentality to a proactive method of gathering and analyzing security incident reporting.  PhishMe customers not only have the ability for every employee to become part of the solution to “under-reporting” with a click of the mouse on the “Report Phishing” button, but also to share that information back to PhishMe to allow us to provide indicators that help protect ALL customers and to help inform our law enforcement partners.

PhishMe Reporter

The PhishMe Reporter Button

PhishMe Triage provides a single place for all of those employee reports to be integrated, if your business would like to answer the call to do more information sharing about these top malicious threats. By providing a dashboard-driven interface to all employee-reported malicious emails, the security team can quickly spot the most dangerous trends, confirm the facts, and report to law enforcement, as recommended in the UK’s National Crime Agency report.

In addition, PhishMe Intelligence customers received over 2,500 malware email campaign reports in addition to more than 600,000 individual phishing reports that can be used as an intelligence feed to strengthen your corporate defenses against these malicious actors.

We look forward to partnering with our UK-customers, and all of our customers, who choose to take an active stance in the fight against cyber crime by answering the call for increased vigilance and reporting.

 

* – U.S. businesses are encouraged to report cyber crime and fraud to the FBI’s Internet Crime & Complaint Center, IC3.gov.

 

Awareness isn’t the goal, it’s just the beginning

When people refer to PhishMe as the awareness company, we smile and nod. I want to correct them, but the label ‘security awareness’ is comfortable and relatable. One of the activities that organizations commonly believe will help reduce risk is mandatory security awareness computer-based training (CBT) lessons.  The hope is that if we enroll our humans in online courses about how the bad guys hack us, they will walk away with a wealth of new-found awareness and avoid being victimized.  (Try to visualize how far in the back of my head my eyes are rolling…)

PhishMe Celebrates National Cyber Security Awareness Month 2015 and UK Based Security Serious Week

It’s that time of year again. No, it’s not the arrival of the pumpkin spiced latte at your local coffee shop. It’s National Cyber Security Awareness month (NCSAM) as proclaimed by President Barack Obama last year. “National Cyber Security Awareness Month — celebrated every October — was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online,” as stated by the National Cyber Security Alliance located on their StaySafeOnline.org website. At PhishMe, we are proud to once again play a lead role in the cyber security community as a 2015 NCSAM “Champion” sponsor.