Spear phishing is a type of cybercrime based on email fraud, in which an attacker impersonates a trusted contact of their target and attempts to trick them into disclosing sensitive information, such as account credentials. Phishing attacks are one of the most prevalent threats that organizations are currently facing; last year, the FBI’s Internet Crime Complaint Center (IC3) found that phishing was the most commonly reported threat, with 241,342 victims.
Unfortunately, phishing isn’t just a common threat, but an incredibly dangerous one, with successful attacks resulting in huge financial loss, account compromise, data loss, and damage to company reputation. To find out more about how organizations can protect themselves against phishing attacks and other sophisticated email threats, we spoke to Eyal Benishti, founder and CEO of IRONSCALES.
Benishti started his tech career as a software developer, and then moved into a security research and malware analyst role, in which he explored how various malware strains infiltrate a system. While in this role, friends would regularly forward him emails asking him to check their legitimacy, and Benishti would respond with advice on how to detect a fraudulent email. This helped increase their confidence in their abilities to detect phishing attempts, and eventually those same friends started sending examples of phishing emails that they themselves had successfully identified. This concept of training users to detect phishing attempts—and be proud of their ability to do so—inspired Benishti to launch IRONSCALES.
Founded in 2014, IRONSCALES is an integrated email security solution that offers protection against sophisticated email threats from within users’ mailboxes. As well as delivering technical, AI-powered protection that helps IT teams detect, analyze, and remediate phishing attacks, the IRONSCALES platform offers employee security awareness training and phishing simulations.
Intelligent Threats Require An Intelligent Response
Traditional secure email gateway (SEG) solutions provide pre-delivery protection against email-based threats by scanning incoming emails for malicious content and blocking them before they reach the server—similarly to how a castle wall keeps intruders out of the grounds within. While these are good at filtering out spam and legacy phishing attacks, they struggle to detect cleverly disguised spear phishing attempts.
“The SEG falls short when it comes to threats that are malicious by context, but not necessarily malicious by content,” says Benishti. “The intent is malicious; there’s no malicious URL or attachment, but someone is trying to get you to do something you’re not supposed to.”
“In order to really stop phishing, instead of trying to block attacks at the gate from coming into the organization, we need to protect the organization from the inside out,” explains Benishti. “And we start by learning how the organization communicates.”
IRONSCALES’ AI-powered algorithm analyzes each user’s typical communication patterns and creates a user profile and behavior baseline. The platform then scans all email communications, comparing messages to this baseline to detect anomalies that could be indicative of an attack. This method of threat detection enables the platform to constantly evolve to provide protection against even the most sophisticated attacks.
“The threat landscape is constantly changing, and phishing attacks are increasing in sophistication and becoming highly targeted,” says Benishti. “Our holistic, hybrid approach brings the best of machine and human learning in order to stop phishing.”
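The baseline comparison described above can be illustrated with a small added example. It is not IRONSCALES' algorithm or code; it is a constructed sketch that flags messages whose context is unusual even though they carry no malicious URL or attachment. The message fields (`to`, `from`, `reply_to`), the function names and the sample addresses are all assumptions made for this illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

def build_baseline(history):
    """Per recipient, record which addresses each display name has used."""
    baseline = defaultdict(lambda: defaultdict(set))
    for msg in history:
        name, addr = parseaddr(msg["from"])
        baseline[msg["to"]][name.lower()].add(addr.lower())
    return baseline

def score_message(baseline, msg):
    """Return the context anomalies found in one message (empty list = none)."""
    name, addr = parseaddr(msg["from"])
    name, addr = name.lower(), addr.lower()
    known = baseline.get(msg["to"], {})
    findings = []
    if name in known and addr not in known[name]:
        # A trusted contact's name arriving from an address never seen before
        findings.append("known display name, unseen address")
    elif name not in known:
        findings.append("first-time sender")
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and reply_to.lower() != addr:
        # Replies would be routed away from the apparent sender
        findings.append("reply-to differs from sender")
    return findings

# Constructed sample data (reserved .example domains, not real mailboxes)
HISTORY = [
    {"to": "sam@corp.example", "from": "Dana Reyes <dana@corp.example>"},
    {"to": "sam@corp.example", "from": "Dana Reyes <dana@corp.example>"},
    {"to": "sam@corp.example", "from": "Billing <billing@vendor.example>"},
]
LEGIT = {"to": "sam@corp.example", "from": "Dana Reyes <dana@corp.example>"}
IMPERSONATION = {
    "to": "sam@corp.example",
    "from": "Dana Reyes <dana.reyes@mail.example>",
    "reply_to": "payments@mail.example",
}
NEW_CONTACT = {"to": "sam@corp.example", "from": "Lee Park <lee@partner.example>"}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, msg in [("legit", LEGIT), ("impersonation", IMPERSONATION),
                       ("new contact", NEW_CONTACT)]:
        print(label, score_message(baseline, msg))
```

A production system would weigh many more signals and learn thresholds from data; the point here is only that the impersonation message is flagged on context alone.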
Phishing Is A Technical And A Human Issue
“Understanding user behavior and business processes is an essential part of protecting the organization,” Benishti says. But the targeted attacks we see today are constantly evolving to slip past even the most advanced machine learning algorithms.
To solve this problem, email security platforms should combine artificial intelligence with human intelligence, i.e. awareness training that empowers users to report phishing, to create a “self-learning” solution in which the technical and human components are constantly improving and working to fill in the vulnerabilities that the other presents.
“Phishing is a human and machine problem,” says Benishti. “This is why it needs a human- and machine-based solution.”
“Our solution is constantly fed by human-vetted intelligence driven by real teams. Attacks that are detected in real-time by one security team are removed from the inboxes of everyone in our community. This means that humans detect threats that the machine is missing, and re-train the machine to pick them up next time.”
There’s no single silver bullet solution to phishing, and adding a human layer of defense can help bolster the protection offered by a technical solution—be that human layer in the form of awareness training, or crowdsourced intelligence that helps Customer One and Customer Two prepare themselves against the attack that Patient Zero experiences.
“If you want to have a good anti-phishing email security stack, you must make sure you have everything from user awareness training to anomaly-based mailbox-level protection, to anti-malware protection installed on each endpoint,” explains Benishti. “Each layer is strong on its own, but they’re much stronger when they’re working together.”
However, integrating these layers with one another is just as important as the layering itself.
“If your protection is layered, but not integrated, things can fall between the cracks,” says Benishti. “You’ll have lots of layers, raising lots of flags, but you might not have someone to manage those layers or the capacity to detect in real-time which layer has been hit by an attack.”
The Challenge Of Hybrid-Remote Email Security
Over the last 18 months, we as a global workforce have become more dependent than ever on virtual communication. This shift seems to be here to stay, as 74% of organizations plan to permanently transition employees to remote work post-pandemic. In the new hybrid-remote workplace, it’s critical that organizations take steps to secure their virtual communication channels—but that comes with its own challenge.
“When people work from home, there’s no perimeter,” says Benishti. “People are working different hours, in different locations, and security teams can’t build fences around their users anymore.” Because of this, clear communication between security teams and the users they’re protecting is more critical now than ever.
“People need to know when the security team is available, who they can go to with which problems, and when.”
“It’s not as easy as getting up from your seat and asking someone in the next room. You’re sitting by yourself, and you need to make tough decisions sometimes.”
As full- or part-time remote employees become a critical part of their organizations’ security infrastructures, implementing a robust security awareness training program will be integral to creating a culture of security that not only helps protect each user, but also alleviates the strain on security resources being stretched across multiple locations.
However, though email is the most common channel through which phishing attacks are delivered, it isn’t the only channel. To further assist in creating a secure virtual office environment, IRONSCALES plans to expand its platform to offer phishing protection across other communication channels, such as messaging apps.
“Wherever people are communicating, we want to help them secure that communication,” says Benishti. “Whether that’s internal or external, inbound or outbound; we want to use what we’ve learned about analyzing user behavior with machine learning and apply it to other problems that organizations are facing, with a very strong focus on messaging.”
Enterprise Security On A Budget: Protecting Your Business Against Phishing Attacks
Small- to medium-sized businesses (SMBs) often fail to implement security measures that are strong enough to protect against phishing, because they don’t see themselves as likely targets for cybercriminals. Unfortunately, this is a serious misconception: phishing targets organizations of all sizes, and the consequences of a successful phishing attack can be devastating for small businesses.
But “on the bright side,” as Benishti says, there are plenty of cost-effective ways in which SMBs can protect themselves against phishing attacks.
“Today, SMBs have access to enterprise-grade solutions that were only available to large enterprises in the past. They can get AI-based solutions that are easy to deploy and can be managed by just one full-time employee.”
As well as implementing post-delivery protection, Benishti recommends that SMBs invest in security awareness training and phishing simulations, to increase employee awareness and help detect the threats that slip past the machine.
Finally, says Benishti, organizations need to encourage their employees to reduce their digital footprint—that is, the information people leave behind on the internet as a result of their online activity. “Attackers can, and will, use information from social media and that’s posted on the web in general in their attacks, either manually or by leveraging smart technology that can scrape the web for information.”
Once they have this information, they can use it to trick victims into believing they’re communicating with someone they know, rather than a criminal.
“Phishing is an epidemic, and everyone is a target today. It’s not just a large enterprise’s problem anymore; it’s everyone’s problem.”
Thank you to Eyal Benishti for taking part in this interview. You can find out more about IRONSCALES and their email security platform at their website and via their LinkedIn profile.