As mentioned in the previous post, phishing emails that bypass perimeter and endpoint security controls is unfortunately quite common. Many of the successful breaches that happen today just wouldn’t if accuracy wasn’t a problem. According to multiple industry sources, phishing is responsible for approximately 90-94% of successful breaches. The reason why they happen to be so successful is due to the high email volume, bad threat actors that can pivot on a dime to bypass defenses, and users that click on phishing emails due to lack of training in how to identify them.

On average, 20% of users in an organization are the one’s responsible for clicking on email links or malicious attachments without consideration for their actions, according to SoSafe, a provider of CyberSecurity awareness training. Younger adults are more inclined to click on a phishing email than older people. Even when educated about the risks of phishing, fatigue can play a role in lowering the mental defenses, so too an urgency to complete certain tasks. Bad threat actors know this and leverage these traits in their email campaigns. That’s why it is important for every organization to implement a phishing training program with the ability to simulate threats, identify repeat offenders, and provide additional guidance and education when needed.

Post-Phish Penetration and Persistence

Depending on the malware, a successful ransomware attack doesn’t just happen in a day.

After an initial foothold on a system is established – typically by a phishing campaign – the bad threat actors start a new stage of reconnaissance and lateral movement throughout the network using stolen credentials purchased from initial access brokers (IAB’s). After planting additional backdoors to maintain future access persistence, the first stage of extortion begins with data exfiltration of the compromised systems to be used as leverage if the ransom payment isn’t made. Checking the Firewall throughput logs for multi-terabyte data transfers on uncommon ports using unknown protocols is one way to potentially identify an initial compromise at this stage of the ransomware implementation.

With all the system logs wiped to hamper investigations, the bad actors then initiate the second extortion stage by encrypting sensitive files and critical folders while still maintaining the system capability for boot up. This is so the ransom demand can be viewed and acted upon. The final stage of the triple extortion play – which is becoming more common – is the threat to DDoS the victim’s IT infrastructure if they fail to pay the ransom. In addition, they can also sell off the exfiltrated data to the highest bidder – another form of revenue the bad threat actors can benefit from.

Layered Security with 3rd Party Validation

The scenario given above recently happened to a Children’s Hospital in the US and brought it grinding to a halt. The cost to the organization wasn’t just financial or the loss of Personally Identifiable Information (PII) which violates HIPAA compliance. Nor was it the drivers’ licenses, passports, and other forms of ID stored in the data that can be used in identity theft. The highest cost was to the children attending that hospital for current and future cancer treatments – which in many cases were cancelled or delayed – setting patient’s wellness schedules back months and driving some into remission or worse.

Other than the moral depravity of the hackers to attack a children’s hospital, who is ultimately  at fault here? Is it HIPAA compliance for not providing enough guidance where cybersecurity is concerned?  Is it the IT Department for not deploying and implementing a layered security approach with compensating controls? Or is it the Phishing solution vendor ultimately at fault?

A cost analysis for an end-user education program and VMRay’s User Reported Phishing verses the digital destruction caused by a ransomware attack – which costs on average $4.2 Million per incident – is easily justifiable. Unfortunately for some, cybersecurity is still a knee-jerk reaction and complacency reigns until an organization falls prey to a crippling attack.

Part 1: Making the case for user-reported phishing

Part 3: How VMRay’s user-reported phishing works