One of the great things about a conference like BlackHat is that it gives people like me the opportunity to take a step back, get out of the specific back alleyways of cybersecurity that we usually inhabit, and take a broader, more holistic look at attack and defense. One concept that's been talked about for a while is the Cyber Kill Chain. It takes a military-theoretical approach to network asset defense that can be quite valuable. If you're not familiar with the concept, CSO Online has a nice article on it that's appropriate for any level of preexisting knowledge. If you want the original source research, check out this whitepaper from Lockheed Martin.
I had never really thought to apply the concept to Agari because we're outside the classic kill chain completely: we don't defend against attacks targeting your internal data assets. However, when you expand the definition of your "assets" to include your customers - and how could you not, since without them you're out of business tomorrow - an interesting picture emerges. I have put together a kill chain for phishing the way I see it, but email me if you see it differently; I would love to have the conversation.
The Phishing Kill Chain in Context
| Military Kill Chain | Cyber Kill Chain | Phishing Kill Chain |
|---|---|---|
| Find | Reconnaissance | Targeting |
| Fix | Weaponization | Delivery |
| Track | Delivery | Deception |
| Target | Exploit | Click |
| Engage | Installation | Surrender |
| Assess | Command & Control | Extraction |
| | Action | Action |
Let's discuss the steps in the Phishing Kill Chain quickly so we're on the same page. From top to bottom, start of attack to when they have your money, the criminals have to:
- Target: decide who they're going to try to defraud and assemble an email list
- Deliver: send messages to the people on their target list
- Deceive: the criminal needs to deceive the user into following their call to action to the next step
- Click: the user clicks the link and attempts to load the phishing site in their browser
- Surrender: the user needs to input their data to the phishing site, surrendering it to the criminals
- Extract: the phishing site needs to transmit the stolen credential or other information to the criminal
- Act: the criminal, or one of their agents, needs to log on to the account in question and transfer money, use the stolen card number online or in person, or similar, in order to perpetrate the final fraud.
According to numbers published by the Canadian Government, the success rates are pretty scary:
- Targeting: 156 Million messages sent per day.
- Delivery: 16 Million make it through filters, for a 10.2% success rate
- Deception: 8 Million are opened, for a 50% success rate
- Click: 800K are clicked, for a 10% success rate
Those numbers reflect our soberingly poor controls against phishing compared to, say, generic spam. According to Symantec, 29 billion spam messages were sent per day in 2013, but we know that, depending on the solutions used, something north of 99.9% of those are filtered out. Phishing, on the other hand, arrives in the inbox - passing the Delivery stage - more than 10% of the time!
There are various solutions that address phishing at various points in the kill chain. Programs like Google's "Gold Key" for Gmail, also known under the slightly more unwieldy name "Authentication icon for verified senders", try to cut the kill chain at Deception by showing the user a visual indicator for trusted messages. Microsoft has a similar program: a "Green Shield" icon indicates trust at Hotmail and Outlook.com. Various financial institutions and other organizations such as social media sites have tried to cut the kill chain at Deception as well, by posting website warnings for users about how to avoid phishing. Unfortunately, though an important resource for Joe User trying to figure out if something that landed in his inbox is real, those types of website warnings are not particularly effective.
The Google Safe Browsing API addresses the problem at step 4 in the chain: the Click. If the user was successfully deceived, and clicks, the Chrome and Firefox browsers present a warning exhorting the user to return to safer waters. Microsoft has a similar program for Internet Exploder called the "Phishing Filter" which works similarly by warning a user who has already clicked before they give up their information. Unfortunately, however, the sites have to have been discovered and registered with those services before they're effective, and the user must be running at least a fairly recent version of whatever browser they use.
Some takedown vendors - I know MarkMonitor does this but others may as well - are able to pollute the data to cut the chain at Extraction, by making the expropriated data useless. There are also a whole host of anti-fraud solutions in use by financial institutions and others that attempt to cut the kill chain at Action, by detecting suspicious-looking logons or transactions that appear fraudulent, or by using any of a multitude of other anti-fraud techniques.
However, it's pretty late to try and insert controls when user credentials or card data have already been stolen. In fact, what all of these approaches have in common is that they sit later in the kill chain. Current doctrine informs us that the further up the kill chain we can insert our controls, the better the chance we have of preventing the breach. To that end, DMARC and Agari are a solution that can cut the chain at Delivery, where a proactive DMARC reject policy can prevent the message from even having a chance of landing in the inbox. Currently, about 85% of North American consumer inboxes are protected by the DMARC standard, but what about the other 15%?
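To make the Delivery-stage control concrete, here is an added illustration (not Agari's code) of how a receiving mail server turns a domain owner's DMARC record into a disposition: it parses the TXT record, checks SPF/DKIM identifier alignment against the visible From domain, and returns none, quarantine or reject. The two records, the domain names and the organizational-domain shortcut are constructed for the example.

```python
"""Minimal DMARC policy evaluation, showing p=none versus p=reject at Delivery."""
from typing import Dict

# Constructed sample records: monitoring-only versus a proactive reject policy.
POLICY_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@bank.example"
POLICY_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag/value pairs, with relaxed alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); production code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed allows subdomains."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record: str, from_domain: str, spf_domain: str, spf_pass: bool,
                dkim_domain: str, dkim_pass: bool) -> str:
    """What the receiver does with the message: 'none' (deliver), 'quarantine' or 'reject'."""
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass: at least one aligned authenticated identifier
    return policy["p"]  # DMARC fail: apply the domain owner's published policy


if __name__ == "__main__":
    # A spoofed From: bank.example sent via an unrelated SPF-passing mailer, no DKIM.
    for rec in (POLICY_NONE, POLICY_REJECT):
        print(rec.split(";")[1].strip(), "->", disposition(rec, "bank.example", "mailer.example", True, "", False))
```

The same spoofed message reaches the inbox under p=none and is refused under p=reject, which is exactly the difference between monitoring and cutting the chain at Delivery.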
Even beyond initial rejection, Agari uses DMARC forensic data to extract threat details and provide them to takedown vendors, who validate and classify the threats, then pass them on to Google and Microsoft for inclusion in their anti-phishing lists to be blocked by browsers, making the controls at step 4 in the kill chain, the Click, far more effective for emerging threats. (We detect phishing much faster than most systems as we'll pick up on the first unauthenticated emails rather than having to wait for a pattern to emerge.)
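As an added example of the kind of triage described above (not Agari's pipeline), the following reads a DMARC aggregate report in the RFC 7489 XML schema, the machine-readable companion to the forensic reports mentioned, and surfaces the sending IPs whose mail failed both SPF and DKIM for the protected domain, ranked by volume. The report content, domain and IPs are constructed for the example.

```python
"""Triage a DMARC aggregate (rua) report to surface unauthenticated senders."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample report (RFC 7489 Appendix C schema); values are not real.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>r-0001</report_id></report_metadata>
  <policy_published><domain>bank.example</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>350</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
  </record>
</feedback>"""


def unauthenticated_sources(report_xml: str) -> Dict[str, int]:
    """Map source IP -> message count for rows that failed both DKIM and SPF."""
    root = ET.fromstring(report_xml)
    hits: Dict[str, int] = defaultdict(int)
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            hits[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(hits)


def ranked_threats(report_xml: str) -> List[Tuple[str, int]]:
    """Highest-volume unauthenticated senders first: the leads worth handing to takedown."""
    return sorted(unauthenticated_sources(report_xml).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    domain = ET.fromstring(SAMPLE_REPORT).find("policy_published/domain").text
    for ip, count in ranked_threats(SAMPLE_REPORT):
        print(f"{domain}: {count} unauthenticated messages from {ip}")
```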
Long story short: if you're serious about defending your users' account infrastructure, defending the assets that are business relationships you've built up with your customers, and defending the asset of a clean outbound email channel to reach those customers, you need to be doing DMARC with Agari to move up the kill chain.
Well, this was an interesting mental exercise, and the conference hasn't even begun. Hopefully I'll have the chance to take a step back from the day-to-day a bit more once the conference proper actually starts, and, if you're at BlackHat too and want to talk: hit me up. [email protected].