Presentation

Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of emerging tech lives. I'm your host, Eric Hanselman, Chief Analyst for Technology, Media and Telecom at S&P Global Market Intelligence.

And today, we're going to be talking about phishing, something I'm sure you've all heard about, but the nuances and changes both in the attack landscape, some technologies that are out there have evolved rapidly. And to discuss that with me today, I have Poornima DeBolle, Cofounder and Chief Product Officer at Menlo Security. Poornima, welcome to the podcast.

Poornima DeBolle

Very nice to be here. Thank you for having me.

Question and Answer

Eric Hanselman

And it's great to have you here. Phishing is one of those things that I think most people are familiar with, at least at a relatively high level, but it's something that I think really more in the last year or two has really taken the spotlight in terms of one of the more challenging attacks both to defend, one of the more higher impact attacks in terms of the consequences of successful compromise.

It's really been a topic that I think organizations also are wrestling with. But I wanted to start off with maybe just a little background about why phishing is such a concern. It'd be great to get your thoughts about some of the challenges and really some of the issues around phishing.

Poornima DeBolle

Yes, it's a great question. And to your point, it's something all organizations, big and small, Menlo Security has customers across the gamut from a size perspective and everybody continues to wrestle with it. So I would maybe put the phishing question or the concern into two stages or two buckets. I'm an engineer, so I always like to enumerate and bucketize things.

So the first one I see is the intent of phishing campaigns has changed over the time that we've been talking about phishing from in the beginning, it was very much about I'm going to get you to click on something and potentially have you buy something that you didn't think was correct. So it was kind of a level of sophistication and intent of phishing.

And then the second part of it that is correlated and comes along with it is what were the outcomes of it. And as we have seen over the last few years, as the outcome of it ends up becoming more financially motivated or agent -- nation state motivated, you end up getting more and more sophistication in the phishing techniques themselves.

So from a phishing concern, I would kind of reiterate those two things like the sophistication has improved as the outcomes of it have gotten to be higher and higher stakes, be it from a financial perspective or steal of IP or any of those kinds of things, that is the big evolution that we have seen in the marketscape for phishing.

Eric Hanselman

And the challenge, of course, is that it's targeting what is one of the most complicated assets to secure for any organization, which are the people. And one of those difficulties that -- we see it year after year in our data in terms of concerns about getting security education further out in the organization, raising at the higher levels.

But of course, that's happening at a point in time at which the sophistication of the attacks, to your point, is increasing and the difficulty winds up being that we wind up having, as with many cases in security, this hegemony back and forth between attackers and targets.

And of course, it's all too easy to keep one step ahead of the end user's perception of where this is at a point at which the attack sophistication can grow. And if we look at what's out there in terms of attack techniques, attack tooling, this is something that's evolving rapidly as well.

Poornima DeBolle

Yes, definitely. And I think you're right that it's always difficult to educate and keep your security awareness training up to date with all of the various techniques that are evolving. But I have started after seeing many of these techniques in the recent past. And I'm sure you and your listeners are aware of how AI came into the picture of phishing and took away a lot of the things that you would use for security awareness.

Eric Hanselman

Absolutely. Well, and AI was clearly going to rear its head relatively early on in this conversation. But yes, that is, again, one of the points is that we're -- with phishing, we're tasking end users to be able to discern what's real and what's not. And with the classic sort of poorly phrased e-mail with spelling errors and all the rest of that is unfortunately, seemingly becoming a thing in the past.

It's also something the tooling itself is getting better as those goals are evolving. You'd mentioned that transition. We've gone from what was originally some level of click-through that was relatively, I think, from a current scale, relatively benign even to now an environment in which whether or not it happens to be dropping malware or grabbing credentials.

Meaning you've now got a class of infostealing malware capabilities that are out there that can harvest credentials. We've seen a dramatic increase in credential attacks. And of course, phishing is one of the most direct and I think attackers are finding most effective way to do credential harvesting.

Poornima DeBolle

Yes, absolutely. And I think we have seen very, very creative.

Eric Hanselman

That's why we're in security. I am constantly amazed by the level of creativity that some attackers and attacker communities are able to pull together.

Poornima DeBolle

Exactly. Yes, I think over the last 90 days that we published regular reports and one of the things that we have done in the last 90 days is expose three novel campaigns. And the statistics that we gather out of those have been phenomenal. It impacted something like 40,000 users across those three campaigns just in the Menlo customer base.

So in the scope of if you compare us to the likes of Microsoft, our customer base is much smaller. And within that, we had that very large impact within our customer base. What was also interesting was these campaigns in the past, to your previous reference around sophistication, used kind of specifically set up domains. And I would say it was maybe in the tens to hundreds.

And we're now seeing something in the order of 3,000 to 5,000 unique domains. It's not even -- I reuse this across different campaigns. There are unique domains that have been used across those campaigns. One out of four phishing links that have been clicked by a user completely bypasses what we've historically relied on, URL filtering. So those are staggering numbers.

If 25% of the time, your URL filtering, which ends up being your go-to technology is not really able to identify it, then that's a big gap that you have to fill with a different technology or elsewhere. And then to your previous, again, point about credential phishing or malicious downloads, what was interesting was 60% of the time when an enterprise said, "Hey, my user clicked on a malicious link, 60% of the time, it was phishing."

All of those numbers are getting more and more significant across -- just even month-over-month, forget even year-over-year, that it definitely means that phishing continues to be one of the most difficult things to defend on like we started at the top of the podcast. But what's interesting to me is the techniques are getting innovative and sophisticated more and more.

And I think Menlo uses a term we call heat, which is highly evasive, adaptive threats, and phishing campaigns are using many different evasive techniques to get to the end user. It's just in one sense, it's fascinating to see that creativity like we talked about, but at the same time, it's getting harder to defend against these innovative techniques with the existing security stack deployed in an enterprise.

Eric Hanselman

Well, you talk about innovation and I think my perception is that to a greater degree and in some areas of the attacker community, this is a place in which we're seeing a lot of that, that continuing shift to attack tooling as a service capabilities. And services really running in the back end and in environments in which they're really -- they're producing a product, they're innovating around the product capabilities.

They're building out infrastructure to support it. You talked about the challenges in domain reputation, URL filtering and a lot of the tactics that we've used and put in place. When you have an attacker community that has this marketplace of goods that they can -- and services that they can leverage, it now has really shifted that equation to one in which there are even greater incentives for both the toolmakers, the service offerings to continue to ramp up in terms of what their capabilities are, their ability to evade detection and traditional defenses, it really puts more and more pressure on defenders to be able to do better.

Poornima DeBolle

Yes. I think one of the techniques we wanted to really bring to the attention of your listeners, I'm sure they have heard about it, is this increase in what we call Adversary in the Middle attacks. And we saw an early version of it with the octopus attack that was associated with, I think it started out with kind of being exposed at Microsoft.

And all of the follow-ups from that, we saw a resurgence of that with fairly large Silicon Valley companies. And then what's interesting was that when we thought, okay, this is now a recognized method of attack. And everybody has battened down their hatches and tightened up their security postures that this is not going to manifest itself again. We saw a lull for about three months.

And then after that, what was interesting was it started manifesting or showing itself in customer environments that we hadn't anticipated in before or hadn't seen it before, which was large financials. This methodology had been tested in the broader market, large companies had, had its moment in the headlines. But six months later, we found exactly the same attack at a Fortune 10 financial.

So to me, this really reiterated many of the points that you just made on the podcast, which was point number one, this attack had to go through an e-mail filtering solution as it entered the enterprise. And this link was a partner link, which obviously the e-mail filtering solution thought that it was a legitimate link and led it through. So it now ends up in the user's inbox. And when the user clicks on it, the egress side of it, as it's going to that target website, is going through URL filtering and other filters.

And obviously, all of them thought this was legitimate. And so that egress side of the filtering technology also let it go through. And then the third one is exactly what you said. It used this Adversary in the Middle kit from attacks we had seen before, and it was able to then plug in such a way your MFA was completely bypassed or it was resistant to the MFA by using an evil proxy.

It's called the evil proxy kit in the middle, which is a reverse proxy that captures the credentials but actually connects you to the legitimate target website. So when you think of that anatomy of that attack, it is exactly what we had been seeing before, but the fact that it showed up in a very sophisticated Fortune 10 company and five people clicked on it means that it's still out there in the wild being productive for these threat actors.

Eric Hanselman

Yes. That's the challenge, isn't it? Isn't that attackers are going to prove out a particular technique, try it out and then retarget it and redirect it to new targets with specialized capabilities to be able to be that much more specific. And especially when you look at some of the depth to which they were building infrastructure to support this, it's not just a, "Hey, go to this URL. We're going to drop something on the link for you."

They actually had a proxy to be able to go manage the authentication process, a lot of different pieces to this that are all being brought together to build sophisticated infrastructure to support this, which places a lot of challenges on the defenses. Actually, thinking about that, it'd be great to talk about some of the defenses when you think about phishing defenses, I think most of us have got some rough ideas about the various capabilities that are out there, but -- and they have a series of pluses and minuses, it would be great to dig into that.

And I think maybe start with what you'd identified is that, that first link in the chain which is typically, hopefully, for most, if not all of us, we've got e-mail filtering. We've got the ability to be able to do that examination of inbound e-mails. It's that target from that initial phishing contact. Great way to be able to identify what hopefully are the majority of those attacks and really a necessary first step in terms of defensive capabilities.

Poornima DeBolle

Yes. And I think e-mail filtering has been around for a long time, so it definitely is your first layer of defense. But where e-mail filtering is great at calling out a lot of what was historically referred to as spam and still continues to exist, like be it your Nigerian prince or here you can buy something.

Eric Hanselman

I'm still waiting for my check from the prince. I don't know what happened.

Poornima DeBolle

Exactly. Or here, you can buy some diet pills or whatever those things are, those still exist, much to my surprise. I'm not sure who's clicking on them. And this e-mail filtering products do a phenomenal job of removing all of that crude from even entering the enterprise. So they definitely have merit in what they do with that bunch of campaigns.

On the other hand, when you are using a benign website or a known website or a categorized website, it's this particular campaign I referenced, they were actually using a link from a partner that this bank works with. So it wasn't like it was an unknown website. In that case, it's abuse of trust. We refer to that as an invasive technique where it is legacy URL reputation evasion, we call it lure, it's actually specifically knows that, that's what you're relying on and abuses that trust to use a benign website and to refer back to my statistic, those are one used domains.

So it's not even like, hey, I identified that this particular partner site is getting abused, let me put that on a block list for a certain period of time. You cannot because it starts to morph that into simple modifications that will go through again and again and again. So with e-mail filtering, that abuse of trust is maybe one of the best ways to get around it.

Eric Hanselman

Well, in that next stage, then that outbound filtering of user clicks on the link, and then we're evaluating where that link is actually trying to go, if the attackers have leveraged or compromised a good site, traditionally, it was -- there was the type of squatting in domain names, I'm clicking on microsift.com or something like that.

And they've moved beyond that in terms of what were a lot of the algorithmically generated domain names and a lot of things that were moving rapidly enough that we could identify a lot of them through domain and how long the domain existed. But when you take that extra step of being able to compromise a known good domain, now the filtering gets harder.

And it now drops us into that next stage of really having to manage the authentication part and originally getting to multifactor authentication as phishing resistant authentication mechanisms, MFA should be able to do that for us. But now we've got an attacker community that's actually starting to subvert some of that MFA capabilities as well.

Poornima DeBolle

Exactly. So this MFA bypass or MFA impersonation attacks is not so much about I'm going to be able to evade a legitimate MFA. It's about saying, how do I get you to click on a lookalike domain to your previous point, where I insert that evil proxy. And once you do that, I don't have to worry about authentication anymore because I can still send you to your authentication process, I'm capturing the credentials in the middle.

So I don't even have to worry about the bypass, I have a way of capturing it even as you are interfacing with the legitimate application itself. I think last year, into beginning of this year, that was one of the most effective attack methodologies we saw. The other one that we see a huge increase in use to your previous description of like I'm going to either a legitimate site that has been compromised or a site that has been categorized to be good, even if it is a campaign side is code obfuscation.

So when you talk about clicks going through like a URL filtering technology, if the code is obfuscated inside of it, it makes it even harder for anybody who's doing inspection of the page beyond the URL, where many e-mail technologies are going today, but you don't have the ability to inspect that unless you execute that.

So the combination of those three things, the abuse of trust, the code obfuscation and the MFA bypass or the MFA impersonation attacks is just such a trifecta of just specifically and systematically circumventing everything you have put in place as an enterprise to protect your users from these type of targeted phishing attacks.

Eric Hanselman

Which then brings us right back to that execution space, which is closest to the user, which is the browser. And again, if you've got the ability to deliver obfuscated code into that, what is the ultimate environment of user interaction, you've now got the ability to really subvert much more of what that user is able to see and even further degrade the ability for the user to discern what's out there and potentially capture significantly greater amounts of information because we've seen over the course of the last couple of years, the rise of enterprise browsers, especially packaged browser capabilities.

It is an interesting approach to managing that capability in that you've now got a new, more hardened version of that browser. That is that question it is, in fact, possible to harden browsers, hardened existing browsers and the question of whether or not you want one more application to manage in terms of that. But the next stage of being able to actually abstract away some of that risk on the end-user perspective is browser isolation.

One of the things that Menlo has spent a significant amount of time working that actually brings that execution space out of the immediate vicinity of the end user takes it out of what is the traditional browser environment and now gives you an extra layer of isolation in terms of separating the user from the consequences of what may be taking place.

Poornima DeBolle

Yes. So you brought up two very good points. One is when you talk about the enterprise browsers or even browser isolation, obviously, another application to manage, another application to patch and maintain, worry about zero days is definitely not an ideal scenario. But the point I also want to make here is with browser isolation or enterprise browsers, they in themselves are not going to prevent a credential phishing attack.

They definitely bring to bear the benefits that you talked about in terms of abstraction of execution. So the phishing attack is targeting a malicious file or an HTML smuggling download absolutely have good technical ability to get in the way of those. But if we go back to credential phishing, there needs to be additional instrumentation knowledge and technology that needs to be layered into those kind of abstracted browsers, you start with the benefit of seeing what the user sees.

So contrary to either URL filtering or e-mail filtering, which are all trying to operate on network-based inspection without the benefit of what the user is seeing, you start the browser isolation with the benefit of seeing what the user is seeing. So you see the logo, you see a credential page and all of the URL and information that's in that page. But now your isolation needs to be instrumented to recognize all of that and do something with it.

That's where it is very important to add that intelligence on top of your isolation to be able to say, now I see this page has a Microsoft logo. I see this page has an input field. And couple that with actually things that the user does not see. So when you are doing browser isolation, you're seeing the entire innards of that page, be it JavaScript or where this content is actually getting posted to which the user doesn't see.

So it's not just isolation on itself doesn't give you the protection from a credential phishing that you need, but you have a great starting point and instrumenting and building on top of that with marrying the information with what the user can see and the browser can see, you can start to get to greater and greater levels of efficacy to stop these credential phishing campaign in real time rather than do it retroactively you need to remediate it. So it's definitely a phenomenal starting point that you can go from and deliver security outcomes that are really much appreciated by large enterprises who are getting targeted.

Eric Hanselman

Well, and that I think is the really important insight, which is that you can take this up to a level in terms of being able to really get behind the kinds of things that the attacker -- the tricks the attacker is trying to perform. It's all of the deception. It's the how do I make it look like a good site. How is the site actually rendered because the end user only has the ability to see what's actually rendered to them directly.

But if you can basically look -- pull back the curtain on the magician a little bit, you get to see how the page was put together, what kind of deceptive tactics are being deployed, where is information looking to be siphoned off. Those pieces that allow you to actually get a little bit more of a view in terms of where that's headed.

Poornima DeBolle

Exactly. And in many of my CISO conversations of recently I do bring up to the CISOs of like who always start the conversation with like, oh, my users are my weakest link, and I don't know how to make this any better. And I like to bring it up to them is like the combination of like we talked about, AI taking away a lot of your things that you taught your users to identify, to all of these sophisticated techniques, which some of your most sophisticated products in your stack cannot identify, maybe we need to be looking at how do you improve and supplement your phishing defenses rather than really hold the user to account.

I mean you always need to increase security awareness, but I do believe there needs to be some evolution in kind of the security thinking that matches the sophistication that we've seen with the threat actors. If they are getting more sophisticated and circumventing your tools, you can't keep using those same techniques and expect a better outcome.

Eric Hanselman

Well, as you pointed out, I think that's one of the really important points in all of this is that we're getting to a point at which the various deceptive tactics are outstripping users' abilities to detect them. So we need to take a big step back and think about what the technology pieces are that can help us manage this.

I think you've called out that general expectation, and I guess the question is, what should organizations be considering here? And I guess it's -- as we often say, layering defenses, but here with phishing, expecting that you do have to have capabilities that are going to move beyond depending upon user action and really deploy technologies that are going to get you to a point that will actually protect users without having to depend upon the user to actually be a key part of that process.

Poornima DeBolle

Yes, absolutely. Look, I think the user is both your partner in this process. Their awareness and education has to continue and has to be added and upgraded to understand some of the new things. But at some point, you want the lawyer to be a good lawyer, not be a cybersecurity expert. You want your accounting team to be a great accounting team, not the cybersecurity expert.

So organizations, I do believe need to start looking at things like we talked about. Like I said, an enterprise browser or browser isolation is not necessarily the end point, but they can be a good starting point because you're now seeing what the user is seeing, but now you start to correlate and coordinate what are the types of attacks that you're seeing?

And how do you kind of backtrack to a place where you can say, here is where I could have actually solved this problem and start looking at solutions like we talk about, instrumenting your browser isolation platform to supplement it with AI and put all of that together to help this educated, fully good intention user with these new technologies that address the new sophistication of your credential phishing campaigns. And the two put together, in our opinion, gets you the best outcome.

Eric Hanselman

Makes sense. I mean because the user will always have that extra degree of context that it's hard to represent. Even though that Nigerian prince just seemed so familiar to me, I still somewhere in the back of my head, had a feeling that something wasn't quite right, and we can count on employees to be able to do that sanity check of the relationship.

Yes, this is coming from somebody we expect. Yes, a lot of the known good information is in there, but some other aspect of the context is off. They wouldn't never ask for this. This is something that happened months ago, all those kinds of things that the human sides are really good at. Well, this has been fascinating, Poornima. I appreciate all the insights.

Poornima DeBolle

Yes, we're absolutely happy to share them and trust is we have a lot more of it. So happy to come back and share more when your listeners are ready, but thank you for having us today.

Eric Hanselman

A pleasure, and that is it for this episode. We are at time. We finished up one more episode of Next in Tech. Thanks to our audience for staying with us. And thanks to our production team, including Sophie Carr, Gary Susman and Kate Aspen on the Marketing & Events teams at our agency partner, The 199.

Please keep in mind that statements made by persons who are not S&P Global Market Intelligence plays represent their own views that are not necessarily the views of S&P Global Market Intelligence. I hope you'll join us for our next episode where we're going to be digging into open source software innovation, a whole set of interesting insights to be glean there. I'll hope you join us then because there is always something next in tech.