May 05 2016


The Verizon DBIR, the Phish Labs’ Phishing Trends & Intelligence Report, and a number of other recent announcements confirm what we all know. Phishing is a popular attack vector. This is an important data point for information security leaders. It also logically leads to two questions:

  • Can you stop phishing to secure your enterprise assets?
  • If you could stop phishing, what next?

There is a lesson here in building an effective and resilient information security infrastructure that is missing in most enterprises today.


“Phishing attacks are cheap, easy to execute and difficult to stop,” concludes Phish Labs in its 2016 report. Verizon DBIR numbers confirm this supposition: “That lovely ‘Person’ line trending up is due to the human asset falling victim to phishing attacks.”


The DBIR also includes data on phishing email opens and the subsequent clicks that lead to compromise. Phishers must be getting better at their email subject line optimization as email opens climbed to 30% in 2015 from 23% in 2014. And, the clicks only rose 1% during the year to 12%. So the attacker yield on attacks continues to rise. This is despite the sharp rise in phishing education and use of more sophisticated filtering tools.


Phish Labs details the rise in sophisticated Business Email Compromise spear phishing attacks as a key culprit. As you might suspect, the target of the phish is often not the objective; over 90% of the phishing expeditions yield stolen credentials. Those credentials are then used to fulfill another objective. We can draw three conclusions from this and other recent data.

  1. Phishing is increasing as an attack vector and is becoming more sophisticated.
  2. Phishing/Spear Phishing is a means attackers are using to gain access to enterprise networks and assets.
  3. Aggressive filtering and education has not eliminated phishing.

This answers our first question. We cannot simply stop the impact of phishing and need to consider how to best deal with its aftermath. The attackers are leaving a digital trail, but often employing tactics, techniques and procedures (TTP) to avoid detection by traditional cybersecurity tools. Information security analytics has a role to play in identifying incidents that are hidden in the data if you have sufficient scalability and speed to aggregate and analyze large volumes of information.

IKANOW’s recent 1.5 release directly addresses critical gaps in existing cybersecurity infrastructure. For example, the 1.5 release helps organizations establish their threat profiles by integrating information security data that defines assets, threat actors and threat intelligence so that the analyst can establish context and detect potential breaches in near real time.  Its open architecture and open source big data components are uniquely positioned to address the challenges of ever-expanding information security data volume and identify threat actor presence that eludes detection by other means.


If all phishing stopped tomorrow, I’m sure many information security professionals would be relieved. I’m equally certain that relief would be short lived. This answers the second question. Attackers are using phishing today because it works and is efficient. If phishing’s effectiveness was somehow curtailed, the attackers would resort to another vector for compromise.


Cloud, mobile, and IoT all provide an expanded attack surface area that cybercriminals have only started to explore. The elimination of one attack vector likely shifts the threat to another. This is a core reason that information security investment is shifting from traditional prevention measures to a greater focus on detection and response. The threat is not a particular vector. The threat is increasingly skilled attackers with the easy access to knowledge and exploit kits enabling multiple attack vectors. This also is confirmed in Verizon’s DBIR.

Christina Richmond from IDC told SearchSecurity, “The thing that is new that I think they [Verizon] do call out well is the combination, and that is over the last few years, we have seen a rise of multivector attacks.” It is obvious why prevention efforts are having trouble keeping up with attack tactics. They are less and less predictable.

Richmond pointed out that the report data showed several industries with high DoS incidents, but data breaches were executed with other types of attacks. Figures 21 and 22 from the report support this conclusion.


Verizon’s DBIR includes a number of suggestions that can improve your information security hygiene and put you in a better position to reduce phishing attacks and their impact. At IKANOW, we agree and recommend filtering, employee training and network segmentation. Verizon’s fourth suggestion is around monitoring outbound traffic that could indicate exfiltration or communication with a C2 host. We agree with that too.

Tools like IKANOW Information Security Analytics are particularly well suited to catch this type of communication to IP addresses that are flagged in threat intelligence and identify others by their patterns of behavior. However, to do this successfully your systems need to be capable of handling large quantities of data in the terabytes-per-second range. By automatically comparing internal activity to threat intelligence across individual assets and asset clusters, IKANOW has proven successful in identifying otherwise undetected incidents and enabling analysts to more efficiently and effectively investigate potential breaches.


Phishing is “kind of a big deal” as the Verizon DBIR points out a bit tongue-in-cheek. However, it may be that phishing is just like a Top 40 hit; here today, forgotten tomorrow, but resurrected and remixed every few years. The thing about the Top 40 is the list is always full because there is always something new to fill in the gaps. If you want to be prepared to identify the pivot from phishing to stolen credentials to lateral movement in your network and data exfiltration, you need more than employee training, filtering and network segmentation. Analyzing your data and comparing it to threat intelligence in real-time can help you address threats today and tomorrow as well.

Click the button below to learn more about the Information Security Analytics 1.5 release or to download our recent white paper on the Knowns and Unknowns of Information Security.

Share Post
Chris Morgan

Cofounder and Chief Technology Officer. Chris Morgan is responsible for technology innovation and delivering high-quality security analytics solutions to clients. He has more than 15 years of experience in research and development, software engineering, software development and product management. Morgan studied management at the Wharton School of Business of the University of Pennsylvania and economics and computer science at Virginia Polytechnic and State University.