The end of phishingtranslated

When was the last time you got phished? Just now? Earlier today? Yesterday? It was probably more recently than you think, with phishing reigning as the most common credential-related attack according to the Verizon 2024 Data Breach Investigations Report and with 3.4 billion spam emails reportedly going out every day.

An even more interesting question: When was the first time you got phished? Ten years ago? Twenty? More? If you were around and online in 2000, you might have even been attacked by the ILOVEYOU worm, a very early phishing scheme that shut down email systems at AT&T and the Pentagon, among other places.

All of which brings us to the truly important question: Why the heck is this even still happening, and what’s it going to take to stop it?

Well, until now, we haven’t had the right security paradigm to fight phishing effectively. But the good news is, we do now: Zero Trust.translated

How we got here: the persistence of phishing and the challenge of fighting backtranslated

Phishing persists for several reasons: it’s easy to do, it’s hard to fight, and it pays off handsomely. The masquerading methodology that’s involved is incredibly simple; just pretend to be someone else, and in so doing, trick the victim into providing login credentials that will enable access to valuable data and other resources.

Like Charlie Brown trusting Lucy not to move the football, phishing victims seem to be perpetually fooled into making the same misstep time after time. That’s because the perpetrators’ methods are continually evolving. For example, initial phishing attempts were typically done via email; now they are just as likely to include text messages and other forms of communication. The constant shifts in forms and methods make it  harder and harder for recipients to recognize various phishing schemes for what they are—even when the recipient is someone who should know better.

As long as phishing schemes continue to work, organizations will keep losing money, and bad actors will keep enriching themselves. The latest average value of breaches that resulted from phishing? $4.76 million, according to IBM’s Cost of a Data Breach Report 2023.

But there is a route to a different outcome, and it lies in Zero Trust.translated

Fighting phishing with Zero Trusttranslated

After all these years of phishing attacks victimizing organizations to the tune of millions of dollars, we’re now seeing a shift in how we defend against phishing, ransomware, supply chain attacks and other threats—a shift that bodes very well for more effective defenses against phishing.

In this shift, Zero Trust is emerging as one of the most effective ways of improving security by going beyond traditional perimeter-based paradigms to combat threats more effectively.

As stated in the Gartner® report Quick Answer: What Are the Core Principles of Zero Trust?: “Zero trust is a paradigm. It replaces implicit trust with continuously assessed risk and trust levels, based on identity and context.”

In the Zero Trust security paradigm, checking that someone or something isn’t trustworthy is no longer a one-time event that only happens in response to an access attempt or other potentially risky event. Instead, organizations must verify trustworthiness constantly. Think of it as moving away from the idea of “trust, but verify” being the foundation for security—and instead embracing the concept of “never trust, always verify.”

Today, some of the world’s highest-security organizations—those that are either directly or indirectly part of government—are mandating Zero Trust to improve their security. The US Office of Management and Budget (OMB) executive memorandum M-22-09 sets forth a federal Zero Trust architecture strategy for government. And in Europe, the NIS2 Directive, which is the EU-wide legislation on cybersecurity, incorporates the seven tenets of Zero Trust—as defined by the US National Institute of Standards and Technology (NIST).translated

Putting Zero Trust principles into actiontranslated

You may be wondering how the high-level government directives on Zero Trust described above apply to fighting phishing, specifically. The Gartner report posits that: “Security and risk management leaders can standardize on five core principles to move their organization’s zero-trust strategy forward.” We believe several of those core principles seem directly relevant to anti-phishing efforts:

“Establish identity.”  To meet this Zero Trust principle, the Gartner report notes that organizations need “An established organizational policy for ‘who should have access to what, when and why.’”

We feel that policy is one of the most effective steps organizations can take to enhance their overall security and defend themselves from phishing specifically. With that policy in place, users who get phished are simply less likely to have the access to high-value targets that bad actors are looking to get. Phished accounts will also have less ability to move laterally and find or request new entitlements to exploit.

The report also notes that another requirement needed to meet this principle is “Technology support for implementation of multifactors for authentication.”

Since phishing targets credentials, a solution like RSA multi-factor authentication (MFA) could considerably limit the damage a single compromised credential could cause.

“Limited access.” It’s not just that organizations should establish identity and determine beforehand what entitlements a given user needs: they should also strive to limit access whenever possible. In the case of phishing, limiting access will help ensure that bad actors can’t rely on a user’s credentials to get what they want. It’s why the Gartner report recommends that, to move toward Zero Trust, “Users or systems should only have access to a resource based on the need to perform a required function.”

Likewise, the report notes that limited access requires “Reduction in implicit trust zones and rights granted to user accounts.” We feel that fewer people with less access and more locks together create an environment where there is simply not as much for a bad actor to exploit.

In support of this environment, RSA Governance & Lifecycle provides a framework for managing access that focuses on not just knowing what users have access to, but also what they do with that access.

“Provide risk-based adaptive access.” If you’ve read anything on Zero Trust, you’ll know that one of the key ideas behind the architecture is ‘Never Trust, Always Verify.’ Doing so means that organizations validate every access request in the moment before extending more privileges or access. That idea for continuous verification is mentioned in this point from the Gartner report: “A move from one-time gate checks to continuous assessment of risk during a session.”

Risk-based authentication is essential to moving toward Zero Trust and preventing phishing, as cybercriminals with phished credentials are likely to try to register a new device, work from a new location, or attempt access outside of the real user’s typical working hours. RSA Risk AI can detect those signals and challenge access attempts accordingly. (And even if a bad actor does somehow make it in initially, the risk-based intelligence capability will limit how long they can stay there.)

While the prospect of fighting phishing with Zero Trust is exciting, it’s also important to note that phishing is by no means the only threat vector that organizations can defend against using Zero Trust.

###

Download the Gartner report, Quick Answer: What are the Core Principles of Zero Trust?

Gartner, Inc. Quick Answer: What are the Core Principles of Zero Trust?, Wayne Hankins, Charlie Winckless, Andrew Lerner. Originally Published 2 May 2024.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

translated