A rhetorical question about the effectiveness of our security solutions
If our approach to cyber security is working, why in 2019, are we reading about hacking, social engineering and data breaches every day? Every day?
I know it’s easier to attack than it is to defend, but we all know in the industry that many of the successful attacks can be prevented. Unfortunately, “PEOPLE” are the weakest link in the chain of our security solutions. And unfortunately, telling PEOPLE not to open emails from people they don’t recognize doesn’t stop them from… you know,… opening emails from people they don’t recognize. And telling them to “check the URL” is the single worst piece of advice you can give to anyone.
Below are domains that are available right now for purchase. Buy one and then get yourself a free SSL cert from Let’s Encrypt. That will fool 99.9% of everyone you test, including security professionals. Can you see what’s wrong with the domains below? If like me, you get 99% in ‘feature detection’ aptitude tests, you’ll be able to spot the difference, eventually. Unfortunately you can probably tell from my poor writing skills, that I tested average to below average in English. 🥴
Did you spot what’s different about the domains?
Below is a funny thread I found on Reddit that summarizes the problem with today’s anti-phishing awareness training techniques. Awareness training is important, but you get my point. 🤣
If existing email security solutions that use massive threat intelligence systems work well, why are the five bullet points below true in 2019? When speaking to people at RSA, it was apparent that most companies are focused on blocking known threats. And many of the companies on display, collaborate beautifully by sharing knowledge, technology and techniques, so together, we can tackle these challenges. I absolutely love how collaborative the cyber security world is. But is this enough? Is it working? Do we need to stop and think differently?
It’s 2019 and we are only now starting to see the Web being encrypted — but there’s still a very long way to go. It’s only now that Let’s Encrypt, a non-profit initiative, is helping to create “a more privacy-respecting Web”. But as I’ve discussed in previous posts, that introduces other challenges.
Even organizations that use five solutions from five different security vendors say that Phishing remains a serious concern for them. And while these systems may block over 95% of spam and threats, it only takes one person to open one link that goes to the wrong site or downloads the wrong software. If you want to go down a rabbit hole, here’s a post I wrote in April 2015 “How WebView has weakened the TCB of the Web infrastructure” — most people at the time didn’t even know what a WebView was and today, almost every mobile app opens links inside the WebView instead of the native browser. How are we detecting and preventing malicious links from being opened or shared inside Facebook, Twitter, LinkedIn, Telegram, Slack, WeChat, WhatsApp…?
- We read about a hack or data breach everyday
- 90% of data breaches start with Phishing
- 59% of ransomware attacks originate with phishing emails
- 91% of all malware is delivered by email
- 93% of Phishing sites have a padlock thanks to automatically issued DV certs
Are we proud of these stats?
How I came to learn that chasing after the Phishers is like chasing Moby-Dick
In summary, I learned that we were doing it wrong. In this instance I’m referring to MetaCert, and not us cyber geeks as a collective.
In June 2017 MetaCert was approached by a number of crypto currency companies to help bring a stop to the outrageous Phishing scams on Slack — they were happening every 5mins, literally. MetaCert was the only company with an anti-phishing security integration, for which I own foundational patents. More specifically, I own patents for anti-phishing and anti-malware detection and prevention inside mobile app WebView using an API for URI detection techniques. It’s impossible to detect a phishing or malware link inside a mobile app without using this technique. I digress, but I’m simply highlighting some personal insights to show that this stuff is all I’ve been thinking about for a while — even though our website is terrible and doesn’t tell you anything.
So I made a risky call and decided not to execute a go-to-market strategy for our enterprise customers to see if we had a good product/market fit, in favor of addressing the immediate need of people who were losing their money every 5 minutes. Again, literally because the Slack bot reminder was set to repeat attacks every 5 minutes in many instances. This was a big risk because our customers included IBM, Sage, SAP, NTT Security, AppDirect, Blackhawk Network and about 900 other companies. I had no idea at that time, if they appreciated the utility and whether they were willing to pay for the solution or not. But what can I say? I didn’t know if there was utility, because I had no way of knowing if we were actually preventing attacks from happening.
Crypto was rife with phishing problems, and in public communities, so I knew we could achieve demonstrable, measurable success. It took three months of further product iteration to get it right, as threat actors were using techniques that we couldn’t have predicted when building our solution for enterprise customers — they were using Slackbot Reminders, DMs and the incoming webhook API. Our integration ended up automatically deleting messages that contained a malicious link with a DM sent to an admin so they knew what had happened.
Finally, we nailed product/market fit. MetaCert was installed across almost every crypto company worldwide and like turning off a tap of water, Phishing was completely eradicated, with zero attacks today. And naturally, soon after the attacks stopped, crypto customers decided that they no longer needed our service. But that’s another pain point in the life of a startup trying to find its way in the world of big amazing competitors. 🤦♂️
Along the way, we built a very passionate community of over 7,000 members who would immediately (and still do today) report new attacks, which MetaCert would classify within minutes, and then blocked by our products across every company in real time — all while the Google Safe Browser API is fast asleep. I sometimes wonder if Google’s API is addicted to sleeping pills it’s that slow — they’re too big for comfort so I don’t mind naming them.
Don’t get me wrong, I don’t think we built a solution that could detect and prevent every new attack. That’s the problem I came to learn the hard way.
We didn’t make it impossible for threat actors to scam people. We just made it less attractive to attack our customers and by doing that, we made Slack a less attractive platform, as it became more difficult for them to gain momentum before being caught and blocked. Imagine if you could achieve the same success for every customer using email. 🤔
I predicted that threat actors would migrate their efforts to a less secure platform. I recommended to the crypto ecosystem that they remain on Slack as by then, it had become the most secure platform for communities and companies who want to connect with other companies, as Phishing was now a thing of the past. I specifically warned them that if they moved to Telegram, threat actors would move there with their scams. Guess what happened? Crypto companies moved to Telegram to build their communities as it became the new cool tool in town. And of course, the threat actors migrated with them and started their shenanigans yet again. $1.6bn was stollen in 2018 alone. So, MetaCert built a security bot that’s now protecting over 1.3 million crypto people across 1,300 groups on Telegram. And I’m pleased to say that phishing has stopped there too.
But what about email?
All of this work and more, taught us that no matter what we do to detect and protect people from new threats, it’s technically impossible to stay ahead of the bad guys — they’re just too smart and most people are easy prey. It’s impossible to protect 99% of the people 99% of the time. At that time, we didn’t have a security solution for native email clients (but we do now, and they are mind blowing!), so we asked ourselves; “if we were to invent how we do things at our core today, what would that look like?” — similar to what Apple did when they re-invented how we listen to music with the AirPods. Apple didn’t design tangle-free wires. They removed the problem by changing the narrative. The AirPods is arguable one of the best products launched since the first iPhone, if not the best.
We answered that question with a social experiment that started in December 2017, involving a new way to present Website identity with new visual indicators. I will explain what happened next in follow up posts. But suffice to say, we learned the hard way over a period of 2 years, while protecting the most widely targeted people on the planet, by an order of magnitude, that trying to detect new threats alone, isn’t the answer. It helps, and it’s very important, but it’s not the answer.
Dear cyber colleagues, we need to rethink this stuff. While we opted for Google’s search algorithms over Yahoo!’s carefully curated listings back in the day, perhaps we need to consider going back to URL curation. Perhaps we need to curate what is verified as “safe”, and assume everything else is either hostile, or part of the long tail — content we shouldn’t care about.
Perhaps we should ignore the long tail and focus on the head. What do you think?