Spearphishing has changed the game a bit. With tools like Data.com out there giving incredibly in depth information for a very low price (around $1 per contact, less if you know how to use Google properly) someone who wants in to an organization will have no problem finding the names and email addresses of high ranking people to attack. Spammers and phishing used to require a wide net, which meant that it was likely some blacklist somewhere would pick up the spammer and help to protect your users. Now, with such targeted attacks, we can no longer rely on blacklists for anything but the most mundane spam protection.
So what can protect us?
We are faced with an ever expanding number of platforms that access corporate email and resources. Because of this, we need to look at how to protect at a server level, regardless of the email client used to access emails. I am a big fan of content filtering emails, but can we somehow integrate a back check on links? Is there even a decent threat intelligence database on phishing attacks?
I have been vocal in my thoughts on threat intelligence, and because someone can spin up an AWS instance and register a domain name in minutes these days, I really don't think that the model of threat intel works at all for anti-phishing, especially the targeted spearphishing that I am really concerned with. White listing links would be an option, but there's no possible way for an IT department of any size to manage a white list of acceptable websites that are allowed to send a link. It would be a huge burden, and would quickly die off as a good idea that couldn't be maintained.
Also, a huge portion of the malware i see delivered to my clients is through malicious software uploaded to sites like Dropbox and others that may have legitimate business uses. I can't virus scan them because the file is out in the cloud. I can't block Dropbox for a lot of clients because they do use it for legitimate purposes,
So what can we do?
I have three things i am going to try to implement going forward.
1. Strip display names from emails. Sure, they look nice and make email more readable, but they also hide the domain name of the email address. If I don't deliver a display name, no client will display it, unless it's already in their address book. I want people to see raw email addresses as opposed to the masqueraded display names attackers hide behind. As i figure out how to do this in Exchange, i will put up another post with directions.
2. Disable HREF's and display them in plaintext - Making a user copy and paste an address will discourage mobile use, and is a tried and true way to make a user look harder at a link.
3. Educate users about the risks continuously, instead of in one big class. If we make education a continuous process, and make the content relevant and simple, we will get better results than we would in a classroom environment.