In this interview with Help Net Security, Dirk Jan Koekkoek, VP, DMARC at Mimecast, talks about the growing threat of brand impersonation attacks, their increasing level of sophistication and how security awareness as well as adequate tehcnology can tackle this threat.
Brand impersonation attacks have seen a rise in frequency lately, perhaps because of their high success rate. Do you agree with this statement and what is contributing to its success?
That’s exactly what we have observed. In fact, a recent report found that the number of brand impersonation emails increased 44% in 2020 vs. 2019. However, it’s not only a significant increase in frequency as much as an increasing level of sophistication. Unsophisticated attacks are relatively easy to recognize by people and systems. From an adversary’s point of view, straightforward phishing campaigns have become less successful and profitable. This motivates the bad actor to put more effort into targeted, more advanced attacks.
It’s commonly known that victims are more likely to engage with brands they trust. From a malicious point of view, this is what makes attacks with a brand impersonation component more attractive, especially for brands with a strong reputation.
We see that the gain of cybercrime is rising while we arguably just see the tip of the iceberg in the media. Ransomware attacks play a big role here. Victims, especially outside of the public sector, often pay the ransom to prevent media exposure and, ironically enough, to prevent brand and reputational damage. This results in hackers rewarded with an increasing bounty for impersonating brands, which stimulates the frequency of brand impersonation attacks.
Do you think organizations are aware of the risk and are doing enough to prevent brand impersonation attacks?
Based on research, one can conclude that awareness of this problem is increasing. An increasing number of organizations and individuals are exposed to brand impersonation attacks. An easy conclusion would be to state that we are all familiar with this risk.
However, an aware organization must have visibility into attacks that impersonate them. Logically, that insight is followed by measures to block and remediate these attacks. According to that definition of awareness we have a long way to go.
It really depends where and in which organization you ask. Many of the clients we engage with are fortunately very aware. Still, I’m very often surprised by the lack of awareness that I observe in the landscape.
It pleases me that many nations and trade zones take measures to enforce the adoption of open standards that can contribute to brand and domain protection. That contributes to overall security awareness and shines a light on brand impersonation attacks.
What would be your recommendations to avoid such attacks or at least lessen the impact?
There is no silver bullet here and the best practices definitely apply. On a high level, I would say ensure the people in your organization are aware and are trained in their security awareness. I mention this first because it’s all about people. These same people work with brands and systems that need to be protected. The most common used attack route is still email and this expands to other communication channels and platforms. It seems obvious to start protecting these channels.
Getting back to awareness, this is not just about people, it’s also about being aware of (unauthorized) usage of your organizations brand and to have protection and remediation measures in place when that brand gets abused in an impersonation attack.
This might sound overwhelming, and in a way, it is. Similar to security, the work on brand impersonation protection is never entirely done. Can it be simplified? Well yes. Make a risk assessment and start with the first steps that deliver the best ROI on protection. In my view, security is a journey, even when it’s in a close to perfect state in any given moment. Circumstances or risk exposure will change which results in finetuning. Think of our work from home situation for example.
How much would security awareness among employees and people in general help tackle these attacks?
Security awareness among employees and people is key to protect organizations against external threats, but also to prevent impersonation aimed at external victims. Over 90% of all cyberattacks have an email component to them. In a way, 100% of all attacks have a human component to them. It could be as simple as an end user who clicks a phishing link. But also consider the people involved on the product development and system side. All it takes is a small human mistake to cause a lot of damage. Security awareness (training) is effective to increase resilience.
What qualifies a good brand protection solution?
This depends partly on the risk profile. A Fortune 500 brand is typically exposed to a greater risk than a smaller organization. Protection should be applied accordingly. Brand owners should be aware of their risk profile before bad things happen so there’s time to act and protect. To start, adopt open security standards such as DMARC and prevent unauthorised senders to impersonate your domain in the first place. This is so effective that I see this as default domain hygiene, just as supporting SSL/HTTPS.
A good brand protection solution always provides insight. It tracks where a brand is exposed both for legitimate and unfortunately often malicious purposes. Capabilities to block engagement with the discovered threat as well as remediating the threat entirely are part of a decent brand protection solution. Timing is key, and every second counts.
In my view, every strong brand should have a Security Operations Center (SOC) in place. A SOC doesn’t have to be part of the brand-owning organization necessarily, it can be outsourced as well. As long as it’s there and that team is ready to act immediately when needed.