The impact of email-borne threats

Why companies should recognise and embrace the need for change.

Phishing Attacks per Year

Source: RSA (2014)

 135,426      161,112    

 205,575    

 279,580    

 445,004      448,126    

 -­‐        

 50,000    

 100,000    

 150,000    

 200,000    

 250,000    

 300,000    

 350,000    

 400,000    

 450,000    

 500,000    

2008   2009   2010   2011   2012   2013  

Phishing  a4acks  detected  by  RSA  An?-­‐Fraud  Command  Center  

Phishing Campaigns per Year

Source: APWG (2013)

 273,831    

 322,228    

 383,343    

 -­‐        

 50,000    

 100,000    

 150,000    

 200,000    

 250,000    

 300,000    

 350,000    

 400,000    

 450,000    

Year  to  Sep  2011   Year  to  Sep  2012   Year  to  Sep  2013  

Phishing  campaigns  reported  by  An?-­‐Phishing  Working  Group  

Reality Check

Source: APWG (2013)

 -­‐        

 10,000    

 20,000    

 30,000    

 40,000    

 50,000    

 60,000    

 70,000    

Jan-­‐11   Apr-­‐11   Jul-­‐11   Oct-­‐11   Jan-­‐12   Apr-­‐12   Jul-­‐12   Oct-­‐12   Jan-­‐13   Apr-­‐13   Jul-­‐13  

Unique  phishing  campaigns  (APWG)  

Change in measurement methodology

300% increase

Phishing  sites  reported  to  associaCon  or  vendor  

Phishing  sites  reported  to  other  bodies  

Phishing  sites  not  reported  

Phishing  emails  sent  

Other  email-­‐borne  threats  

The Thin End of the Wedge

Why is Accurate Measurement Important?

“To measure is to know… If you cannot measure it, you cannot improve it.”

Lord Kelvin

New measurement

Upstream ISPs

Getting Upstream for Accurate Measurement

Current measurement

Downstream vendors

Data filters

Fuller picture

Upstream insights

Full Spectrum of Email Threats

Unaffiliated Domain Threats

Direct Domain Threats

Look-a-like Domains

Subdomains of Another Domain

Different Brands’ Domains

Unaffiliated Domains

Generic Domains

Active Emailing Domains

Non-Sending Domains

Defensively Registered Domains

• 3 dimensions of email threats: •  Nature of threat •  Size of attack •  Efficacy

• Combinations determine impact • All data points available

upstream

3D Vision

Nature of threat

Size of attack Efficacy

1st Dimension: Nature of Threat

Phishing (Direct Domain Threat)

419 (Unaffiliated Domain Threat)

1st Dimension: Nature of Threat

Malware (Direct or Unaffiliated Domain Threat?)

Malware (Direct Domain Threat)

1st Dimension: Nature of Threat

Credit score spam (Direct Domain Threat)

Pharma spam (Unaffiliated Domain Threat)

• Different scams will concern different departments • Prioritise based on impact to organisation • Different threats have different remedies

1st Dimension: Why Differentiate?

2nd Dimension: Attack Size

• Getting upstream enables us to see how many emails were sent in a given attack

• Quantify risks • Prioritise risks •  Justify the right investments • Measure ROI

2nd Dimension: Why Measure Attack Size?

3rd Dimension: Efficacy

Users decide what is good and what is bad, but don’t always get it right…

ISPs decide what is good and what is bad, but don’t always get it right…

Phishing

Phishing

Legitimate

Phishing

Phishing

3rd Dimension: Efficacy

Lots of inbox noise on a daily basis What happens today will affect what happens tomorrow

• Quantify impact • Prioritise risks •  Justify the right investments • Measure ROI

3rd Dimension: Why Measure Efficacy?

• Upstream data enables accurate risk assessment • Downstream metrics are inadequate:

•  No visibility into size of attack •  No visibility into efficacy

The Benefits of 3D Vision

• Upstream data enables us to see true impact

Nature of threat

Size of attack Efficacy

• Fraud losses • Call centre support • Remediation:

•  Site shutdown •  Reset accounts •  Credential recovery •  Investigation & reporting

• Malware à secondary losses • Negative publicity

Impact of Attack: Security Perspective

Impact of Attack: Reduced ROI of Email Program

40  

50  

60  

70  

80  

90  

100  

11-­‐Nov   12-­‐Nov   13-­‐Nov   14-­‐Nov   15-­‐Nov   16-­‐Nov   17-­‐Nov   18-­‐Nov   19-­‐Nov   20-­‐Nov   21-­‐Nov   22-­‐Nov  

Inbox  rates  for  "good"  emails  sent  from  hijacked  brand  (%)  

Attack start Attack end

90% average

58% low

32% drop

What can you do …

• Build partnership plan between Security and Marketing • Gain visibility into full spectrum of email threats • Leverage latest technologies to:

•  Develop a holistic view of detection •  Proactively block fraudulent messages •  Increase the ROI on existing solutions

3-Step Plan to Effectively Manage Risk

Conclusions …

• Old metrics are inadequate and incomplete • New technologies offer “3D vision” •  It is not just a security concern … it must be enterprise-wide • New technologies:

•  Reduce fraud •  Improve performance of email programs

Conclusions

Ken Takahashi General Manager, Anti-Phishing Solutions Return Path ken.takahashi@returnpath.com www.returnpath.com/security +44 (0)845 002 0006

Thank you