If It Ain’t Broke, Don’t Fix It.

It’s a foundational principle of all football offensive coordinators: if something is working, keep running it until the defense proves they can stop it. Your top wide receiver is consistently beating the opponent’s rookie cornerback? Keep throwing to him. Your offensive line is opening holes that result in 7 yards a carry every play? Keep running the football. Unfortunately, cyber criminals have learned the same lesson.

A recent report from the Anti Phishing Working Group (APWG) noted a 61% quarter-over-quarter increase in phishing attacks from the first quarter to the second in 2016. The number of attacks from January through March was 289,371, while the number grew to 466,065 in the following three months.

Why?

Because if you spot a weakness in your opponent, keep exploiting it until they show they can stop it. Phishing is all the rage among the bad guys… because it works.

In a previous blog post, we talked about the percentage of successful phishing attacks – 84% – in 2015, a figure that should surprise very few of us in the corporate world with 100 new emails in our In-Box and 27 minutes to get through them before the next meeting. Even those of us who work in cyber security can be fooled (see the RSA Security breach of 2011).

And what’s most unsettling to cyber security pros – or should be – about the success and subsequent popularity of phishing attacks is how the technique completely neutralizes traditional/conventional security defenses at the endpoints. Phishing attackers couldn’t care less about SSL vulnerabilities, open ports, firewalls, etc. They’re depending 100% on the carelessness that emerges from the harried schedules of the typical enterprise employee. No one has developed software to eliminate that, and it’s unlikely to be available soon.

The appreciation of this reality extends all the way to the top of the cyber-security ladder. I recently attended the Aetna 2016 Global Security Third Party Conference in Orlando, and had the pleasure of listening to a Keynote presentation by Brett Leatherman, one of the FBI’s leading agents for cyber security: “I cannot emphasize enough time to detection…no one can prevent 100% of attacks.” Spending a good deal of his presentation discussing what he called the “detection deficit,” he compared the first hours of a successful breach to the first hours of a missing child case. The longer the criminal can avoid being caught and stopped, the less the likelihood of a satisfactory outcome, whether they’re cyber criminals or kidnappers.

Phishing is insidious not only because it’s successful, but because it’s subtle. Clicking on a toxic link in a well-designed phishing attack doesn’t shut down the user’s computer, generate an alarm, or start a fire. It simply begins a long, surreptitious process that – if thrust on an organization living in the past and unprepared for today’s threats – can result in substantial damage.

Until the cyber security world can show it can stop it, look for quarter-over-quarter phishing attack growth to accelerate. Thus, regrettably, for the foreseeable future, the game-planning job of the average cyber-criminal will be much easier than that of an offensive coordinator.