According to this interviewee, the technology will surpass human detection capabilities soon, and only AI and Zero Trust can intervene
Cybercriminals have been at the forefront of weaponizing generative AI (GenAI) since it became democratized in late 2020. What are some of the latest trends and developments in the phishing/vishing landscape of the region?
According to Shannon Murphy, Global Security & Risk Strategist, Trend Micro, phishing awareness training, as we know it, will soon become obsolete as organizations rethink their approach to cyber threats.
Read on to find out what Murphy discussed with CybersecAsia.net here…
CybersecAsia: How has GenAI been abused by cybercriminals in the region of late?
Shannon Murphy (SM): Before the technology’s breakthrough, cybercriminals had two main phishing strategies. One was to mass-blast a huge number of targets and hope to catch a few vulnerable users. The other was to extensively research specific users and target them manually — a high-effort, high-success method known as ‘harpoon phishing’ or ‘whale phishing’.
Now, cybercriminals are using GenAI to converge those two models, making it easy to send targeted, error-free, and tonally convincing messages on a mass scale in multiple languages. And this is already branching beyond emails and texts to include persuasive audio and video ‘deepfakes’ for an even more business-affecting threat.
In the South-east Asia region, we are seeing this trend play out. Our own research is showing increases in malicious/phishing URLs and malware detections. Attackers here are not only using emails with embedded malicious and phishing URLs to randomly victimize users: they are also making use of more sophisticated ways, such as malware embedded within attachments, to avoid detection.
CybersecAsia: To what extent is social engineering less about exploiting technology and more about exploiting human weakness?
SM: Defending against deception-driven attacks is definitely not solely a technological battle; it is equally a human challenge, necessitating a combination of adjustments across people, process, and technology to fortify organizations against emerging threats.
Given the sharp escalation in the effectiveness of business email compromise techniques, organizations need to acknowledge that defense strategies have to evolve. For example, phishing awareness training as we know it today — where employees learn how to scrutinize emails to identify suspicious language or typos or unknown senders — will no longer be effective.
Technology needs to pull more of the weight to detect and respond to these types of threats, including using a combination of AI-powered detection techniques. This can be accomplished through adopting a Zero Trust philosophy and security culture, and the use of AI for writing-style analysis, computer vision and other aspects, to make security stronger.
Identities should always be verified, and only the relevant people and machines can access sensitive information or processes for defined purposes at specific times. This limits the attack surface and slows attackers down. For example, large transfers often require ‘live’ voice authorizations. Today, an attacker could send a convincingly authentic email request with a rigged phone number embedded, and then answer the confirmation call with an audio-faked voice to validate the transaction.
However, for firms aligned to the Zero Trust framework, users would not default to calling the number in the message. Instead, they would have an established ‘safe list’ of numbers to call, and/or need multi-stakeholder approval to verify the transaction. Coded language could even be used for additional authentication.
CybersecAsia: Could you elaborate on your extreme pessimism about the phishing awareness training, and how organizations can avoid falling victim to GenAI-enhanced threats?
SM: Phishing attacks have evolved to become too compelling and well executed for users to detect on their own. Organizations need to invest in AI-driven detection tools to protect the enterprise and help employees identify malicious content and behavior more efficiently.
However, cybersecurity awareness training and building a security-aware culture remain essential. The key is to adopt Zero Trust approaches and the right verification processes. Employees will need to understand when and how to execute these processes to prevent successful phishing attempts.
Another consideration would be ‘tailored training’ for specific departments within the organization, and training staff on defused real-world attempts. For example, HR departments often receive emails containing personal information, making them prime targets for phishing attacks. Ensuring the training is specific to the needs and risks associated with each department can increase awareness and preparedness.
Most importantly, cybersecurity training should not be a one-time event but an ongoing process with content that is regularly refreshed and updated with the latest phishing techniques.
CybersecAsia: While organizations are still struggling to deal with increasingly sophisticated threats, AI-powered quantum computing attacks are on the horizon…
SM: The reality is, there is a perennial talent or resource gap in organizations’ struggles to keep up with the rapid evolution in the threat landscape. Working with a specialized third-party cybersecurity firm can often help security teams stay on top of the latest emerging threats.
More importantly, businesses need to adopt a proactive posture towards cybersecurity. This involves:
- Moving away from traditional approaches of applying uniform security measures across all known systems, and towards adopting a ‘risk-based approach’ that includes continuous asset discovery and assessment to focus on prioritizing and building the appropriate controls for the most critical vulnerabilities.
- Adopting proactive attack surface risk management: a combination of exposure management; attack surface management; user and entity behavior analytics — and gaining increased visibility across multiple systems and information stored across all business units. Having deep observability across these categories empowers organizations to identify the most at-risk assets and potential intrusions. The idea is to disrupt threats upstream in the kill chain before any damage occurs, improving the likelihood of prevention.
CybersecAsia thanks Shannon for sharing her professional and personal insights on the SEA phishing landscape.