Phishing Susceptibility


Phishing susceptibility refers to the degree to which an individual, organization, or system is vulnerable to a phishing attack. It's a measure of how likely a target is to fall for deceptive tactics designed to steal sensitive information.

Several factors can influence this vulnerability:

  • Human Factors: People are often the weakest link in the security chain. Susceptibility is higher in individuals who are not trained to recognize phishing attempts, are under stress, or are prone to clicking on links without thinking. Attackers often use social engineering techniques to exploit human psychology, such as creating a sense of urgency, fear, or curiosity to bypass a person's critical thinking.

  • Technical Factors: An organization's technical security controls also play a significant role. The absence of proper email filters, DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), or DKIM (DomainKeys Identified Mail) records can make it easier for malicious emails to reach a user's inbox.

  • Digital Footprint: The more an organization or individual's information is exposed online—such as email addresses, employee names, or roles—the easier it is for attackers to craft a convincing, targeted phishing email.

High phishing susceptibility can lead to significant consequences, including financial loss, data breaches, and reputational damage. Reducing susceptibility requires a multi-layered approach that includes both technical controls and continuous user education.

ThreatNG is an external attack surface management, digital risk protection, and security ratings solution that helps manage an organization's Phishing Susceptibility by providing an outside-in view of the organization's digital footprint. It identifies and assesses vulnerabilities that could be used by attackers to launch phishing and business email compromise (BEC) attacks.

ThreatNG's Role in Managing Phishing Susceptibility

External Discovery

ThreatNG performs purely external unauthenticated discovery to find and map an organization's public-facing assets that could be used in phishing campaigns. ThreatNG discovers a wide range of assets that contribute to phishing susceptibility, including:

  • Email Intelligence: As part of its Domain Intelligence module, ThreatNG provides email security presence and format predictions. It can find harvested emails, which are often used in phishing attacks.

  • Domain Name Permutations: ThreatNG identifies both available and taken domain name permutations. Attackers can use these to create look-alike domains for phishing campaigns.

  • Archived Web Pages: ThreatNG identifies emails that have been archived on an organization's online presence, which could be used as targets for phishing attacks.

Example of ThreatNG Helping: An organization's employee email addresses are found on a public paste site. ThreatNG's discovery would identify these exposed emails, which are then used to assess the organization's susceptibility to phishing.

External Assessment

ThreatNG assesses the risk of the newly discovered assets to provide context and prioritization. Its assessments directly relate to phishing susceptibility.

  • BEC & Phishing Susceptibility: This score is derived from Domain Intelligence (which includes DNS Intelligence and Email Intelligence), Dark Web Presence (Compromised Credentials), and Sentiment and Financials Findings. The score provides a measure of an organization's vulnerability to phishing and BEC attacks.

    • Example: ThreatNG assesses a domain's email security presence and finds that it is missing a DMARC record. This weakness contributes to a higher "BEC & Phishing Susceptibility" score because an attacker could more easily spoof emails from this domain.

  • Brand Damage Susceptibility: This assessment is derived from attack surface intelligence, digital risk intelligence, and Domain Intelligence (which includes Domain Name Permutations). Phishing attacks that use look-alike domains can cause significant brand damage.

  • Data Leak Susceptibility: This score is derived from external attack surface and digital risk intelligence, including Dark Web Presence (Compromised Credentials) and Domain Intelligence. If an organization's email addresses are found on the dark web, it increases the risk of a data leak and phishing attacks.

Reporting

ThreatNG's reports, which include Executive, Technical, and Prioritized (High, Medium, Low, and Informational), are essential for communicating the organization's phishing susceptibility status. These reports would detail the findings, their associated risks, and the specific vulnerabilities found.

Example of ThreatNG Helping: A technical report from ThreatNG would indicate that an organization has a high "BEC & Phishing Susceptibility" score due to several factors, including weak email security configurations and exposed employee email addresses. The report would then provide recommendations for improving email security and reducing the risk of phishing.

Continuous Monitoring

ThreatNG continuously monitors an organization's external attack surface, digital risk, and security ratings. This is crucial for managing phishing susceptibility because it ensures that the organization's inventory of public-facing assets is always up to date. As new assets are added, ThreatNG automatically discovers and assesses them, preventing them from becoming blind spots.

Example of ThreatNG Helping: An attacker registers a new domain name that is a permutation of an organization's brand name. ThreatNG's continuous monitoring would detect this new domain and flag it as a potential phishing risk.
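The look-alike domain detection described in the Domain Name Permutations and Continuous Monitoring sections can be illustrated with a small triage routine. The following is an added example written for this page, not ThreatNG code; the brand domain `examplebank.com`, the feed of newly observed domains, and the homoglyph table are all constructed for illustration. It flags a candidate domain when it swaps the TLD, matches the brand after homoglyph and hyphen normalisation, embeds the brand label, or lies within one edit (including an adjacent transposition) of it.

```python
"""Added example: triage newly observed domains against a brand domain.

Not ThreatNG code. The brand domain, feed, and homoglyph table below are
constructed samples; a real feed would come from registration or
certificate-transparency monitoring.
"""

# Visually confusable sequences mapped to the letter they imitate (constructed, not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize_label(label):
    """Lower-case a domain label, fold homoglyphs, and drop hyphens."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")


def edit_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_lookalike(candidate, brand_domain, max_distance=1):
    """Return a reason string if `candidate` looks like `brand_domain`, else None.

    Both arguments are expected to be registrable domains (label.suffix).
    """
    brand_label, _, brand_suffix = brand_domain.lower().partition(".")
    cand_label, _, cand_suffix = candidate.lower().partition(".")
    if cand_label == brand_label:
        return None if cand_suffix == brand_suffix else "tld-swap"
    brand_norm = normalize_label(brand_label)
    cand_norm = normalize_label(cand_label)
    if cand_norm == brand_norm:
        return "homoglyph-or-hyphen"
    if brand_norm in cand_norm:
        return "brand-embedded"
    distance = edit_distance(cand_norm, brand_norm)
    if distance <= max_distance:
        return f"typo-distance-{distance}"
    return None


def triage_feed(feed, brand_domain):
    """Return [(domain, reason)] for every feed entry that resembles the brand."""
    flagged = []
    for domain in feed:
        reason = classify_lookalike(domain, brand_domain)
        if reason is not None:
            flagged.append((domain, reason))
    return flagged


BRAND = "examplebank.com"  # constructed brand domain

# Constructed sample of newly observed registrations
NEW_DOMAINS = [
    "exarnplebank.com",       # rn -> m homoglyph
    "examplebank.net",        # same label, different TLD
    "exmaplebank.com",        # transposed letters
    "examplebank-login.com",  # brand embedded with a lure word
    "examp1ebank.com",        # digit 1 for letter l
    "unrelated-shop.com",     # benign
    "examplebank.com",        # the brand itself
]

if __name__ == "__main__":
    for domain, reason in triage_feed(NEW_DOMAINS, BRAND):
        print(f"{domain:24s} {reason}")
```

Each flagged entry carries a reason so an analyst can prioritise: a homoglyph or brand-embedded match is a strong signal for a takedown or block-list request, while a single-edit typo may also be a legitimate third party and warrants a look at the registrant and any mail records before action.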

Investigation Modules

ThreatNG's investigation modules enable a deep dive into specific areas of the attack surface, which is crucial for understanding new exposures.

  • Domain Intelligence: This module is crucial for investigating phishing susceptibility. Its Email Intelligence capability identifies harvested emails and assesses a domain’s email security posture. Its DNS Intelligence also analyzes domain records and finds domain name permutations.

  • Dark Web Presence: The Dark Web Presence module identifies compromised credentials and mentions of organizations on the dark web. If employee email addresses or credentials are found on the dark web, it significantly increases the risk of phishing attacks.

  • Archived Web Pages: This module finds archived emails and other information that attackers could use to craft phishing campaigns.

Example of ThreatNG Helping: An investigation using the Domain Intelligence module reveals that an organization's domain has a weak SPF record. This finding helps the security team understand the technical vulnerability that makes the organization susceptible to email spoofing and phishing.
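The missing-DMARC example under External Assessment and the weak-SPF example above both come down to reading the domain's TXT records and grading what they permit. The following is an added example, not ThreatNG code, that parses SPF and DMARC record strings and returns severity-rated findings. The three domains and their records are constructed samples; a real check would fetch `TXT` for the domain and for `_dmarc.<domain>` via DNS, which this offline example does not do.

```python
"""Added example: grade SPF and DMARC records for spoofing weaknesses.

Not ThreatNG code. Record strings below are constructed samples; no DNS
lookups are performed.
"""

# SPF mechanisms that cost a DNS lookup (RFC 7208 limits a record to 10)
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SEVERITY_ORDER = {"high": 3, "medium": 2, "info": 1}


def parse_spf(record):
    """Return (mechanisms, modifiers) for an SPF record, or None if it is not SPF.

    mechanisms: list of (qualifier, name) such as ("-", "all")
    modifiers:  dict such as {"redirect": "_spf.example.net"}
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term and term[0] not in "+-~?":
            key, _, value = term.partition("=")
            modifiers[key.lower()] = value
            continue
        qualifier = "+"  # SPF's default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        mechanisms.append((qualifier, name))
    return mechanisms, modifiers


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_email_auth(spf_record=None, dmarc_record=None):
    """Return a list of (severity, message) findings for one domain's records."""
    findings = []

    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append(("high", "no valid SPF record: any host may send as this domain"))
    else:
        mechanisms, modifiers = spf
        all_qualifier = next((q for q, m in mechanisms if m == "all"), None)
        if all_qualifier == "+":
            findings.append(("high", "SPF ends in +all: every sender passes SPF"))
        elif all_qualifier == "?":
            findings.append(("medium", "SPF ends in ?all: unauthorised senders get a neutral result"))
        elif all_qualifier is None and "redirect" not in modifiers:
            findings.append(("medium", "SPF has no 'all' mechanism: unlisted senders are neutral"))
        lookups = sum(1 for _, m in mechanisms if m in SPF_LOOKUP_MECHANISMS)
        lookups += 1 if "redirect" in modifiers else 0
        if lookups > 10:
            findings.append(("high", f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror"))

    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append(("high", "no DMARC record: SPF/DKIM failures are not enforced"))
    else:
        policy = dmarc.get("p", "").lower()
        pct = dmarc.get("pct", "100")
        if policy == "none":
            findings.append(("medium", "DMARC p=none: spoofed mail is reported but still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(("high", f"DMARC has no valid policy (p={policy or 'missing'})"))
        if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
            findings.append(("info", f"DMARC applies to only {pct}% of mail"))
        if "rua" not in dmarc:
            findings.append(("info", "no rua= address: aggregate reports are not collected"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' when there are no findings."""
    return max((s for s, _ in findings), key=SEVERITY_ORDER.get, default="none")


# Constructed sample records keyed by a made-up domain: (SPF, DMARC)
SAMPLE_RECORDS = {
    "weak.example": ("v=spf1 include:_spf.mail.example +all", None),
    "monitor.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "strong.example": ("v=spf1 mx -all",
                       "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        findings = assess_email_auth(spf, dmarc)
        print(f"{domain}: {worst_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The grading mirrors how receivers behave: `+all` or a missing record means SPF cannot fail, `p=none` means DMARC only reports, and a record that exceeds ten lookups is evaluated as a permanent error rather than a pass, so a domain can look configured while still being trivially spoofable.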

Intelligence Repositories

ThreatNG's intelligence repositories, known as DarCache, provide critical context for assessing phishing susceptibility.

  • Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. If employee email addresses are found in a list of compromised credentials, it is a direct indicator of increased susceptibility to phishing.

  • Mobile Apps (DarCache Mobile): This repository indicates whether access credentials or security credentials, which could include email addresses, are present within mobile apps.

Example of ThreatNG Helping: DarCache Rupture identifies a list of compromised credentials that includes employee email addresses. This allows the security team to prioritize a password reset for all affected employees and to increase phishing awareness training.

Synergies with Complementary Solutions

Other security solutions can complement ThreatNG's external focus on phishing susceptibility.

  • Complementary Solutions: Email Security Gateways (ESG) and DMARC/SPF/DKIM Management Tools: ThreatNG's Email Intelligence assesses the email security presence of a domain. If ThreatNG detects an NHI email address with a weak security configuration, the ESG can be configured to block emails spoofing that address, and the DMARC/SPF/DKIM management tool can be used to strengthen the email authentication records.

  • Complementary Solutions: Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's alerts on newly discovered phishing risks can be ingested by a SIEM for consolidated logging. A SOAR platform can then use these alerts to automate response actions, such as sending a warning to all employees about a new phishing campaign or triggering a workflow to block a newly discovered malicious domain.
