It’s Time to Take a Fresh Approach to Combat Phishing

Once an employee clicks on a malicious attachment, the now-infected employee becomes an attacker. When “the bad guy is you,” only a zero-trust approach will suffice.


Phishing has been around for 20 years, and it will continue as long as there is money to be made. To date, combatting it involves upgrading antivirus and endpoint detection and response (EDR) software, while educating users not to click on “suspicious” attachments or links.

We’ve been failing miserably.

It is time for a new approach, one in which we assume employees will click on nefarious attachments — at which point, the employees become attackers and are treated as such, says Tom Masucci, Security Sales Specialist at Hewlett-Packard.

For example, imagine your CEO is lured into clicking on a malicious attachment. “As soon as the CEO takes the bait, the CEO’s machine is infected and by extension, so is the enterprise. At that point, the CEO becomes the attacker,” Masucci says.

The weakest link is human behavior

Looking at phishing this way, the threat vectors aren’t email, browsing, or a malicious link or attachments – and security awareness training gets you only so far. “Training is great for corporate hygiene, but the bad guys iterate too quickly,” Masucci says. “Humans are the perpetual vulnerability and the main threat vector into the enterprise. The victim of a phish is the enterprise, not the user. The user simply passes the baton.”

According to Verizon’s 2020 Data Breach Investigations Report, approximately 67% of security breaches are caused by credential theft – the typical goal of a phishing attack. The typical attack vector is an email luring users through trust, fear, curiosity, or fatigue. In the fourth quarter of 2020, 88% of the threats isolated by HP’s Sure Click endpoint protection tool were delivered by email, with the remaining 12% being web downloads.

The current pandemic compounds the problem.

“Due to COVID-19, about 80% of the workforce went from being inside the firewall to working from home,” Masucci says. “Successful phishing has risen because the bad guys have a broader landscape on which to operate.”

Isolation technology offers a solution

The solution lies in a zero-trust approach to security. For HP, that means not only assuming anyone trying to get on the network is a bad guy, but containing threats using isolation technology.

For example, with HP Sure Click Enterprise, whenever a user opens an email attachment or a new web browser tab, it opens in a micro virtual machine (VM) container, which is isolated from the rest of the user’s PC. Once the user closes the attachment, the micro VM is erased.

This approach ensures that if the attachment contains malware, it detonates inside the micro VM and can’t infect the rest of the user’s computer or the wider enterprise. The user is warned about the malware, and once the attachment is closed, the micro VM disappears – along with the malware.

Forensics supported

HP Sure Click Enterprise also provides an opportunity for companies to gain greater understanding of the threat.

“If someone is constantly trying to lure you into a trap, don’t you want to study them the way they study you? With Sure Click Enterprise, companies can retain the micro VM and the attack chain/kill chain for forensics,” Masucci says. “CISOs and their hunters appreciate that feature because it helps them analyze the opposition’s playbook.”

Winning the battle against phishing requires thinking differently about what the attacker is exploiting. Once you accept that enterprise infections depend on user engagement, the principles of isolation and least privilege access are the only ways to manage the perpetual vulnerability: humans.



Copyright © 2021 IDG Communications, Inc.