Visibility, Insight & Action into Cyber Attacks - Part 1 of 3

May 31, 2019
Craig Huitema

Today’s threat landscape continually reinforces the fact that people, not computers, pose the greatest cybersecurity risk.  Of all the malware that’s executed, 99% is the result of attackers convincing people to click links or open attachments: people, not CVEs, are being exploited.  Furthermore, no malware is even present in Business Email Compromise (BEC) emails—threats that accounted for financial losses of $12.5B over the past five years or so, based on FBI statistics.  No matter how you slice it, people are repeatedly and effectively targeted, exploited, and monetized by bad actors. 

As a result, Proofpoint’s focus is on building solutions that protect people.  To create a cybersecurity model that protects people, we must understand who is most attacked and how they are attacked.  We can then prioritize those people and apply controls to help mitigate their cybersecurity risk and more effectively protect them.

The Proofpoint Attack Index provides a mechanism to identify and prioritize those people who are most attacked.  This is one of many Proofpoint tools that provide visibility.  I’ve previously discussed how to use it and what it can do to convert that visibility into insight.  Some quick examples include answering questions like:

  • Who are the Very Attacked Persons in my organization?
  • Which shared email lists are most attacked?
  • Who is being targeted by credential phishing?

As we look into these questions, it’s important to point out that the Proofpoint Attack Index uses multiple factors: how targeted the cyber attack is, who the actor is, what type of threat it is, and so on. Volume is also a component, yet looking only at volume yields a misleading result: it doesn’t accurately characterize the true risk associated with a given person. A low volume of high-severity threats may be far more dangerous than a high volume of low-severity threats.

Essentially, the Attack Index provides visibility and insight into which actors are attacking whom inside the organization, when, and with which types of cybersecurity threats.

All of this is great, but so what?  How do we act upon that?  What can we do with this?  Fundamentally, how does this reduce the risk that people represent?

All good questions.  And I have some good answers, which I’ll share in my next two blogs.  In those, we’ll discuss:

  • How to identify Very Attacked Persons, and how to proactively address the risk they represent by providing customized security awareness training.
  • Very Attacked Lists (e.g., shared email lists like sales@acme.com) and the need to leverage browser isolation to better safeguard list members.
  • What happens with Very Cred Phished People, and how to protect against compromised accounts that result from heavy phishing.

To learn more about the people who are being targeted, how they are being attacked, and what you can do about it, see Proofpoint’s Protecting People report.