
Escaping the enterprise security bubble
The vast majority of the security industry's efforts, and billions of R&D dollars, focus on keeping attackers out of the enterprise security perimeter. Email gateways, firewalls, web application firewalls, and endpoint agents are all intended to keep malicious emails, packets, requests, and files out of the enterprise network, and to stop them from stealing sensitive data or manipulating the organization's employees.
This cat-and-mouse arms race has been going on for decades. In email, for example, we have seen an evolution from large-volume phishing to much more targeted spear phishing, to business email compromise that specifically manipulates C-level executives, to account takeover attacks in which an existing, legitimate enterprise mailbox is used to deceive other users in the organization.
While this cat-and-mouse game is obviously important and will continue in the coming decades, I'd like to highlight the growing threat of attacks that simply bypass the enterprise security "bubble," circumventing all of the sophisticated defenses built around enterprise infrastructure.
New attacks that bypass the bubble
I'm sure all of you have received (and so have I) text or WhatsApp messages like this:
These types of attacks are on the rise. There is nothing new in the tactics (they resemble the millions of phishing emails that Barracuda sees every day), but the attack vector is new: attackers are now targeting users on their personal phones.
A much more sophisticated version of this attack vector works as follows: an employee receives a phishing email that, instead of a link, contains a QR code:
Why would the attacker bother encoding the link as a QR code, you may ask? First, because the URL never appears as text in the message, an email security system has to go to the extra effort of locating the image and decoding the QR code before it can inspect or rewrite the link, and many don't. Second, and much more importantly, the QR code will be scanned, and the link opened, by the user's personal phone rather than on the laptop where the email was read.
Why are attackers targeting personal phones?
So you may ask, why are attackers so dead set on targeting personal phones? Chances are, there is no sophisticated (or even basic) enterprise security system monitoring incoming messages on a phone. If you tap a link in one of these messages, there is a good chance no system will block the phishing website, because your phone is probably not part of the enterprise network. Finally, if malware is installed on your phone, the vast majority of you have no enterprise endpoint protection on your personal device.
This problem, of course, isn't new. Readers of a certain age will recall that about a decade ago there was a big trend in the security industry around protecting "BYOD" (bring your own device), shorthand for the phones, laptops, and tablets that access enterprise data. Back then a slew of companies offered protection for these devices, termed MDM (mobile device management). Some of these offerings still exist.
Of course, many companies still maintain and protect certain endpoints, in particular laptops. But for phones, in the vast majority of organizations, that ship has sailed. It is a very tall order for IT and security organizations to track down and protect all of their employees' phones. Even with an agent running on the phone, it would be a Herculean task to monitor every incoming message that might arrive via text, iMessage, WhatsApp, Messenger, Instagram, etc. for potential phishing.
Thus, we have reached the current point where smartphones are more or less completely outside the enterprise security bubble, and attackers are increasingly targeting enterprise users on their unprotected personal devices. Once they get into a personal device, they can use it to target the same valuable enterprise systems (e.g., email, file storage, SaaS applications) from the device itself, typically with the credentials and sessions the employee already has on it.
What do we do about this?
This raises the question: what can we collectively do about these attacks? This is a big open challenge facing the security community. I don't think bringing back MDM is going to work, because chasing after all those employee mobile devices is very costly. Some companies have the resources to do it, but most don't.
One solution that is available today, and that every organization should be able to implement, is of course security awareness training. A comprehensive security awareness training program should not only cover the "classic" attack vector of enterprise email but also include other ones, such as SMS phishing, QR code phishing, and other types of scams. Another important tool is Zero Trust, which lets companies enforce per-request access control and monitoring when a potentially compromised personal device tries to reach enterprise applications, rather than granting access simply because the device presents valid credentials.
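As an added illustration of what Zero Trust access control on an unmanaged device looks like in practice (this is example code written for this page, not a Barracuda product or the author's own implementation), the following policy evaluator decides, per request, whether a personal phone that already holds valid credentials gets through. The request fields, application names, risk levels, and sample requests are all hypothetical and constructed here; the one design point worth noting is that network location is deliberately ignored, while SMS and push MFA are not treated as sufficient on an unmanaged device, because a phone that has been phished or infected can surrender those codes.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after phishing-resistant MFA
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    # Hypothetical request context as an access proxy / IdP would see it.
    user: str
    app: str                   # "mail", "files", "crm" (hypothetical app names)
    action: str                # "read" or "download"
    device_managed: bool       # enrolled in MDM or running an enterprise agent
    mfa_method: Optional[str]  # None, "sms", "push", or "fido2"
    network: str               # "corp", "vpn", or "internet"
    session_risk: str          # "low", "medium", or "high", from monitoring


SENSITIVE_APPS = {"files", "crm"}
# Only FIDO2/WebAuthn is treated as phishing-resistant. SMS and push codes can be
# relayed by a phishing site or read straight off a compromised personal phone.
PHISHING_RESISTANT = {"fido2"}


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Return (decision, reason). Rules run top to bottom; first match wins."""
    # A monitoring verdict overrides everything: a session already flagged
    # high risk is cut off regardless of device type or network.
    if req.session_risk == "high":
        return Decision.DENY, "session flagged high risk by monitoring"

    # Note that req.network is never consulted: being on the corporate LAN or
    # VPN earns no trust, which is the defining property of Zero Trust.

    if req.device_managed:
        if req.mfa_method is None:
            return Decision.STEP_UP, "managed device without MFA"
        return Decision.ALLOW, "managed device with MFA"

    # From here on the device is a personal, unmanaged phone or laptop.
    if req.action == "download" and req.app in SENSITIVE_APPS:
        return Decision.DENY, "download from sensitive app blocked on unmanaged device"
    if req.mfa_method not in PHISHING_RESISTANT:
        return Decision.STEP_UP, "unmanaged device must use phishing-resistant MFA"
    if req.session_risk == "medium":
        return Decision.STEP_UP, "unmanaged device with elevated session risk"
    return Decision.ALLOW, "unmanaged device, FIDO2 verified, non-download action"


def audit_record(req: AccessRequest, decision: Decision, reason: str) -> dict:
    """Structured log entry for the monitoring half of the same policy."""
    return {
        "user": req.user, "app": req.app, "action": req.action,
        "managed": req.device_managed, "mfa": req.mfa_method,
        "network": req.network, "risk": req.session_risk,
        "decision": decision.value, "reason": reason,
    }


# Constructed sample requests for demonstration; not real users or data.
SAMPLES = [
    AccessRequest("alice", "mail", "read", False, "sms", "internet", "low"),
    AccessRequest("alice", "mail", "read", False, "fido2", "internet", "low"),
    AccessRequest("bob", "files", "download", False, "fido2", "corp", "low"),
    AccessRequest("carol", "crm", "read", True, "push", "vpn", "low"),
    AccessRequest("dave", "mail", "read", True, "fido2", "corp", "high"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        d, why = evaluate(r)
        print(audit_record(r, d, why))
```

Run stand-alone, the script prints one audit record per sample request. The first request (personal phone, SMS code) is forced to step up, the same user with a FIDO2 key is allowed read access to mail, and bob's attempt to download from the file store from a personal device is denied even though he is on the corporate network and used FIDO2, because the policy never treats network location as a trust signal.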
While these solutions are very important, they are not sufficient. We need automatic tools that can block phishing aimed at personal devices, similar to how it gets blocked by sophisticated enterprise email protection solutions. How to intercept and monitor these messages without an invasive agent on the device is still an open challenge.
