Episode 51| Looking at Phishing Through the Intrusion Kill Chain

Melissa Michael

11.03.21 32 min. read

Phishing is the number one vector leading to data breaches. It’s an easy, effective way for attackers to trick users into giving up credentials or running malicious code. While organizations cannot stop motivated attackers from trying to phish their employees, they can make it harder to succeed. F-Secure’s director of consulting, Riaan Naudé, calls this building the path of most resistance. In episode 51 of Cyber Security Sauna, host Janne Kauhanen spoke to Riaan about how companies can make life difficult for phishers by addressing the earlier stages of the intrusion kill chain. Also in this episode: The most important metric of phishing simulation, why feedback is important, and the phishing emails users fall for.

Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!


Janne: Welcome, Riaan.

Riaan: Thanks a lot Janne, thanks for inviting me to speak to you about this today.

Absolutely. Now in my experience, there are exactly two ways that organizations get breached. There’s phishing and unpatched vulns. Now searching for the vulnerabilities is easy and cheap, even if the patching itself isn’t, but there’s no blinky box to help with the phishing, is there?

Well, a lot of vendors would probably disagree with you. They’d say that there are blinky boxes. There’s always a blinky box. But there isn’t necessarily a blinky box that works against this.

Yeah. So what is the attacker looking to get out of phishing people?

Well generally, there are two things they’re looking for. They’re looking for information, so they want to understand the payment process, or they want a password, so they want you to divulge some sort of valuable information. Or they’re looking for you to run some sort of code for them. They want you to run a macro or click on something for them.

Loosely speaking, those are the two main things that they are looking to do. And those are the things we’re looking to protect against.

So how can looking at phishing from the attacker’s perspective help defenders in preventing and detecting and responding to this threat?

If you understand how an attacker would approach your environment, it’s easier for you to understand the steps that they need to take, and that allows you to go and build preventative or detective controls for each of those steps. The traditional approach for phishing is simply that we look at it as a simple thing. We need to prevent people from clicking on things that say, “Click here.”

In reality, it’s not as simple as that. We know people will click, so therefore we need to understand if someone was to click, who would click and what are the sort of things that they might click on if it was to be introduced to your environment?

Right. So what’s the end goal here? To make the attackers… We don’t think we can stop them cold, so we’re just trying to make them invest more time and skill and resources to sort of make ourselves less of a target.

Well, at the end of the day, you can stop some attackers cold. I know a lot of people don’t necessarily like the threat actor capability pyramid, but imagine a pyramid where at the bottom you’ve got simple script kiddies, or less experienced attackers, and at the very top you’ve got the most experienced attackers. You can stop a lot of simple attacks. You can prevent a lot of the very easy, simpler things. You can certainly stop those.

You can’t realistically prevent an APT. If someone with a lot of resources and a lot of skills decides to target you, they’re going to get in.

But if you look at your environment from the perspective of these guys, your chances become better at at least detecting them. If we make the assumption that we can’t prevent everything, let’s think about what might happen if they were to target us, what is realistic to expect from the attackers, and then if we can essentially predict what’s going to happen, we can go and build detection capability for that. So when it does happen, we know about it as quickly as possible, and then we can respond to it.

Absolutely. Now you and I have spoken about phishing before, and for most of us, phishing is just about sort of the initial foothold and payload delivery. But your take on it is broader than that. Can you talk to us a little bit about that?

For anybody that’s spoken to me about any security topic, I’m a very big fan of framing everything around the kill chain. Now the kill chain is a term that was coined by Lockheed Martin, and we at F-Secure have slightly adapted it so that it has the following eight steps. So let me quickly run you through those.

First of all, you’ve got the external reconnaissance phase. That’s where the attacker, the first time they Google your company’s name, that’s part of the external reconnaissance phase, where they start gathering information.

Then we’ve got the delivery phase. That is where we traditionally put phishing, because that’s where we deliver something to the environment, whether it’s an email or a payload to an unpatched system.

Following that is execution, where that payload executes.

Then we’ve got persistence. Now, this is potentially an optional phase for the attacker. They don’t need to persist. They don’t need to dig in, but if you’re an attacker, you want to make sure that when someone restarts the system or something happens, that you can get your communication back.

Following that is command and control. That’s the first time the attacker interacts with your environment, or they have some sort of information about the environment internally. So the code will execute, and that payload will communicate out to a system controlled by the attacker.

Then you’ve got internal reconnaissance, where they start digging around internally. There they’ve got interesting things to look at. They can look at the network itself, they can look at Active Directory.

Then they start moving around, which is the lateral movement phase.

And finally, there’s the objective, whatever that objective might be. That generally depends on the type of environment they’re attacking. If it’s a financial environment, we can assume that they’re after some sort of personal information or financial targets, but if it’s retail, for example, they might be looking at pricing information, or again they might be looking at personal information. It all depends on the type of industry.

So traditionally with phishing, we would think about it in the delivery phase. Only the delivery of mail. But we should understand that before an attacker can phish you, they need to understand who to phish, so there’s going to be some sort of gathering exercise.

So during the gathering exercise, we can understand that if an attacker was to target us, what sort of information is available to them? So what sort of info do we put on job postings? What sort of information do we put up on LinkedIn? Or what sort of information do we allow users to put up on LinkedIn? Very often you get an email and you wonder, “How did this guy get my email address?” Well, if your company has information out on LinkedIn, or you put some details up, they might go and find you.

Then there’s delivery. That is where they actually email you. Now, most environments have web and mail gateways, so you can’t send any type of URL, you can’t send any type of email, so it’s up to you as a security team to understand: what sort of URLs can be delivered to my inbox? What sort of payloads can be delivered? Because not all environments allow, well, most environments, for example, don’t allow .exe files, but there are many other ways to execute payloads. So macro-enabled documents, HTA files; understand exactly what can be delivered.

For URLs for example, a URL is classified as malicious or non-malicious, or as a financial classification. A URL has certain classifications, so you can understand exactly what type of classifications can be allowed in your environment. Most businesses have some sort of exclusion set.

And then of course, command and control follows very much the same as the type of URL that can be accessed, because after a URL is delivered to your environment, the communication needs to go out to this host. Something to look at, for example, is can I communicate directly to an IP address on the internet? Or do I need to go through a URL?

So if you go through each of these steps, you can build out a very decent list of actions that an attacker needs to perform, and importantly, you can say: if an attacker were to phish me, this is what that attack, at a minimum, might look like, or has to look like.

Okay. So the attacker has to complete that whole kill chain to be at their objective and realize the goals that they want. So what can we do? What’s the sort of the short, simple answer at each of these stages? What can we do to throw those wrenches in their gears?

So for external reconnaissance, for example, it generally comes down to policy, but you need to make sure that what your users put out on the internet is as limited as it can be.

We need to make sure that in job postings, for example, we don’t share too much information about the technology that we use, because if you advertise, for example, that you need a McAfee engineer, obviously the attacker already knows that you’ve got McAfee on the internal network. And that goes for all controls.

For the delivery phase, we can implement preventative controls that ensure that only the minimum is allowed through to your environment. For example, not all users need to receive macro enabled spreadsheets. Not all users need to be able to receive HTA files, or URLs for that matter. So you can strip out a lot of the information that isn’t required by a specific user group.

For code execution again, and this is something that a lot of environments do these days, you’ve got code execution policies in place. So only certain types of files can be executed. You can prevent anything that’s delivered by email from being executed, to restrict things as much as you possibly can.

And then for command and control, again, it’s important to prevent communication to new and novel web pages. If a webpage was registered within the last few weeks, why would you want to access that or allow access to that?

These are the sort of controls. I mean, it goes very deep into each of these phases, but they are very simple things that you can do to prevent as much as you can. The detection game is arguably more important and becomes quite complicated.

Okay. So when we talk about phishing and that sort of payload delivery stage, we’re often saying that employees are the weakest link in the security chain, because if you have thousands of employees and somebody puts an effort into tricking them, they’ll trick one of those people. There’s nothing you can do about that. But you’re talking about how if you harden your employees against social engineering, they can be a great asset. So how do you go about that? How do you make your employees your first line of defense?

I think it’s sometimes a bit lazy for the industry to say that users are the weakest link. They’re very important. They run the business. So we as a security team need to do what we can to protect them. It’s not an us and them sort of situation. We are all employees of the same business.

Where you bring users into the fold: Traditionally, the idea of user awareness training for example, is to teach people not to click. So you want to reduce your susceptibility to phishing as much as you can. You want to reduce your click rate as much as you can.

I believe the answer is rather that you need to teach people to report phishing emails. Now, I know awareness training does that, but the emphasis generally is on click rate, because that’s a nice number. That’s a nice thing to look at. It’s good to say that, “Oh, only 2% of people click on an email, 1% of people click on an email.”

In reality, you need someone in the target list to report that email as quickly as possible, because it’s a detection function. It’s part of detecting that a phishing attack is happening. The quicker you can do that, the sooner the situation can be handed over to the security team to handle.

Yeah. So I know this from experience, that there are smaller companies out there who don’t have a full time security team ready to look at phishing, and there are companies out there who don’t even have a clear method. Like if you would get a phishing email today, what would you even do about that? And I know that all methods of reporting phishing are not equal, so if I just forward that email to the security person, it doesn’t contain all the information required, does it?

No. So when you forward an email, you click forward and send that email, and you lose a lot of the important header information in that email from a technical point of view, and most security people would need that info. There’s detailed information that they can pull from that.

So if you don’t have any sort of software in place that allows you to simply report a phishing email, the recommendation is simply that a user attaches that email and forwards it through to the security team. If you attach the email in that manner, then at least that information is safeguarded. The security team has what they need.

Yeah. Now we just hope that the organization has that security staff available that can then look at that email and make decisions based on it.

Yes. Yeah. I mean, at the very least, most businesses have some sort of IT function, some sort of team or IT techie on site that could help with that.

For smaller businesses such as that, it’s important to have the information at hand about what a phishing email means and could mean to a business, a small business as well, because it isn’t just the case that big businesses are targeted by phishing. Small businesses are targeted, their financial functions are targeted because at the end of the day, there’s some monetary value to an attacker.

Okay, well, that’s sound advice for small companies, but what about if you are a company of a decent size, what should your, sort of, phishing response look like?

So phishing response is a relatively difficult one, simply because SOC analysts, or security operations centers in general are, depending on the scale of the business, inundated with phishing emails. And it’s not just phishing emails, it’s spam, it’s the false positives that come through as well.

Many users, as you teach them about phishing, might become paranoid and report emails that they simply didn’t expect. Well, I mean, that’s fine. It’s something you need to do. You should report the emails you didn’t expect to receive, but what happens is you need to consider that every email that’s reported to a security operation center takes time from someone’s day. And depending on the scale of the business, there’s too much for individuals or for security analysts to handle.

So some sort of automation is required, and you need to filter out the emails that can’t be malicious to the environment. But even that becomes tricky because at the end of the day, it is possible to send an email through that has zero technical markers of a phishing email, but can still be a phishing email simply through language.

I could, for argument, say, “If you don’t download something for me as the attacker, I’m going to keep your dog hostage, or your cat hostage, or whatever.” There could be an emotional response there from the user to actually go and enact something on the attacker’s behalf, but from a technical point of view, there’s nothing there that says it’s malicious. It’s only the language that becomes malicious.

So it is a very difficult game. At the basic level, what needs to happen is you need to have a team that has an efficient mechanism to process phishing emails as quickly as they can. If you can, automate a triage of that email, so that of the hundred emails that are reported, there are only 10 that actually need investigation or some sort of attention. That makes it simpler for the SOC analysts, that makes sure that they know that when they do receive something, it’s high-fidelity, and that they’re not stuck triaging useless emails every day.

Yeah. Okay. Now I know for a fact that our lab here at F-Secure looks at phishing emails and malicious payloads and things like that every day, so for our customers, we’re certainly in a position to tell them, “We’re not seeing this attack anywhere else,” or, “We’re seeing this attack hit your industry,” or, “We’re seeing this as just like a commodity attack.” Does that have value for the defender? Does that inform their response somehow?

It absolutely has value, and for two reasons. If an email is received and we are able to tell the customers that we have seen this before, that means first of all, that we know this is malicious, and we have analyzed it before.

But it also means that it isn’t necessarily targeted at your business specifically. It might be a spray and pray sort of thing, something that goes out to many businesses. That of course doesn’t mean it’s less serious, but when you are targeted specifically, that does mean that the attacker might be a bit more motivated than they otherwise would have been. And that is concerning.

Makes sense. So getting back to the employees, I sometimes hear comments that awareness training is sort of a wasted effort, like you’ll never be able to catch everyone, teach everyone. So why even try? What are your thoughts on that?

So yeah, awareness training might to most technical security people seem like snake oil, a bit of a silly exercise. In reality, it is a very important component of your detection function.

One of the realities of the industry is that awareness training is very often not handled by the security team. It’s handled potentially by HR or a dedicated awareness team. So there’s often a disconnect between the team who runs awareness training and the security team who needs to enact what might come afterwards.

Awareness training is important because it teaches users, what do we need to look out for? For example, we need to teach users that if there’s any sort of urgency in an email, if an email sort of causes emotional response from the end user, so any sort of urgency, that you just need to pause for a second and look at what is happening, because that is something that attackers do a lot. Users might not think about that until they’ve been taught to think about that.

So you just want your average user in your environment to feel uncomfortable when there’s urgency in an email, especially if there’s a link or an attachment.

The important thing though is not, in my opinion at least, to stop you just from clicking. It is to allow users to know how to report an email. How do we, as quickly as possible after receiving this email, get that email to a security team to actually care about it?

Yeah. That makes sense. There’s also good and bad security training. Like I’ve seen security training, like there’s a video of a guy walking with a laptop in their arms like, “Would you hold the door open for this guy?” Well, no, now that you’re asking me. Like in real life, yes. But this is a test. I understand enough to say no. So what’s a good way, what’s an effective way to get employees to that level that you’re talking about with the phishing? Understanding what should they look out for? What should they do next? How do you get people there?

So the approach that we’ve taken, and that I believe is an important approach, is to do awareness training in a practical manner that actually phishes users. So it’s one thing telling a user about, “This is what phishing looks like, through a communication that you send out.” But it’s another thing if a user is actually caught by a training exercise.

So the training exercise is an actual phishing email sent out by your business. It’s something that people would actually fall for, and they do actually fall for it. The moment they do fall for it, there’s a pop-up that says, “Oh, you’ve been caught by a phishing email. This is what you should have looked out for. This is what you need to look out for in the future.”

So they receive that point-in-time training while they are, I don’t want to use the word embarrassed, but personally, when you do fall for a phishing email, you do feel a little bit embarrassed.

Riaan Naude of F-Secure on phishing simulation exercises


There’s a story I tend to tell about phishing. Because a lot of people would say, “I’ve never been phished.” Those people probably have been phished, they just don’t know they have.

Shortly after moving to the UK – I still have a bank account in South Africa. And this particular bank does not allow you to reset your password online. You have to go to a branch. Now, we don’t have a branch in the UK for that bank, and I’d been trying to reset my password for a few days and on the one day I receive an email saying, “We now allow you to reset your password. If you’ve got your bank card, or you’ve got a cell phone, whatever, you can reset your password.” And I thought that was wonderful. Click on that link, start following the process.

And only as I started typing, I noticed that, I can’t remember if it was the coloring or some sort of formatting on the webpage, something wasn’t right. And then I look at the URL and then I realized this is a phishing email. It wasn’t of much value to the attacker because I didn’t remember, I didn’t know what my password was anyway, so I couldn’t give it to them even if they wanted it.

But the point is, everybody gets caught. Everybody has some sort of trigger, some sort of situation that is emotionally relevant to them. And that could have just been an exercise for me.

So you need to do certain exercises that are realistic, the sort of thing that they could expect in the real world, and as you do that, it ingrains in the users that, “This is what I should do. This is what it looks like if an attacker was to get something from me.”

Because what you also have is users might say, “Nobody would target me. Why would they phish me?” Everybody needs to assume that you will be targeted in some way, even in a personal capacity or in your capacity as an employee of a business.

Yeah. I mean, you’re still an employee of that company or still a way in, and presumably you do something worthwhile for the company, so you have value.

Yeah. I mean, there was a, I’m not sure who said it or where it comes from, but the easiest way to get someone’s password is to ask them.

And that is exactly what phishing does very well. It asks someone to give some sort of information or do something in a very useful way, in a very sneaky way, because these emails do look perfect. They look exactly as you’d expect them to. And a lot of users simply are good hearted and they simply want to help this person that sent this email. So there’s that aspect as well.

Yeah. I do like your thinking that, sort of, awareness training is not about reducing click rate, because you do want people to sort of click on your simulated phishing so that you can provide them with that on-the-spot training, like, “Here’s what you should have done in this specific situation.” So that’s interesting because at the end of the day, you do want the people to not fall for real phishing…as little as possible, right?

I mean, it’s very difficult to tell users not to click on anything, because what happens is, you’re an F-Secure employee, you know that we have surveys that go around internally, you know that we have, and these legitimate emails do say, “Please click on this link and do this thing.” So that is exactly what an attacker would do.

So you want to teach a user to discern between the legitimate click here email, and the illegitimate click here email. Is it an email that you were expecting? Is it the sort of email that is normal in your situation? Show the user what they can have a look at. What can they look at in that email to tell them it’s actually an illegitimate, potentially phishing email?

Okay. Now the point of all this is to get people to report the actual phishing emails that they get, as much as possible. Why isn’t that happening? Like, what are some of the barriers? Why aren’t people reporting the phishes that they get?

It would differ from business to business, but it might simply be that the users don’t know who to email. And if a user needs to spend a moment trying to find the right email address to forward to, they might simply not do it. If you’re lazy like me, you’re not going to go through the effort to go to find who to email.

No, absolutely. Like these days at F-Secure, we eat our own dog food. But before that was the case, I’m ashamed to say that there were times when I didn’t know who to email about things like that.

Yeah. I mean, information like that isn’t necessarily always available. You need to know where to look. But the simplest thing probably to do is, if you have an internal mailbox that does this, simply call it something easy for a user to remember.

Then the next thing is, I mean, now we work from home, so it’s probably not as relevant, but to have posters up in the coffee area, to have information that’s always available to users to know, if there’s a security incident in any way, what do we do? I mean, we do it for fire escapes. We do it for fire marshals. We always know where the first aid kit is.

In the same way we share that information, we should share information about what to do if an IT security-related incident occurs. The simplest way to report a phishing email is just to have a button available, something simple for you that you just simply click on, all at once sort of situation. Then at least they know that they can click on that, it’s gone, and they get their feedback.

The automated triage systems that are available these days would give the user some sort of feedback saying, “Well done, you reported an actual phishing attempt,” or, “You caught a training exercise,” or, “This email was clean. You can actually go ahead and access the email.”

Yeah, and that feedback is important because if users, if they report an email, never hear it back ever again, they’re like, “Well, maybe nobody cares. Maybe I shouldn’t care either.”

Yeah, absolutely. I mean, if you don’t have the feedback, positive or negative, if I receive an email, I send it onto a security team. I don’t get an automated response and I don’t get feedback on that. I will assume that nothing’s happening. And if nothing’s happening, what’s the value in this thing that I just did? So it’s important to get feedback.

Absolutely. Now, you already shared a personal story about how you got phished. And there’s this one time there was an email from HR saying, I don’t even remember, there was some change in some HR policy, and I felt that it would have a negative impact on me. And I flew into this rage and I was clicking on that email. And as I’m clicking it, I’m like, “I’m reacting very emotionally to this email, just the way an attacker would want me to react.” And then sure enough, it was a training exercise.

So any other cool war stories you have about people getting phished? Do we have like any success stories where we made phishing so hard that attackers just gave up and went away or anything like that? Any cool phishing stories?

Well, I mean, cool phishing stories are generally from the attacker’s point of view, what our red teams have done. And I wasn’t personally involved in this phishing situation, but what happened was you target an environment assuming certain things. So you’d assume that they have a certain level of operating systems.

So for example, the assumption was that this environment, as most environments have Windows 7 or Windows 10 and upwards. However, what happened was the specific environment that was targeted, the payload didn’t execute. Because it doesn’t execute, you don’t get a callback, so you don’t know what happened.

But luckily for us, there was a user that was very friendly and said, “Listen, this thing you sent me doesn’t work.” So then there was a situation where our red team built up this sort of relationship with the user, and it turned out that this user was using a Windows XP system, so the .NET version was incorrect.

And after this back and forth, they were able to troubleshoot why the malware didn’t execute. And the user would say, “If you send me this payload, that happens; if you send me that payload, this happens.” And they figured out, of course, that because it was Windows XP, it didn’t have PowerShell. And then they built a new payload that actually did work, and the user executed it, and everybody was very happy.

(Laughing) Oh, that’s perfect.

And that happens in the real world with real attackers as well, because we very often assume that malware is just something that is omnipresent on the internet. It just, it happens, but we need to see that there’s a human behind that attempt. There’s a human that is attempting certain things, and yeah, so they could interact.

Perfect. So we also do phishing simulation. So you’re not only defending against phishing sort of by providing these report mechanisms, but also by training people. So what are some of the things you’ve found to be very effective? What are your favorite tricks when you are phishing people?

Real-world events are always very exciting, using attacks that are relevant, where the story already has legs.

So for argument’s sake, when the pandemic started, a lot of airlines went bust, and there was one in the UK that went bust. I believe it was Flybe. And on the day, our team built a campaign and sent it out, saying, “Flybe went bust, click here to reclaim your voucher.” And people want to go on holiday, and you elicit that emotional response that you want, and they just click on it because my holiday is at risk here.

COVID, I mean, it still is a very popular, very common topic to talk about. “Your vaccine is ready, click here to claim.” Whatever the case might be.

And there are a lot of stories around how you should do phishing and how you shouldn’t do phishing. And some of those things could be: don’t tell a user to click here to claim their bonus, or there’s a secret here, don’t tell your colleagues, you’ve been selected for a bonus this year, because they’ll click on it and they’ll realize there isn’t any bonus, and then they’ll be reminded about how they didn’t get a bonus. And you upset your people. You don’t want to do that. But again, there’s a balance. There’s a balance there.

Riaan Naude of F-Secure, on phishing and emotions

What’s the most unusual phishing email or phishing trick you’ve seen? Is there a moment you were sending out something and you were like, “I don’t think this is going to work,” and then you can’t believe it worked, or something that you’ve seen the attackers do that you were like, “I can’t believe people are falling for this.”

You’d imagine for phishing that people would fall for expensive tricks. They would want that Bose headset, or they would fall for some sort of thousand euro prize or whatever the case might be, but people fall for things as cheap as coffee.

So you could simply say that the cafeteria today has a free coffee if you click here. Guaranteed, you will get a lot of clicks, because people want their coffee. It doesn’t matter that it’s a two-pound thing. They want it now.

So sometimes it’s interesting how trivial the prize is, and for what a trivial prize users would compromise their business. And the thing you’re looking for is that emotional response. You want people to click before they think about it.

But it’s also like free coffee is more plausible than a free thousand euro bonus, so that’s more likely to happen.

Absolutely. It’s more likely that a person would report an email that’s obviously phishing, because why would you give me a thousand pound bonus or whatever? But trivial things make the email seem trivial and less important.

That’s interesting.

So we’ve got team members that dive deep into the psychology of this. And we were doing a research piece on why phishing is as effective as it is, to understand empirically what’s going on.

But it’s interesting how emotions play a massive role in phishing. That urgency that’s created, how important that is, because what happens is if you can create any sort of emotional response, it means someone would potentially react before they had time to think about it.

So we get the CEO fraud a lot, where your CEO or the CIO or someone high up within the business, an email is spoofed from this person that says, “Listen, don’t tell people, but I need money transferred to this account as soon as possible.” And people see, “Cool, this is a CEO. This is an important person. I need to do this immediately before I upset this person.” And very often that happens. They go and they approve the payment, they do the payment.

Okay. So at the end of the day, it’s all about sort of preparing your workforce on what’s suspicious and equipping them to do the right thing, because we know people want to do the right thing if they know what that right thing is.

Yeah. Repetition is important in training people as well. I know that for the bank I still do use in South Africa, every time you log onto your online banking, there’s a prompt that says, “We will never ask for these things.” I think that is an important thing.

It’s important in your business, to explain the sort of thing that will never under any circumstances happen so that when they do happen, the user can immediately say, “Well, this isn’t supposed to happen. This isn’t normal. We won’t be notified of bonuses in this way, we won’t be notified of increases in that way.” Making sure that you have a very strict policy of how things happen and anything outside of that norm needs to be reported some way.

Yeah. That’s some sound advice. So AIs are going to solve everything, every single technology problem out there. Are they going to solve this one as well?

In an ideal world? Maybe. I personally think that AI is very much a word that’s been stolen by marketing. It’s very rarely, I think, something that the technical staff would say, “This is what we’re doing,” because it’s a catch-all term for all the magic that we do these days.

But at the end of the day, if our goal is to solve phishing as a problem, in order to solve phishing, we need to understand the intent of any given email. You need to understand why someone wants to do that. And that goes deep into security for anything. You want to understand the intent of an action.

And potentially what we could do is natural language processing on emails to understand intent, so what is the sender trying to achieve with this email? Now we’re a very long way off making that something that works well. I’d like to say the short answer isn’t that AI is the solution to everything, but if we mean by AI that we wish to have human-level analysis of every single email automated, then yes, hopefully that is the solution in the future, but it isn’t as simple as the simple thing AI might seem.

Thanks for being with us today, Riaan.

Thanks, Janne. Thanks for inviting me.

If you want to read some more about phishing, we have just published an ebook called Combating Phishing that’s available on our website, and we’ll also link to that on the show notes.

That was the show for today. I hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.
