Cybercriminals have an ally. You.

Yes, you.

You’re opening emails you shouldn’t be opening. You’re clicking on attachments before checking to see whether they’re legitimate or not. And you’re typing in your password before finding out who is really asking you for it.

It’s not your fault — really. It’s just how we are, we humans. We’re social beings, and as a species we certainly have our catalog of shared quirks. We like being communicated with. We group together in herds. We can’t resist a good story. We want news of others, and respond to others when they want news of us. We’re easily frightened, mostly by the unknown. And in response, we gravitate to the comfort of the familiar, even if the familiar is suboptimal. Very often, we do not act in our own best interest.

Hackers know all this because, like all good con-men and women, they understand human nature. And they’re designing attacks they know you’re likely to fall for. But don’t feel too badly — you’re not alone. Even at the battle-hardened NSA, tests routinely showed counter spies and analysts couldn’t resist clicking on a cleverly crafted come-on. And if they’re getting tripped up, what hope is there for the rest of us?

It’s not like cyber attackers are going away anytime soon, either.

According to IBM’s most recent Cost of Data Breaches Study[1], businesses are attacked nearly 17,000 times each year — an average of 46 times per day. Cyber attacks are estimated to cost businesses nearly half a trillion dollars a year.

Hackers constantly jiggle the virtual door handles of global enterprises because they know, sooner or later, someone’s going to open up and let them in. They do this for two simple reasons:

1. It’s easy

Coming up with a convincing email that contains a malicious attachment or bogus link is simple compared to trying to crack the advanced crypto protecting a high value target, or hurting your brain trying to come up with the next big internet exploit.

2. It works

Phishing is by far the #1 attack vector, accounting for approximately 95% of all successful breaches.

Our traditional defenses are either aimed at detecting a malicious payload or erecting a perimeter around an organization. But payloads can change, and it’s very difficult to identify them all. And the perimeter does no good when the people inside are opening the door by falling for phishing.

And there is a time paradox in attacks. While the actual breach can take as little as 90 seconds, that hack may have been months or even years in planning. Hackers try multiple approaches. They may tap thousands of people at an organization to see who’s going to bite. They probe defenses, and look for applications that haven’t been patched recently, either because they’re obsolete, or because the IT department simply hasn’t gotten around to it.

When a payload is finally delivered, it can take a hacker months, or even as long as a year, to gather valuable information like credit cards, bank account numbers and confidential personal data. And it takes time to copy and move that much data without setting off alarms.

It’s time for technology that takes into account the tactics attackers use, as well as the infrastructure they need to launch attacks. No matter how much they’d like to hide it, every single hacker or hacker group has a particular way of going about their business — it may be a favorite handle or a lucky IP address or a certain way of writing their malicious code. Put enough of these small patterns together and you get evidence of malicious activity as unmistakable and identifiable as a fingerprint.

The delivery infrastructure of an attack is much harder to change than a bit of code. All it takes to change a payload is a single space in a file name which would throw off a computer search. But it takes months to build an effective delivery infrastructure. It’s not something that hackers are willing to walk away from.

Everything on the Internet has an IP address, including the servers hackers have compromised. Once you’ve identified their network, you can watch attackers probe organizations and even watch as they deliver malicious payloads. With that kind of visibility, you can see attacks coming, and disrupt, divert, or deny them before they even get started.

Taking this kind of preemptive stance turns the tables on the attackers. Hackers are successful because they’re leveraging the weaknesses in our systems: security holes, static defenses, even our own stubbornly trusting human nature. But we can be successful by using their weaknesses against them: their habits, their behavioral patterns, and their delivery networks.

Instead of waiting for our defenses to be breached or training ourselves not to do what feels natural, we can target hackers before they get started.

Human nature isn’t going to suddenly change. But we do have a long and colorful history of designing products, systems, and technologies that compensate for human fallibilities. Right after we invented fire, somebody had to come up with some sort of fire extinguisher. Brakes probably followed shortly after the creation of the wheel. Self-driving cars are our latest attempt to stave off dangers like road rage and distracted driving.

Attackers will certainly continue to prey on us, but we can change our approach to combating them. After all, we’re not going to stop using communications technology, so let’s make it safe enough to use without fear or undue precaution. We need to stop helping them, and start helping ourselves.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!



Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.

How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.