Cipher Book Review, Issue E133

Phishing Dark Waters: The Offensive and Defensive Use of Malicious E-mails
by Christopher Hadnagy and Michele Fincher

Wiley 2016.
ISBN 978-1-118-95847-6
Table of Contents

Reviewed by  Richard Austin   July 15, 2016 

Hadnagy (joined by Finch in this case) is one of those inconvenient people who keep reminding us that despite all the shiny equipment, whiz-bang software and expensive consultants, it's the human factor that will often allow our adversaries to penetrate our defenses. He first raised this unpleasant allegation back in 2011 with his book "Social Engineering: The Art of Human Hacking" (reviewed in the June issue of that year) and has returned to vex us with a detailed look at a technique much in the news: phishing.

The book opens with an overview of the modern world of phishing which serves as a stark reminder that the phishers' craft has advanced far beyond yesteryear's plain-text, poorly worded deceptions. The modern phish is skillfully designed to look real and bait the recipient into carrying out the phisher's intent.

The next two chapters delve into why phishes work with insights from neuropsychology and other social sciences. This material provides good background for understanding the "buttons" the phishers try to push in tricking us into carrying out their wishes.

After a solid introduction to the tactics of the phishers, Chapter 4, "Lessons in Protection" provides guidance on how to foil those tactics. Of particular value is the catalog of bad ideas which far too often make it onto the list of suggested defensive measures.

Self-phishing or applying the tactics of the professional phisher to your own organization is the subject of Chapter 5. Done correctly, this is an excellent way to assess the efficacy of your defenses and identify those who need additional awareness training. However, as the authors point out, this type of thing must be well-planned and aptly executed in order to achieve the objective. Doing it right requires substantial planning but following the guidance in this chapter will make it much more likely that you succeed in improving your organization's posture.

Studying policies and their implementations is about as exciting as watching grass grow or paint dry - installing a new messaging gateway or endpoint protection project is much more interesting to the technical security professional. However, as Chapter 6 "The Good, the Bad, and the Ugly: Policies and More" so aptly points out, policy and awareness are critical to defending your organization against human-based attacks.

An enabler of the growth in phishing attacks is the quality tools that are available, and Chapter 7, "The Professional Phisher's Tackle Bag", provides a whirlwind tour of the tools and how they are used to mount a campaign. The quality of the tools underlines how far phishing has come since the days of plain-text, badly written promises of quick wealth.

The final chapter, "Phish Like a Boss", is a gem as the authors avoid the temptation to rehash the preceding material. Instead, they identify the most important factors that a successful anti-phishing program must include. I recommend particularly their advice on setting reasonable goals for your organization given your particular circumstances, resources and culture.

I hope you will buy and read this book but, most importantly, I hope you will apply its guidance. The authors are experts in their field and have an engaging writing style that holds your interest while exploring this dark territory. Their exposition is well illustrated and firmly grounded in the reality of having engaged the professional phishers and foiled their activities.

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin fearlessly samples the latest offerings of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org