Matt's Blog (+_+)

Why Perfect Defenses Create Imperfect Results

Security teams are building stronger defenses than ever before. Multi-million dollar security stacks, advanced threat detection, zero-trust architectures - the works. So why are major organizations still getting breached through something as basic as phishing emails?

When Even the Government Gets Phished

The U.S. Department of the Interior, an agency that handles sensitive national data and should treat security as a top priority, fell victim to a phishing attack that compromised its BisonConnect email system. Government-level security, bypassed by a fake email.

They weren't alone. Reddit had an employee get tricked by what they called a "plausible-sounding prompt" that led them to enter credentials on a convincing fake domain. Activision suffered a similar fate, with hackers gaining access through social engineering tactics. Three major organizations, three different sectors, one common thread: phishing worked where sophisticated attacks might have failed.

So what's going on here?

The Problem with "Secure" Solutions

Here's the uncomfortable truth—even our supposedly secure solutions aren't that secure when humans are involved. Reddit likely had two-factor authentication with TOTP codes, the kind of security that's supposed to stop attackers cold. But when faced with a convincing fake domain that looked legitimate, those security measures became irrelevant.

This isn't about Reddit having bad security. It's about attackers realizing something important: why break down the front door when you can convince someone to hand you the keys?

Security has reached a point where breaking through technical barriers is much harder than simply tricking someone into opening the door. And that's created a fundamental economic problem.

The Economics Are Broken

Think about what organizations spend on security today. Medium to large companies easily drop millions of dollars annually on specialized security staff, endpoint protection like CrowdStrike Falcon, identity management through Okta, web application firewalls, intrusion detection systems, the list goes on and on. Hell, some companies spend more just ingesting logs into tools like Datadog than attackers spend on entire campaigns.

Now consider what it costs an attacker to run a phishing campaign against 1,000 employees. In some cases, we're talking hundreds of dollars. Maybe a few thousand for a sophisticated campaign. The math is brutal: millions in defense versus hundreds in attack.

Some phishing campaigns can get expensive, sure, and cost is always relative. But generally speaking, a dedicated attacker will spend far less to breach an organization than that organization spends trying to prevent it. It's an economic imbalance that fundamentally favors the attackers.

The Solution Exists (But Has Problems)

There are solutions that actually work. Hardware security keys and FIDO2 passwordless authentication can stop phishing attacks dead in their tracks. Passkeys are another step in the right direction - they're definitely a huge security upgrade from SMS-based two-factor authentication and help solve the cost problem since they're built into devices. But their shareable nature creates a glaring weakness that dedicated attackers can exploit.
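Why the relayed TOTP code in the Reddit scenario above still logs the attacker in, while a FIDO2 assertion does not: an added simulation of the relying party's verification logic, not code from the original post. HMAC-SHA256 stands in for the authenticator's P-256 signature, and the origins, seed, device key and challenge are constructed.

```python
import hashlib, hmac, json, struct

# --- TOTP (RFC 6238): HMAC-SHA1 over the 30-second counter, dynamically truncated
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login(secret: bytes, submitted: str, now: int) -> bool:
    # The RP only ever sees six digits; nothing says which site the user typed them into.
    return hmac.compare_digest(submitted, totp(secret, now))

# --- FIDO2 / WebAuthn-style assertion ---------------------------------------
RP_ORIGIN = "https://login.example.com"      # constructed relying-party origin
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike domain

def sign_assertion(device_key: bytes, browser_origin: str, challenge: str) -> dict:
    # The browser, not the user, writes the origin it is on into clientDataJSON;
    # the key then signs authenticatorData || SHA-256(clientDataJSON).
    # (Real authenticators also refuse to use a credential on a foreign rpId at all.)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ORIGIN.encode()).digest()  # stand-in for rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(device_key, to_sign, hashlib.sha256).digest()}

def fido_login(device_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:        # origin binding: the anti-phishing check
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(device_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

# --- Scenario: victim is on the look-alike domain, attacker relays to the real RP
def relayed_totp_succeeds() -> bool:
    secret, now = b"constructed-seed", 1_700_000_000
    code_typed_into_fake_site = totp(secret, now)              # victim reads it from the app
    return totp_login(secret, code_typed_into_fake_site, now)  # attacker forwards it: accepted

def relayed_fido_fails() -> bool:
    key, challenge = b"constructed-device-key", "c3VwZXItcmFuZG9t"  # RP challenge, relayed
    assertion = sign_assertion(key, PHISH_ORIGIN, challenge)        # signed on the fake site
    return not fido_login(key, assertion, challenge)                # origin mismatch: rejected
```

The TOTP path cannot fail because the code carries no information about where it was entered; the FIDO2 path fails only because the signed origin is supplied by the browser, which the attacker does not control.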

During a tour of Google's Dubai offices, I saw this in action with hardware keys - everyone had one, and it was just part of their workflow. The folks there mentioned that since they switched over, they haven't had a phishing incident. Seamless, effective, problem solved.

But here's the catch: getting an entire organization to embrace these tools is expensive and culturally challenging. One FIPS-compliant YubiKey costs $85, and each employee needs two (in case one gets lost), so you're looking at $170 per person before shipping. For a company with 1,000 employees, that's $170,000 just for the hardware, not counting deployment, training, and support costs.

Even worse, if employees see security tools as a burden that slows them down, they'll find workarounds or simply ignore the protocols. The technology works, but only when people actually use it properly. That's why this isn't just about having better tools - it's about making security feel seamless rather than like an obstacle.

The Bottom Line

Current anti-phishing solutions work when implemented properly. The problem is adoption. Until we make secure solutions as easy to use as the insecure ones, the economics will continue to favor attackers. They'll keep taking the path of least resistance, and more often than not, that path runs straight through human error.

The answer isn't to stop hardening our technical defenses. Those strong walls matter. But we can't ignore the basics either. Training employees to recognize phishing attempts and being careful about social engineering is just as important as ensuring your application doesn't have SQL injection vulnerabilities.

Until security becomes truly seamless, attackers will keep catapulting people over our carefully built walls.