
WHITE PAPER

The CISO’s Guide to Spear Phishing Defense

A strategic framework to protect against spear phishing


+1.877.227.0790 Page 2 [email protected] Copyright 2015 PhishLabs. All Rights Reserved.

Advanced Attackers Exploit People

Spear phishing is the preferred attack method for advanced threat actors. Well-crafted spear phishing attacks easily slip past layers of defenses and target the only vulnerability that cannot be patched --- people. The vast majority of headline data breaches in recent years have all begun with spear phishing attacks. If your organization has intellectual property, customer data, or critical systems that are valuable, your employees are being targeted with spear phishing emails.

91 percent of targeted attacks use spear phishing.[1]

Employees are not just being targeted, they’re also being exploited at an alarming rate. Spear phishing emails are exceedingly effective. On average, employees open links or attachments in one out of every five spear phishing emails. This means that a well-crafted spear phishing campaign targeting at least five employees will almost always result in a compromised user. If defending against spear phishing attacks is not already a top priority for your security team, it should be. This paper establishes a framework for implementing and managing an effective program for spear phishing defense. After reviewing this white paper, security leaders will understand:

Why many organizations fail to stop spear phishing attacks
The essential components of a mature spear phishing defense capability
How to align defenses to counter targeted attacks
How to evaluate program performance with meaningful Key Performance Indicators (KPIs)

[1] Spear-Phishing Email: Most Favored APT Attack Bait, Trend Micro


The Status Quo Approach to Defending Against Spear Phishing

Spear phishing is not a new security problem. So why is spear phishing still one of the most effective cyber-attack methods? To answer that question, consider the defenses that are often in place to protect against spear phishing attacks:

Email and Web Filtering

Nearly every organization has technology in place to scrub spam and other high-volume email threats out of incoming email traffic. Solutions range from basic filtering from email service providers to anti-spam modules in network security appliances to dedicated email and web security gateways. Using signatures and varying degrees of heuristic analysis, these security tools are efficient at blocking spam and other widespread, high-volume malicious content delivered via email.

Payload Analysis (Advanced Malware Protection)

Many organizations have placed payload analysis appliances in their networks to detect malicious code delivered via spear phishing emails. These systems operate in-line and use specialized sandboxing environments to execute attachments and links in order to detect malicious behavior. Content that exhibits suspicious behavior can be alerted on, quarantined, or blocked. These tools are effective at spotting customized malware, with the notable exception of malware equipped with anti-sandboxing techniques.

Phishing Awareness Training

Inevitably, some spear phishing emails will make it through perimeter cyber defenses and land in the inboxes of employees. To get the recipient to open a malicious link or attachment, the email must be enticing enough to overcome the recipient’s wariness. Awareness training increases the wariness of your employee population and can increase behaviors that make them less susceptible to phishing attacks, such as not opening unexpected attachments and confirming authenticity for urgent requests. Phishing awareness training is essential to reducing incidents. However, no amount of security awareness training can eliminate human error.

Security Information and Event Management (SIEM)

Spear phishing is used to gain an initial foothold within a targeted organization. From the initial compromised system (patient zero), advanced adversaries attempt to expand their presence and move laterally through the network in pursuit of their objective. Using SIEM tools, security analysts can monitor massive volumes of event and log data from network security devices, servers, and hosts. Filtering and correlation rules process this “haystack” of data to spot threats that have penetrated the perimeter.


Network Traffic Analysis

Advanced threat actors will often utilize customized tradecraft that easily evades signature-based detection. Instead of using signatures, network traffic analysis tools attempt to detect advanced attacks by establishing a baseline of traffic patterns within a network environment and highlighting deviations from the norm.

Network and Host Forensics

Maintaining presence while evading detection is a hallmark of advanced threats. Network and host forensics tools perform deep inspection in search of indicators of compromise (IoCs) that are too subtle or buried too deeply in systems to be detected in real-time at scale. These tools most often come into play long after a data breach to determine the full scope of compromise and support remediation.

We Need a Better Way to Stop Phishing

Billions of dollars have been invested in these tools and in the processes that surround them. Yet, it still takes 205 days on average for a data breach to be discovered from the time an organization is initially compromised. It is reasonable to assume that attackers have long since achieved their objectives by the time most compromises are found. These attacks, which in most cases start with spear phishing, go unrecognized until it is far too late.

Data source: Mandiant M-Trends 2012-2013


In fact, most organizations first learn of a data breach not from their security tools and their processes, but from a third party. Sixty-nine percent of data breaches are discovered by entities outside of the breached organization,[2] such as the FBI and the major payment card brands. Clearly, the current approach to stopping spear phishing is not working. But it’s not due to a lack of technology or tools. Organizations are investing more in security today than ever before. The problem is two-fold. First, the defensive layers that help protect against spear phishing attacks operate and are managed in silos. Information and intelligence are not flowing between them, which limits their effectiveness at recognizing and stopping the advanced attacks that traverse them. These layers need to be managed as a cohesive system. Instead, they are managed as point solutions. No one is managing them as a system, so exploitable gaps go unnoticed until after a major incident. Second, the human expertise needed to effectively combat spear phishing attacks is often overlooked or underestimated. Automated defenses can efficiently handle activity that is clearly “black or white”. But advanced spear phishing attacks exploit the “gray” areas between known bad and known good. Human expertise, analysis, and decision-making are essential to counter these attacks. To overcome this challenge, security leaders need a strategic management framework that aligns defenses and security resources for the purpose of stopping phishing attacks.

[2] Verizon DBIR 2015


The Defensive Framework for Spear Phishing

To help security leaders strategically manage their defensive posture, we have created a framework that spans relevant security layers from the start of an attack to its resolution. When applied, this framework helps organizations:

Align security layers from end-to-end
Assess which security layers are working and which are not
Focus on performance metrics that matter
Drive resource allocation and investment in the areas that yield the highest risk reduction
Reduce the frequency of security incidents and prevent major data breaches

The framework consists of four critical phases supported by robust intelligence flows.

Phase 1: Prevent

The objective of the Prevent phase is to minimize the risk of an attack payload being delivered to the targeted user’s inbox and being executed.

Recommended Defenses

Security measures applied in this phase include those designed to block email and web-based attacks in-line. Email and web content filtering tools as well as payload analysis systems (e.g. advanced malware protection and network sandboxing tools) that operate in near real-time can prevent payload delivery via spear phishing. Security awareness training that focuses on spear phishing reduces user propensity to click URLs or attachments. When an advanced attack succeeds in evading preventative security tools, effective security awareness training reduces the risk of the delivered payloads being executed by users.

Framework diagram: Prevent (minimize risk of attack payload delivery) -> Detect (see the attacks that evade prevention) -> Analyze (understand tradecraft and threat context) -> Mitigate (stop the attack and remove threat), all supported by Intelligence Flows.


Sample Key Performance Indicators

To manage the Prevent phase and assess effectiveness, consider the following key performance indicators. Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.

Percentage of phishing emails delivered

How many phishing emails are being blocked compared to the number that reach user inboxes? This indicates how effective your content filtering and payload analysis tools are at automatically stopping attacks in-line.

False positive and negative rates

How many legitimate emails are being blocked? How many phishing emails are going unblocked? This indicates how accurately your email security tools identify and block attacks. Generally, decreases in false positive and false negative rates are an indication of improvement. Growing rates would indicate that current tools need to be better tuned or additional controls should be considered.

Phishing email click rate

How many phishing emails are being clicked or opened? What is the click rate? This indicates how well your phishing awareness training program reduces your employees’ propensity to fall victim to phishing emails. No amount of awareness training will completely eliminate users clicking on phishing emails. Each organization will have a floor for this KPI that indicates peak performance. An effective phishing awareness training program will consistently reduce the percentage of phishing emails clicked until the organization’s floor is reached.

Phase 2: Detect

While desirable, blocking all threats in the Prevent phase is not achievable. Inevitably, a portion of email-based attacks will exhibit characteristics too similar to legitimate business activity to block or quarantine them prior to delivery into user inboxes. The objective of the Detect phase is to see these attacks that reach user inboxes and recognize them as a potential threat.

Recommended Defenses

Several security measures that support the Prevent phase also can be applied to the Detect phase. Payload analysis tools, for example, can provide alerting for potential threats where the confidence in the activity being truly malicious is not high enough to warrant blocking the email. More mature phishing awareness training programs that drive employees to report suspicious emails and provide streamlined avenues for them to do so also support the detection of spear phishing emails. After a user’s end point has been compromised via spear phishing, Security Information and Event Management (SIEM) and Network Traffic Analysis tools can be used to spot suspicious events and trigger investigation into potential threats. Many other network security layers can also provide detection value after the initial compromise as the adversary moves laterally within the network in pursuit of their objective. Detection via these tools is often dependent on the adversary taking actions that exceed thresholds of normal behavior within networks or that are easily recognizable indications of a compromise (such as connection attempts to known command and control servers).

Sample Key Performance Indicators

To manage the Detect phase and assess effectiveness, consider the following key performance indicators. Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.

Percentage of phishing emails reported

How many phishing emails are being reported as a percentage of the total that are reaching user inboxes? This indicator shows how effective your phishing awareness training program is at driving employees to report phishing emails they receive. The higher the percentage, the stronger your network of human “sensors.”

Time-to-detect compromises

What is the duration of time between when an email-delivered payload is executed and when the compromise is discovered? This is an indication of your capability to quickly recognize attacks. Reducing this duration can significantly improve your chances of stopping a breach in progress and limiting the damage.

False positive and false negative rates

How many benign emails are being flagged as malicious? How many phishing emails land in user inboxes and go undetected or unreported? This indicates how well your tools and training programs are tuned to email-based threats targeting the organization. The lower the rates of false positives and false negatives, the higher the likelihood of detecting spear phishing threats before they lead to major security incidents.
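The Prevent and Detect KPIs defined in the two sections above are ratios whose denominators are easy to get wrong (click rate is over phish that was delivered, not over all phish sent; reporting rate is over what reached inboxes). The following Python is an added example, not code from the paper or from PhishLabs: it computes those KPIs from per-email records produced by a simulated campaign or post-incident review. The record layout, the field names and the eleven sample emails with their timestamps are constructed for illustration; an undiscovered compromise is counted separately rather than silently dropped from time-to-detect.

```python
"""Prevent- and Detect-phase KPIs computed from per-email records.
Added example; the record layout and sample data are constructed, not PhishLabs data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class EmailRecord:
    is_phish: bool                          # ground truth (post-hoc analysis or a simulated campaign)
    blocked: bool                           # stopped in-line (filter/sandbox) before reaching the inbox
    clicked: bool = False                   # recipient opened the link or attachment
    reported: bool = False                  # recipient reported it as suspicious
    alerted: bool = False                   # payload analysis / SIEM raised an alert on it
    executed_at: Optional[datetime] = None  # payload ran: start of the compromise
    detected_at: Optional[datetime] = None  # compromise recognised; None = still undetected


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage, or None when the denominator is empty (no data, which is not 0%)."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def prevent_kpis(records):
    phish = [r for r in records if r.is_phish]
    benign = [r for r in records if not r.is_phish]
    delivered_phish = [r for r in phish if not r.blocked]
    return {
        # share of phish that reached an inbox; by definition also the Prevent false-negative rate
        "pct_phish_delivered": pct(len(delivered_phish), len(phish)),
        # legitimate mail wrongly blocked in-line
        "false_positive_rate": pct(sum(r.blocked for r in benign), len(benign)),
        # click rate is measured only over phish that was actually delivered
        "click_rate": pct(sum(r.clicked for r in delivered_phish), len(delivered_phish)),
    }


def flagged(r: EmailRecord) -> bool:
    """A delivered email counts as detected if any sensor (human or tool) flagged it."""
    return r.reported or r.alerted or r.detected_at is not None


def detect_kpis(records):
    delivered = [r for r in records if not r.blocked]
    phish = [r for r in delivered if r.is_phish]
    benign = [r for r in delivered if not r.is_phish]
    compromises = [r for r in phish if r.executed_at is not None]
    hours = [(r.detected_at - r.executed_at).total_seconds() / 3600
             for r in compromises if r.detected_at is not None]
    return {
        "pct_phish_reported": pct(sum(r.reported for r in phish), len(phish)),
        # median is robust to one long-running undiscovered intrusion skewing the mean
        "median_time_to_detect_hours": round(median(hours), 1) if hours else None,
        # compromises with no detection yet are reported separately rather than dropped
        "undetected_compromises": sum(1 for r in compromises if r.detected_at is None),
        "false_positive_rate": pct(sum(flagged(r) for r in benign), len(benign)),
        "false_negative_rate": pct(sum(not flagged(r) for r in phish), len(phish)),
    }


# Constructed sample: one simulated campaign of eleven emails.
T0 = datetime(2015, 6, 1, 9, 0)
SAMPLE = [
    EmailRecord(is_phish=True, blocked=True),
    EmailRecord(is_phish=True, blocked=True),
    EmailRecord(is_phish=True, blocked=True),
    EmailRecord(is_phish=True, blocked=False, reported=True),
    EmailRecord(is_phish=True, blocked=False, clicked=True, alerted=True,
                executed_at=T0, detected_at=T0 + timedelta(hours=3)),
    EmailRecord(is_phish=True, blocked=False, clicked=True,
                executed_at=T0 + timedelta(days=1)),            # still undetected
    EmailRecord(is_phish=True, blocked=False),                  # ignored by the recipient
    EmailRecord(is_phish=False, blocked=False),
    EmailRecord(is_phish=False, blocked=False),
    EmailRecord(is_phish=False, blocked=True),                  # legitimate mail blocked
    EmailRecord(is_phish=False, blocked=False, reported=True),  # cautious user, benign mail
]

if __name__ == "__main__":
    print("Prevent:", prevent_kpis(SAMPLE))
    print("Detect: ", detect_kpis(SAMPLE))
```

On the sample, 4 of 7 phish reached inboxes (57.1 percent delivered), half of those were clicked, one in four was reported, the one detected compromise took three hours to find and one compromise is still open. Keeping `None` distinct from `0.0` matters when a period has no phish at all: reporting a 0 percent click rate for a month with nothing to click would be read as perfect performance.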


Phase 3: Analyze

Once an attack is detected, it needs to be analyzed to determine the best mitigation strategy. The objective of the Analyze phase is to quickly establish sufficient threat context to drive the appropriate next action. Detected attacks need to be triaged in near real-time to ensure that the threats that pose the most risk are prioritized for analysis. That analysis then needs to extract indicators of compromise (IOCs) and establish sufficient threat context rapidly to disrupt threats before critical systems and data are compromised.

Recommended Defenses

Analysis of spear phishing attacks and the tradecraft delivered requires a combination of human expertise, malware analysis tools, and threat intelligence systems. To rapidly triage spear phishing attacks, threat analysts need to be available 24/7. Malware analysis tools are required to dissect tradecraft delivered via phishing emails and extract indicators of compromise (IOCs) for attack mitigation. Threat analysts should also have access to threat intelligence systems with larger data collections of external attack events, campaigns, targets, and actors to establish more complete attack context and provide adequate situational awareness.

Sample Key Performance Indicators

To manage the Analyze phase and assess effectiveness, consider the following key performance indicators. Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.

Time-to-assess

Once detected, how long does it take to triage attacks and prioritize threat analysis? This indicates how quickly you identify the high-risk threats that require in-depth analysis prior to successful mitigation. Organizations with a low time-to-assess are able to consistently mitigate threats earlier in the attack process, which reduces the impact and cost of the security incidents.

Time-to-context

Once detected, how long does it take to develop sufficient threat context to effectively mitigate the attack? This is a measure of how long it takes to extract IOCs and provide intelligence on relevant techniques, tactics, and procedures (TTPs) to support complete mitigation of the threat. Lower time-to-context enables faster mitigation by incident responders and reduces the impact of security incidents.

Completeness of context

Does the analysis consistently include all of the information needed to effectively mitigate the threat? The analysis process should have a defined set of information requirements for attacks that warrant in-depth analysis to ensure that threat analysts provide incident responders with the necessary information. Deliverables from threat analysts should be compared to these information requirements to determine a quality rating for completeness of context.

Phase 4: Mitigate

Armed with IOCs and context, appropriate steps should be taken to eradicate the threat. The objective of the Mitigate phase is to disrupt the attack progress and completely remove the adversary’s presence within the environment. Further steps should also be taken to investigate and disrupt the adversary’s infrastructure outside of your environment, such as command and control systems. This infrastructure is most often located on legitimate systems that have been compromised by the adversary for use in attack campaigns. As such, they can often be shut down to further impact attack capabilities. Also, the infrastructure can be examined and monitored to source high value intelligence.

Recommended Defenses

In addition to intelligence from the Analyze phase, effective mitigation requires an incident response plan, incident responders, and the application of appropriate forensics tools. Organizations should have an incident response plan in place that has specific steps to address incidents that involve spear phishing, such as immediately working to identify all users exposed to the email as part of the initial scoping of the incident. Organizations should also ensure that they have adequate access to incident responders, either on staff or under a retainer agreement with an incident response firm. Intelligence from analyzing the tradecraft and associated threat context should be incorporated into network and host forensics tools to find all IOCs present within the environment. Many experienced incident responders prefer a “close all doors at once” tactic for removal instead of remediating systems as they are found. With this tactic, responders wait until all instances of adversary presence are discovered, and then remove all tradecraft and remediate all vulnerabilities in a single effort.

Sample Key Performance Indicators

To manage the Mitigate phase and assess effectiveness, consider the following key performance indicators. Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option. Note: Incident response is a mature security discipline with a wide range of KPIs recommended by standards organizations such as NIST, ISO/IEC, and others. The suggestions below reflect those frequently used in practice.

Time-to-containment

How long does it take to contain the threat and therefore prevent further compromise? A low time-to-containment limits the cost and overall impact of a security incident.

Time-to-removal

How long does it take to remove all instances of an adversary’s presence in the environment? With persistent adversaries, this can be difficult as they always seek to maintain a discreet foothold from which they can resume their attack once conditions return to normal.

Cost per incident

What is the average cost to the organization of experiencing and responding to this security incident? The cost of an incident is often a function of the scope, duration, and sophistication of the adversary. A lower cost per incident indicates improvement in containing and removing threats. There are many models available for assessing various hard and soft costs associated with a security incident. See CERT for examples: https://www.cert.org/incident-management/csirt-development/resources-incident-handling-cost-models.cfm.

Intelligence Flows

Key to making the above phases perform at a peak level is getting useful intelligence out of each phase and feeding it across the entire system. This improves each phase, in turn making the whole more effective at reducing the impact of spear phishing. At a minimum, a linear flow is needed to support phase dependencies. For example, the Analyze and Mitigate phases require information from the Detect phase. Mature organizations go further though, using intelligence from later phases to improve prevention and detection. As an example, information derived from analyzing phishing emails that reach user inboxes can be applied to email filtering and other preventative tools to block similar emails earlier in the attack process. This yields a much more efficient overall system.
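The Analyze-to-Prevent loop described above, as an added example that is not part of the paper or of any PhishLabs product: indicators extracted from an email a user reported (sender domain and link hosts) are fed into the blocklist the in-line filter consults, so later emails from the same campaign are stopped before delivery even when the subject, the sender mailbox or the link path changes. The email contents, the domains (all under the reserved .example TLD) and the function names are constructed for illustration; a blocklist is only the simplest of the "preventative tools" the text mentions, chosen here because it makes the flow visible in a few lines.

```python
"""Intelligence flow from the Analyze phase back into the Prevent phase.
Added example; the emails, domains and names below are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Email:
    sender: str
    subject: str
    body: str


@dataclass
class Blocklist:
    """Indicators the in-line filter consults; empty until analysis feeds it."""
    sender_domains: set = field(default_factory=set)
    url_hosts: set = field(default_factory=set)


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(address: str) -> str:
    """Domain part of an address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].lower()


def url_hosts(text: str) -> set:
    """Hostnames of every URL in the text; scheme, port, path and userinfo are dropped."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def extract_iocs(email: Email) -> dict:
    """Analyze phase: network indicators from an email a user reported."""
    return {"sender_domains": {sender_domain(email.sender)},
            "url_hosts": url_hosts(email.body)}


def prevent(email: Email, blocklist: Blocklist) -> str:
    """Prevent phase: in-line decision against indicators already known."""
    if sender_domain(email.sender) in blocklist.sender_domains:
        return "blocked:sender"
    if url_hosts(email.body) & blocklist.url_hosts:
        return "blocked:url"
    return "delivered"


def feed_back(iocs: dict, blocklist: Blocklist) -> None:
    """Intelligence flow: what Analyze learned becomes a Prevent rule."""
    blocklist.sender_domains |= iocs["sender_domains"]
    blocklist.url_hosts |= iocs["url_hosts"]


def run_scenario():
    """Three emails from one constructed campaign, processed in arrival order."""
    blocklist = Blocklist()
    first = Email("hr@payroll-notice.example", "Action required: payslip",
                  "Review your payslip at http://portal-verify.example/login by Friday.")
    # Same link host, new sender domain and a different path.
    second = Email("accounts@benefits-portal.example", "Benefits enrolment",
                   "Confirm here: http://portal-verify.example/enrol")
    # Same sender domain, no link at all.
    third = Email("it-helpdesk@payroll-notice.example", "Mailbox quota",
                  "Your mailbox is almost full; reply to keep it active.")
    outcomes = [prevent(first, blocklist)]         # nothing known yet: delivered
    if outcomes[0] == "delivered":                 # Detect phase: the recipient reports it
        feed_back(extract_iocs(first), blocklist)  # Analyze -> Prevent
    outcomes.append(prevent(second, blocklist))    # stopped on the link host
    outcomes.append(prevent(third, blocklist))     # stopped on the sender domain
    return outcomes, blocklist


if __name__ == "__main__":
    results, learned = run_scenario()
    print(results)
    print(sorted(learned.sender_domains), sorted(learned.url_hosts))
```

Without the feedback step every one of the three emails is "delivered" and each must be caught by a human sensor; with it, only the first needs a person. The same indicators can also be pushed into the Detect phase (retro-search of inboxes for the reported sender domain and host) to scope which other users were exposed, which is the first Mitigate step the paper recommends.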


Conclusion and Next Steps

Despite billions of dollars invested in security, spear phishing attacks are still very difficult to stop. Defenses operate in silos and are managed as point solutions, limiting their effectiveness at identifying and stopping advanced spear phishing. Additionally, organizations underestimate the human expertise required to quickly assess and counter the advanced attacks that circumvent automated defenses. Security leaders can improve this situation by adopting and applying the framework described in this paper. This framework helps leaders implement and manage a cohesive program that protects against spear phishing attacks systematically, as opposed to a range of uncoordinated, independent defenses. Using the framework, leaders can also identify resource gaps and make strategic plans to drive down their risk over time. As a starting point, security leaders should take the following steps:

1. Download a copy of the framework to use as a reference
2. Perform an inventory of defensive layers and KPIs
3. Use the framework to assess gaps


Related Resources

Webcast: A New Approach to Fighting Spear Phishing
Data Sheet: Spear Phishing Protection
Spear Phishing Defense Framework Reference Card

About PhishLabs

PhishLabs is the leading provider of 24/7 cybersecurity services that protect against the exploitation of people to compromise systems and steal data. PhishLabs combines proprietary technology, intelligence, and human expertise to rapidly detect, analyze, and stop targeted cyberattacks before they impact organizations. To learn more about PhishLabs, visit www.phishlabs.com.

PhishLabs Spear Phishing Protection is a 24/7/365 service that provides expert analysis and rapid mitigation of targeted phishing attacks. With Spear Phishing Protection, organizations can ensure that targeted attacks are countered before the compromise of intellectual property, critical systems, and other information assets. To learn more about Spear Phishing Protection, visit https://www.phishlabs.com/enterprise-security/spear-phishing-protection/.

Follow PhishLabs @phishlabs

www.linkedin.com/company/phishlabs google.com/+PhishlabsTeam

©2015 Copyright Ecrime Management Strategies, Inc. All rights reserved. PhishLabs and the PhishLabs logo are trademarks or registered trademarks of Ecrime Management Strategies, Inc. in the United States and in other countries. All other trademarks referenced are the property of their respective owners.