
Spear phishing is one of the top threats plaguing enterprises today, often resulting in severe financial losses and theft of intellectual property. In high-profile cases, it can damage a company’s reputation and brands, resulting in executive firings and decreases in stock prices. Organizations seeking to protect themselves from these threats need to develop a full-spectrum defense to effectively combat these highly targeted attacks. A comprehensive approach couples employee education and testing with technology solutions tailored to detecting the specific characteristics of spear phishing.

1. The Most Insidious Attack

Of all the attack techniques that menace enterprises today, highly targeted spear phishing emails are probably the most insidious and the hardest to stop.

Email is such a common and trusted form of business communication that employees are extremely susceptible to spear phishing. In a recent study conducted by Vanson Bourne for Cloudmark, of those organizations that tested their employees’ responses to spear phishing attacks, more than nine out of ten (94%) admitted that some employees had failed recent tests.

Detection by conventional technical means is also problematic. Most cyberattacks can be identified based on known indicators of compromise (IOCs) such as domains associated with spammers and cybercriminals, email links to malicious or data gathering web sites, or attached files that contain previously discovered malware. But highly targeted spear phishing attacks are hand-crafted to be unrecognizable: they come from purpose-created domains, with unique personalized messages, and often with no tell-tale “known bad” attachments or previously seen “call to action” URLs.

Highly targeted spear phishing attacks have been the opening salvo used in many of the most devastating system compromises and data breaches ever observed, including the recent cyberheists at J.P. Morgan Chase, Target, Anthem, eBay and Sony.[1]

Yet there are ways to stop spear phishing attacks. These solutions build on threat intelligence and add innovative context analysis and behavioral learning technology that can identify dangerous emails—without relying on signatures, known indicators of compromise, or text seen in earlier phishing messages.

This paper describes how highly targeted spear phishing attacks work and why they are so hard to identify. It also provides an overview of new detection technology that can stop spear phishing before it reaches the inbox.

[1] “J.P. Morgan Hacked Because Malware Infects Employee PC,” KnowBe4 Security Awareness Training Blog, August 28, 2014; “Target Breach: Phishing Attack Implicated,” Dark Reading, February 13, 2014; “Anthem Breach: Phishing Attack Cited,” Bank Info Security, February 9, 2015; “What Data Breaches Teach Us About the Future of Malware,” PC World, June 9, 2014; “Sony Hackers Used Phishing Emails to Breach Company Networks,” TripWire, April 22, 2015

Intelligent Spear Phishing Protection: Stopping Highly Targeted Attacks

A TECHTARGET WHITE PAPER


2. How Highly Targeted Spear Phishing Attacks Work

Highly targeted spear phishing attacks typically start with a hacker crafting a unique email tailored to a specific individual or group in a targeted enterprise. The most common prey are members of the IT staff, the financial staff, salespeople, CEOs and other executives.

The email often includes personal information and usually appears to come from a trusted partner, vendor, colleague or authority figure. Because the email contains no indicators of compromise, it passes through the antispam, antivirus, and sandboxing detection layers of a conventional secure email gateway (SEG). This increases the chances that it will be opened by an unsuspecting employee.

After sidestepping conventional detection layers, the deceptive email uses social engineering techniques to manipulate the victim.

Typical approaches at this stage include:

• Credentials discovery: Fooling the victim into supplying credentials that the hacker can use to access systems and applications on the network, and eventually to steal credit card and bank account numbers, protected personal information about employees and customers, intellectual property, and other valuable information assets.

• Malware deployment: Inducing the victim to open an attachment that installs malware, or to go to a website where malware is downloaded to their computer or mobile device.

• Direct monetization via wire fraud: Convincing the victim to wire funds to a bank account controlled by the attacker. This type of attack is also known as a CEO spoof or a Business Email Compromise (BEC).

Tactics can include:

• Urgent requests: Providing direct, time-sensitive instructions and demanding an urgent response via email.

• Instructions to download software: Sending the employee to a compromised web site to download a file or app to be used for a business process.

• Impersonation: A communication pretending to be from the company’s CEO or CFO demanding that funds be wired to an overseas bank immediately.

Although the wire fraud ploy sounds easy to detect, it can be very successful with the right backstory. In one incident a series of emails appearing to come from a company CEO instructed the treasurer to wire $17 million to make a sensitive acquisition in China (where the company was, in fact, planning to expand). In another instance, members of a corporation’s finance department were deceived into transferring almost $47 million to accounts controlled by hackers.[2]

3. How Highly Targeted Spear Phishing Attacks Evade Conventional Defenses

How do highly targeted spear phishing attacks evade conventional front-line defenses against broader phishing attacks?

Generic phishing attacks that are sent indiscriminately to a large number of recipients can be filtered out by traditional email security solutions. These solutions can detect mass attacks by using techniques such as matching the source of emails against domains and IP addresses known to be used by spammers and cybercriminals, verifying authentication metadata, and checking email headers and text for previously seen phishing attack content.

[2] See “Impostors bilk Omaha’s Scoular Co. out of $17.2 million,” Omaha.com, and “Fraudsters duped this company into handing over $40 million,” Fortune

But hackers can bypass these defenses by composing unique emails, avoiding crude obfuscation tricks, and registering new domains for specific attacks. Purpose-registered domains can be configured with valid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) values in DNS, allowing them to pass metadata tests by the SEG.

Antivirus solutions can detect malware in attachments, either through signatures or by running suspect files in a “sandbox.” However, the perpetrators of targeted phishing attacks can avoid detection by creating unique versions of malware that fool signature-based defenses and are specially crafted to bypass sandboxing. They can also use attack methods that don’t require attachments.

User awareness training is a vital component of any cybersecurity program (Figure 1). However, it is clearly not a completely reliable defense against targeted phishing attacks. Careful hackers learn how to avoid obviously fake subject lines, impersonal greetings, faulty grammar and suspicious attachments.

In addition, many employees ignore awareness training; according to the Verizon 2015 Data Breach Investigations Report,[3] 23% of recipients open phishing emails and 11% click on attachments.

In the recent Vanson Bourne study of 300 companies in the UK and US, a study that focused solely on spear phishing, 44% of businesses said they considered employees as their biggest vulnerability in combatting spear phishing attacks.

The challenge to IT security groups can be stated this way: If the attacker goes to the trouble of designing a unique spear phishing email, and does not include any attachments that can be identified as malware, how can email protection programs recognize it?

Figure 1: Phishing awareness poster. Source: Umass Amherst Information Technology.

Published under Creative Commons License.

[3] “2015 Verizon Data Breach Investigations Report,” Verizon, 2015

4. Intelligent Spear Phishing Protection

Fortunately, there are solutions to this challenge. Comprehensive protection against the threat of spear phishing is possible with a three-part response

Part 1: Use context analysis and behavioral learning to detect unique but anomalous spear phishing emails

Arguably the most important advance in protecting against highly targeted phishing attacks is the use of context analysis and behavioral learning to identify emails that deviate from normal email paths and typical behaviors for the specific enterprise, or for specific groups within the enterprise.

Email traffic received by any enterprise falls into certain patterns, including patterns related to:

• Common sources (e.g., domains used by suppliers, customers and colleagues)

• Typical paths for message delivery through the Internet from particular sources

• Typical entry points into the corporate network

• Metadata in email headers

• Text and images in the body of emails

• Attachment types (or lack of attachments)

By observing email traffic for a period of time, an intelligent spear phishing protection solution can create virtual maps of normal email sources and paths for the enterprise (or subsets of the enterprise). It can also use advanced behavioral and technical learning techniques to create baselines of expected metadata, text strings, images, attachments and other variables.

When the initial observation period is complete, the solution can use the maps and the baselines to detect emails that deviate, even in subtle and previously unobservable ways, from the norms for that enterprise (or the subset).

For example, an email might be flagged if it:

• Contains sudden deviations in message formatting or metadata, for example a change in the client mail user agent, format, language, message salutation or signature.

• Appears to come from a supplier, but includes an attached file of a type never previously received from that source.

• Comes from a sender unknown to the recipient and contains social engineering language and influence tactics.

• Purports to come from the CEO, but with an email address and path different from those used by any previous messages from the CEO.

In other words, it will be detected if it is anomalous relative to other emails typically received by the recipient.

This is a radically different approach from that used by conventional defenses against spam and mass phishing attacks.
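The per-sender baseline and deviation checks described in Part 1, as an added illustration that is not Cloudmark's code: the sample history and the incoming messages are constructed, and the header fields (display name, address, last relay, mail client, attachment extension) are a simplified stand-in for the metadata a real solution would collect.

```python
# Added example (not from the white paper or Cloudmark). Builds a per-sender
# baseline from constructed historical traffic, then flags new messages that
# deviate in sender address, delivery path, mail client or attachment type.
from collections import defaultdict

# Constructed sample of past traffic: (display name, address, last relay, mail client, attachment ext)
HISTORY = [
    ("Jane Doe (CEO)", "jane.doe@example.com", "mx1.example.com", "Outlook/16.0", None),
    ("Jane Doe (CEO)", "jane.doe@example.com", "mx1.example.com", "Outlook/16.0", "pdf"),
    ("Jane Doe (CEO)", "jane.doe@example.com", "mx2.example.com", "Outlook/16.0", None),
    ("Acme Supplies", "billing@acme-supplies.example", "smtp.acme-supplies.example", "SAP Mailer", "pdf"),
    ("Acme Supplies", "billing@acme-supplies.example", "smtp.acme-supplies.example", "SAP Mailer", "pdf"),
]


def build_baseline(history):
    """For each display name, record every address, relay, client and attachment type seen."""
    base = defaultdict(lambda: {"address": set(), "relay": set(), "agent": set(), "ext": set()})
    for name, addr, relay, agent, ext in history:
        b = base[name]
        b["address"].add(addr)
        b["relay"].add(relay)
        b["agent"].add(agent)
        b["ext"].add(ext)
    return base


def score(baseline, msg):
    """Return the deviations of msg from its sender's baseline (empty list = looks normal).

    A display name never seen before is itself a finding; a message with no attachment is
    never flagged on attachment type, matching the 'lack of attachments' pattern in the text.
    """
    name, addr, relay, agent, ext = msg
    if name not in baseline:
        return ["sender unknown to the recipient"]
    b = baseline[name]
    findings = []
    if addr not in b["address"]:
        findings.append("address never used by this sender")
    if relay not in b["relay"]:
        findings.append("delivery path never seen for this sender")
    if agent not in b["agent"]:
        findings.append("mail client changed")
    if ext is not None and ext not in b["ext"]:
        findings.append(f"attachment type '{ext}' never received from this sender")
    return findings


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Purports to come from the CEO, but with a new address, path and client (constructed).
    spoof = ("Jane Doe (CEO)", "jane.doe@example-corp.net", "mail.example-corp.net", "Roundcube", None)
    print(score(baseline, spoof))
```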

Part 2: Employ email threat intelligence to identify attack infrastructure and target education to the users most at risk

Threat intelligence about spam and phishing, such as domains and IP addresses associated with attacks, helps to detect and deflect many spear phishing campaigns. Threat intelligence can also discourage hackers by forcing them to register new domains and set up new web servers for each new attack. This may not be a defense against all adversaries, but it will convince the less dedicated to look for easier targets.

Email threat intelligence on spear phishing can also contribute to user awareness training by helping IT departments target their education and support to the users who are most at risk, either because of their job role or due to the number of attacks they experience.

Part 3: Implement real-time spear phishing reporting to identify, display and monitor anomalous emails and high risk targets

New ways of viewing data in real time can improve the ability of security professionals and employees to see and act on spear phishing campaigns as they happen—and stop attacks in midstream.

Reporting tools can give security teams visibility into emails that carry malware and malicious links as well as emails that do not carry a payload. State of the art detection can also alert users when an email is suspected of being a spear phishing attack.

Task-focused dashboards and logging enable security professionals to monitor high-risk employees and spear phishing emails. Flagging emails as suspicious because of their content, path or anomalous characteristics can help employees think first before responding to potentially damaging messages.

5. Implementing Intelligent Spear Phishing Protection: Cloudmark Trident®

Cloudmark Trident® is the industry’s first comprehensive, intelligent spear phishing solution for real-time protection against spear phishing attacks.

Next-generation context analysis and behavioral learning

Cloudmark Trident complements existing email security solutions such as secure email gateways and host antivirus products, but goes far beyond them in its ability to detect unique spear phishing emails and provide a deeper level of protection against highly targeted attacks.

Cloudmark Trident uses innovative behavioral learning techniques to analyze real email traffic and create virtual maps of normal behaviors, as well as baselines of expected metadata, text strings, images, attachments and other variables for a specific enterprise.

It then uses these maps and baselines to detect emails that are anomalous relative to other emails collected by the recipient. This makes Cloudmark Trident the industry’s first comprehensive spear phishing solution capable of identifying dangerous emails without relying on attachments to analyze, or on known indicators of compromise or text seen in previous spear phishing messages.

Global threat intelligence

Cloudmark Trident leverages email threat intelligence from the Cloudmark Global Threat Network, a database with more than three million unique reporters and sensors on the Internet, data on 15 million unique IP addresses, and information about 1.4 billion spam emails daily. More than 12% of the world’s email passes through the Cloudmark network, making it the largest commercially available source of intelligence about the email threat landscape.

This up-to-the-minute threat intelligence helps Cloudmark Trident identify emails sent from suspicious domains and IP addresses, and links in emails to dangerous web sites. Besides helping block conventional phishing attacks, it forces hackers to create new infrastructure for every attack, which discourages all but the most obstinate.

Real-time reporting: Dashboards that monitor spear phishing attacks as they happen

Cloudmark Trident provides a spear phishing dashboard that administrators and analysts can use to monitor high risk areas and drill down to investigate spear phishing attacks. Security professionals can see which users are most at risk, and which are currently being attacked. These insights enable them to prioritize resources to most effectively anticipate, verify and block attacks as well as to alert users about suspicious emails.

Integration into existing email and security infrastructures

Cloudmark Trident complements existing email and security solutions. It can be configured to scan emails out of band, after they pass through a secure email gateway, and generate alerts when suspicious emails are detected. Alternately, it can be deployed inline, between the SEG and the mailbox server, where it can quarantine emails before they reach users.

Alerts can be sent to IT security and email administrators, to end users, and to security information and event management (SIEM) systems.

6. Summary: How to Stop Spear Phishing Attacks

Traditional security defenses that rely on known indicators of compromise were never designed to address spear phishing and have failed to adequately protect against the threat.

Attackers have learned to exploit those weaknesses. Attacks can be crafted to fool even the most alert users. Consequently, spear phishing attacks have succeeded in launching the most serious data breaches on record, leading to loss of employee productivity, damage to brands’ and companies’ reputations, executive firings, and decreases in stock prices.

Conventional phishing defenses need to be complemented by new solutions aimed specifically at detecting and stopping spear phishing in real time. These next generation tools use context analysis and behavioral learning to create virtual maps of normal email traffic and baselines of expected metadata, text strings, images, attachments and other variables for a specific enterprise. These virtual maps and baselines can then be used to detect emails that are anomalous relative to other emails collected by the recipient, providing a 360 degree barrier to spear phishing attacks.

For more information, or to see Cloudmark Trident® in action, visit Cloudmark.com

Figure 2: Cloudmark Trident’s reporting dashboard enables security professionals to monitor high-risk areas and see which users are being attacked.
