intelligent spear phishing protection: stopping highly ... intelligent spear phishing protection...

Download Intelligent Spear Phishing Protection: Stopping Highly ... Intelligent Spear Phishing Protection Fortunately,

Post on 27-May-2020




0 download

Embed Size (px)


  • Spear phishing is one of the top threats plaguing enterprises today, often resulting in severe financial losses and theft of intellectual property. In high-profile cases, it can damage a company’s reputation and brands, resulting in executive firings and decreases in stock prices. Organizations seeking to protect themselves from these threats need to develop a full-spectrum defense to effectively combat these highly targeted attacks. A comprehensive approach couples employee education and testing with technology solutions tailored to detecting the specific characteristics of spear phishing.

    1. The Most Insidious Attack

    Of all the attack techniques that menace enterprises today, highly targeted spear phishing emails are probably the most insidious and the hardest to stop.

    Email is such a common and trusted form of business communication that employees are extremely susceptible to spear phishing. In a recent study conducted by Vanson Bourne for Cloudmark, of those organizations that tested their employees’ responses to spear phishing attacks, more than nine out of ten (94%) admitted that some employees had failed recent tests.

    Detection by conventional technical means is also problematic. Most cyberattacks can be identified based on known indicators of compromise (IOCs) such as domains associated with spammers and cybercriminals, email links to malicious or data gathering web sites, or attached files that contain previously discovered malware. But highly targeted spear phishing attacks are hand-crafted to be unrecognizable: they come from purpose-created domains, with unique personalized messages, and often with no tell-tale “known bad” attachments or previously seen “call to action” URLs.

    Highly targeted spear phishing attacks have been the opening salvo used in many of the most devastating system compromises and data breaches ever observed, including the recent cyberheists at J.P. Morgan Chase, Target, Anthem, eBay and Sony.1

    Yet there are ways to stop spear phishing attacks. These solutions build on threat intelligence and add innovative context analysis and behavioral learning technology that can identify dangerous emails—without relying on signatures, known indicators of compromise, or text seen in earlier phishing messages.

    This paper describes how highly targeted spear phishing attacks work and why they are so hard to identify. It also provides an overview of new detection technology that can stop spear phishing before it reaches the inbox.

    1 “J.P. Morgan Hacked Because Malware Infects Employee PC,” KnowBe4 Security Awareness Training Blog, August 28, 2014; “Target Breach: Phishing Attack Implicated,” Dark Reading, February 13, 2014; “Anthem Breach: Phishing Attack Cited,” Bank Info Security, February 9, 2015; “What Data Breaches Teach Us About the Future of Malware,” PC World, June 9, 2014; “Sony Hackers Used Phishing Emails to Breach Company Networks,” TripWire, April 22, 2015

    Intelligent Spear Phishing Protection: Stopping Highly Targeted Attacks


  • 2. How Highly Targeted Spear Phishing Attacks Work

    Highly targeted spear phishing attacks typically start with a hacker crafting a unique email tailored to a specific individual or group in a targeted enterprise. The most common prey are members of the IT staff, the financial staff, salespeople, CEOs and other executives.

    The email often includes personal information and usually appears to come from a trusted partner, vendor, colleague or authority figure. Because the email contains no indicators of compromise, it passes through the antispam, antivirus, and sandboxing detection layers of a conventional secure email gateways (SEG). This increases the chances that it will be opened by an unsuspecting employee.

    After sidestepping conventional detection layers, the deceptive email uses social engineering techniques to manipulate the victim.

    Typical approaches at this stage include:

    • Credentials discovery: Fooling the victim into supplying credentials that the hacker can use to access systems and applications on the network, and eventually to steal credit card and bank account numbers, protected personal information about employees and customers, intellectual property, and other valuable information assets.

    • Malware deployment: Inducing the victim to open an attachment that installs malware, or to go to a website where malware is downloaded to their computer or mobile device.

    • Direct monetization via wire fraud: Convincing the victim to wire funds to a bank account controlled by the attacker. This type of attack is also known as a CEO spoof or a Business Email Compromise (BEC).

    Tactics can include:

    • Urgent requests: Providing direct, time-sensitive instructions and demanding an urgent response via email.

    • Instructions to download software: Sending the employee to a compromised web site to download a file or app to be used for a business process.

    • Impersonation: A communication pretending to be from the company’s CEO or CFO demanding that funds be wired to an overseas bank immediately.

    Although the wire fraud ploy sounds easy to detect, it can be very successful with the right backstory. In one incident a series of emails appearing to come from a company CEO instructed the treasurer to wire $17 million to make a sensitive acquisition in China (where the company was, in fact, planning to expand). In another instance, members of a corporation’s finance department were deceived into transferring almost $47 million to accounts controlled by hackers.

    3. How Highly Targeted Spear Phishing Attacks Evade Conventional Defenses

    How do highly targeted spear phishing attacks evade conventional front-line defenses against broader phishing attacks?

    Generic phishing attacks that are sent indiscriminately to a large number of recipients can be filtered out by traditional email security solutions. These solutions can detect mass attacks by using techniques such as matching the source of emails against domains and


    2 See “Impostors bilk Omaha’s Scoular Co. out of $17.2 million,”, and “Fraudsters duped this company into handing over $40 million,” Fortune

  • IP addresses known to be used by spammers and cybercriminals, verifying authentication metadata, and checking email headers and text for previously seen phishing attack content.

    But hackers can bypass these defenses by composing unique emails, avoiding crude obfuscation tricks, and registering new domains for specific attacks. Purpose- registered domains can be configured with valid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) values in DNS, allowing them to pass metadata tests by the SEG.

    Antivirus solutions can detect malware in attachments, either through signatures or by running suspect files in a “sandbox.” However, the perpetrators of targeted phishing attacks can avoid detection by creating unique versions of malware that fool signature-based defenses and are specially crafted to bypass sandboxing. They can also use attack methods that don’t require attachments.

    User awareness training is a vital component of any cybersecurity program (Figure 1). However, it is clearly not a completely reliable defense against targeted phishing attacks. Careful hackers learn how to avoid obviously fake subject lines, impersonal greetings, faulty grammar and suspicious attachments.

    In addition, many employees ignore awareness training; according to the Verizon 2015 Data Breach Investigations Report, 23% of recipients open phishing emails and 11% click on attachments.

    In the recent Vanson Bourne study of 300 companies in the UK and US, a study that focused solely on spear phishing, 44% of busi- nesses said they considered employees as their biggest vulnerability in combatting spear phishing attacks.

    The challenge to IT security groups can be stated this way: If the attacker goes to the trouble of designing a unique spear phishing email, and does not include any attachments that can be identified as malware, how can email protection programs recognize it?


    Figure 1: Phishing awareness poster. Source: Umass Amherst Information Technology.

    Published under Creative Commons License.

    3 “2015 Verizon Data Breach Investigations Report,” Verizon, 2015

  • 4. Intelligent Spear Phishing Protection

    Fortunately, there are solutions to this challenge. Comprehensive protection against the threat of spear phishing is possible with a three-part response

    Part 1: Use context analysis and behavioral learning to detect unique but anomalous spear phishing emails Arguably the most important advance in protecting against highly targeted phishing attacks is the use of context analysis and behavioral learning to identify emails that deviate from normal email paths and


View more >