SPEAR PHISHING – AN ENTRY POINT FOR APTS threattracksecurity.com ©2015 ThreatTrack, Inc. All rights reserved worldwide.

Post on 27-May-2020

INTRODUCTION

A number of industry and vendor studies support the fact that spear phishing is a primary means by which Advanced Persistent Threat (APT) attackers infiltrate target networks. In fact, one such report found 91% of the attacks they analyzed involved spear-phishing emails. Being able to detect and block emails delivering malicious content through email file attachments and external web links is critical in the fight against targeted advanced attacks.

WHAT IS SPEAR PHISHING?

Unlike broad phishing campaigns such as the Nigerian 419 scams, spear phishing is an email campaign targeted at specific persons or roles within specific organizations. It is the attempt to acquire sensitive information for malicious intent by masquerading as a trustworthy entity.

Phishing Ingredients:

Phishing emails typically contain the following attack mechanisms:

The Email

Email is the number one threat vector for all organizations. In a spear-phishing attack, a targeted recipient is lured to either download a seemingly harmless file attachment or to click a link to a malware- or exploit-laden site.

The File and/or Link

In a typical APT attack, the downloaded file (via the attachment or website) installs the malware and then accesses a malicious command-and-control (C&C) server to await further instructions from a remote user. It will also hide the malicious activity by opening a seemingly innocuous file when the malware runs.

Social Engineering

Spear-phishing attacks use familiarity as their first weapon. The attackers know something about you – your email address, your name – and use it to gain your confidence and to induce you (the target) to use the two mechanisms above. They may also try to gather additional important confidential information for further malicious activity by inducing you to reply to the email.

“94% of targeted emails use malicious file attachments”

HOW DOES THREATSECURE EMAIL ADDRESS SPEAR PHISHING?

The ThreatSecure Email solution was specifically designed to address attacks such as spear phishing that use email as their primary delivery mechanism. It has strong analysis capabilities to detect suspicious email through both static and behavioral analysis as well as a highly trained machine-learning engine. The product addresses all potential attack mechanisms of spear phishing:

Phishing Attack Mechanisms and ThreatSecure:

Malicious Links

ThreatSecure Email has a very extensive and current blacklist of malicious URLs. This list is derived from ThreatTrack’s own best-of-breed ThreatIQ threat data service used by many other large security vendors, which aggregates malware data continuously from its own products, its partners’ data, and other important malware information sites. This information is updated on the ThreatSecure appliance on a continuous basis and is used as a reputational score on every link within the email. If the link scores high, the email is usually quarantined.

Email Attachments

ThreatSecure Email is capable of scoring the risk of documents, executables and archived files using machine learning, static analysis using multiple sourced signatures, and behavioral analysis using the best-of-breed sandboxes.

Social Engineering

Most social engineering efforts involve a request in an email to open a document or visit a site, either one of which may contain some malware. In this case, the ThreatSecure product addresses these vectors using the techniques above.

POWERFUL ANALYTICS

In addition, the ThreatSecure Email console has a powerful analytics view that is designed explicitly to help identify the targets of attacks such as spear-phishing campaigns.

As an example, Figure 1 shows that the console has a graphical view of the “top ten targets”: the persons who have been most targeted with suspicious emails within a date range. This graph allows a security analyst to drill down into any target on the list and view the details of the emails involved. Evidence of persistent attacks can be uncovered using the view’s filters and timelines. Often, the data resulting from this analysis may also be used in other security systems such as a SIEM and IPS to block the sources of further attacks.

Figure 1: Powerful Analytics Show Targeted Individuals and Groups
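The two ideas described above, per-link reputation scoring with quarantine on a high score and a "top targets" ranking over a date range, can be sketched as follows. This is an added example, not ThreatSecure code and not part of the original paper; the reputation table, the threshold of 80, the function names and the sample messages are all constructed assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed reputation feed: host -> score (0 = unknown, 100 = known bad).
REPUTATION = {"login-portal.example": 95, "cdn.example": 10}
QUARANTINE_AT = 80  # assumed threshold for "scores high"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def url_score(url):
    """Highest score listed for the URL's host or any of its parent domains."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return 0
    labels = host.split(".")
    return max(REPUTATION.get(".".join(labels[i:]), 0) for i in range(len(labels)))

def message_score(msg):
    """Worst link score across every text/* part of a parsed message."""
    worst = 0
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            # URLs are ASCII, so a lossy decode is enough to find them.
            body = raw.decode("utf-8", "replace")
            worst = max([worst] + [url_score(u) for u in URL_RE.findall(body)])
    return worst

def top_targets(raw_messages, start, end, n=10):
    """Recipients ranked by quarantined messages dated within start..end."""
    hits = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = parsedate_to_datetime(msg["Date"]).date()  # assumes a valid Date header
        if start <= sent <= end and message_score(msg) >= QUARANTINE_AT:
            rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
            hits.update({addr.lower() for _, addr in rcpts})
    return hits.most_common(n)

def _mail(to, when, body):  # builds one constructed sample message
    return f"From: a@sender.example\nTo: {to}\nDate: {when}\nSubject: Invoice\n\n{body}\n"
SAMPLES = [  # constructed; not real traffic
    _mail("cfo@corp.example", "Mon, 02 Mar 2015 09:00:00 +0000", "See http://files.login-portal.example/inv.doc"),
    _mail("cfo@corp.example, hr@corp.example", "Tue, 03 Mar 2015 09:00:00 +0000", "https://login-portal.example/reset"),
    _mail("hr@corp.example", "Wed, 04 Mar 2015 09:00:00 +0000", "Logo: http://cdn.example/logo.png"),
    _mail("cfo@corp.example", "Mon, 06 Apr 2015 09:00:00 +0000", "http://login-portal.example/late"),
]
```

Matching on parent domains means a listed domain also covers its subdomains, and the per-recipient counts are the kind of data the paper suggests handing on to a SIEM.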

SUMMARY

Spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. These attacks will use vectors of attached files, links within the email, and social engineering traps. The ThreatSecure Email product is explicitly designed to:

1. Provide detection and prevention of all three of these mechanisms

2. Provide its customers with analytics tools to investigate in more detail the sources of these attacks

3. Use its inferred information with other security systems to inhibit and block further attacks from the same sources

To learn more about ThreatTrack Security call +1-855-885-5566 or visit www.ThreatTrackSecurity.com.

The information and content in this document is provided for informational purposes only and is provided “as is” with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. ThreatTrack Security, Inc. is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, ThreatTrack Security, Inc. makes no claim, promise or guarantee about the completeness, accuracy, relevancy or adequacy of information and is not responsible for misprints, out-of-date information, or errors. ThreatTrack Security, Inc. makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. All products mentioned are trademarks or registered trademarks of their respective companies.

ABOUT THREATTRACK SECURITY

ThreatTrack Security specializes in helping organizations identify and stop Advanced Persistent Threats (APTs), targeted attacks and other sophisticated malware designed to evade the traditional cyber defenses deployed by enterprises and government agencies around the world. With more than 300 employees worldwide and backed by Insight Venture Partners and Bessemer Venture Partners, the company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection.