Partner Perspectives  Connecting marketers to our tech communities.
11:30 AM
Mo Cashman
Mo Cashman
Partner Perspectives
Connect Directly

Cyber Resilience And Spear Phishing

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are critical to defending your business from spear-phishing attacks.

Spear phishing continues to be the most successful means of gaining entry to an enterprise network and to valuable business or personal data. According to the latest Verizon Data Breach Investigations Report, two-thirds of all cyber-espionage-style incidents used phishing as the vector. According to a recent study by the Ponemon Institute, the costs of such a breach continue to increase, whether it is legal costs, loss of reputation, customer defections, or other direct and indirect effects.

For the digital enterprise, loss of sensitive data means loss of customer trust and is a threat to future growth. Combating this problem requires an integrated prevent, detect, and respond capability comprising user readiness, anti-malware sensors at the network and endpoints, and well-rehearsed detection and response security operations processes. Combining this capability into an effective security architecture increases speed of response and improves cyber resilience.

Phishing is a difficult threat to defend against because it uses multiple vectors and can take advantage of a user’s work or personal life, or a combination of both, to increase the chance of success. Spear phishing targeted at a specific department or individual is even more difficult because the attackers often build a target profile, based on public and social media information, to gain inside knowledge of work relationships or job functions. This enables them to craft campaigns that appear authentic to the targets, increasing the likelihood of getting that critical click-through.

Increasing user training to identify phishing attempts, respond appropriately, and report them to security operations is the critical first line of defense and greatly reduces the chance of exploitation. Current statistics say we need to do much better in this area. It only takes about 80 seconds from the time a user clicks on the bait in a spear-phishing email until data exfiltration begins, according to Verizon’s Data Breach Investigations Report.

Shoring Up Cyber Defenses

Many enterprises rely solely on their endpoint security tools to catch these attacks. However, given the level of sophistication we are seeing -- along with the human design of the attacks -- an enterprise must no longer view endpoint security as a commodity but rather as an essential component in cyberdefense. Combating malware delivered through phishing requires additional endpoint sensor capabilities that identify, prevent, and analyze unknown behaviors.

For example, application whitelisting on end-user devices stops advanced and zero day attacks from infecting the system by preventing unauthorized code execution, protecting memory, and blocking attempts to exploit a whitelisted app before it gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls list and the Australian Government Top 4 Mitigating Controls cybersecurity guidance. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks because of their adoption of the Top 4 mitigating controls.

Since email and the Web are the most common delivery vectors for advanced malware, gateway sensors integrated with threat intelligence and malware analysis capabilities are important to amplify the protection gained by user readiness and improved endpoint security. This integration of sensors, analytics, and intelligence increases the speed of decision at the point of attack. Additionally, gateway sensor integration with other layers of defense increases effectiveness. For example, when a user reports a phishing attempt or their endpoint security identifies a malicious file, promptly exchanging intelligence on indicators of attack enables defenses at the Internet boundary to block future attacks from getting through, possibly to a user who would have not recognized them as attacks. This step helps prevent attacks targeting groups of users such as finance users with credentials for key databases.

Finally, if some malware gets delivered and manages to exploit one or more devices, Security Operations provides the critical detection and response capability. Once the infection is validated, whether from a user report, sandbox analysis, or shared intelligence, the prepared incident response plan is executed.

Having prepared response actions significantly reduces time to contain the attack. For example, one group would immediately search the gateway, email, and host logs to identify any other potentially affected systems. Another would analyze the file or link to expose the malicious behavior, exfiltration type, and targets. They would then determine if the existing controls are sufficient to contain the attack and prevent exfiltration, or whether additional actions such as system or network quarantines are necessary. Increasingly, these workflows are being predefined and automated through integrations between sensors, analytics, and SIEM (security information and event management). In a recent study, this real-time SIEM has been shown to shorten response to seconds or minutes, in pace with modern attack timeframes.

Executing the fundamentals consistently leads to an improved security posture. The SANS Institute’s Critical Security Controls and Quick Wins provide an excellent resource for security controls that provide real-world effectiveness. These tools focus on prioritizing what works and on processes that have demonstrated their effectiveness against the latest threats. Your security strategy should be reviewed to ensure effectiveness against targeted attacks such as spear phishing.

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are the critical steps necessary to defend your business from spear-phishing attacks. Implementing these recommended solutions can increase your capability to prevent more attacks early and detect and contain infections faster, making your business more resilient.

Mo Cashman has over 15 years' experience designing, implementing and managing cyber security solutions for large government and enterprise customers globally. In his current role, Mo advises large customers in Government, Finance and Critical Infrastructure on security ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.