Spear phishing continues to be the most successful means of gaining entry to an enterprise network and to valuable business or personal data. According to the latest Verizon Data Breach Investigations Report, two-thirds of all cyber-espionage-style incidents used phishing as the vector. According to a recent study by the Ponemon Institute, the costs of such a breach continue to increase, whether it is legal costs, loss of reputation, customer defections, or other direct and indirect effects.
For the digital enterprise, loss of sensitive data means loss of customer trust and is a threat to future growth. Combating this problem requires an integrated prevent, detect, and respond capability comprising user readiness, anti-malware sensors at the network and endpoints, and well-rehearsed detection and response security operations processes. Combining this capability into an effective security architecture increases speed of response and improves cyber resilience.
Phishing is a difficult threat to defend against because it uses multiple vectors and can take advantage of a user’s work or personal life, or a combination of both, to increase the chance of success. Spear phishing targeted at a specific department or individual is even more difficult because the attackers often build a target profile, based on public and social media information, to gain inside knowledge of work relationships or job functions. This enables them to craft campaigns that appear authentic to the targets, increasing the likelihood of getting that critical click-through.
Increasing user training to identify phishing attempts, respond appropriately, and report them to security operations is the critical first line of defense and greatly reduces the chance of exploitation. Current statistics say we need to do much better in this area. It only takes about 80 seconds from the time a user clicks on the bait in a spear-phishing email until data exfiltration begins, according to Verizon’s Data Breach Investigations Report.
Shoring Up Cyber Defenses
Many enterprises rely solely on their endpoint security tools to catch these attacks. However, given the level of sophistication we are seeing -- along with the human design of the attacks -- an enterprise must no longer view endpoint security as a commodity but rather as an essential component in cyberdefense. Combating malware delivered through phishing requires additional endpoint sensor capabilities that identify, prevent, and analyze unknown behaviors.
For example, application whitelisting on end-user devices stops advanced and zero day attacks from infecting the system by preventing unauthorized code execution, protecting memory, and blocking attempts to exploit a whitelisted app before it gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls list and the Australian Government Top 4 Mitigating Controls cybersecurity guidance. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks because of their adoption of the Top 4 mitigating controls.
Since email and the Web are the most common delivery vectors for advanced malware, gateway sensors integrated with threat intelligence and malware analysis capabilities are important to amplify the protection gained by user readiness and improved endpoint security. This integration of sensors, analytics, and intelligence increases the speed of decision at the point of attack. Additionally, gateway sensor integration with other layers of defense increases effectiveness. For example, when a user reports a phishing attempt or their endpoint security identifies a malicious file, promptly exchanging intelligence on indicators of attack enables defenses at the Internet boundary to block future attacks from getting through, possibly to a user who would have not recognized them as attacks. This step helps prevent attacks targeting groups of users such as finance users with credentials for key databases.
Finally, if some malware gets delivered and manages to exploit one or more devices, Security Operations provides the critical detection and response capability. Once the infection is validated, whether from a user report, sandbox analysis, or shared intelligence, the prepared incident response plan is executed.
Having prepared response actions significantly reduces time to contain the attack. For example, one group would immediately search the gateway, email, and host logs to identify any other potentially affected systems. Another would analyze the file or link to expose the malicious behavior, exfiltration type, and targets. They would then determine if the existing controls are sufficient to contain the attack and prevent exfiltration, or whether additional actions such as system or network quarantines are necessary. Increasingly, these workflows are being predefined and automated through integrations between sensors, analytics, and SIEM (security information and event management). In a recent study, this real-time SIEM has been shown to shorten response to seconds or minutes, in pace with modern attack timeframes.
Executing the fundamentals consistently leads to an improved security posture. The SANS Institute’s Critical Security Controls and Quick Wins provide an excellent resource for security controls that provide real-world effectiveness. These tools focus on prioritizing what works and on processes that have demonstrated their effectiveness against the latest threats. Your security strategy should be reviewed to ensure effectiveness against targeted attacks such as spear phishing.
Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are the critical steps necessary to defend your business from spear-phishing attacks. Implementing these recommended solutions can increase your capability to prevent more attacks early and detect and contain infections faster, making your business more resilient.