6/29/2015
11:30 AM
Mo Cashman
Partner Perspectives

Cyber Resilience And Spear Phishing

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are critical to defending your business from spear-phishing attacks.

Spear phishing continues to be the most successful means of gaining entry to an enterprise network and to valuable business or personal data. According to the latest Verizon Data Breach Investigations Report, two-thirds of all cyber-espionage-style incidents used phishing as the vector. According to a recent study by the Ponemon Institute, the costs of such a breach continue to increase, whether it is legal costs, loss of reputation, customer defections, or other direct and indirect effects.

For the digital enterprise, loss of sensitive data means loss of customer trust and is a threat to future growth. Combating this problem requires an integrated prevent, detect, and respond capability comprising user readiness, anti-malware sensors at the network and endpoints, and well-rehearsed detection and response security operations processes. Combining this capability into an effective security architecture increases speed of response and improves cyber resilience.

Phishing is a difficult threat to defend against because it uses multiple vectors and can take advantage of a user’s work or personal life, or a combination of both, to increase the chance of success. Spear phishing targeted at a specific department or individual is even more difficult because the attackers often build a target profile, based on public and social media information, to gain inside knowledge of work relationships or job functions. This enables them to craft campaigns that appear authentic to the targets, increasing the likelihood of getting that critical click-through.

Increasing user training to identify phishing attempts, respond appropriately, and report them to security operations is the critical first line of defense and greatly reduces the chance of exploitation. Current statistics say we need to do much better in this area. It only takes about 80 seconds from the time a user clicks on the bait in a spear-phishing email until data exfiltration begins, according to Verizon’s Data Breach Investigations Report.

Shoring Up Cyber Defenses

Many enterprises rely solely on their endpoint security tools to catch these attacks. However, given the level of sophistication we are seeing -- along with the human design of the attacks -- an enterprise must no longer view endpoint security as a commodity but rather as an essential component in cyberdefense. Combating malware delivered through phishing requires additional endpoint sensor capabilities that identify, prevent, and analyze unknown behaviors.

For example, application whitelisting on end-user devices stops advanced and zero-day attacks from infecting the system by preventing unauthorized code execution, protecting memory, and blocking attempts to exploit a whitelisted app before it gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls list and in the Australian Government Top 4 Mitigating Controls cybersecurity guidance. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks because of their adoption of the Top 4 mitigating controls.

Since email and the Web are the most common delivery vectors for advanced malware, gateway sensors integrated with threat intelligence and malware analysis capabilities are important to amplify the protection gained by user readiness and improved endpoint security. This integration of sensors, analytics, and intelligence increases the speed of decision at the point of attack. Additionally, gateway sensor integration with other layers of defense increases effectiveness. For example, when a user reports a phishing attempt or their endpoint security identifies a malicious file, promptly exchanging intelligence on indicators of attack enables defenses at the Internet boundary to block future attacks from getting through, possibly to a user who would have not recognized them as attacks. This step helps prevent attacks targeting groups of users such as finance users with credentials for key databases.

Finally, if some malware gets delivered and manages to exploit one or more devices, Security Operations provides the critical detection and response capability. Once the infection is validated, whether from a user report, sandbox analysis, or shared intelligence, the prepared incident response plan is executed.

Having prepared response actions significantly reduces the time to contain the attack. For example, one group would immediately search the gateway, email, and host logs to identify any other potentially affected systems. Another would analyze the file or link to expose the malicious behavior, the exfiltration method, and the targets. They would then determine whether the existing controls are sufficient to contain the attack and prevent exfiltration, or whether additional actions such as system or network quarantines are necessary. Increasingly, these workflows are being predefined and automated through integrations between sensors, analytics, and SIEM (security information and event management). A recent study showed that this kind of real-time SIEM shortens response to seconds or minutes, in step with modern attack timeframes.
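The scoping and containment steps described in the two paragraphs above (pushing indicators from a user report or endpoint alert out to the gateways, and searching gateway, email, and host logs for other affected systems) as a small automated playbook in Python. This is an added example, not code from the article or its author; the log formats, hostnames, addresses, and indicator values are all constructed for the example, and the block entries it emits are generic rather than any product's API.

```python
"""Added example (not from the article or its author): the scoping and
containment steps above, automated over constructed log lines. The indicator
values, hostnames, addresses and log formats are all made up for this example;
real gateway and endpoint products use their own schemas."""
import re

# Indicators from a validated phishing report (constructed values).
SHA = "a3f1" * 16  # placeholder 64-hex digest of the lure's payload
INDICATORS = {
    "sender_domain": "invoice-portal.example",
    "url": "http://invoice-portal.example/doc/view",
    "sha256": SHA,
}

# Constructed sample logs in key=value form: email gateway, web proxy, endpoint sensor.
EMAIL_LOG = """\
2015-06-22T09:01:12Z mail-gw from=billing@invoice-portal.example to=alice@corp.example subject="Invoice 4471" action=deliver
2015-06-22T09:01:40Z mail-gw from=billing@invoice-portal.example to=bob@corp.example subject="Invoice 4471" action=deliver
2015-06-22T09:02:05Z mail-gw from=news@vendor.example to=carol@corp.example subject="June news" action=deliver
"""
PROXY_LOG = """\
2015-06-22T09:03:10Z proxy src=10.1.4.21 host=WS-ALICE url=http://invoice-portal.example/doc/view status=200
2015-06-22T09:03:55Z proxy src=10.1.4.37 host=WS-BOB url=http://invoice-portal.example/doc/view status=200
2015-06-22T09:04:20Z proxy src=10.1.4.50 host=WS-CAROL url=http://vendor.example/news status=200
"""
HOST_LOG = f"""\
2015-06-22T09:03:14Z edr host=WS-ALICE event=file_create path=C:\\Users\\alice\\Downloads\\Invoice4471.exe sha256={SHA}
2015-06-22T09:03:59Z edr host=WS-BOB event=file_create path=C:\\Users\\bob\\Downloads\\Invoice4471.exe sha256={SHA}
2015-06-22T09:04:01Z edr host=WS-BOB event=process_start image=C:\\Users\\bob\\Downloads\\Invoice4471.exe sha256={SHA}
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def scope_incident(indicators, email_log, proxy_log, host_log):
    """Search all three sources for the indicators.

    Returns the users who received the lure and, per host, the evidence
    stages seen: url_visited, file_written, file_executed.
    """
    recipients = set()
    hosts = {}
    for line in email_log.splitlines():
        rec = parse(line)
        if rec.get("from", "").endswith("@" + indicators["sender_domain"]):
            recipients.add(rec["to"])
    for line in proxy_log.splitlines():
        rec = parse(line)
        if rec.get("url") == indicators["url"]:
            hosts.setdefault(rec["host"], set()).add("url_visited")
    for line in host_log.splitlines():
        rec = parse(line)
        if rec.get("sha256") == indicators["sha256"]:
            stage = "file_executed" if rec.get("event") == "process_start" else "file_written"
            hosts.setdefault(rec["host"], set()).add(stage)
    return recipients, hosts


def plan_response(recipients, hosts):
    """Decide containment: quarantine hosts that ran the payload, hand the
    rest to analysts, and list users to notify (they may have other devices)."""
    return {
        "quarantine": sorted(h for h, s in hosts.items() if "file_executed" in s),
        "investigate": sorted(h for h, s in hosts.items() if "file_executed" not in s),
        "notify_users": sorted(recipients),
    }


def gateway_blocklist(indicators):
    """Entries to push to the email and web gateways so the same lure is
    stopped before it reaches users who have not yet clicked."""
    return [
        ("mail", "sender_domain", indicators["sender_domain"]),
        ("web", "url", indicators["url"]),
        ("web", "sha256", indicators["sha256"]),
    ]


if __name__ == "__main__":
    recipients, hosts = scope_incident(INDICATORS, EMAIL_LOG, PROXY_LOG, HOST_LOG)
    for host, stages in sorted(hosts.items()):
        print(host, sorted(stages))
    print(plan_response(recipients, hosts))
    print(gateway_blocklist(INDICATORS))
```

The point of separating `scope_incident` from `plan_response` is the one the article makes: the evidence stage matters. A host that only fetched the lure URL gets an analyst, a host that executed the payload gets quarantined, and every recipient of the email is notified even when no host evidence exists yet, because a user may have opened it from a device the sensors do not cover.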

Executing the fundamentals consistently leads to an improved security posture. The SANS Institute's Critical Security Controls and Quick Wins are an excellent resource for security controls with real-world effectiveness. They focus on prioritizing what works and on processes that have demonstrated their effectiveness against the latest threats. Your security strategy should be reviewed to ensure it is effective against targeted attacks such as spear phishing.

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are the critical steps necessary to defend your business from spear-phishing attacks. Implementing these recommended solutions can increase your capability to prevent more attacks early and detect and contain infections faster, making your business more resilient.

Mo Cashman has over 15 years' experience designing, implementing and managing cyber security solutions for large government and enterprise customers globally. In his current role, Mo advises large customers in Government, Finance and Critical Infrastructure on security ...