Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
6/29/2015
11:30 AM
Mo Cashman
Mo Cashman
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Cyber Resilience And Spear Phishing

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are critical to defending your business from spear-phishing attacks.

Spear phishing continues to be the most successful means of gaining entry to an enterprise network and to valuable business or personal data. According to the latest Verizon Data Breach Investigations Report, two-thirds of all cyber-espionage-style incidents used phishing as the vector. According to a recent study by the Ponemon Institute, the costs of such a breach continue to increase, whether it is legal costs, loss of reputation, customer defections, or other direct and indirect effects.

For the digital enterprise, loss of sensitive data means loss of customer trust and is a threat to future growth. Combating this problem requires an integrated prevent, detect, and respond capability comprising user readiness, anti-malware sensors at the network and endpoints, and well-rehearsed detection and response security operations processes. Combining this capability into an effective security architecture increases speed of response and improves cyber resilience.

Phishing is a difficult threat to defend against because it uses multiple vectors and can take advantage of a user’s work or personal life, or a combination of both, to increase the chance of success. Spear phishing targeted at a specific department or individual is even more difficult because the attackers often build a target profile, based on public and social media information, to gain inside knowledge of work relationships or job functions. This enables them to craft campaigns that appear authentic to the targets, increasing the likelihood of getting that critical click-through.

Increasing user training to identify phishing attempts, respond appropriately, and report them to security operations is the critical first line of defense and greatly reduces the chance of exploitation. Current statistics say we need to do much better in this area. It only takes about 80 seconds from the time a user clicks on the bait in a spear-phishing email until data exfiltration begins, according to Verizon’s Data Breach Investigations Report.

Shoring Up Cyber Defenses

Many enterprises rely solely on their endpoint security tools to catch these attacks. However, given the level of sophistication we are seeing -- along with the human design of the attacks -- an enterprise must no longer view endpoint security as a commodity but rather as an essential component in cyberdefense. Combating malware delivered through phishing requires additional endpoint sensor capabilities that identify, prevent, and analyze unknown behaviors.

For example, application whitelisting on end-user devices stops advanced and zero day attacks from infecting the system by preventing unauthorized code execution, protecting memory, and blocking attempts to exploit a whitelisted app before it gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls list and the Australian Government Top 4 Mitigating Controls cybersecurity guidance. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks because of their adoption of the Top 4 mitigating controls.

Since email and the Web are the most common delivery vectors for advanced malware, gateway sensors integrated with threat intelligence and malware analysis capabilities are important to amplify the protection gained by user readiness and improved endpoint security. This integration of sensors, analytics, and intelligence increases the speed of decision at the point of attack. Additionally, gateway sensor integration with other layers of defense increases effectiveness. For example, when a user reports a phishing attempt or their endpoint security identifies a malicious file, promptly exchanging intelligence on indicators of attack enables defenses at the Internet boundary to block future attacks from getting through, possibly to a user who would have not recognized them as attacks. This step helps prevent attacks targeting groups of users such as finance users with credentials for key databases.

Finally, if some malware gets delivered and manages to exploit one or more devices, Security Operations provides the critical detection and response capability. Once the infection is validated, whether from a user report, sandbox analysis, or shared intelligence, the prepared incident response plan is executed.

Having prepared response actions significantly reduces time to contain the attack. For example, one group would immediately search the gateway, email, and host logs to identify any other potentially affected systems. Another would analyze the file or link to expose the malicious behavior, exfiltration type, and targets. They would then determine if the existing controls are sufficient to contain the attack and prevent exfiltration, or whether additional actions such as system or network quarantines are necessary. Increasingly, these workflows are being predefined and automated through integrations between sensors, analytics, and SIEM (security information and event management). In a recent study, this real-time SIEM has been shown to shorten response to seconds or minutes, in pace with modern attack timeframes.

Executing the fundamentals consistently leads to an improved security posture. The SANS Institute’s Critical Security Controls and Quick Wins provide an excellent resource for security controls that provide real-world effectiveness. These tools focus on prioritizing what works and on processes that have demonstrated their effectiveness against the latest threats. Your security strategy should be reviewed to ensure effectiveness against targeted attacks such as spear phishing.

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are the critical steps necessary to defend your business from spear-phishing attacks. Implementing these recommended solutions can increase your capability to prevent more attacks early and detect and contain infections faster, making your business more resilient.

Mo Cashman has over 15 years' experience designing, implementing and managing cyber security solutions for large government and enterprise customers globally. In his current role, Mo advises large customers in Government, Finance and Critical Infrastructure on security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.