There are multiple ways spear phishing attacks can be foiled. While it is best to stop the phishing emails from reaching your colleagues in the first place, stopping the attack at any point will “break the attack chain”. Good security technology, good security practice, and good security training are all helpful in stopping spear phishing.
Two members of a multi-national cyber-crime syndicate are targeting you and your organization. We will call them Vlad and Kim for the sake of this example. Kim is an ace programmer and has written a new ransomware variant. Vlad’s specialty is social engineering. They have gathered some information on some of your colleagues working in your organization: names, email addresses, and job titles. They want to infect your organization with ransomware and collect a ransom.
Here are three tactics they might try in order to infiltrate your organization, and how a different security control could stop each one:
Vlad sends emails directly to individuals with the malware attached, disguised as a PDF file. The file appears to be a free industry report from an organization in your industry. An email sent from one person to another is sometimes hard for a spam filter to catch, because it is easier to make a single email look legitimate than it is to make 1,000,000 emails look legitimate. Fortunately, most good spam filters have anti-virus and reputation technology that may flag the attachment or the sender it came from. If that fails, a good anti-malware agent on the client computer may also catch the attachment, especially if it has “sandboxing” technology, which executes a new attachment in an isolated cloud environment and reviews it for malware. Hopefully for your business, one of these technologies caught the attachment.
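One of the simplest checks a mail filter or endpoint agent performs on the “PDF that is not a PDF” case above is to compare what the attachment claims to be (its file extension and declared content type) with what its first bytes actually say. The following is an added illustration written for this article, not code from the original post or from any product it mentions; the message, sender addresses and attachment bytes are constructed samples, and the short signature table is deliberately minimal.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Well-known leading bytes ("magic numbers") for a few common formats.
# A production filter would use a full signature library; this table is deliberately small.
MAGIC = {
    b"%PDF-": "pdf",       # genuine PDF files begin with this header
    b"MZ": "exe",          # Windows PE executables and DLLs begin with "MZ"
    b"PK\x03\x04": "zip",  # ZIP containers, which also includes docx/xlsx
}

# What each declared extension should look like inside.
EXT_TO_KIND = {".pdf": "pdf", ".exe": "exe", ".zip": "zip", ".docx": "zip"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def build_sample_message() -> bytes:
    """Construct a sample email with one disguised and one genuine attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "vlad@sender.invalid"      # constructed address, .invalid TLD never resolves
    msg["To"] = "becky@yourcompany.invalid"  # constructed address
    msg["Subject"] = "Free industry report"
    msg.set_content("Please see the attached report.")

    # Constructed: a few bytes that look like a PE header, labelled as a PDF. Not a real program.
    disguised = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(disguised, maintype="application", subtype="pdf",
                       filename="Industry_Report.pdf")

    # Constructed: a minimal stand-in for a real PDF body.
    genuine = b"%PDF-1.4\n% constructed sample, not a complete document\n"
    msg.add_attachment(genuine, maintype="application", subtype="pdf",
                       filename="Real_Report.pdf")
    return msg.as_bytes()


def check_attachments(raw_message: bytes):
    """Inspect every attachment; return (filename, declared kind, actual kind, verdict) tuples."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        declared = EXT_TO_KIND.get(ext, "unknown")
        actual = sniff(part.get_payload(decode=True) or b"")
        if actual == "exe":
            verdict = "block"        # executable content is never acceptable as a "report"
        elif declared != actual:
            verdict = "mismatch"     # extension and content disagree: quarantine for review
        else:
            verdict = "ok"
        findings.append((name, declared, actual, verdict))
    return findings


if __name__ == "__main__":
    for finding in check_attachments(build_sample_message()):
        print(finding)
```

The verdict logic is ordered on purpose: executable content is blocked regardless of how it is labelled, and any other disagreement between extension and content is quarantined rather than delivered, because an extension is an attacker-controlled string while the leading bytes are what the operating system will actually act on.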
If the PDF file disguise failed, Kim embeds his ransomware in a web page script that exploits a browser vulnerability. Vlad adds the script to a web page designed to look like something legitimate, then sends your colleagues an email with a link to the site. One of your colleagues is interested in the subject of the email and does not read it carefully before clicking on the link. Fortunately, you keep an inventory of your organization’s computers and keep the browsers up to date, so that vulnerability is already closed.
Kim and Vlad are getting frustrated that their attempts are being thwarted, but Kim thinks he can break in directly if he has an account. Vlad builds a web page that looks like your web mail portal and presents it as a password change process. He sends it to your users in an email that looks like a helpdesk request, with instructions to reset their password. When your users get the emails, they remember some training you gave them a month ago. One user notices that Vlad used her formal name, Rebecca, instead of Becky, which seemed unusual, so she calls you about the email. The second person remembers that you repeatedly remind people to be suspicious of anyone or anything asking for their password, and that they have never received a request like this from IT before. The third person clicks on the link but sees that the web address does not end in your company’s “.com” but has a different suffix, so he gets suspicious. Thankfully, no one in your company is affected by this attempt either.
While the examples in this short story are simplistic for the sake of brevity, the point remains: there are many different ways a strong security program can help combat spear phishing and every other cyber threat. At CSB, we work with our customers to implement the Center for Internet Security’s 20 Critical Security Controls, a practical, prioritized list of 20 controls that can help an organization of any size improve its cyber security readiness.