
by David Geer

State-of-the-art spear phishing and defenses

Aug 11, 2014

Advanced Persistent Threats, Cybercrime, Data and Information Security

Likelihood, severity support paying upfront for that ounce of prevention

The number of phishing sites was up 10.7 percent as of Q1 this year (over last year), while at the same time almost 32.7 percent of PCs globally were infected with malware, including adware and spyware, indicating that phishing is an increasing issue for the enterprise, according to a report from the Anti-Phishing Working Group of the Internet Engineering Task Force.

It’s not hard to infer from this data and the recurring information breach headlines that the risks of these attacks are quickly climbing to the upper-right corner of the Risk Impact/Probability Chart.


Those familiar with this tool know that as the likelihood of the risk occurring and the severity of the risk when it does happen go up in unison, the risk becomes a critical risk.

To deal with the critical risk of today’s spear phishing maneuvers, let’s dissect the state-of-the-art in spear phishing then present technologies that work to shield the enterprise.

Spear phishing tactics today

“Attackers are getting smarter,” says Tom Gorup, Security Operations Center Manager, Rook Security. Instead of counting on online translation applications to write the contents of spear phishing emails in proper English, the attackers may actually be English. They are not making the spelling and grammatical errors as much as they used to.

Attackers have long used bogus lookalike domains that pose as the real one to briefly fool the human eye and trick employees into clicking on links in spear phishing emails. According to Gorup, attackers today use third-party providers to purchase and host those domain imposters, making it more difficult for enterprises that own the real domain to purchase the fake ones or take them down.

When an attacker buys and hosts such a domain through such a service, the service provider, not the attacker, is the domain owner of record. This protects the attacker against easy exposure via WHOIS lookups. “We have to go to the service provider and jump through hoops to purchase the domain from them,” says Gorup.

Attackers are also using website copiers such as HTTrack to clone sites, making it easier to pull together phishing email graphics and drive-by malware sites that look like the genuine site. “Attackers have spoofed PayPal emails that look like they came from PayPal,” says Gorup. The attackers made employees think that the emails came from someone who purchased their item on eBay.


Attackers are also making phishing email content increasingly tempting by making employees think a message is from upper management and requires their immediate response. Information about who management is and who employees are is widely available on the Internet on social media sites.

Anti-phishing points of defense

“The first point of defense is to block domain names similar to yours at the perimeter,” says Gorup. These domain names include any derived by replacing characters in the real domain with similar lettering. Try to be exhaustive in using as many similar lookalike domains as you can. “These types of domains can easily fool some of the most cautious users. This defense mechanism will help prevent users on your network from surfing to these sites,” says Gorup. 

There is an additional layer of protection available by blocking these types of sites in your email management system. The block shouldn’t be just for inbound emails from the domain, but if the domain is linked or mentioned in the email. “Preventing these emails from ever making it into your users’ inboxes is a sure way to help mitigate risk,” says Gorup. 
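The two controls above (block lookalike domains at the perimeter, then block the same domains in the mail system whether they appear as the sender, as a link, or as a bare mention) can be seeded from one list. The following is an added example written for this article, not code from Gorup or Rook Security: it derives single-substitution lookalike variants of your own domain (the substitution table is a constructed starter list and should be extended) and applies the resulting block list to a constructed message the way a mail gateway check would.

```python
import re
from urllib.parse import urlparse

# Visually confusable substitutions (constructed starter list, not exhaustive;
# extend it for the characters in your own domain and the fonts your users see).
LOOKALIKES = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "m": ["rn"],
    "rn": ["m"],
    "w": ["vv"],
    "vv": ["w"],
}


def lookalike_domains(domain):
    """Derive block-list candidates from `domain` by replacing one character
    (or digraph) with a look-alike. One substitution per candidate keeps the
    list reviewable; run it again over the output for two-step variants."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for src, repls in LOOKALIKES.items():
        start = name.find(src)
        while start != -1:
            for r in repls:
                cand = name[:start] + r + name[start + len(src):]
                if cand != name:
                    variants.add(f"{cand}.{tld}")
            start = name.find(src, start + 1)
    return variants


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
BARE_DOMAIN_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)


def blocked_match(host, blocked):
    """Return the block-list entry that `host` equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for entry in blocked:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def flag_message(sender, body, blocked):
    """Gateway-side check: the sender domain, every linked URL's host, and every
    bare domain mentioned in the body are tested against the block list.
    Returns the sorted block-list entries that were hit; empty means pass."""
    hits = set()
    candidates = [sender.rpartition("@")[2]]
    candidates += [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    candidates += BARE_DOMAIN_RE.findall(body)
    for host in candidates:
        entry = blocked_match(host, blocked)
        if entry:
            hits.add(entry)
    return sorted(hits)


# Constructed message resembling the "urgent request from management" lure.
CONSTRUCTED_BODY = (
    "Please approve the invoice at https://login.examp1e.com/invoice?id=42 "
    "before noon. If the link fails, reach the helpdesk via exarnple.com."
)

if __name__ == "__main__":
    blocked = lookalike_domains("example.com")
    print(sorted(blocked))
    print(flag_message("ceo@exarnple.com", CONSTRUCTED_BODY, blocked))
```

The suffix match in `blocked_match` is deliberate: a blocked base domain also catches subdomains such as `login.examp1e.com`, which is how cloned login pages are usually hosted. The generated list is a seed; the perimeter and mail-gateway entries should be reviewed before deployment so that a legitimate partner domain is not caught by accident.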

Enterprises should continue their research into sinkhole and botnet domains in order to update their blacklists. Maintaining blacklists and blocking user access to the sites on them is foundational to stopping known bad sites and the attacks that spread through them.

Joan Pepin, CISO, Sumo Logic, advises using web proxies to ensure users cannot get to blacklisted sites. “These must be transparent proxies or employees will simply adjust their browser settings to skip around the proxy. Make sure to route people through the web proxy,” says Pepin. The blacklist must be complete and the proxy software must be up to date.


While this will limit the enterprise’s exposure, the trouble with spear phishing is that attackers use payloads that no one has detected yet and sites that no one has blacklisted yet. “Attackers know that security researchers will reverse engineer the malware payload and write a signature for it. And because these criminal hackers are going after your enterprise and data in particular, they will craft something especially for you that they have not used on anyone else,” says Pepin. That staves off detection methods that are based on signatures.

Detection and response during an attack

For detection during an attack, know what the signs are. “If information security sees a dozen enterprise hosts reaching out to the same URL in a four hour time span, there may be a spear phishing email going around. You need to research the URL and look at trending data to see what is going on,” says Gorup.
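Gorup's sign (many internal hosts fetching the same URL within a four-hour span) is a fan-out check that can be run over web-proxy logs. The following is an added example, not code from the article or from Rook Security: it keeps a sliding four-hour window per URL, counts distinct client hosts, and raises an alert at a dozen, using constructed log lines in a simple `<time> <host> <url>` format that a real deployment would replace with its proxy's own format.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def fanout_alerts(log_lines, window=timedelta(hours=4), threshold=12):
    """Return one alert per URL that was fetched by at least `threshold`
    distinct internal hosts within any span of length `window`.

    Each log line is "<ISO-8601 time> <client host> <url>" (constructed format).
    Alerts are (url, window_start, window_end, distinct_hosts)."""
    by_url = defaultdict(list)
    for line in log_lines:
        ts, host, url = line.split(" ", 2)
        by_url[url].append((datetime.fromisoformat(ts), host))

    alerts = []
    for url, events in by_url.items():
        events.sort()
        in_window = defaultdict(int)  # host -> hits inside the current window
        left = 0
        for t, host in events:
            in_window[host] += 1
            # Slide the left edge forward so the window never exceeds `window`.
            while events[left][0] < t - window:
                old_host = events[left][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                left += 1
            if len(in_window) >= threshold:
                alerts.append((url, events[left][0], t, len(in_window)))
                break  # one alert per URL; it now needs analyst research
    return alerts


def constructed_proxy_log():
    """Constructed sample: 13 workstations hit one external URL within an
    hour, while three hosts visit the intranet hours apart as background."""
    lines = []
    burst_start = datetime(2014, 8, 11, 9, 0)
    for n in range(13):
        t = burst_start + timedelta(minutes=5 * n)
        lines.append(f"{t.isoformat()} wk{n + 1:02d}.corp.example http://examp1e.com/login")
    for n, hour in enumerate((0, 6, 12)):
        t = datetime(2014, 8, 11, hour, 0)
        lines.append(f"{t.isoformat()} wk{n + 1:02d}.corp.example http://intranet.corp.example/news")
    return lines


if __name__ == "__main__":
    for url, start, end, n in fanout_alerts(constructed_proxy_log()):
        print(f"ALERT: {n} hosts fetched {url} between {start} and {end}")
```

Counting distinct hosts rather than raw requests matters: one workstation polling a page every minute would otherwise trip the threshold on its own. The alert is a prompt for the URL research and trending review Gorup describes, not a verdict on its own.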

In most cases, an attack is there to exfiltrate data from the victim computer. A data-loss prevention (DLP) tool and appropriate labeling of metadata describing the confidentiality levels of the data will help determine when a high-risk attack is in play. These approaches are cost prohibitive for most organizations except perhaps smaller organizations. Some enterprises may consider DLP cost prohibitive due to the person-hours necessary to label the data with metadata, says Gorup.


“What we hope is that the IDS fires up and detects anomalous or specific activity when malware from a spear phishing attack installs,” says Pepin. When this happens, security should know to follow the logs and remediate the problem. Look at real-time log information, says Pepin: set up a console, pull up mail logs, DHCP logs, and other logs, and determine the path of entry and whether there is any lateral movement from that point.

When responding, don’t make changes to the affected host. Rather, take it off the network and leave the email intact on the host system in order to retrieve full headers for forensics.
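Once the intact message has been recovered from the isolated host, its full headers give the path of entry that Pepin's log review is looking for. The following is an added example, not code from the article or from Sumo Logic: it parses a constructed raw message with the standard library, lists the Received hops in delivery order, and flags the envelope and reply addresses whose domain differs from the displayed From domain. Only the Received lines written by your own mail servers can be trusted; anything the sending side prepended can be forged, so the chain is read from your edge server inward.

```python
import email
import re
from email.utils import parseaddr

# Constructed raw message, as it would be preserved on the host. The two
# Received lines were written by the corporate edge and store servers; the
# outer hop shows the relay that handed the message in (RFC 5737 test address).
CONSTRUCTED_EML = """\
Return-Path: <bounce@mail-relay.exarnple.net>
Received: from mx-edge.corp.example (mx-edge.corp.example [10.0.0.5])
  by mailstore.corp.example with ESMTP id C3D4; Mon, 11 Aug 2014 09:02:11 -0400
Received: from mail-relay.exarnple.net (unknown [198.51.100.23])
  by mx-edge.corp.example with ESMTP id A1B2; Mon, 11 Aug 2014 09:02:09 -0400
From: "CEO" <ceo@example.com>
Reply-To: ceo@exarnple.com
To: employee@corp.example
Subject: Urgent: wire approval needed today
Message-ID: <constructed-0001@mail-relay.exarnple.net>

Please approve the attached wire before noon.
"""

# "from <host> (<info>) by <host>" as written by most MTAs; tolerant of folding.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.S)


def received_chain(raw):
    """List the hops in delivery order (oldest first). Each server prepends
    its Received line, so header order is newest first and must be reversed."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append({"from": m.group(1), "from_info": m.group(2) or "", "by": m.group(3)})
    return hops


def sender_mismatches(raw):
    """Flag envelope (Return-Path) and Reply-To domains that differ from the
    From domain; a lookalike in either is a common spear phishing tell."""
    msg = email.message_from_string(raw)

    def domain(header):
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

    from_dom = domain("From")
    return [f"{h} domain {domain(h)} differs from From domain {from_dom}"
            for h in ("Return-Path", "Reply-To") if domain(h) and domain(h) != from_dom]


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(CONSTRUCTED_EML), 1):
        print(f"hop {i}: {hop['from']} ({hop['from_info']}) -> {hop['by']}")
    for finding in sender_mismatches(CONSTRUCTED_EML):
        print("finding:", finding)
```

The first hop's `from_info` is where the handing-in relay's IP address lives; that address, the Message-ID domain, and the mismatched Reply-To are the items to pivot on in the mail and DHCP logs when tracing which other hosts received the same message.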