Spear Phishing Attack Prevention
By Oyewumi Olatunji Kazeem
A paper presented on: How to prevent spear-phishing from being successful?
This paper considers both technological solutions that prevent access to systems by successful spear-phishing attacks and ways to limit the success of fraudsters, spies and criminals in obtaining target information via social engineering.
Phishing Overview
Throughout the centuries, identity theft has always been high on a criminal's agenda. By gaining access to someone else's personal data and impersonating them, a criminal may pursue a crime in near anonymity. In today's 21st century world, electronic identity theft has never been easier. The name on the (electronic) street is phishing: the process of tricking or socially engineering an organization's customers into imparting their confidential information for nefarious use. Riding on the back of mass mailings such as spam, or using bots to automatically target victims, any online business may find phishers masquerading as them and targeting their customer base. Phishing scams have been escalating in number and sophistication with every month that goes by. A phishing attack today targets audience sizes that range from mass-mailings to millions of e-mail addresses around the world, to highly targeted groups of customers that have been enumerated through security faults in small clicks-and-mortar retail websites. Using a multitude of attack vectors ranging from man-in-the-middle attacks and key loggers to complete re-creation of a corporate website, phishers can easily fool customers into submitting personal, financial and password data. With various experts extolling proprietary additions or collaborative improvements to core message delivery protocols such as SMTP, organizations may feel that they must wait for third-party fixes to become available before finding a solution to phishing. While the security failures within SMTP are indeed a popular exploit vector for phishers, there is an increasing array of communication channels available for malicious message delivery. As with most criminal enterprises, if there is sufficient money to be made through phishing, other message delivery avenues will be sought, even if the holes in SMTP are eventually closed (although this is unlikely to happen within the next 3-5 years).
Introduction
Phishing is a form of email deception used by a range of adversaries in an attempt to obtain sensitive information or cause disruption to an organization's business operations. Spear Phishing is a more targeted version of phishing where an adversary conducts online reconnaissance against an individual or organization in order to construct an email which appears to be of significant interest to those targeted. The email is designed to persuade the target individual to open a file attachment or click on a website link. In doing so, malicious software (or malware) is executed, designed to exploit and compromise the individual's IT device. Spear Phishing email attacks are persistent and often have a high success rate as they are able to bypass traditional security defences and exploit vulnerable software.
1.2. Phishing History
The word "phishing" originally comes from the analogy that early Internet criminals used e-mail lures to "phish" for passwords and financial data from a sea of Internet users. The use of "ph" in the terminology is partly lost in the annals of time, but is most likely linked to popular hacker naming conventions such as "phreaks", which traces back to early hackers who were involved in "phreaking"
UNDERSTANDING THE THREAT
Due to an organization's reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business network. Reliance on email and the internet brings vulnerabilities which must be recognized and addressed appropriately. The IT security community has assessed that Spear Phishing is a remarkably effective cyber-attack technique and its use to gain access to business systems is unlikely to decline in the near future. Phishing attacks rely upon a mix of technical deceit and social engineering practices. In the majority of cases, the phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. Communication channels such as e-mail, web pages, IRC and instant messaging services are popular. In all cases, the phisher must impersonate a trusted source (such as the helpdesk of their bank, an automated support response from their favorite online retailer, etc.) for the victim to believe. In 2007, the most successful phishing attacks continue to be initiated via e-mail, with the phisher impersonating the sending authority (such as spoofing the source e-mail address and embedding appropriate corporate logos within the e-mail). For example, the victim
would look to obtain when conducting a Spear Phishing attack; this information includes staff contact details, organization charts, job descriptions and technical information such as IP addresses, project names and software versions in use within an organization. To construct a successful Spear Phishing attack, an adversary requires a target email address. Using search engines, an adversary will look for online profiles which contain contact details of a target individual. If an email address is not within the contact information, an adversary may attempt to guess the address by trying a common format such as [email protected]. Adversaries will often send Spear Phishing emails to a range of plausible email addresses to determine a valid address. CPNI has published guidance, entitled Online Reconnaissance – How your internet profile can be used against you, which describes this scenario in further detail.
Construction and delivery of Spear Phishing emails
After conducting online reconnaissance, an adversary now has enough information to create a Spear Phishing email. The email will include all information discovered through the reconnaissance phase and contain an attachment or website link which is of interest to the target. The adversary will then attempt to alter the email to make it appear as if the message was sent from a trusted contact of the target individual. An email which appears to be from a trusted contact increases the likelihood of a successful compromise. Attachments contained within Spear Phishing emails will appear as a common file type such as .rtf or .pdf. The name will be of interest to the target, e.g. 'pay award.PDF'. When the attachment is opened, embedded malicious software is executed, designed to compromise the target's IT device.
Figure 1 - Top spear-phishing email attachment file types (Trend Micro 2012)
Links within Spear Phishing emails will direct a target individual to a website which, when accessed, will execute malicious software. A common method for an adversary to disguise a compromised website is to compress the address, so it is displayed in a shortened format such as http://tinyurl.com/companyx. Websites which are compromised appear authentic by having the same design and structure as legitimate websites. It is possible that a legitimate website could also be compromised further increasing the chance of a successful attack. When malicious software is successfully accessed via an attachment or website link, it will seek to exploit vulnerabilities in a target operating system or web browser. Figure 2 describes the stages in a Spear Phishing attack and how the adversary will look to exploit an organization’s network.
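The two link disguises described above (a shortener hiding the real destination, and a link whose visible text names a different site than its target) can be surfaced mechanically before a user ever clicks. The following is an added example written for this page, not code from the paper or from CPNI; the shortener list and the sample email body are assumptions.

```python
# Added example: flag disguised links in an HTML email body.
# The shortener list and SAMPLE_EMAIL below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co", "ow.ly"}  # assumed list

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")

def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return (href, reason) for each link that matches a disguise pattern."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host in SHORTENERS:
            findings.append((href, "shortened URL hides destination"))
        elif ("." in text or "://" in text) and host_of(text) != href_host:
            findings.append((href, f"visible text says {host_of(text)} but link goes to {href_host}"))
    return findings

# Constructed sample message body (not a real phishing email).
SAMPLE_EMAIL = """
<p>Please review the pay award at
<a href="http://tinyurl.com/companyx">the HR portal</a> or directly via
<a href="http://login-companyx.example.net/">https://hr.companyx.example.com/</a>.
Our public site is <a href="https://www.companyx.example.com/">companyx.example.com</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

The third link is not flagged because its visible text and target host agree; a gateway could quarantine or rewrite only the flagged links.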
Stages involved in a Spear Phishing attack
CPNI uses the Cyber Kill Chain developed by Lockheed Martin as a representation of the stages involved in an effective cyber-attack. For a Spear Phishing attack to be successful, the following stages are present:
Figure 2 - Spear Phishing stages
Successful Spear Phishing attacks can have significant implications for organisations. The more serious implications of becoming the target of a cyber-attack are listed below:
Theft of sensitive information: An adversary may steal commercially useful information such as trade secrets, merger and acquisition plans, engineering designs, software codes or details of research programs. This could result in the loss of competitive advantage and have significant financial consequences.
Sabotage: Once on a network, an adversary may seek to delete or alter data with the aim of disrupting business operations. Depending on the access level gained, they could make changes to company data, log files, configuration settings, and user passwords or alter code for applications running on the network.
Secondary use of compromised machines: An adversary can use a compromised machine to conduct attacks against other individuals or networks. This may involve sending Spear Phishing emails to contacts from a
These questions can help employees identify Spear Phishing emails. When training staff, it is important to make them aware of company policies regarding communications and security. Organizations can design their own training package to educate their staff on the threat posed by Spear Phishing using commercially available tools. In the training package, if a user does click on a link or open an attachment in a test email, they will be taken through to a training area that helps them gain a better understanding, making them less susceptible to attacks in the future. A number of anti-phishing tools are also available to alert users to phishing content contained within websites and emails. These tools offer an advanced level of protection above traditional IT security defenses.
Boundary defense: Malicious code generated from Phishing emails will exploit systems which can reach across the internet. To control the flow of traffic through network borders, organizations should use multi-layered boundary defenses such as firewalls, proxies, demilitarised (DMZ) perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic to look for any anomalies that may suggest malicious activity.
Controlled use of administrative privileges: Organizations should aim to minimize administrative privileges and only use administrative accounts where required. If a privileged user opens a malicious attachment or accesses a website with embedded malicious content, malware will be deployed to their IT system with the adversary assuming administrative privileges. With elevated rights, an adversary can install malware and establish a foothold within the network faster than with standard user access rights.
Continuous vulnerability assessment and remediation: Most Spear Phishing emails aim to exploit known vulnerabilities in software. It is therefore vital to ensure that all systems and software are up to date with the latest patches. Patches should be applied first to software that is most likely to be targeted by an adversary. It is important that all types of infrastructure are patched, including laptops, mobile devices, desktops, servers, switches and routers. This way, even if a compromised attachment or link is opened, the malware will not be executed.
Inbound email sandboxing:
Deploy a solution that checks the safety of an emailed link when a user clicks on it. This protects against a new phishing tactic that I've seen from cybercriminals. Bad guys send a brand new URL in an email to their targets to get through the organization's email security. The other tactic is when they inject malicious code into the website right after delivery of the email URL. This URL will get past any standard spam solution.
Real-time analysis and inspection of your web traffic:
First, stop malicious URLs from even getting to your users' corporate inboxes at your gateway. Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through a personal email account, like Gmail. In that case, your corporate email spear-phishing protection is unable to see the traffic. Bottom line: your web security gateway needs to be intelligent, analyze content in real time, and be 98 percent effective at stopping malware.
WAYS YOU CAN MODIFY EMPLOYEE BEHAVIOR
Pen-test your organization:
Employees are critical to your security success, spear-phishing defense and ability to prevent a data breach. Below are five ways you can turn them into security advocates.
One of the best ways people create new behaviors is by making a mistake and being corrected. It's time to put your black hat on. Select a group of folks from each major department and send them targeted spear-phishing emails using an outside email address. Use only information you can locate on their social media sites (Facebook, Twitter, LinkedIn, etc.). For example, you see they like a local sports team. Send them information about a local happy hour that supports the team. When they click on the link, inform them that they have been phished and communicate best practices in a positive way.
Change how your message is communicated:
Some people learn visually, others learn audibly and for many, it's a combination of both. Change how your security message is delivered to employees. Start with a monthly email, webinar and Intranet post. Switch it up with in-person trainings and videos. Using these different mediums will help your message resonate with more employees. Remember, you will need to communicate a message multiple times for it to stick.
Make security relevant to Stakeholders:
Just asking employees to watch out for suspicious-looking emails doesn't drive home the urgency of spear-phishing. Rip it from the headlines. When a large company makes headlines for a data breach, because an employee opened an infected email, immediately communicate how something like that could happen to your employee base. It's well-timed, newsworthy and will be on your executives' radar.
since anti-malware vendors address different threats at different times, using multiple scan engines will help detect new outbreaks much faster. It is important to distinguish between multi-scanning and simply using multiple antivirus engines. When using multi-scanning technology, performance is greatly enhanced and potential conflicts between different engines are avoided.
Sanitize Email Attachments
As a precautionary measure, it is highly recommended to change the format of incoming email attachments in order to remove any possible embedded threats that may go undetected by antivirus engines. Many spear phishing emails include malicious Word or PDF attachments. By changing the format of a Word document to PDF and vice versa, scripts and other possible threats are automatically removed.
Limit Email Attachment Types
By blocking potentially dangerous email attachment types such as .exe files and scripts, it is more difficult for malware to spread. It is also important to verify the attachment file type, so that .exe files that are renamed as .txt files do not get through the company’s filters.
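Verifying the real file type means looking at the leading bytes of the attachment rather than trusting its extension. The following is an added example written for this page, not the paper's own code or any vendor's ruleset; the signature table and blocklist are assumptions, and the sample attachments are constructed (a renamed executable header, not real malware).

```python
# Added example: check that an attachment's extension matches its content.
# Signatures and blocklist are illustrative assumptions, not a product ruleset.

BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "js", "vbs", "ps1", "bat", "cmd"}

# Magic numbers for the types the paper mentions plus executables.
SIGNATURES = {
    b"MZ": "exe",                 # Windows PE executable (DOS header)
    b"%PDF": "pdf",
    b"{\\rtf": "rtf",
    b"PK\x03\x04": "zip",         # also modern Office documents (.docx, .xlsx)
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office documents (.doc, .xls)
}

# Extension -> content type it should carry.
EXPECTED = {"pdf": "pdf", "rtf": "rtf", "docx": "zip", "xlsx": "zip",
            "doc": "ole", "xls": "ole"}

def sniff_type(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def declared_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def check_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (allowed, reason): block dangerous extensions, executable
    content under any name, and extension/content mismatches."""
    ext, kind = declared_extension(filename), sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension .{ext} is blocked by policy"
    if kind == "exe":
        return False, f"content is an executable despite .{ext} extension"
    if ext in EXPECTED and kind != EXPECTED[ext]:
        return False, f".{ext} attachment does not look like {EXPECTED[ext]} content"
    return True, f"{kind} content with .{ext} extension"

# Constructed sample attachments (not real files or malware).
SAMPLES = {
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to .txt
    "pay award.PDF": b"%PDF-1.4\n%...\n",        # genuine-looking PDF
    "invoice.docx": b"%PDF-1.4\n",               # PDF mislabelled as .docx
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, why = check_attachment(name, blob)
        print(f"{name:15} -> {'ALLOW' if ok else 'BLOCK'}: {why}")
```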
In addition to improving your email security measures, you must also make sure that your employees are aware of possible spear phishing attacks. A warned employee might be able to spot that something is out of the ordinary. Finally, if you make sure that your data is segregated and encrypted, even if the attackers get an employee to click on a malicious email attachment, data encryption, and segregation can ensure that your data is still safe, regardless of the intrusion.
By using Policy Patrol Security for Exchange, that includes Metascan’s powerful multi-scanning and data sanitization technologies, companies can significantly improve their protection against spear phishing attacks.
In conclusion, there is no straitjacket way of preventing Spear Phishing attacks, as the attack vector is not peculiar. Attackers adopt different ways of attacking, but all boil down to reconnaissance or social engineering of the attack target. As social engineering is the major way of attacking the target, human orientation and effective training on social engineering cannot be over-emphasized.