InfoSec Awareness: Spear-phishing

Spear-phishing is increasingly being used to penetrate systems as the preliminary stage of an Advanced Persistent Threat (APT) attack, to create a point of entry into the organisation. Employees are targeted with emails containing information personal to them. The unsuspecting employee opens an attachment within the email, or downloads a linked file, which executes and silently installs an APT on a network node within the enterprise.

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.

Recent findings indicate that 91% of APT attacks begin with spear-phishing emails, and that cyber-criminals are targeting mobile devices using personal data gleaned from social networks. Trust has eroded in the face of increased spear-phishing and other legitimate-appearing messages based on sophisticated social engineering. Reliable email security requires real-time threat analysis methods that coordinate with web, mobile and other defenses.

Attacks such as Flame [14], Zeus [15], Stuxnet [16] and Red October [17] were often delivered as the result of highly targeted spear-phishing messages sent to select individuals or groups. Many of these attacks have a long shelf life. By constructing new emails, cybercriminals can use the same malware repeatedly for several years with only minor changes.

How can CISOs handle this?

Employee or user education and continuous programs on Infosec awareness would go a long way in building defences against social engineering, phishing and spoofing attacks. A formalised BYOD policy or guidelines, together with well-circulated do’s and don’ts for all users on the network, would support these efforts.