To help security leaders strategically manage their defensive posture, we have created a framework that spans relevant security layers from the start of an attack to its resolution. When applied, this framework helps organizations:
- Align security layers from end-to-end,
- Assess which security layers are working and which are not,
- Focus on performance metrics that matter,
- Drive resource allocation and investment in the areas that yield the highest risk reduction,
- Reduce the frequency of security incidents and prevent major data breaches.
The framework consists of four critical phases supported by robust intelligence flows.
In this post, we recommend defenses and key performance indicators for Phase 2: Detect.
Phase 2: Detect
While desirable, blocking all threats in the Prevent phase is not achievable. Inevitably, a portion of email-based attacks will exhibit characteristics too similar to legitimate business activity to block or quarantine them prior to delivery into user inboxes. The objective of the Detect phase is to see these attacks that reach user inboxes and recognize them as a potential threat.
Several security measures that support the Prevent phase can also be applied to the Detect phase. Payload analysis tools, for example, can raise alerts for potential threats where confidence that the activity is truly malicious is not high enough to warrant blocking the email. More mature phishing awareness training programs that drive employees to report suspicious emails, and give them streamlined ways to do so, also support the detection of spear phishing emails.
After a user’s endpoint has been compromised via spear phishing, Security Information and Event Management (SIEM) and Network Traffic Analysis tools can be used to spot suspicious events and trigger investigation into potential threats. Many other network security layers can also provide detection value after the initial compromise, as the adversary moves laterally within the network in pursuit of their objective. Detection via these tools often depends on the adversary taking actions that exceed thresholds of normal behavior within the network, or that are easily recognizable indications of compromise (such as connection attempts to known command and control servers).
Sample Key Performance Indicators
To manage the Detect phase and assess effectiveness, consider the following key performance indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.
Percentage of phishing emails reported
How many phishing emails are being reported as a percentage of the total that are reaching user inboxes? This indicator shows how effective your phishing awareness training program is at driving employees to report phishing emails they receive. The higher the percentage, the stronger your network of human “sensors.”
Time between payload execution and discovery
What is the duration of time between when an email-delivered payload is executed and when the compromise is discovered? This is an indication of your capability to quickly recognize attacks. Reducing this duration can significantly improve your chances of stopping a breach in progress and limiting the damage.
False positive and false negative rates
How many benign emails are being flagged as malicious? How many phishing emails land in user inboxes and go undetected or unreported? This indicates how well your tools and training programs are tuned to email-based threats targeting the organization. The lower the rates of false positives and false negatives, the higher the likelihood of detecting spear phishing threats before they lead to major security incidents.
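The three KPIs above are easiest to keep honest when they are computed the same way every reporting period from a record of each email's outcome. The script below is an added example, not part of the original post or of PhishLabs' tooling: it defines a small constructed record format (the field names are assumptions) and computes reported-percentage, time-to-detection and false positive / false negative rates over a constructed batch of ten emails. Only emails that actually reached an inbox count toward the denominators, matching the definitions in the text; a benign email that a tool flagged or a user reported is treated as a false positive, and a delivered phishing email that was neither flagged nor reported at the email layer is a false negative even if a SIEM caught the compromise later.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class EmailRecord:
    """One delivered-or-blocked email with its triage outcome (constructed schema)."""
    msg_id: str
    is_phish: bool                  # ground truth from post-incident triage
    delivered: bool                 # False = blocked/quarantined in the Prevent phase
    tool_flagged: bool              # payload analysis / mail gateway raised an alert
    user_reported: bool             # an employee reported it via the phishing button
    executed_at: Optional[datetime] = None   # payload ran on an endpoint, if it did
    discovered_at: Optional[datetime] = None  # compromise discovered (any layer)


def pct_reported(records):
    """KPI 1: phishing emails reported, as a percentage of those reaching inboxes."""
    inbox_phish = [r for r in records if r.is_phish and r.delivered]
    if not inbox_phish:
        return 0.0
    return 100.0 * sum(r.user_reported for r in inbox_phish) / len(inbox_phish)


def time_to_detect_hours(records):
    """KPI 2: hours from payload execution to discovery, for compromised endpoints."""
    durations = [
        (r.discovered_at - r.executed_at).total_seconds() / 3600.0
        for r in records
        if r.executed_at is not None and r.discovered_at is not None
    ]
    if not durations:
        return None
    return {"n": len(durations), "median": median(durations), "max": max(durations)}


def error_rates(records):
    """KPI 3: false positive and false negative rates among delivered emails."""
    delivered = [r for r in records if r.delivered]
    benign = [r for r in delivered if not r.is_phish]
    phish = [r for r in delivered if r.is_phish]
    # Benign mail that consumed analyst time because a tool or a user flagged it.
    false_pos = sum(r.tool_flagged or r.user_reported for r in benign)
    # Phishing mail that sat in an inbox with no alert and no report.
    false_neg = sum((not r.tool_flagged) and (not r.user_reported) for r in phish)
    return {
        "fp_rate": 100.0 * false_pos / len(benign) if benign else 0.0,
        "fn_rate": 100.0 * false_neg / len(phish) if phish else 0.0,
        "false_positives": false_pos,
        "false_negatives": false_neg,
    }


# Constructed sample batch: five delivered phish, one blocked phish, four benign.
T = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    EmailRecord("m01", True, True, True, True),
    EmailRecord("m02", True, True, False, True,              # reported 45 min after opening
                executed_at=T, discovered_at=T.replace(hour=9, minute=45)),
    EmailRecord("m03", True, True, False, False,             # missed at email layer, SIEM found it a day later
                executed_at=T.replace(hour=10), discovered_at=datetime(2024, 1, 16, 10, 0)),
    EmailRecord("m04", True, True, True, False),
    EmailRecord("m05", True, True, False, False),            # still undetected
    EmailRecord("m06", True, False, True, False),            # blocked in Prevent, excluded
    EmailRecord("m07", False, True, True, False),            # benign, tool alert = FP
    EmailRecord("m08", False, True, False, True),            # benign, user report = FP
    EmailRecord("m09", False, True, False, False),
    EmailRecord("m10", False, True, False, False),
]


if __name__ == "__main__":
    print(f"Reported: {pct_reported(SAMPLE):.1f}% of phish reaching inboxes")
    print("Time to detect (h):", time_to_detect_hours(SAMPLE))
    print("Error rates:", error_rates(SAMPLE))
```

Running the script on the constructed batch gives 40% of inbox phish reported, a median of 12.4 hours from execution to discovery (driven by the one SIEM-caught host), a 50% false positive rate and a 40% false negative rate at the email layer. Feeding it the same records from a simulated phishing exercise, as the text suggests, is a quick way to baseline the KPIs before real incident data accumulates.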
Up next in this blog series is “Analyzing Spear Phishing Attacks”.
The full framework with recommended defenses and example KPIs can be downloaded at http://info.phishlabs.com/the-cisos-guide-to-spear-phishing-defense. A 1-page reference card is also available at http://info.phishlabs.com/hubfs/White_Papers/Spear_Phishing_Defense_Framework.pdf