Recent Posts

Recent Blog Posts

The PhishLabs Blog

Introducing the Defensive Framework for Spear Phishing

Posted by Stacy Shelley on Sep 24, '15

Spear phishing is the preferred attack method for advanced threat actors. Well-crafted spear phishing attacks easily slip past layers of defenses and target the only vulnerability that cannot be patched – people. The vast majority of headline data breaches in recent years have all begun with spear phishing attacks.  If your organization has intellectual property, customer data, or critical systems that are valuable, your employees are being targeted with spear phishing emails.

Employees are not just being targeted, they’re also being successfully exploited at an alarming rate. Spear phishing emails are exceedingly effective. On average, employees open links or attachments in one out of every five spear phishing emails. This means that a well-crafted spear phishing campaign targeting at least five employees will almost always result in a compromised user. 

Spear phishing is not a new security problem. So why is spear phishing still one of the most effective cyber-attack methods? To answer that question, consider the defenses that are often in place to protect against spear phishing attacks:

Email and Web Filtering

Nearly every organization has technology in place to scrub spam and other high-volume email threats out of incoming email traffic. Solutions range from basic filtering from email service providers to anti-spam modules in network security appliances to dedicated email and web security gateways. Using signatures and varying degrees of heuristic analysis, these security tools are efficient at blocking spam and other widespread, high-volume malicious content delivered via email.

Payload Analysis (Advanced Malware Protection)

Many organizations have placed payload analysis appliances in their networks to detect malicious code delivered via spear phishing emails. These systems operate in-line and use specialized sandboxing environments to execute attachments and links in order to detect malicious behavior. Content that exhibits suspicious behavior can be alerted on, quarantined, or blocked. These tools are effective at spotting customized malware, with the notable exception of malware equipped with anti-sandboxing techniques. 

Phishing Awareness Training

Inevitably, some spear phishing emails will make it through perimeter cyber defenses and land in the inboxes of employees. To get the recipient to open a malicious link or attachment, the email must be enticing enough to overcome the recipient’s wariness. Awareness training increases the wariness of your employee population and can increase behaviors that make them less susceptible to phishing attacks, such as not opening unexpected attachments and confirming authenticity for urgent requests. Phishing awareness training is essential to reducing incidents. However, no amount of security awareness training can eliminate human error. 

Security Information and Event Management (SIEM)

Spear phishing is used to gain an initial foothold within a targeted organization. From the initial compromised system (patient zero), advanced adversaries attempt to expand their presence and move laterally through the network in pursuit of their objective. Using SIEM tools, security analysts can monitor massive volumes of event and log data from network security devices, servers, and hosts. Filtering and correlation rules process this “haystack” of data to spot threats that have penetrated the perimeter.  

Network Traffic Analysis

Advanced threat actors will often utilize customized tradecraft that easily evades signature-based detection. Instead of using signatures, network traffic analysis tools attempt to detect advanced attacks by establishing a baseline of traffic patterns within a network environment and highlighting deviations from the norm.   

Network and Host Forensics

Maintaining presence while evading detection is a hallmark of advanced threats. Network and host forensics tools perform deep inspection in search of indicators of compromise (IoCs) that are too subtle or buried too deeply in systems to be detected in real-time at scale. These tools most often come into play long after a data breach to determine the full scope of compromise and support remediation. 

We Need a Better Way to Stop Phishing

Billions of dollars have been invested in these tools and in the processes that surround them. Yet, it still takes 205 days on average for a data breach to be discovered from the time they are initially compromised. It is reasonable to assume that attackers have long since achieved their objectives by the time most compromises are found. These attacks, which in most cases start with spear phishing, go unrecognized until it is far too late. 


Figure 1. Data source: Mandiant M-Trends 2011-2014

In fact, most organizations first learn of a data breach not from their security tools and their processes, but from a third party. Sixty-nine percent of data breaches are discovered by entities outside of the breached organization2, such as the FBI and the major payment card brands. 

Clearly, the current approach to stopping spear phishing is not working. But it’s not due to a lack of technology or tools. Organizations are investing more in security today than ever before. The problem is two-fold.  

First, defensive layers that help protect against spear phishing attacks operate and are managed in silos.  Information and intelligence is not flowing between them, which limits their effectiveness at recognizing and stopping the advanced attacks that traverse them. These layers need to be managed as a cohesive system. Instead, they are managed as point solutions. No one is managing them as a system, so exploitable gaps go unnoticed until after a major incident. 

Second, the human expertise needed to effectively combat spear phishing attacks is often overlooked or underestimated. Automated defenses can efficiently handle activity that is clearly “black or white”. But advanced spear phishing attacks exploit the “gray” areas between known bad and known good. Human expertise, analysis, and decision-making is essential to counter these attacks.

The Defensive Framework for Spear Phishing

To help security leaders strategically improve their defensive posture, we have created a framework that spans relevant security layers from the start of an attack to its resolution. When applied, this framework helps organizations: 

  • Align security layers from end-to-end,
  • Assess which security layers are working and which are not,
  • Focus on performance metrics that matter,
  • Drive resource allocation and investment in the areas that yield the highest risk reduction,
  • Reduce the frequency of security incidents and prevent major data breaches. 

The framework consists of four critical phases supported by robust intelligence flows. 


Figure 2. Spear Phishing Defense framework

Up next in this blog series is “Preventing Payload Delivery via Spear Phishing.” 

The full framework with recommended defenses and example KPIs can be downloaded at A one-page reference card is also available at

Topics: Spear Phishing

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all