Every CISO, in every industry, is aware that spear phishing can be a problem – a big one – despite millions of dollars invested in (necessary) layers of technology defenses. In May 2016, CSO Online reported ANOTHER three firms were hit by targeted phishing attacks – attacks that stole employees' W2 data. I guarantee all of these firms had security devices in place on their networks. These attacks were a form of social engineering that bypasses traditional security technologies, and much can be done to enlist employees as part of any company's overall defense. Many CISOs have done just that – taken steps to ensure their employees are aware and work to reduce the likelihood of opening a malicious email. But this still isn't solving the spear phishing problem. Companies have been conducting varying degrees of security awareness training for years. Yet the attacks are still happening, and they are successful in spite of the training. So, what is a well-intentioned CISO to do? Give up? Train more? Find a better training approach?
Part of the answer is yes; organizations do need to up their game when it comes to training employees. It isn’t enough to have employees sit through periodic computer-based training sessions. To be consistently good at recognizing phishing attacks, they need a continuous training program focused on the phishing techniques that are most likely to be used against them. The best approach to this is to frequently launch simulated phishing attacks against employees and deliver high-impact training to the individuals that prove themselves susceptible to the types of attacks being simulated.
But employees are only one part of the equation when it comes to spear phishing. Once employees are aware of what a suspicious or malicious email looks like, they should be encouraged and enabled to report it. Chances are that other employees also got the same email. Simply deleting it leaves the door open for other employees to fall victim, potentially compromising sensitive information or leading to a nasty malware infection (such as ransomware).
But who should the employee report these emails to? The already overwhelmed and (likely) short-staffed IT security or operations team? This is absolutely the right team to take action, as long as they are equipped and resourced around-the-clock to identify whether the attack is targeted or not, how to reverse engineer malware, how to identify the underlying attack infrastructure components and mitigate them, and how to extract useful intelligence to prevent further damage.
Taking action against these targeted emails that do make it to employees’ inboxes – and get reported – will allow the company to avoid further damage or compromise altogether. Having context, Indicators of Compromise (IOCs), and insight on how any individual attack works will help the company protect the rest of the organization.
But, the critical proactive step is to avoid as many spear phishing emails and other advanced threats as possible.
There are plenty of intelligence feeds out there that you can subscribe to, and companies often subscribe to several. The issue there is that most feeds contain a lot of the same open source data, so when you subscribe to multiple feeds, you are paying for redundant data - and lots of noise.
When it comes to spear phishing protection, you need specific intelligence – knowledge of what spear phishing attacks are currently out in the wild. This is intelligence gathered in near real-time from expert investigations into active spear phishing campaigns, so that you can use it to update your various security defenses to block, or alert you, when these threats come knocking at your door.
These three components – training, mitigation, and intelligence – will each help individually. But when it comes to spear phishing, the whole is greater than the sum of its parts.