The problem: spearphishing
Spearphishing is a top attack vector used by cyber adversaries today. Consists of fraudulent emails that appear to be legitimate which target specific organizations, groups, or individuals to gain access to information systems. Targeted spear phishing also leverages social engineering which includes research about specific targets of interest. Organizations rely on email connectivity with the outside to function and thus is an entry into a potential target’s environment that bypasses many of the legacy security stack.
Tychon’s Chief Technology Officer Travis Rosiek offers tips for enterprises on how to analyze former phishing attacks to improve defenses against future attacks, such as creating a database of captured phishing emails to learn tactics, who is being targeted and what information was used for social engineering.
User awareness training
User awareness training is critical, but not a silver bullet to mitigating the effects of spearphishing. Conducting routine spearphishing drills with disclosure of results to the organization is an effective way to the culture of an organization and makes users more aware of threats via inbound email.
Most likely targets/victims
Organizations should identify who are the most likely targets of spearsphishing based on their role (CXO, legal, research team, etc.) or what they have access to (e.g. system administrators). Implement strict role based access control based on employee data access and limit their exposure to untrusted emails, websites, and systems. Adversaries will likely target low hanging fruit ( e.g. HR, claims processing, etc.), groups teams with frequent interaction and information sharing to the outside world.
Ever vigilant
An email can come at any point of the day or night and from any sender with a wide range of malicious payloads or URLs. Users must never let their guard down and should be very conscientious every email they receive. Organizations are only as strong as their weakest link and in many cases, their weakest user.
Constantly broadcast to all users, tips for spear phishing hygiene. Ensure spam filters are up to date. Be extra sensitive of emails from Finance, Banking, HR and Utility emails. Double-check e-mail address to ensure domain matches sending organization. Hover over links to ensure domain for links matches sending organization. If questioning the safety of a link, research the link online and directly browse to the topic mentioned in the email instead of clicking link.
Advanced analytics and protection
Leveraging industry-leading technology can help screen and mitigate emails into an organizations. Develop password security policy that includes expiration and complexity. Ensure advanced antivirus is installed and up to date. Deploy and maintain advanced spam filters.
Deploy web security platforms to mitigate users clicking on malicious URLs embedded in emails. Ensure sensitive company information has been encrypted. Make sure patches and updates are current. Disable HTML for e-mails.
Goal: assume everyone clicks
Organizations should come to terms with the reality that a malicious email will be opened and clicked on frequently, no matter how much training. Adversaries have become very skilled at crafting compelling emails to click on. With this assumption, organizations must now have a plan to act on a malicious email that was clicked. Rapidly identify who sent the email, where did it go, who was it forwarded to, what was the payload or URL, and did anyone open the payload or visit the URL?
Being able to rapidly diagnose and determine the scope of the activity will greatly minimize impacts to the organization and expedite the response time.
Rapid triage and response
Leveraging capabilities that enable rapid search across systems and emails from a historical perspective will help an organization quickly determine the depth and breadth of a spearsphishing campaign, identify impacted systems, users, and information are critical to scoping a spearphising attack.
Identifying whether the malicious payload was sent from your organization to an external organization is another major concern. Leveraging capabilities to accurately and rapidly take corrective action based on the scope of the attack are critical when trying to keep the impacts and costs of a breach low.