SANS Spearphishing Survival Guide

A SANS Whitepaper
Written by Jerry Shenk
December 2015

Sponsored by Proofpoint

©2015 SANS™ Institute

Executive Summary

Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience “small” breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions.

The majority of those threats still arrive by email in the form of weaponized file attachments, malicious links, wire-transfer fraud and credential phishing. In most cases, attackers deploy email-borne attacks that target specific individuals and fool them into believing the messages come from someone they do business with or someone in authority who knows them. Often, attackers gather the information they need to pull off these sorts of phishing attacks over social media, where employees share significant amounts of personal and contextual information. Just as often, employees leak information over mobile applications that make it easier for criminals to target their attacks.

While most antivirus, anti-spam and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These types of attacks, called spearphishing, gather information on high-value targets who have direct access to company financial or customer information.1 Using social media, mobile apps and other sources of information (such as a company website), criminals can make connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with—and neither network-based nor email-based security tools are catching them consistently. The emails are so well crafted that even well-trained, sophisticated users are likely to click their malicious URLs or open their weaponized attachments (malicious attack files).

1 “Spear Fishing Definition,” TechTarget, March 2011, http://searchsecurity.techtarget.com/definition/spear-phishing

For example, the infamous 2011 breach of RSA Security that resulted in the loss of its SecurID tokens was almost a perfect example of a believable spearphishing exploit: It targeted human resources personnel with the subject line “2011 Recruitment Plan” and appeared to originate from a recruitment firm the HR department was familiar with. Only eight emails were sent, but one person in HR opened the Excel attachment, titled “2011 Recruitment Plan.xls.”2 The SecurID fiasco cost RSA $66 million, including costs to replace tokens, monitor customers and handle other fallout.3

It is not just the emails the attackers craft that are becoming more sophisticated; attackers are also deploying techniques such as polymorphism and changing their malicious payloads or links to avoid detection. In its 2015 Global Phishing Survey, the Anti-Phishing Working Group identified nearly 124,000 unique phishing attacks against 569 different institutions.4 Those attacks resolved to 95,321 unique malicious domains. These malicious domains are usually obfuscated to avoid blacklist detection through URL shortening, polymorphism (changing attack patterns and signatures) and other means, making it difficult for email security systems to detect them. When malware and sender information continually changes, it can be difficult to keep users away from dangerous attachments or malicious URLs that can immediately infect an organization’s network with malware, especially when the security program relies solely on signatures of known bad attachments and senders.

In the case of mobile apps, spearphishing may be even more difficult to detect. According to an article in Wired, mobile users are checking email constantly, but their screens are too small to tell when their email and text messages are fake (for example, whether or not they come from the domain they claim to be coming from).5 Mobile users are also mixing personal email apps with business email apps and even using public Wi-Fi to collect their email, thus creating new attack surfaces and making it more difficult for traditional network-based and email security systems to detect attacks and block spearphishing attacks from executing.

2 “Lessons Learned from DigiNotar, Comodo and RSA Breaches,” SecurityWeek, Nov. 17, 2011, www.securityweek.com/lessons-learned-diginotar-comodo-and-rsa-breaches
3 “RSA SecurID Breach Cost $66 Million,” InformationWeek, July 28, 2011, www.darkreading.com/attacks-and-breaches/rsa-securid-breach-cost-$66-million/d/d-id/1099232?
4 “Global Phishing Survey: Trends and Domain Name Use in 2H2014,” Anti-Phishing Working Group, May 27, 2015, http://internetidentity.com/wp-content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdf
5 “Spear Phishing: A Modern Threat to Mobile Devices,” Wired, Sept. 26, 2013, http://insights.wired.com/profiles/blogs/spear-phishing-a-modern-threat-to-mobile-devices - axzz3uKfhQRUS

These new attack surfaces and more sophisticated threats require updated functionality and processes to protect organizations against advanced spearphishing, including the ability to:

• Block mass email attacks in order to detect specific, targeted attacks as indicators of more serious compromise by a knowledgeable enemy
• Identify high-value human targets based on their role and the applications and data they have access to
• Identify targets who click things they shouldn’t
• Intelligently respond to specific targeted attacks, including the ability to:
  - Scan the actual URLs, to determine whether the website is hosting malicious content, before a user is granted access
  - Sandbox suspect URLs and attachments to test their payloads before users are allowed to execute them
  - Identify employees who fall victim to the lures for education
• Improve through self-learning (for example, the ability to automatically update email security and malware detection systems to include new signatures)
• Continuously improve the collection of threat intelligence and data analysis

This paper describes these and other capabilities for preventing advanced email attacks from succeeding.

Advanced Phishing Attacks Revealed

Spearphishers have several motivators for breaking into organizations, and all of them have to do with high-value targets and data: criminal operations seeking profits, nation-states interested in causing disruption, and industrial spies or politically motivated groups seeking to damage the target in some way. Spearphishing is a common means to this end and usually takes a specific trajectory, starting with gathering information on high-value targets, quite often from what users divulge through social media and mobile applications. Knowing this attack progression is critical intelligence that should help organizations detect, defend against and respond to advanced email attacks.

Attack Progression

Advanced email attacks usually follow a common progression, or “kill chain,” of events that email security intelligence should acknowledge and make use of in order to stop attacks before they cause damage. The attack steps include the following:

1. Gathering information on targets. Spearphishing starts with identifying key, high-value individuals in the company to target. These are usually people in HR (who have access to valuable employee data), finance (with access to wire transfer accounts), customer service or billing (with valuable customer financial data) and IT (they make mistakes, too, and those mistakes can be a jackpot for the attacker), as well as key personnel at email service providers, where more email accounts can be harvested (such as what happened in the infamous Epsilon case, which affected 75 large email clients in 2011).6 These people are targets because their credentials and the applications they have access to are of most value.

In targeted email attacks, the attackers have likely learned about their targets and their roles through company announcements or social media such as LinkedIn, Facebook and Twitter, where employees are divulging information about their projects and possibly even collaborating with peers and partners. Associations are critical to attackers who want to create convincing emails that seem to originate from someone the target already knows or does business with. Attackers may also be sitting on wireless networks at coffee shops, catching personal email or business email sent from employees’ mobile devices. This may get them access credentials, departmental information on the employees and associations between personal and business contacts that the employee would likely accept a link or attachment from. And even access to a lower-level account can be a win for the attacker because once inside the company, higher-level access can be collected.

6 “Epsilon Fell To Spear-Phishing Attack,” InformationWeek, April 11, 2011, www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119

2. Creating convincing emails. With information about their targets and their targets’ associations, attackers then craft the emails so that they seem legitimate enough to get intended targets to open an attachment or click a link. Gone are the days when language, linking and other issues made it easy to detect a phish. Spearphishers can create emails so realistic that they appear to come from a trusted source and ask for information that the source would normally request. For example, a recent article on CSO’s website7 told about an extremely well-written phishing email that would have worked if the comptroller hadn’t noticed that the CEO signed off as “Richard” when he always used “Dick.” Everything else was right—details, grammar, even inside information about the company. Fortunately in this case, the phish failed, meaning it was a win for the intended victim, who happened to be educated enough to notice the difference in the signature.

3. Hiding their origin. Attackers can spoof email sender addresses to make it look as if the email came from a trusted domain, and they employ other methods of obfuscating the email’s malicious intent from users and security systems. Return addresses and links can render almost perfectly when the user hovers the cursor over the address or link. For example, the attackers may have hacked a legitimate domain and sent the email from there. Or they might register their own domain with a URL very similar to that of the trusted source they are trying to impersonate. For example, attackers can make it look as if the email came from www.mycompany.com by registering a domain that differs by a single character, such as www.myconpany.com; such differences are difficult to notice, particularly on mobile devices, where screens are small and visibility is limited. Such URLs, if newly registered and minimally used, will often bypass network- and email-scanning systems because no blacklist yet lists them.

7 “Near-flawless Social Engineering attack spoiled by single flaw,” CSO, Oct. 8, 2015, www.csoonline.com/article/2990471/social-engineering/near-flawless-social-engineering-attack-spoiled-by-single-flaw.html

4. Delivering the payload. The link sends the user to a malicious URL or compromised reputable domain that captures the user’s credentials as he or she logs in. The choice of target usually predicts the payload. For example, attackers seeking to collect financial system credentials will lead users to log into what the users believe is the company’s commercial bank account, collect their access credentials and then log into the real account themselves to transfer funds from wire accounts. The spearphishers may also just want to use the target to infiltrate the company, as in the case of a malicious attachment, where advanced malware enters the organization and starts searching for credentials across any department it is able to access.

5. Avoiding detection. The attack tries to hide itself throughout the process. Methods that attackers use to avoid detection include polymorphism and shortened or obfuscated URLs to prevent blacklist detection. Once an attacker has successfully gotten malware onto an enterprise’s network, the malware can do any number of things, such as ensuring that it survives a reboot, giving attackers remote access, turning off detection software or providing the attacker administrative access to the entire network.

Figure 1 illustrates the path of most advanced email attacks.

[Figure 1 (diagram): Attack Progression. Stages shown: Gathering information on targets; Creating convincing emails; Delivering the payload; Avoiding detection.]

Figure 1. Advanced Email Attack Progression

Protection and Prevention

Organizations need to deploy protections that recognize these email-based attack steps and wrap that into their cyberthreat intelligence, security information and event management (SIEM) system and/or response systems for detection and response.

The logical place to start is to minimize the attack surface to prevent opportunistic attacks, which is the desired outcome of the Center for Internet Security’s Critical Security Controls and other security frameworks.8 In the case of mobile and social media, the first steps toward reducing these attack surfaces are employee education and monitoring for misuse. Shoring up vulnerabilities in email systems and endpoints will also reduce your attack surface.

To prevent and respond to attacks, monitoring is key. Advanced spearphishing gets around network-based anti-malware and antivirus systems because of the sophisticated targeting and hiding tactics they use, as discussed previously in this paper. Therefore, email scanning and file and data analysis are also critical components of an advanced protection system. Email monitoring should detect known and unknown malicious sender URLs, links and attachments even before they reach the end user. If they do manage to reach the end user, then the email system should test malicious links and attachments in a secure (sandboxed) environment before the user is allowed to click the message links or attachments.

Because spearphishing threats indicate a serious problem occurring in the enterprise, the scanning should also provide insight into the reason the receiver was targeted and the motives of the sender. Ultimately, a classification system should emerge on potential targets that would continuously update itself with new information and be used to detect weak points, secure them and circle around to reduce attack surface.

8 The Critical Security Controls for Effective Cyber Defense, Version 6.0, Center for Internet Security, www.cisecurity.org/critical-controls

Email Analysis Methods

Monitoring email for signs of trouble is generally done in three ways: inline analysis, which looks at network traffic flow; mail flow analysis, which monitors mail passing through a mail server; and endpoint security, which puts tools like antivirus and junk email filters on the client. These options typically are signature-based, though some analyze IP addresses, formatting irregularities and other characteristics of the email transfer that might look suspicious.

Network Monitoring

Inline email analysis is typically done with an IDS/IPS or a dedicated appliance, usually where Internet traffic enters or leaves the network. Often, the appliance scans other traffic in addition to email. These devices are good at detecting oddities in the network traffic, but they are typically not optimized to inspect the contents of the email, looking for content that would suggest malicious intent or evaluating email attachments.

Email Monitoring

Email analysis for malicious links and attachments often runs on the main mail server or on a scanning mail server that sits in front of the corporate mail server. Such a scanning system is located either on-site or at the vendor location (as a cloud-based service). In the cloud-based scenario, unwanted mail should be prevented from entering the organization’s network at all, which also makes it more difficult for attackers to identify the corporate email server to look up targets and associations between targets.

The system should be capable of scanning the message body, email attachments and URLs, both inbound to and outbound from recipients. This analysis should be based on a number of things, including to/from addresses, time of day, domain information/destination URL, email content and headers. It should include the capability to pull suspect mail aside and examine it more thoroughly before allowing it to move on to the recipient. With advancements in polymorphism and URL obfuscation, the system will need to be able to scan inbound email in near real time and parse the mail so that it can send clean messages forward and send malicious messages to a secure, sandboxed environment to test the link or URL and then take actions based on findings.

Since spearphishing relies on finding and exploiting users and apps of value, it is important that the email security system also keep intelligence on valuable targets (users, systems and data) around which to wrap extra protections. For example, the email system should share intelligence with data loss prevention (DLP) systems, both to protect sensitive outbound data and to identify the users who work with valuable data and are therefore likely targets.


Email analysis at the endpoint is important, too, particularly in the case of mobile users. Antivirus software on the endpoint can also scan every message, looking for malicious content. Email security on the endpoint, usually accompanied by an agent, should provide all the scanning capability listed above as requests from mobile devices attempt to access the email system. This means that email security at the endpoint would be best if it could integrate with network access control (NAC) or other access systems to scan the endpoints for violations of policy, vulnerabilities and security status before email is downloaded to the mobile device.

Better yet, keep the email on the internal server and do not let it store on mobile devices. Note that because targeted attacks are designed to evade most endpoint antivirus discovery, email server and application protections are the critical impact point that controls should focus on.

File Analysis

A detection system for advanced threats should be able to identify files that are known and analyze those that are unknown. Analyzing against a blacklist of known bad files can cut down on the noise, allowing for the detection of advanced spearphishing attempts that go unnoticed amid other attacks that are easier to detect. The system would identify and remove malicious files quickly in a process that is repeatable whenever new instances of the same malicious file attachments are detected by the email security system. But that only takes care of known problems.

A second layer of analysis is needed when unknown files attempt to execute on the system. At time of delivery or attempted execution, these files should be screened and segmented into a secure zone, where they are sandboxed and executed to determine their payloads. Should those payloads display signs of malware, they are further examined. Files identified as malicious are added to the blacklist of known bad files. Once added to the blacklist, they can be used for detecting and blocking the same or similar files in the future.
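The following Python is an added example, not code from the paper or from any vendor product, that implements the scanning-server checks described above: look-alike sender and link domains (attack step 3), a Reply-To that redirects answers elsewhere, and a known-bad attachment hash list that sandbox verdicts extend (the file-analysis loop just described). The trusted-domain set, the sample message and the convicted digest are constructed for illustration.

```python
"""Added example: triage one inbound message as the scanning mail server above would.
Trusted domains, the sample message and the known-bad digest are constructed."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed: domains the organization and its partners legitimately send from.
TRUSTED_DOMAINS = {"mycompany.com", "partnerfirm.example"}
# Constructed: SHA-1 digests of attachments the sandbox has already convicted.
KNOWN_BAD_SHA1 = {hashlib.sha1(b"constructed-malicious-sample").hexdigest()}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'myconpany.com' is one substitution from 'mycompany.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host: 'www.mycompany.com' -> 'mycompany.com' (no PSL used)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str) -> Optional[str]:
    """Trusted domain that `host` imitates by one character, or None if exact or unrelated."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(dom, trusted) == 1:
            return trusted
    return None


def triage(raw: bytes) -> dict:
    """Return {'verdict': 'deliver' | 'sandbox' | 'quarantine', 'findings': [...]}."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    _, sender = parseaddr(str(msg.get("From", "")))
    from_dom = sender.rpartition("@")[2]
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} looks like trusted {imitated}")

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = reply.rpartition("@")[2]
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link host {host} looks like trusted {imitated}")

    unknown_files = 0
    for part in msg.iter_attachments():
        digest = hashlib.sha1(part.get_payload(decode=True)).hexdigest()
        if digest in KNOWN_BAD_SHA1:
            findings.append(f"attachment {part.get_filename()} matches known-bad SHA-1")
        else:
            unknown_files += 1  # not on the blacklist: detonate before release

    # Known-bad indicators quarantine outright; unknown files go to the sandbox first.
    verdict = "quarantine" if findings else ("sandbox" if unknown_files else "deliver")
    return {"verdict": verdict, "findings": findings}


def update_blacklist(sample: bytes) -> str:
    """Self-learning step: a sandbox-convicted payload is hashed so repeats are blocked."""
    digest = hashlib.sha1(sample).hexdigest()
    KNOWN_BAD_SHA1.add(digest)
    return digest


def build_sample(domain: str = "myconpany.com",
                 reply_to: Optional[str] = "ceo.jones@mail.example",
                 attachment: Optional[bytes] = b"constructed-malicious-sample") -> bytes:
    """Constructed message modelled on the comptroller example above (not a real phish)."""
    msg = EmailMessage()
    msg["From"] = f"Richard Jones <ceo@{domain}>"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["Subject"] = "Urgent wire before close of business"
    msg.set_content(f"Please process the attached wire and confirm at http://www.{domain}/wire")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                           filename="wire-instructions.xls")
    return msg.as_bytes()
```

With the defaults, `triage(build_sample())` quarantines the message on four findings; `build_sample("mycompany.com", None, None)` is delivered, and an unknown attachment is sent to the sandbox until `update_blacklist` records its digest.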


URL and IP Address Analysis

Keeping up with changes to URL and IP classifications is not easy. Just recently, an Internet Storm Center diary entry9 noted that the website for GM trucks was hosting the Nuclear exploit kit (EK). The site looks quite innocent when checked with a browser appliance, and it probably had been clean a week earlier. Criminals are constantly scanning the Internet looking for legitimate sites that can be hijacked and used to compromise unsuspecting visitors. An advanced threat detection system needs to be able to constantly reclassify URLs and IP addresses as they go from good to bad and back again.

In addition to monitoring URLs that are being used throughout the organization, the system should monitor IP addresses of senders. This often involves vendor-managed databases that list known good and known bad classifications of both URLs and IP addresses. These lists should accept updates automatically as new malicious attachments and URLs are found. Often this function is performed through cloud-based services, on-premise equipment or both. The key is that the URLs and IP addresses are examined before the user has a chance to click the links.

Blocking Malicious URLs. Some URLs and IP addresses should be blocked all the time. It is quite common for organizations to try to block all pornography sites, for example, by blacklisting their URLs. Similarly, entire groups of related IP addresses can be blocked, if you have no reason to ever accept IP addresses coming in from China, for example.

Data analysis. Stored email on mobile devices is a treasure trove for attackers. Therefore, it is important that the system work with DLP to determine sensitivity of data types, enforce rules such as encryption of stored data and data emailed off the devices and report when sensitive data tries to leave the organization via email.

Analysis of high-value targets. The system should also provide intelligence on users of value to the organization based on their titles, systems they access and the data that would be impacted should spearphishers access those high-value systems. Additional analysis may be needed for the highest-value targets, such as what mention they get on the company websites, what social media use they’re prone to and how they normally access email.

Together, these email security defenses will catch a lot of malicious activity. Nonetheless, email analysis alone is not enough; it should be coupled with outbound network monitoring, activity monitoring and user security awareness training. In addition, email analysis should integrate with internal and third-party threat intelligence data, whitelisting and blacklisting policies and network security reports (IDS/IPS/firewalls) to reduce false positives and block new advanced attacks that email systems alone might not detect.

9 BizCN gate actor update, SANS ISC InfoSec Forums, https://isc.sans.edu/forums/diary/BizCN+gate+actor+update/20209

Intelligent Response

Threat intelligence from third-party vendors, the email system or the SIEM system is a good starting place for automating your response processes. Email security systems should provide their own intelligence that feeds into the SIEM system as needed and should be especially focused on targets of high value to spearphishers. These systems should combine machine analytics with self-learning so that newfound threats, such as newly malicious URLs and malicious payloads, are categorized and included in future detection and response platforms. It should also be shared with the larger community through third-party intelligence providers, the email security system or industry groups such as Information Sharing and Analysis Centers (ISACs). If email and web security can catch malicious downloads that antivirus isn’t catching, then these layers should also integrate with anti-malware programs for better detection, for example. Humans are needed to make decisions, but automated collection and analysis systems such as SIEM, as well as the sharing of intelligence, are crucial to pulling out the actionable events.

These automated systems cannot just be plugged in and left alone; they need to be thoughtfully set up, monitored and adjusted as the network environment and the threats change. The following email security checklist should help organizations determine whether their email security is meeting the challenge of fighting today’s advanced spearphishing threats.

Email Security Checklist

The following checklist will help users think through the items that an advanced email security system should include.

Section 1. Current status

1.1 Rate of malicious mail still getting through (Check one.)
• High (25% or more) (0 points)
• Medium (10% to 24%) (1 point)
• Low (5% to 9%) (2 points)
• Lower (1% to 4%) (4 points)
• Ideal (0%) (5 points)

_____ Points awarded (5 possible)

Section 2. Monitoring and blocking

2.1 Monitoring system and user behavior (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
• Monitor user location
• Monitor user identity
• Monitor and assess user email behaviors
• Deploy reports and tools to help educate users and raise awareness
• Search based on time
• Search based on user
• Search based on IP address
• Search based on domain name
• Search based on file attachment
• Search based on file hash
• Search using regular expressions
• Use automated alerts
• Employ configurable parameters
• Use common notification formats (SMTP, SNMP, SMS, syslog)
• Utilize an intuitive interface for searching and reporting

_____ Points awarded (15 possible)

2.2 Monitoring system and user behavior (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
• Maintain a large pool of shared sensors to classify sites
• Sandbox and examine unknown URLs
• Block known bad sites
• Block unknown bad sites
• Block malicious links on known good sites
• Whitelist known approved sites
• Whitelist domain names
• Whitelist IP addresses
• Blacklist known sites
• Blacklist domain names
• Blacklist IP addresses
• Regularly update malicious URL database
• Rewrite URLs to monitor click-throughs on a per-user basis
• Log rewritten URLs and clicks to URLs
• Automate actions (such as reject, quarantine and report) based on policy

_____ Points awarded (15 possible)


2.3 Blocking execution (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
• Block known bad attachments
• Block unknown bad attachments
• Block malicious file transfers and installations
• Support MD5 hash
• Support SHA1 hash
• Sandbox suspect files and examine them
• Prevent malware from detecting the sandbox (run sandbox process that is bare metal)
• Regularly update database of blocking rules
• Share database updates with other blocking sensors
• Log blocked, allowed and tested files and applications

_____ Points awarded (10 possible)

Section 3. Performance

3.1 Volume of unique URLs in scanning database (Check one.)
• 100,000 (1 point)
• 250,000 (2 points)
• 500,000 (4 points)
• 1 million (6 points)
• 5 million (8 points)
• 10 million or more (10 points)

_____ Points awarded (10 possible)

3.2 Accuracy
_____ Number of false positives (per 1,000 alerts) (Calculate by subtracting the number of false positives from 1,000, then dividing by 10. Maximum score is 10.)
_____ Number of false negatives (per 1,000 alerts) (Calculate by subtracting the number of false positives from 1,000, then dividing by 10. Maximum score is 10.)

_____ Points awarded (20 possible)


3.3 Speed of analyzing and correlating large numbers of URLs and attachments (Check one.)
• Unacceptable time lag (0 points)
• Acceptable time lag (2 points)
• Imperceptible/near real time (5 points)

_____ Points awarded (5 possible)

3.4 Self-learning (Check one.)
• Not able to learn or reuse newly discovered threat data (0 points)
• Must manually input any new threat data we discover (2 points)
• Able to automatically catalog newly detected threat data for future reference (5 points)

_____ Points awarded (5 possible)

3.5 Integration with SIEM, IDS/IPS or analytics (Check one.)
• Not integrated; no other security technologies aligned with email security (0 points)
• Partly integrated; email security, with some third-party SIEM vendor integration and/or detection system (2 points)
• Well integrated; email security partnerships with multiple SIEM and detection system vendors (5 points)

_____ Points awarded (5 possible)

3.6 Usefulness of third-party intelligence (Check one.)
• No intelligence integration (0 points)
• Inadequate intelligence integration (1 point)
• Limited use of intelligence (2 points)
• Adequate use of intelligence (4 points)
• Thorough, accurate and integrated use of intelligence (10 points)

_____ Points awarded (10 possible)


Scoring (Total Points, Grade, Assessment)

100 points, grade A+: The organization is as good as it can be; the only real danger is that it might become complacent and not adapt quickly enough to the next mutation in advanced threats.

92–99 points, grade A: The organization proactively monitors and blocks email-based attacks and educates users about them. While the chance of an attack getting through can never be eliminated, the organization has reduced its attack surface, integrated with detection, response and intelligence through SIEM or similar technology. Companies with this score have an excellent chance of quickly detecting any attack that does succeed.

83–91 points, grade B: The organization has room for improvement, but it has many of the necessary email security processes in place and is largely integrated with other detection and response capabilities.

74–82 points, grade C: The organization faces a high probability of being successfully attacked through email systems and failing to detect the attack for a significant amount of time due to lack of integration and employee training.

65–73 points, grade D: Many of the organization’s security systems and processes, not just its email systems, are in need of review, and immediate steps should be taken to strengthen them in every area.

64 points or less, grade F: Insufficient attention is being paid to the prevention and detection of attacks through email. A thorough assessment of the security program is needed to put the organization on the path to better security.

Conclusion

Today’s email security systems must be on the alert for known and unknown phishing targets, the lures attackers use and information about the links and payloads that emails contain. To do so requires a combination of tools specifically designed for email and for other network and security processes. Third-party intelligence feeds into the entire system, providing a robust ecosystem that works to prevent most email-borne payloads from getting through to the end user, keep those that do from spreading and provide unified response capabilities in case the payload does get through.

Just as important is knowing which of your employees are seen as targets of value to attackers and where those people could be leaking information that spearphishers can leverage to create their convincing emails and associations. For example, many targeted phishing attempts rely on knowledge gleaned from social media posts made by employees. Employees also use their own devices to download company email, which creates another attack surface that should be monitored.

Email, DLP, endpoint and network security need to work together to stop advanced phishers from getting to sensitive data. Centralized systems for detection and response, as well as knowledgeable personnel, are key to watching all of these things at once and connecting the dots. Buyers of advanced threat protection tools need to think through how those tools will integrate with one another and how well they handle reporting, alerting and response even as new attack surfaces and phishing techniques advance.

About the Author

Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst for Windstream Communications, working out of the company’s Ephrata, Pennsylvania, location. Since 1984, he has consulted with companies and financial and educational institutions on issues of network design, security, forensic analysis and penetration testing. His experience spans networks of all sizes, from small home-office systems to global networks. Along with some vendor-specific certifications, Jerry holds six GIAC certifications—all completed with honors—and five with Gold certifications: GCIA, GCIH, GCFW, GSNA, GPEN and GCFA. He also holds the CISSP certification.

Sponsor

SANS would like to thank this paper’s sponsor, Proofpoint.