SANS Spearphishing Survival Guide

SANS Spearphishing Survival Guide

SANS Spearphishing Survival Guide A SANS Whitepaper Written by Jerry Shenk December 2015 Sponsored by Proofpoint ©2015 SANS™ Institute Executive Summary Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience “small” breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions. The majority of those threats still arrive by email in the form of weaponized file attachments, malicious links, wire-transfer fraud and credential phishing. In most cases, attackers deploy email-borne attacks that target specific individuals and fool them into believing they are from someone they do business with or someone in authority who knows them. Often, attackers gather the information they need to pull off these sorts of phishing attacks over social media, where employees share significant amounts of personal and contextual information. Just as often, employees leak information over mobile applications that make it easier for criminals to target their attacks. While most antivirus, anti-malware and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These types of attacks, called spearphishing, gather information on high- value targets who have direct access to company financial or customer information.1 Using social media, mobile apps and other sources of information (such as a company website), criminals can make connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with—and neither network-based nor email-based security tools are catching them consistently. The emails are so well crafted that even well-trained, sophisticated users are likely to click their malicious URLs or weaponized attachments (malicious attack files). 1 “Spear Fishing Definition,” TechTarget, March 2011, http://searchsecurity.techtarget.com/definition/spear-phishing SANS ANALYST PROGRAM 1 SANS Spearphishing Survival Guide Executive Summary (CONTINUED) For example, the infamous 2011 breach of RSA Security that resulted in the loss of its SecurID tokens was almost a perfect example of a believable spearphishing exploit: It targeted human resources personnel with the subject line “2011 Recruitment Plan” and appeared to originate from a recruitment firm the HR department was familiar with. Only eight emails were sent, but one person in HR opened the Excel attachment, titled “2011 Recruitment Plan.xls.”2 The SecurID fiasco cost RSA $66 million, including costs to replace tokens, monitor customers and handle other fallout.3 It is not just the emails the attackers craft that are becoming more sophisticated; attackers are also deploying techniques such as polymorphism and changing their malicious payloads or links to avoid detection. In its 2015 Global Phishing Survey, the Anti-Phishing Working Group identified nearly 124,000 unique phishing attacks against 569 different institutions.4 Those attacks resolved to 95,321 unique malicious domains. These malicious domains are usually obfuscated to avoid blacklist detection through URL shortening, polymorphism (changing attack patterns and signatures) and other means, making it difficult for email security systems to detect them. When malware and sender information continually changes, it can be difficult to keep users away from dangerous attachments or malicious URLs that can immediately infect an organization’s network with malware, especially when the security program relies solely on signatures of known bad attachments and senders. In the case of mobile apps, spearphishing may be even more difficult to detect. According to an article in Wired, mobile users are checking email constantly, but their screens are too small to tell when their email and text messages are fake (for example, whether or not they come from the domain they claim to be coming from).5 Mobile users are also mixing personal email apps with business email apps and even using public Wi-Fi to collect their email, thus creating new attack surfaces and making it more difficult for traditional network-based and email security systems to detect attacks and block spearphishing attacks from executing. 2 “Lessons Learned from DigiNotar, Comodo and RSA Breaches,” SecurityWeek, Nov. 17, 2011, www.securityweek.com/lessons-learned-diginotar-comodo-and-rsa-breaches 3 “RSA SecurID Breach Cost $66 Million,” InformationWeek, July 28, 2011, www.darkreading.com/attacks-and-breaches/rsa-securid-breach-cost-$66-million/d/d-id/1099232? 4 “Global Phishing Survey: Trends and Domain Name Use in 2H2014,” Anti-Phishing Working Group, May 27, 2015, http://internetidentity.com/wp-content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdf 5 “Spear Phishing: A Modern Threat to Mobile Devices,” Wired, Sept. 26, 2013, http://insights.wired.com/profiles/blogs/spear-phishing-a-modern-threat-to-mobile-devices - axzz3uKfhQRUS SANS ANALYST PROGRAM 2 SANS Spearphishing Survival Guide Executive Summary (CONTINUED) These new attack surfaces and more sophisticated threats require updated functionality and processes to protect organizations against advanced spearphishing, including the ability to: • Block mass email attacks in order to detect specific, targeted attacks as indicators of more serious compromise by a knowledgeable enemy • Identify high-value human targets based on their role and the applications and data they have access to • Identify targets who click things they shouldn’t • Intelligently respond to specific targeted attacks, including the ability to: - Scan the actual URLs, to determine whether the website is hosting malicious content, before a user is granted access - Sandbox suspect URLs and attachments to test their payloads before users are allowed to execute them - Identify employees who fall victim to the lures for education • Improve through self-learning (for example, the ability to automatically update email security and malware detection systems to include new signatures) • Continuously improve the collection of threat intelligence and data analysis This paper describes these and other capabilities for preventing advanced email attacks from succeeding. SANS ANALYST PROGRAM 3 SANS Spearphishing Survival Guide Advanced Phishing Attacks Revealed Spearphishers have several motivators for breaking into organizations, and all of them have to do with high-value targets and data: criminal operations seeking profits, nation- states interested in causing disruption, and industrial spies or politically motivated groups seeking to damage the target in some way. Spearphishing is a common means to this end and usually takes a specific trajectory, starting with gathering information on high-value targets, which is quite often gathered from information divulged through users’ social media and mobile applications. Knowing this attack progression is critical intelligence that should help detect, defend against and respond to advanced email attacks. Attack Progression Advanced email attacks usually follow a common progression, or “kill chain,” of events that email security intelligence should acknowledge and make use of in order to stop attacks before they cause damage. The attack steps include the following: 1. Gathering information on targets. Spearphishing starts with identifying key, high-value individuals in the company to target. These are usually people in HR (who have access to valuable employee data), finance (with access to wire transfer accounts), customer service or billing (with valuable customer financial data) and IT (they make mistakes, too, and those mistakes can be a jackpot for the attacker), as well as key personnel at email service providers, where more email accounts can be harvested (such as what happened in the infamous Epsilon case, which affected 75 large email clients in 20116). These people are targets because their credentials and the applications they have access to are of most value. In targeted email attacks, the attackers have likely learned about their targets and their roles through company announcements or social media such as LinkedIn, Facebook and Twitter, where employees are divulging information about their projects and possibly even collaborating with peers and partners. Associations are critical to attackers who want to create convincing emails that seem to originate from someone the target already knows or does business with. Attackers may also be sitting on wireless networks at coffee shops, catching personal email or business email sent from employees’ mobile devices. This may get them access credentials, departmental information on the employees and associations between personal and business contacts that the employee would likely accept a link or attachment from. And even access to a lower-level account can be a win for the attacker because once inside the company, higher-level access can be collected. 6 “Epsilon Fell To Spear-Phishing Attack,” InformationWeek, April 11, 2011, www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119 SANS ANALYST PROGRAM 4 SANS Spearphishing Survival Guide Advanced Phishing Attacks Revealed (CONTINUED) 2. Creating convincing emails. With information about their targets and their targets’ associations, attackers

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us