Persistent targeted attacks against the government, financial services, manufacturing and critical infrastructure take on many characteristics. Attackers can have different backgrounds and motivations, and the tools they use can range from commodity malware to zero-day exploits.
One characteristic that’s consistent throughout most of these campaigns against high profile organizations is the initial means of infiltration—spear phishing.
Nine times out of 10, attackers walk into an organization right through the front door of its Exchange Server, crafting convincing email messages purportedly from a trusted source that either trick the victim into opening an infected attachment or visiting a website where credentials are stolen, or malware is surreptitiously installed on the visitor’s machine. In any event, the first wave of the targeted attack kicks off from a lowly email.
Even the most security conscious organizations in the world, such as RSA Security, which was infiltrated nearly two years ago by hackers going after the source code of its flagship SecurID authentication token, are liable to fall victim to a spear phishing message. Why? Because spear phishing works.
Spear phishing as a craft has improved tenfold over what it was a half-decade ago when messages were shady even to the untrained eye. The grammar in the messages was bad, the spelling even worse. Sometimes company logos were out of date, and messages just wouldn’t pass the smell test. Now it’s nigh impossible to sniff out phony messages from the real deal. Humans trust email as a platform, and that’s their first downfall, experts say.
“Most organizational management and security teams understand what spear phishing is. The problem is they do not know how, or do not have the time and resources, to teach people what phishing is and how to detect or defend against it,” said Lance Spitzner, a SANS Institute instructor and inventor of the honeypot. “As such, they continue to be highly vulnerable to spear phishing attacks.”
Spitzner is a big proponent of awareness training inside organizations, training them not only what phishing attacks look like, but what to do if they’re phished.
“Spear phishing works because people have not been trained on how to detect such attacks. Even if they do fall victim, if people can figure out after the fact they did something wrong and then report it right away, this is still a win,” Spitzner said. “If you teach people even the basics that email is an attack platform, and simple steps to detect common attacks, you can still have a dramatic impact.”
Enterprises, however, are losing that fight. A Trend Micro research paper revealed that 91 percent of targeted attacks observed between February and September of this year involved spear phishing. Attackers involved in nation-state sponsored APT-style attacks prefer spear phishing as a means for reaching high-ranking executives or technology managers with privileged access to high-value systems.
The majority of spear phishing messages (94 percent), meanwhile, carry malicious versions of common file types as attachments, i.e., PDFs, Excel spreadsheets or Word documents. Executable files are rarely sent as email attachments, since most security systems will detect them; when they are sent, they’re usually compressed into a password-protected archive file such as a .zip or .rar.
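The attachment pattern just described is one a mail gateway can act on. As an added example (not code from the article or from the Trend Micro report), the Python routine below parses a constructed sample message, sends the common document types to content inspection, blocks bare executables, and flags ZIP archives whose members carry the encryption bit, since a password-protected archive cannot be scanned in transit. The sample ZIP is constructed by setting that flag on an ordinary archive, and the RAR handling is an assumption of the example: only the extension is recognized.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Document formats that carry most malicious attachments, executables that gateways
# usually block, and the archive formats used to wrap executables (often password-protected).
DOCUMENT_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
ARCHIVE_EXTS = {".zip", ".rar"}

def zip_is_password_protected(data: bytes) -> bool:
    """True if any ZIP member has general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:  # a corrupt or fake .zip is not "encrypted", just unscannable
        return False

def triage_attachments(raw: bytes) -> list:
    """Label each attachment: document (inspect), executable (block), encrypted-archive (hold), archive, other."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            label = "executable"
        elif ext in DOCUMENT_EXTS:
            label = "document"
        elif ext in ARCHIVE_EXTS or data.startswith(b"PK\x03\x04"):
            # Only the ZIP flag is checked; a .rar is reported as 'archive' for a separate unpacker.
            label = "encrypted-archive" if zip_is_password_protected(data) else "archive"
        else:
            label = "other"
        findings.append((name, label))
    return findings

def build_flagged_zip(member: str) -> bytes:
    """Constructed ZIP with the encrypted bit set in its central-directory entry; payload is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"MZ placeholder, not a real executable")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x01\x02") + 8] |= 0x01  # central directory header: flags at offset 8
    return bytes(data)

def build_sample_message() -> bytes:
    """Constructed message: a PDF report plus a password-protected-looking ZIP wrapping an .exe."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 report"
    msg.set_content("Please review the attached files.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(build_flagged_zip("invoice.exe"), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `triage_attachments(build_sample_message())` labels report.pdf as a document for content inspection and invoice.zip as an encrypted archive to hold.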
“People normally share files (e.g., reports, business documents, and resumes) in the corporate or government setting via email,” the Trend Micro report said. “This may be due to the fact that downloading off the Internet in such a setting is frowned upon. That is why a higher number of spear-phishing emails with attachments are sent to targets in the corporate or government sector.”
Government agencies and activist groups are the most targeted via spear phishing, Trend Micro said. Most often, members of these types of organizations have some type of biographical information available online either on agency websites or social media pages, treasure troves for attackers mining for organizational data to be used in social engineering.
“In a lot of cases, these emails are not true spear phishing. The attacker may simply customize the ‘From’ address to match the victim organization or include the company name in the subject line,” Spitzner said. “The state of awareness is so poor that even basic spear phishing is effective. Long story short, it does not take a lot of time.”
Before launching a spear phishing campaign, attackers invest time in reconnaissance. They scour social media sites, or purchase stolen information underground, to profile an organization and understand exactly whom they want to target with a phishing message: the person with access to the systems or files of most interest to a particular mission.
Once the attacker is inside, the victim’s machine is often infected with a remote access Trojan (RAT) that gives the attacker a persistent backdoor into the network. The RAT can communicate with the attacker and send back system information, legitimate credentials and more, allowing the infiltrator to pivot from system to system until they land on the information they’re after.
“Our findings highlight how spear phishing aids APT attacks because of the vast amount of information available at the touch of our fingertips,” Trend Micro said. “Organizations should strive to improve their existing defenses and take into careful consideration what types of and how much information they make available online.”
Spear phishing is a different animal than a generic spam campaign pushing illicit pharmaceuticals, for example. Spitzner said the best defense is continuous training inside an organization.
“We patch computers at least once a month, so too should you teach people in your awareness program. Far too many organizations take a compliance approach and teach people only once a year,” Spitzner said. “Active internal phishing assessments also work well. You do not need to spend a lot of money on these.”
A recent private summit sponsored by RSA Security also pointed to the effectiveness of people-focused breach prevention programs.
“Many of the preventative security measures discussed at the Summit focused on people, not systems,” RSA said in a report on the summit. “Delegates generally observed a trend toward treating internal employees as ‘a less trusted space.’”