Preparing for the Next Spear Phishing Attack

By Eric Milam, Martin Bos ·

If you need proof that any organization can be hacked, even the most secure ones, just do an Internet search for “spear phishing attacks.” You might be shocked at the number of public and private entities that have announced they have been victims of this increasingly common type of attack. And those are just the ones that have admitted it openly. A recent study by Accuvant partner Trend Micro noted that spear phishing is the most favored advanced persistent threat attack bait. So, why are these attacks so prevalent?

With the growing sophistication of information security strategies and technologies, it has become more difficult for attackers to break through an organization’s perimeter defenses and steal sensitive data. Enter: spear phishing, an email spoofing fraud attempt that targets individuals or groups within an organization, seeking unauthorized access to confidential data. Unlike general phishing campaigns that promise you riches from the Prince of Nigeria, spear phishing attacks are not typically initiated by “random attackers” but by perpetrators looking for financial gain, trade secrets, or military information.

Spear phishing attacks can be very effective in large part because of the relative ease of creating legitimate-looking emails that bypass email security mechanisms. The emails are tailored to make sense to an individual or a group by including, for example, company-related information such as insurance or 401(k) details. Another reason these attacks are often successful is that organizations focus primarily on securing their inbound email traffic but not outbound, or egress, traffic. Spear phishing attacks take advantage of this vulnerability by sending emails to individuals who may click on a link that, for example, introduces a malware into the network. That malware could enable the attacker to get a foot hold within the organization and provide the ability to “look around” for sensitive information to steal.

Since spear phishing targets individuals, it is important to conduct security awareness training so employees are mindful of these types of attacks. However, because an attack can target many individuals simultaneously which significantly increases the likelihood that one will fall victim, education alone is not nearly enough. It’s critical for security organizations to take responsibility for these occurrences and not rely solely on individuals to distinguish between legitimate and malicious emails. User awareness should be just one part of a layered security approach that includes:

  • The use of spear phishing when performing assessments of security controls.This tests every single stage of a network – from individual users’ computers to an outbound connection to the Internet – and highlights which devices are working properly and which ones need to be replaced.
  • Network segmentation, which “sandboxes” a group (e.g., human resources) within its own environment and limits the areas of the network that the group can access.Doing this for each business unit within an organization can greatly decrease the attack surface and mitigate the amount and type of data that an attacker can obtain if a specific group is infected.
  • Strict outbound egress filtering.If an organization does get infected, egress filtering has a greater potential to stop communications back to the control system.
  • Multi-factor authentication,which limits the exposure on the outside of the network if an attacker is able to obtain a user’s credentials via spear phishing.
It’s critical for every organization to develop a layered security approach that includes mechanisms to specifically protect against spear phishing. This proactive approach can help to combat what has become the most prevalent kind of Internet attack. So, are you ready for when that next strike comes?