A SANS Whitepaper
Written by Jerry Shenk
December 2015
Sponsored by Proofpoint
©2015 SANS™ Institute

SANS Spearphishing Survival Guide

Executive Summary
Organizations are constantly under attack. Nearly every week comes a news headline
of another breach affecting millions of people. Organizations that experience
“small” breaches spend hundreds of thousands of dollars on forensic examinations,
infrastructure upgrades and identity monitoring. Those that get hit by a large breach
spend millions.
The majority of those threats still arrive by email in the form of weaponized file
attachments, malicious links, wire-transfer fraud and credential phishing. In most cases,
attackers deploy email-borne attacks that target specific individuals and fool them into
believing they are from someone they do business with or someone in authority who
knows them. Often, attackers gather the information they need to pull off these sorts
of phishing attacks over social media, where employees share significant amounts of
personal and contextual information. Just as often, employees leak information over
mobile applications that make it easier for criminals to target their attacks.
While most antivirus, anti-malware and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These attacks, called spearphishing, begin with gathering information on high-value targets who have direct access to company financial or customer information.[1] Using social media, mobile apps and other sources of information (such as a company website), criminals can map the connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with, and neither network-based nor email-based security tools are catching them consistently. The emails are so well crafted that even well-trained, sophisticated users are likely to click their malicious URLs or open their weaponized attachments (malicious attack files).
SANS ANALYST PROGRAM

[1] “Spear Fishing Definition,” TechTarget, March 2011, http://searchsecurity.techtarget.com/definition/spear-phishing
For example, the infamous 2011 breach of RSA Security that resulted in the loss of its SecurID tokens was almost a perfect example of a believable spearphishing exploit: It targeted human resources personnel with the subject line “2011 Recruitment Plan” and appeared to originate from a recruitment firm the HR department was familiar with. Only eight emails were sent, but one person in HR opened the Excel attachment, titled “2011 Recruitment Plan.xls.”[2] The SecurID fiasco cost RSA $66 million, including costs to replace tokens, monitor customers and handle other fallout.[3]
It is not just the emails the attackers craft that are becoming more sophisticated; attackers are also deploying techniques such as polymorphism and changing their malicious payloads or links to avoid detection. In its 2015 Global Phishing Survey, the Anti-Phishing Working Group identified nearly 124,000 unique phishing attacks against 569 different institutions.[4] Those attacks resolved to 95,321 unique malicious domains. These malicious domains are usually obfuscated to avoid blacklist detection through URL shortening, polymorphism (changing attack patterns and signatures) and other means, making it difficult for email security systems to detect them. When malware and sender information continually change, it can be difficult to keep users away from dangerous attachments or malicious URLs that can immediately infect an organization’s network with malware, especially when the security program relies solely on signatures of known bad attachments and senders.
In the case of mobile apps, spearphishing may be even more difficult to detect. According to an article in Wired, mobile users are checking email constantly, but their screens are too small to tell when their email and text messages are fake (for example, whether or not they come from the domain they claim to be coming from).[5] Mobile users are also mixing personal email apps with business email apps and even using public Wi-Fi to collect their email, thus creating new attack surfaces and making it more difficult for traditional network-based and email security systems to detect and block spearphishing attacks before they execute.
[2] “Lessons Learned from DigiNotar, Comodo and RSA Breaches,” SecurityWeek, Nov. 17, 2011, www.securityweek.com/lessons-learned-diginotar-comodo-and-rsa-breaches
[3] “RSA SecurID Breach Cost $66 Million,” InformationWeek, July 28, 2011, www.darkreading.com/attacks-and-breaches/rsa-securid-breach-cost-$66-million/d/d-id/1099232?
[4] “Global Phishing Survey: Trends and Domain Name Use in 2H2014,” Anti-Phishing Working Group, May 27, 2015, http://internetidentity.com/wp-content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdf
[5] “Spear Phishing: A Modern Threat to Mobile Devices,” Wired, Sept. 26, 2013, http://insights.wired.com/profiles/blogs/spear-phishing-a-modern-threat-to-mobile-devices - axzz3uKfhQRUS
These new attack surfaces and more sophisticated threats require updated functionality
and processes to protect organizations against advanced spearphishing, including the
ability to:
• Block mass email attacks in order to detect specific, targeted attacks as indicators
of more serious compromise by a knowledgeable enemy
• Identify high-value human targets based on their role and the applications and
data they have access to
• Identify targets who click things they shouldn’t
• Intelligently respond to specific targeted attacks, including the ability to:
- Scan the actual URLs, to determine whether the website is hosting malicious
content, before a user is granted access
- Sandbox suspect URLs and attachments to test their payloads before users are
allowed to execute them
- Identify employees who fall victim to the lures for education
• Improve through self-learning (for example, the ability to automatically update
email security and malware detection systems to include new signatures)
• Continuously improve the collection of threat intelligence and data analysis
This paper describes these and other capabilities for preventing advanced email attacks
from succeeding.
Advanced Phishing Attacks Revealed
Spearphishers have several motivators for breaking into organizations, and all of them have to do with high-value targets and data: criminal operations seeking profits, nation-states interested in causing disruption, and industrial spies or politically motivated groups seeking to damage the target in some way. Spearphishing is a common means to this end and usually takes a specific trajectory, starting with the gathering of information on high-value targets, quite often from information the users themselves divulge through social media and mobile applications. Knowing this attack progression is critical intelligence that should help organizations detect, defend against and respond to advanced email attacks.
Attack Progression
Advanced email attacks usually follow a common progression, or “kill chain,” of events
that email security intelligence should acknowledge and make use of in order to stop
attacks before they cause damage. The attack steps include the following:
1. Gathering information on targets. Spearphishing starts with identifying key, high-value individuals in the company to target. These are usually people in HR (who have access to valuable employee data), finance (with access to wire transfer accounts), customer service or billing (with valuable customer financial data) and IT (they make mistakes, too, and those mistakes can be a jackpot for the attacker), as well as key personnel at email service providers, where more email accounts can be harvested (such as what happened in the infamous Epsilon case, which affected 75 large email clients in 2011[6]). These people are targets because their credentials and the applications they have access to are of most value.

In targeted email attacks, the attackers have likely learned about their targets and their roles through company announcements or social media such as LinkedIn, Facebook and Twitter, where employees divulge information about their projects and possibly even collaborate with peers and partners. Associations are critical to attackers who want to create convincing emails that seem to originate from someone the target already knows or does business with. Attackers may also be sitting on wireless networks at coffee shops, capturing personal or business email sent from employees’ mobile devices. This may give them access credentials, departmental information on the employees and associations between personal and business contacts from whom the employee would likely accept a link or attachment. And even access to a lower-level account can be a win for the attacker, because once inside the company, higher-level access can be collected.
[6] “Epsilon Fell To Spear-Phishing Attack,” InformationWeek, April 11, 2011, www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119
2. Creating convincing emails. With information about their targets and their targets’ associations, attackers then craft the emails so that they seem legitimate enough to get intended targets to open an attachment or click a link. Gone are the days when language, linking and other issues made it easy to detect a phish. Spearphishers can create emails so realistic that they appear to come from a trusted source and ask for information that the source would normally request. For example, a recent article on CSO’s website[7] told of an extremely well-written phishing email that would have worked if the comptroller hadn’t noticed that the CEO signed off as “Richard” when he always used “Dick.” Everything else was right: details, grammar, even inside information about the company. Fortunately, in this case, the phish failed, meaning it was a win for the intended victim, who happened to be educated enough to notice the difference in the signature.
3. Hiding their origin. Attackers can spoof email sender addresses to make it look as if the email came from a trusted domain, and they employ other methods of hiding the email’s malicious intent from users and security systems. Return addresses and links can render almost perfectly when the user hovers the cursor over the address or link. For example, the attackers may have compromised a legitimate domain and sent the email from there. Or they might register their own domain with a URL very similar to that of the trusted source they are trying to impersonate: attackers can make it look as if the email came from www.mycompany.com by registering a domain that is a single character off, such as www.myconpany.com, a difference that is hard to notice, particularly on mobile devices where the screens are small and visibility poor. Such URLs, if newly registered and minimally used, will often bypass network- and email-scanning systems because no blacklist yet lists them.
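The single-character-off trick described above can be checked mechanically before a message ever reaches a small screen. The following is an added example written for this edition of the guide, not code from the paper or from Proofpoint; the trusted domains, the confusable-character table and the sample addresses are constructed assumptions. It generalizes the page’s one example (www.myconpany.com) to three checks a mail gateway can run on every sender domain: edit distance from a trusted name, visually confusable character sequences, and a trusted name embedded inside a longer, unrelated domain.

```python
import re
from typing import List

# Added example, not code from the SANS paper. The trusted domains and the
# sample sender addresses below are constructed for this demonstration.
TRUSTED_DOMAINS: List[str] = ["mycompany.com", "mycompany-partners.com"]

# Small, hand-picked table of character sequences that look alike on a
# phone screen (assumption: production systems use much larger tables).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Edit distance at or below this is treated as a deliberate lookalike.
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Fold confusable sequences so 'rnycompany.com' compares equal to 'mycompany.com'."""
    folded = domain.lower()
    for seq, replacement in CONFUSABLES.items():
        folded = folded.replace(seq, replacement)
    return folded


def sender_domain(address: str) -> str:
    """Domain part of 'Display Name <user@domain>' or of a bare user@domain."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return match.group(1).lower().rstrip(".") if match else ""


def classify_domain(domain: str, trusted: List[str] = TRUSTED_DOMAINS) -> str:
    """Return one of: trusted, embedded, lookalike, unrelated."""
    d = domain.lower().rstrip(".")
    if not d:
        return "unrelated"
    # Exact match or a genuine subdomain of a trusted domain.
    if d in trusted or any(d.endswith("." + t) for t in trusted):
        return "trusted"
    folded = fold_confusables(d)
    for t in trusted:
        # The trusted name appears inside some other registrable domain,
        # e.g. mycompany.com.login-portal.example or secure-mycompany.com
        if (t in d and d != t) or (t in folded and folded != t):
            return "embedded"
    for t in trusted:
        if levenshtein(folded, fold_confusables(t)) <= MAX_LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unrelated"


def classify_sender(address: str) -> str:
    """Convenience wrapper: classify the domain of a From or Reply-To address."""
    return classify_domain(sender_domain(address))
```

Anything other than "trusted" or "unrelated" is a reason to hold the message for closer analysis rather than to block it outright; a partner that legitimately uses a similar name would otherwise generate constant false positives, so the trusted list is the place to record such exceptions.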
[7] “Near-flawless Social Engineering attack spoiled by single flaw,” CSO, Oct. 8, 2015, www.csoonline.com/article/2990471/social-engineering/near-flawless-social-engineering-attack-spoiled-by-single-flaw.html
4. Delivering the payload. The link sends the user to a malicious URL or a compromised reputable domain that captures the user’s credentials as he or she logs in. The choice of target usually predicts the payload. For example, attackers seeking financial system credentials will lead users to log into what the users believe is the company’s commercial bank account, collect their access credentials and then infiltrate the account themselves to transfer funds from wire accounts. The spearphishers may also just want to use the target to infiltrate the company, as in the case of a malicious attachment, where advanced malware enters the organization and starts searching for credentials across any department it is able to access.
5. Avoiding detection. The attack tries to hide itself throughout the process.
Methods that attackers use to avoid detection include polymorphism and
shortened or obfuscated URLs to prevent blacklist detection. Once an attacker
has successfully gotten malware onto an enterprise’s network, the malware
can do any number of things, such as ensuring that it survives a reboot, giving
attackers remote access, turning off detection software or providing the attacker
administrative access to the entire network.
Figure 1 illustrates the path of most advanced email attacks.

Figure 1. Advanced Email Attack Progression
[Figure: a flow of the attack progression steps: Gathering Information on Targets, Creating Convincing Emails, Delivering the Payload, Avoiding Detection]
Protection and Prevention
Organizations need to deploy protections that recognize these email-based attack steps and feed that recognition into their cyberthreat intelligence, security information and event management (SIEM) system and/or response systems for detection and response. The logical place to start is to minimize the attack surface to prevent opportunistic attacks, which is the desired outcome of the Center for Internet Security’s Critical Security Controls and other security frameworks.[8] In the case of mobile and social media, the first steps toward reducing these attack surfaces are employee education and monitoring for misuse. Shoring up vulnerabilities in email systems and endpoints will also reduce your attack surface.
To prevent and respond to attacks, monitoring is key. Advanced spearphishing gets around network-based anti-malware and antivirus systems because of the sophisticated targeting and hiding tactics attackers use, as discussed previously in this paper. Therefore, email scanning and file and data analysis are also critical components of an advanced protection system. Email monitoring should detect known and unknown malicious sender URLs, links and attachments even before they reach the end user. If they do manage to reach the end user, then the email system should test suspect links and attachments in a secure (sandboxed) environment before the user is allowed to click the message links or open the attachments.
Because spearphishing threats indicate a serious problem occurring in the enterprise,
the scanning should also provide insight into the reason the receiver was targeted and
the motives of the sender. Ultimately, a classification system should emerge on potential
targets that would continuously update itself with new information and be used to
detect weak points, secure them and circle around to reduce attack surface.
[8] The Critical Security Controls for Effective Cyber Defense, Version 6.0, Center for Internet Security, www.cisecurity.org/critical-controls
Email Analysis Methods
Monitoring email for signs of trouble is generally done in three ways: inline analysis,
which looks at network traffic flow; mail flow analysis, which monitors mail passing
through a mail server; and endpoint security, which puts tools like antivirus and junk
email filters on the client. These options typically are signature-based, though some
analyze IP addresses, formatting irregularities and other characteristics of the email
transfer that might look suspicious.
Network Monitoring
Inline email analysis is typically done with an IDS/IPS or a dedicated appliance, usually
where Internet traffic enters or leaves the network. Often, the appliance scans other
traffic in addition to email. These devices are good at detecting oddities in the network
traffic, but they are typically not optimized to process inside the email, looking for
content that would suggest malicious intent or evaluating email attachments.
Email Monitoring
Email analysis for malicious links and attachments often runs on the main mail server or
on a scanning mail server that sits in front of the corporate mail server. Such a scanning
system is located either on-site or at the vendor location (as a cloud-based service).
In the cloud-based scenario, unwanted mail should be prevented from entering the
organization’s network at all, which also makes it more difficult for attackers to identify
the corporate email server to look up targets and associations between targets.
The system should be capable of scanning the message body, email attachments and
URLs, both inbound to and outbound from recipients. This analysis should be based
on a number of things, including to/from addresses, time of day, domain information/
destination URL, email content and headers. It should include the capability to pull
suspect mail aside and examine it more thoroughly before allowing it to move on to
the recipient. With advancements in polymorphism and URL obfuscation, the system
will need to be able to scan inbound email in near real time and parse the mail so that it
can send clean messages forward and send malicious messages to a secure, sandboxed
environment to test the link or URL and then take actions based on findings.
Since spearphishing relies on finding and exploiting users and apps of value, it is important that the email security system also keep intelligence on valuable targets (users, systems and data) around which to wrap extra protections. For example, the email system should share intelligence with data loss prevention (DLP) systems, both to protect sensitive outbound data and to identify the targets who send or work with valuable data.
Email analysis at the endpoint is important, too, particularly in the case of mobile users.
Antivirus software on the endpoint can also scan every message, looking for malicious
content. Email security on the endpoint, usually accompanied by an agent, should
provide all the scanning capability listed above as requests from mobile devices attempt
to access the email system. This means that email security at the endpoint would be best
if it could integrate with network access control (NAC) or other access systems to scan
the endpoints for violations of policy, vulnerabilities and security status before email is
downloaded to the mobile device.
Better yet, keep the email on the internal server and do not let it be stored on mobile devices.
Note that because targeted attacks are designed to evade most endpoint antivirus
discovery, email server and application protections are the critical impact point that
controls should focus on.
File Analysis
A detection system for advanced threats should be able to identify files that are known
and analyze those that are unknown. Analyzing against a blacklist of known bad files can
cut down on the noise, allowing for the detection of advanced spearphishing attempts
that go unnoticed amid other attacks that are easier to detect. The system would
identify and remove malicious files quickly in a process that is repeatable whenever
new instances of the same malicious file attachments are detected by the email security
system. But that only takes care of known problems.
A second layer of analysis is needed when unknown files attempt to execute on the
system. At time of delivery or attempted execution, these files should be screened and
segmented into a secure zone, where they are sandboxed and executed to determine
their payloads. Should those payloads display signs of malware, they are further
examined. Files identified as malicious are added to the blacklist of known bad files.
Once added to the blacklist, they can be used for detecting and blocking the same or
similar files in the future.
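The mail-flow analysis described in the Email Monitoring section (examine headers, the URLs in the body and every attachment, and pull suspect mail aside) and the two-layer file analysis just described (a blacklist of known bad files, with unknown files detonated in a sandbox) can be sketched as one triage function. The code below is an added example, not the paper’s or any vendor’s product code; the known-bad hash, the blocked host, the attachment-extension list and the sample messages are all constructed for the demonstration, and the "hold" verdict only marks a message for detonation rather than running a sandbox itself.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Added example, not the paper's or any vendor's code. Every list, hash and
# message below is constructed for the demonstration.
KNOWN_BAD_SAMPLE = b"constructed known-bad attachment bytes"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}   # the "blacklist"
BLOCKED_HOSTS = {"malicious.example"}                                 # known-bad URL hosts
# Attachment types an unknown file would be detonated for (assumption).
SANDBOX_EXTENSIONS = {".xls", ".xlsm", ".doc", ".docm", ".exe", ".js", ".zip"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_message(from_addr, reply_to, body, attachments=()):
    """Construct a raw RFC 5322 message standing in for inbound mail (demo only)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["To"] = "finance@mycompany.example"
    msg["Subject"] = "Quarterly plan"
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def header_domain(header) -> str:
    """Domain of the first address in a parsed address header ('' if absent)."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def triage(raw: bytes) -> dict:
    """Return a verdict (deliver / hold / quarantine) with the findings behind it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, hold_reasons, attachments = [], [], []

    # Header check: a Reply-To pointing somewhere other than the sender's domain.
    from_dom = header_domain(msg["From"])
    reply_dom = header_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # URL check: every link in the text parts against the known-bad host list;
    # anything not yet classified is held for analysis rather than trusted.
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            for url in URL_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if host in BLOCKED_HOSTS:
                    findings.append(f"known-bad URL host {host}")
                else:
                    hold_reasons.append(f"unclassified URL {url}")

    # Attachment check: hash every file (MD5 and SHA1 for legacy feeds, SHA-256
    # for the blacklist); unknown risky types go to the sandbox.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        digests = {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}
        attachments.append({"name": name, **digests})
        if digests["sha256"] in KNOWN_BAD_SHA256:
            findings.append(f"known-bad attachment {name}")
        elif any(name.lower().endswith(ext) for ext in SANDBOX_EXTENSIONS):
            hold_reasons.append(f"unknown attachment {name} needs detonation")

    if any(f.startswith("known-bad") for f in findings):
        verdict = "quarantine"          # layer one: matched the blacklist
    elif hold_reasons or findings:
        verdict = "hold"                # layer two: sandbox before delivery
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings,
            "hold_reasons": hold_reasons, "attachments": attachments}
```

A file that the sandbox later convicts would have its SHA-256 added to KNOWN_BAD_SHA256, which is the feedback loop the text describes: the next copy of the same attachment is quarantined by the cheap first layer instead of being detonated again.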
URL and IP Address Analysis
Keeping up with changes to URL and IP classifications is not easy. Just recently, an Internet Storm Center diary entry[9] noted that the website for GM trucks was hosting the Nuclear exploit kit (EK). The site looked quite innocent when checked with a browser appliance, and it probably had been clean a week earlier. Criminals are constantly scanning the Internet looking for legitimate sites that can be hijacked and used to compromise unsuspecting visitors. An advanced threat detection system needs to be able to constantly reclassify URLs and IP addresses as they go from good to bad and back again.
In addition to monitoring URLs that are being used throughout the organization, the
system should monitor IP addresses of senders. This often involves vendor-managed
databases that list known good and known bad classifications of both URLs and IP
addresses. These lists should accept updates automatically as new
malicious attachments and URLs are found. Often this function is
performed through cloud-based services, on-premise equipment or
both. The key is that the URLs and IP addresses are examined before the
user has a chance to click the links.
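Because a site can go from good to bad between delivery and the click, many systems rewrite the links in a message so that a gateway can re-check reputation at click time and log who clicked what (the checklist later in this paper asks for exactly this: rewrite URLs to monitor click-throughs on a per-user basis, and log the rewritten URLs and the clicks). The following added example, not from the paper or from Proofpoint, shows one way to do it with an HMAC-signed token and a reputation store whose verdicts expire; the gateway address, the signing key and the reputation entries are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qs, urlparse

# Added example, not the paper's or any vendor's code. The gateway address,
# the signing key and the reputation data are constructed for the demo.
GATEWAY = "https://clickguard.example/go"   # hypothetical click-time gateway
SIGNING_KEY = b"constructed-demo-key"        # in production: a managed secret
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(token: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).digest())


def rewrite_links(html: str, user_id: str) -> str:
    """Replace every href with a signed gateway link that records the recipient.
    (For brevity the '&' in the query is not HTML-escaped as a real rewriter would.)"""
    def replace(match):
        token = _b64(json.dumps({"u": match.group(1), "uid": user_id}).encode())
        return f'href="{GATEWAY}?t={token}&s={_sign(token)}"'
    return HREF_RE.sub(replace, html)


def extract_hrefs(html: str) -> list:
    return HREF_RE.findall(html)


def decode_gateway_link(link: str) -> dict:
    """Verify the HMAC before trusting anything inside the token."""
    query = parse_qs(urlparse(link).query)
    token, sig = query["t"][0], query["s"][0]
    if not hmac.compare_digest(_sign(token), sig):
        raise ValueError("gateway link signature mismatch")
    return json.loads(_unb64(token))


class ReputationStore:
    """Verdicts carry a timestamp and expire, so a site rated 'good' last week
    is re-scanned rather than trusted forever (constructed, in-memory)."""

    def __init__(self, max_age_seconds: int):
        self.max_age = max_age_seconds
        self._verdicts = {}

    def set(self, host: str, verdict: str, now: int) -> None:
        self._verdicts[host] = (verdict, now)

    def get(self, host: str, now: int) -> str:
        entry = self._verdicts.get(host)
        if entry is None or now - entry[1] > self.max_age:
            return "unknown"
        return entry[0]


def resolve_click(link: str, store: ReputationStore, now: int, scan=None) -> dict:
    """Gateway-side handling of a click: re-check reputation at click time,
    refresh a stale verdict via the supplied scan callback, and emit a log line."""
    data = decode_gateway_link(link)
    host = (urlparse(data["u"]).hostname or "").lower()
    verdict = store.get(host, now)
    if verdict == "unknown" and scan is not None:
        verdict = scan(host)            # fresh classification, e.g. a sandbox visit
        store.set(host, verdict, now)
    action = "redirect" if verdict == "good" else "block"   # unknown fails closed
    return {
        "user": data["uid"], "url": data["u"], "host": host,
        "verdict": verdict, "action": action,
        "log": f"click user={data['uid']} host={host} verdict={verdict} action={action}",
    }
```

The per-user identifier in the token is what turns a blocked click into the "identify employees who fall victim to the lures" capability from the Executive Summary: the log line records which recipient clicked, not just that someone did.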
Data analysis. Stored email on mobile devices is a treasure trove for
attackers. Therefore, it is important that the system work with DLP to
determine sensitivity of data types, enforce rules such as encryption
of stored data and data emailed off the devices and report when sensitive data tries to
leave the organization via email.
Analysis of high-value targets. The system should also provide intelligence on users
of value to the organization based on their titles, systems they access and the data that
would be impacted should spearphishers access those high-value systems. Additional
analysis may be needed for the highest-value targets, such as what mention they get on
the company websites, what social media use they’re prone to and how they normally
access email.
Together, these email security defenses will catch a lot of malicious activity. Nonetheless,
email analysis alone is not enough; it should be coupled with outbound network
monitoring, activity monitoring and user security awareness training. In addition,
email analysis should integrate with internal and third-party threat intelligence data,
whitelisting and blacklisting policies and network security reports (IDS/IPS/firewalls) to
reduce false positives and block new advanced attacks that email systems alone might
not detect.
Blocking Malicious URLs
Some URLs and IP addresses should be blocked all the time. It is quite common for organizations to try to block all pornography sites, for example, by blacklisting their URLs. Similarly, entire groups of related IP addresses can be blocked, if you have no reason to ever accept IP addresses coming in from China, for example.
[9] BizCN gate actor update, SANS ISC InfoSec Forums, https://isc.sans.edu/forums/diary/BizCN+gate+actor+update/20209
Intelligent Response
Threat intelligence from third-party vendors, the email system or the SIEM system is a good starting place for automating your response processes. Email security systems should provide their own intelligence that feeds into the SIEM system as needed and should be especially focused on targets of high value to spearphishers. These systems should combine machine analytics with self-learning so that newfound threats, such as newly malicious URLs and malicious payloads, are categorized and included in future detection and response platforms. This intelligence should also be shared with the larger community through third-party intelligence providers, the email security system or industry groups such as Information Sharing and Analysis Centers (ISACs).

If email and web security can catch malicious downloads that antivirus isn’t catching, for example, then these layers should also integrate with anti-malware programs for better detection. Humans are needed to make decisions, but automated collection and analysis systems such as SIEM, as well as the sharing of intelligence, are crucial to pulling out the actionable events.
These automated systems cannot just be plugged in and left alone; they need to be
thoughtfully set up, monitored and adjusted as the network environment and the
threats change. The following email security checklist should help organizations
determine whether their email security is meeting the challenge of fighting today’s
advanced spearphishing threats.
The following checklist will help users think through the items that an advanced email
security system should include.
Email Security Checklist

Section 1: Current status

1.1 Rate of malicious mail still getting through (Check one.)
    • High (25% or more) (0 points)
    • Medium (10% to 24%) (1 point)
    • Low (5% to 9%) (2 points)
    • Lower (1% to 4%) (4 points)
    • Ideal (0%) (5 points)
    Points awarded: _____ (5 possible)

Section 2: Monitoring and blocking

2.1 Monitoring system and user behavior (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
    • Monitor user location
    • Monitor user identity
    • Monitor and assess user email behaviors
    • Deploy reports and tools to help educate users and raise awareness
    • Search based on time
    • Search based on user
    • Search based on IP address
    • Search based on domain name
    • Search based on file attachment
    • Search based on file hash
    • Search using regular expressions
    • Use automated alerts
    • Employ configurable parameters
    • Use common notification formats (SMTP, SNMP, SMS, syslog)
    • Automate actions (such as reject, quarantine and report) based on policy
    Points awarded: _____ (15 possible)

2.2 Monitoring system and user behavior (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
    • Maintain a large pool of shared sensors to classify sites
    • Sandbox and examine unknown URLs
    • Block known bad sites
    • Block unknown bad sites
    • Block malicious links on known good sites
    • Whitelist known approved sites
    • Whitelist domain names
    • Whitelist IP addresses
    • Blacklist known sites
    • Blacklist domain names
    • Blacklist IP addresses
    • Regularly update malicious URL database
    • Rewrite URLs to monitor click-throughs on a per-user basis
    • Log rewritten URLs and clicks to URLs
    • Utilize an intuitive interface for searching and reporting
    Points awarded: _____ (15 possible)

2.3 Blocking execution (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
    • Block known bad attachments
    • Block unknown bad attachments
    • Block malicious file transfers and installations
    • Support MD5 hash
    • Support SHA1 hash
    • Sandbox suspect files and examine them
    • Prevent malware from detecting the sandbox (run the sandbox process on bare metal)
    • Regularly update database of blocking rules
    • Share database updates with other blocking sensors
    • Log blocked, allowed and tested files and applications
    Points awarded: _____ (10 possible)

Section 3: Performance

3.1 Volume of unique URLs in scanning database (Check one.)
    • 100,000 (1 point)
    • 250,000 (2 points)
    • 500,000 (4 points)
    • 1 million (6 points)
    • 5 million (8 points)
    • 10 million or more (10 points)
    Points awarded: _____ (10 possible)

3.2 Accuracy
    • Number of false positives (per 1,000 alerts): _____ (Calculate by subtracting the number of false positives from 1,000, then dividing by 10. Maximum score is 10.)
    • Number of false negatives (per 1,000 alerts): _____ (Calculate by subtracting the number of false positives from 1,000, then dividing by 10. Maximum score is 10.)
    Points awarded: _____ (20 possible)

3.3 Speed of analyzing and correlating large numbers of URLs and attachments (Check one.)
    • Unacceptable time lag (0 points)
    • Acceptable time lag (2 points)
    • Imperceptible/near real time (5 points)
    Points awarded: _____ (5 possible)

3.4 Self-learning (Check one.)
    • Not able to learn or reuse newly discovered threat data (0 points)
    • Must manually input any new threat data we discover (2 points)
    • Able to automatically catalog newly detected threat data for future reference (5 points)
    Points awarded: _____ (5 possible)

3.5 Integration with SIEM, IDS/IPS or analytics (Check one.)
    • Not integrated; no other security technologies aligned with email security (0 points)
    • Partly integrated; email security, with some third-party SIEM vendor integration and/or detection system (2 points)
    • Well integrated; email security partnerships with multiple SIEM and detection system vendors (5 points)
    Points awarded: _____ (5 possible)

3.6 Usefulness of third-party intelligence (Check one.)
    • No intelligence integration (0 points)
    • Inadequate intelligence integration (1 point)
    • Limited use of intelligence (2 points)
    • Adequate use of intelligence (4 points)
    • Thorough, accurate and integrated use of intelligence (10 points)
    Points awarded: _____ (10 possible)

Scoring

Add up the points awarded in every section (100 possible) and read the assessment for the resulting grade.

100 points, Grade A+: The organization is as good as it can be; the only real danger is that it might become complacent and not adapt quickly enough to the next mutation in advanced threats.

92 – 99 points, Grade A: The organization proactively monitors and blocks email-based attacks and educates users about them. While the chance of an attack getting through can never be eliminated, the organization has reduced its attack surface and integrated with detection, response and intelligence through SIEM or similar technology. Companies with this score have an excellent chance of quickly detecting any attack that does succeed.

83 – 91 points, Grade B: The organization has room for improvement, but it has many of the necessary email security processes in place and is largely integrated with other detection and response capabilities.

74 – 82 points, Grade C: The organization faces a high probability of being successfully attacked through email systems and failing to detect the attack for a significant amount of time due to lack of integration and employee training.

65 – 73 points, Grade D: Many of the organization’s security systems and processes, not just its email systems, are in need of review, and immediate steps should be taken to strengthen them in every area.

64 points or less, Grade F: Insufficient attention is being paid to the prevention and detection of attacks through email. A thorough assessment of the security program is needed to put the organization on the path to better security.
Conclusion
Today’s email security systems must be on the alert for known and unknown phishing
targets, the lures attackers use and information about the links and payloads that emails
contain. To do so requires a combination of tools specifically designed for email and
for other network and security processes. Third-party intelligence feeds into the entire
system, providing a robust ecosystem that works to prevent most email-borne payloads
from getting through to the end user, keep those that do from spreading and provide
unified response capabilities in case the payload does get through.
Just as important is knowing which of your employees are seen as targets of value to
attackers and where those people could be leaking information that spearphishers can
leverage to create their convincing emails and associations. For example, many targeted
phishing attempts rely on knowledge gleaned from social media posts made by
employees. Employees also use their own devices to download company email, which
creates another attack surface that should be monitored.
Email, DLP, endpoint and network security need to work together to stop advanced
phishers from getting to sensitive data. Centralized systems for detection and response,
as well as knowledgeable personnel, are key to watching all of these things at once and
connecting the dots. Buyers of advanced threat protection tools need to think through
how those tools will integrate with one another and how well they handle reporting,
alerting and response even as new attack surfaces and phishing techniques advance.
About the Author

Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst for Windstream Communications, working out of the company’s Ephrata, Pennsylvania, location. Since 1984, he has consulted with companies and financial and educational institutions on issues of network design, security, forensic analysis and penetration testing. His experience spans networks of all sizes, from small home-office systems to global networks. Along with some vendor-specific certifications, Jerry holds six GIAC certifications—all completed with honors—and five with Gold certifications: GCIA, GCIH, GCFW, GSNA, GPEN and GCFA. He also holds the CISSP certification.

Sponsor

SANS would like to thank this paper’s sponsor: Proofpoint.