Persistent targeted attacks against governments, financial services,
manufacturing and critical infrastructure take on many forms. The
attackers have different backgrounds and motivations, and the tools they
use range from commodity malware to zero-day exploits.
One characteristic that’s consistent
throughout most of these campaigns against high profile organizations is
the initial means of infiltration—spear phishing.
Nine times out of 10, attackers walk into an organization right
through the front door of its mail server. They craft convincing email
messages that purport to come from a trusted source and that either trick
the victim into opening an infected attachment or lure the victim to a
website where credentials are stolen or malware is surreptitiously
installed on the visitor's machine. Either way, the first wave of the
targeted attack kicks off from a lowly email.
Even the most security conscious organizations in the world, such as RSA
Security, which was infiltrated nearly two years ago by hackers going
after the source code of its flagship SecurID authentication token, are
liable to fall victim to a spear phishing message. Why? Because spear
phishing works.
Spear phishing as a craft has improved enormously over what it was a
half-decade ago, when messages looked shady even to the untrained eye.
The grammar in the messages was bad, the spelling even worse. Sometimes
company logos were out of date, and the messages simply did not pass the
smell test. Now it is nearly impossible to tell phony messages from the
real thing. Humans trust email as a platform, and that is their first
downfall, experts say.
“Most organizational management and security teams understand what spear
phishing is. The problem is they do not know how, or do not have the
time and resources, to teach people what phishing is and how to detect
or defend against it,” said Lance Spitzner, a SANS Institute instructor
and founder of the Honeynet Project. “As such, they continue to be highly
vulnerable to spear phishing attacks.”
Spitzner is a big proponent of awareness training inside organizations,
training employees not only in what phishing attacks look like, but in
what to do if they are phished.
“Spear phishing works because people have not
been trained on how to detect such attacks. Even if they do fall victim,
if people can figure out after the fact they did something wrong and
then report it right away, this is still a win,” Spitzner said. “If you
teach people even the basics that email is an attack platform, and
simple steps to detect common attacks, you can still have a dramatic
impact.”
Enterprises, however, are losing that fight. A Trend Micro research paper
found that 91 percent of targeted attacks observed between February and
September of this year involved spear phishing. Attackers behind
nation-state sponsored APT-style attacks prefer spear phishing as a means
of reaching high-ranking executives or technology managers with
privileged access to high-value systems.
The majority of spear phishing messages (94 percent), meanwhile, carry
malicious attachments in common file types such as PDFs, Excel
spreadsheets or Word documents. Executable files are rarely sent as
email attachments, since most security systems will detect them; when
they are sent, they are usually compressed and delivered inside a
password-protected archive such as a .zip or .rar file.
“People normally share files (e.g., reports, business documents, and
resumes) in the corporate or government setting via email,” the Trend
Micro report said. “This may be due to the fact that downloading off the
Internet in such a setting is frowned upon. That is why a higher number
of spear-phishing emails with attachments are sent to targets in the
corporate or government sector.”
Government agencies and activist groups are the most targeted via spear
phishing, Trend Micro said. Members of these types of organizations most
often have some biographical information available online, either on
agency websites or on social media pages, which are treasure troves for
attackers mining organizational data to use in social engineering.
“In
a lot of cases, these emails are not true spear phishing. The attacker
may simply customize the ‘From’ address to match the victim organization
or include the company name in the subject line,” Spitzner said. “The
state of awareness is so poor that even basic spear phishing is
effective. Long story short, it does not take a lot of time.”
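The two tells described above, a From address dressed up to match the victim organization and a "document" attachment that is really an executable or a password-protected archive, are both checkable at the mail gateway or in a triage script. The following example is added here and is not code from the article, Trend Micro or SANS; it builds two constructed sample messages (not real captures), then checks the sender headers for a domain mismatch and missing SPF/DKIM result, and classifies each attachment by its leading bytes rather than its file name. The domain names and file names are placeholders.

```python
"""Triage a raw e-mail for two spear-phishing tells: a From header that does
not match the envelope sender / Reply-To, and attachments that are executables,
renamed executables, or password-protected archives. Added example; the sample
messages below are constructed, not real captures."""
import email
import struct
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Well-known file signatures; the mapping itself is this example's own.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx (OOXML is a ZIP)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe",                                   # Windows executable / DLL
}
EXPECTED = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
            "doc": "ole", "xls": "ole", "rar": "rar", "exe": "pe"}


def sniff(data: bytes) -> str:
    """Classify an attachment by its leading bytes, not by its file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flags in the first local file header
    (offset 6) marks a password-protected entry."""
    if not data.startswith(b"PK\x03\x04") or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 1)


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def header_indicators(msg: EmailMessage) -> list:
    findings = []
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} differs from From domain {from_dom}")
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Only trust this header when your own MX added it; a sender can forge it.
    auth = msg.get("Authentication-Results", "")
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("no passing SPF/DKIM result for the From domain")
    return findings


def attachment_indicators(msg: EmailMessage) -> list:
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = name.rpartition(".")[2].lower()
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        if ext in EXPECTED and EXPECTED[ext] != kind:
            findings.append(f"{name}: named .{ext} but content is {kind}")
        if kind == "pe":
            findings.append(f"{name}: Windows executable")
        if kind == "zip" and zip_is_encrypted(data):
            findings.append(f"{name}: password-protected archive")
    return findings


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"header": header_indicators(msg), "attachments": attachment_indicators(msg)}


def build_malicious_sample() -> bytes:
    """Constructed: From claims the victim's own domain, replies go elsewhere,
    and the 'report' is an encrypted ZIP plus an EXE renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "CFO <cfo@victim.example>"
    msg["To"] = "controller@victim.example"
    msg["Reply-To"] = "cfo.victim@webmail.example.org"
    msg["Return-Path"] = "<bounce@mail-relay.example.net>"
    msg["Subject"] = "Victim Inc Q3 report"
    msg.set_content("Please review the attached report before the call.")
    enc_zip = b"PK\x03\x04" + struct.pack("<HH", 20, 1) + b"\x00" * 22  # header only, flag bit 0 set
    msg.add_attachment(enc_zip, maintype="application", subtype="zip", filename="Q3_report.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed: consistent sender, passing auth result, a real PDF header."""
    msg = EmailMessage()
    msg["From"] = "CFO <cfo@victim.example>"
    msg["To"] = "controller@victim.example"
    msg["Return-Path"] = "<cfo@victim.example>"
    msg["Authentication-Results"] = "mx.victim.example; spf=pass; dkim=pass"
    msg["Subject"] = "Q3 report"
    msg.set_content("Attached.")
    msg.add_attachment(b"%PDF-1.4\n%placeholder\n", maintype="application", subtype="pdf", filename="Q3_report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("malicious", build_malicious_sample()), ("benign", build_benign_sample())):
        print(label, triage(raw))
```

The magic-byte check is what catches the renamed executable that an extension filter misses, and the flag-bit check catches the password-protected archive that a content scanner cannot open. Neither check replaces SPF, DKIM and DMARC enforcement at the gateway; the Authentication-Results test here only has value when that header was stamped by your own MX.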
Before a spear phishing campaign, attackers invest time in
reconnaissance. They scour social media sites, or buy stolen information
on underground markets, to profile an organization and work out exactly
whom to target with a phishing message: the person with access to the
systems or files of most interest to a particular mission.
Once the message lands, the victim's machine is often infected with a
remote access Trojan (RAT) that gives the attacker a persistent backdoor
into the network. The RAT communicates with the attacker and sends back
system information, legitimate credentials and more, allowing the
intruder to pivot from system to system until they land on the
information they are after.
“Our findings highlight how spear
phishing aids APT attacks because of the vast amount of information
available at the touch of our fingertips,” Trend Micro said.
“Organizations should strive to improve their existing defenses and take
into careful consideration what types of and how much information they
make available online.”
Spear phishing is a different animal from a generic spam campaign
pushing illicit pharmaceuticals, for example, and Spitzner said the best
defense is continuous training inside an organization.
“We patch computers at least once a month, so too should you teach
people in your awareness program. Far too many organizations take a
compliance approach and teach people only once a year,” Spitzner said.
“Active internal phishing assessments also work well. You do not need to
spend a lot of money on these.”
A recent private summit sponsored by RSA Security also pointed to the
effectiveness of people-focused breach prevention programs.
“Many of the preventative security measures discussed at the Summit
focused on people, not systems,” RSA said in a report on the summit.
“Delegates generally observed a trend toward treating internal employees
as ‘a less trusted space.’”
Source: Threatpost