The CISO's Guide to Spear Phishing Defense

WHITE PAPER
A strategic framework to protect against spear phishing
Advanced Attackers Exploit People
Spear phishing is the preferred attack method for advanced threat actors. Well-crafted spear phishing
attacks easily slip past layers of defenses and target the only vulnerability that cannot be patched: people.
The vast majority of headline data breaches in recent years have begun with spear phishing attacks. If
your organization has intellectual property, customer data, or critical systems that are valuable, your
employees are being targeted with spear phishing emails.
91 percent of targeted attacks use spear phishing [1].
Employees are not just being targeted, they’re also being exploited at an alarming rate. Spear phishing
emails are exceedingly effective. On average, employees open links or attachments in one out of every
five spear phishing emails. This means that a well-crafted spear phishing campaign targeting at least five
employees will almost always result in a compromised user.
If defending against spear phishing attacks is not already top priority for your security team, it should be.
This paper establishes a framework for implementing and managing an effective program for spear
phishing defense. After reviewing this white paper, security leaders will understand:
- Why many organizations fail to stop spear phishing attacks
- The essential components of a mature spear phishing defense capability
- How to align defenses to counter targeted attacks
- How to evaluate program performance with meaningful Key Performance Indicators (KPIs)
[1] Spear-Phishing Email: Most Favored APT Attack Bait, Trend Micro
+1.877.227.0790
[email protected]
Page 2
Copyright 2015 PhishLabs. All Rights Reserved.
The Status Quo Approach to Defending Against Spear Phishing
Spear phishing is not a new security problem. So why is spear phishing still one of the most effective
cyber-attack methods? To answer that question, consider the defenses that are often in place to protect
against spear phishing attacks:
Email and Web Filtering
Nearly every organization has technology in place to scrub spam and other high-volume email threats out
of incoming email traffic. Solutions range from basic filtering from email service providers to anti-spam
modules in network security appliances to dedicated email and web security gateways. Using signatures
and varying degrees of heuristic analysis, these security tools are efficient at blocking spam and other
widespread, high-volume malicious content delivered via email.
Payload Analysis (Advanced Malware Protection)
Many organizations have placed payload analysis appliances in their networks to detect malicious code
delivered via spear phishing emails. These systems operate in-line and use specialized sandboxing
environments to execute attachments and links in order to detect malicious behavior. Content that
exhibits suspicious behavior can be alerted on, quarantined, or blocked. These tools are effective at
spotting customized malware, with the notable exception of malware equipped with anti-sandboxing
techniques.
Phishing Awareness Training
Inevitably, some spear phishing emails will make it through perimeter cyber defenses and land in the
inboxes of employees. To get the recipient to open a malicious link or attachment, the email must be
enticing enough to overcome the recipient’s wariness. Awareness training increases the wariness of your
employee population and can increase behaviors that make them less susceptible to phishing attacks,
such as not opening unexpected attachments and confirming authenticity for urgent requests. Phishing
awareness training is essential to reducing incidents. However, no amount of security awareness training
can eliminate human error.
Security Information and Event Management (SIEM)
Spear phishing is used to gain an initial foothold within a targeted organization. From the initial
compromised system (patient zero), advanced adversaries attempt to expand their presence and move
laterally through the network in pursuit of their objective. Using SIEM tools, security analysts can monitor
massive volumes of event and log data from network security devices, servers, and hosts. Filtering and
correlation rules process this "haystack" of data to spot threats that have penetrated the perimeter.
Network Traffic Analysis
Advanced threat actors will often utilize customized tradecraft that easily evades signature-based
detection. Instead of using signatures, network traffic analysis tools attempt to detect advanced attacks
by establishing a baseline of traffic patterns within a network environment and highlighting deviations
from the norm.
Network and Host Forensics
Maintaining presence while evading detection is a hallmark of advanced threats. Network and host
forensics tools perform deep inspection in search of indicators of compromise (IoCs) that are too subtle
or buried too deeply in systems to be detected in real-time at scale. These tools most often come into
play long after a data breach to determine the full scope of compromise and support remediation.
We Need a Better Way to Stop Phishing
Billions of dollars have been invested in these tools and in the processes that surround them. Yet it still
takes 205 days on average for a data breach to be discovered from the time the organization is initially
compromised. It is reasonable to assume that attackers have long since achieved their objectives by the
time most compromises are found. These attacks, which in most cases start with spear phishing, go
unrecognized until it is far too late.
Data source: Mandiant M-Trends 2012-2013
In fact, most organizations first learn of a data breach not from their security tools and their processes,
but from a third party. Sixty-nine percent of data breaches are discovered by entities outside of the
breached organization [2], such as the FBI and the major payment card brands.
Clearly, the current approach to stopping spear phishing is not working. But it’s not due to a lack of
technology or tools. Organizations are investing more in security today than ever before. The problem is
two-fold.
First, defensive layers that help protect against spear phishing attacks operate and are managed in silos.
Information and intelligence is not flowing between them, which limits their effectiveness at recognizing
and stopping the advanced attacks that traverse them. These layers need to be managed as a cohesive
system. Instead, they are managed as point solutions. No one is managing them as a system, so
exploitable gaps go unnoticed until after a major incident.
Second, the human expertise needed to effectively combat spear phishing attacks is often overlooked or
underestimated. Automated defenses can efficiently handle activity that is clearly "black or white". But
advanced spear phishing attacks exploit the "gray" areas between known bad and known good. Human
expertise, analysis, and decision-making is essential to counter these attacks.
To overcome this challenge, security leaders need a strategic management framework that aligns
defenses and security resources for the purpose of stopping phishing attacks.
[2] Verizon DBIR 2015
The Defensive Framework for Spear Phishing
To help security leaders strategically manage their defensive posture, we have created a framework that
spans relevant security layers from the start of an attack to its resolution. When applied, this framework
helps organizations:
- Align security layers from end to end,
- Assess which security layers are working and which are not,
- Focus on performance metrics that matter,
- Drive resource allocation and investment in the areas that yield the highest risk reduction,
- Reduce the frequency of security incidents and prevent major data breaches.
The framework consists of four critical phases supported by robust intelligence flows:
- Prevent: minimize the risk of attack payload delivery
- Detect: see the attacks that evade prevention
- Analyze: understand tradecraft and threat context
- Mitigate: stop the attack and remove the threat
Intelligence flows run across all four phases.
Phase 1: Prevent
The objective of the Prevent phase is to minimize the risk of an attack payload being delivered to the
targeted user’s inbox and being executed.
Recommended Defenses
Security measures applied in this phase include those designed to block email and web-based attacks inline. Email and web content filtering tools as well as payload analysis systems (e.g. advanced malware
protection and network sandboxing tools) that operate in near real-time can prevent payload delivery via
spear phishing. Security awareness training that focuses on spear phishing reduces user propensity to
click URLs or attachments. When an advanced attack succeeds in evading preventative security tools,
effective security awareness training reduces the risk of the delivered payloads being executed by users.
Sample Key Performance Indicators
To manage the Prevent phase and assess effectiveness, consider the following key performance
indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing
is a viable option.
Percentage of phishing emails delivered
How many phishing emails are being blocked compared to the number that reach user inboxes? This
indicates how effective your content filtering and payload analysis tools are at automatically stopping
attacks in-line.
False positive and negative rates
How many legitimate emails are being blocked? How many phishing emails are going unblocked? This
indicates how accurately your email security tools identify and block attacks. Generally, decreases in false
positive and false negative rates are an indication of improvement. Growing rates would indicate that
current tools need to be better tuned or additional controls should be considered.
Phishing email click rate
How many phishing emails are being clicked or opened? What is the click rate? This indicates how well
your phishing awareness training program reduces your employees’ propensity to fall victim to phishing
emails. No amount of awareness training will completely eliminate users clicking on phishing emails.
Each organization will have a floor for this KPI that indicates peak performance. An effective phishing
awareness training program will consistently reduce the percentage of phishing emails clicked until the
organization’s floor is reached.
Phase 2: Detect
While desirable, blocking all threats in the Prevent phase is not achievable. Inevitably, a portion of
email-based attacks will exhibit characteristics too similar to legitimate business activity to block or
quarantine them prior to delivery into user inboxes. The objective of the Detect phase is to see these
attacks that reach user inboxes and recognize them as a potential threat.
Recommended Defenses
Several security measures that support the Prevent phase also can be applied to the Detect phase.
Payload analysis tools, for example, can provide alerting for potential threats where the confidence in the
activity being truly malicious is not high enough to warrant blocking the email. More mature phishing
awareness training programs that drive employees to report suspicious emails and provide streamlined
avenues for them to do so also support the detection of spear phishing emails.
After a user’s end point has been compromised via spear phishing, Security Information and Event
Management (SIEM) and Network Traffic Analysis tools can be used to spot suspicious events and trigger
investigation into potential threats. Many other network security layers can also provide detection value
after the initial compromise as the adversary moves laterally within the network in pursuit of their
objective. Detection via these tools is often dependent on the adversary taking actions that exceed
thresholds of normal behavior within networks or that are easily recognizable indications of a
compromise (such as connection attempts to known command and control servers).
Sample Key Performance Indicators
To manage the Detect phase and assess effectiveness, consider the following key performance indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing
is a viable option.
Percentage of phishing emails reported
How many phishing emails are being reported as a percentage of the total that are reaching user inboxes?
This indicator shows how effective your phishing awareness training program is at driving employees to
report phishing emails they receive. The higher the percentage, the stronger your network of human
"sensors."
Time-to-detect compromises
What is the duration of time between when an email-delivered payload is executed and when the
compromise is discovered? This is an indication of your capability to quickly recognize attacks. Reducing
this duration can significantly improve your chances of stopping a breach in progress and limiting the
damage.
False positive and false negative rates
How many benign emails are being flagged as malicious? How many phishing emails land in user inboxes
and go undetected or unreported? This indicates how well your tools and training programs are tuned to
email-based threats targeting the organization. The lower the rates of false positives and false negatives,
the higher the likelihood of detecting spear phishing threats before they lead to major security incidents.
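As an added example that is not part of the original white paper, the following Python computes the Prevent-phase KPIs (percentage of phishing emails delivered, false positive and false negative rates, click rate) and the Detect-phase KPIs (percentage reported, false positive and false negative rates, time-to-detect) from per-message records. The EmailEvent schema, the sample campaign data, and the decision to measure time-to-detect from payload execution to discovery of the compromise are assumptions made for this example; the paper does not define them.

```python
"""Prevent and Detect phase KPIs from per-message records (added example).

The EmailEvent schema and the SAMPLE campaign are constructed for illustration;
real records would come from the mail gateway, sandbox, report button and
endpoint alerts, or from a simulated phishing exercise.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable, Optional


@dataclass(frozen=True)
class EmailEvent:
    msg_id: str
    is_phish: bool                           # ground truth: simulation or analyst verdict
    blocked: bool                            # stopped in-line before reaching the inbox
    clicked: bool = False                    # user opened the link or attachment
    reported: bool = False                   # user reported it through the report channel
    flagged: bool = False                    # post-delivery tooling raised an alert
    executed_at: Optional[datetime] = None   # payload executed (compromise begins)
    detected_at: Optional[datetime] = None   # compromise discovered


def pct(num: int, den: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * num / den, 1) if den else 0.0


def prevent_kpis(events: Iterable[EmailEvent]) -> dict:
    """KPIs for in-line controls and awareness training (Prevent phase)."""
    events = list(events)
    phish = [e for e in events if e.is_phish]
    benign = [e for e in events if not e.is_phish]
    delivered = [e for e in phish if not e.blocked]
    return {
        "pct_phish_delivered": pct(len(delivered), len(phish)),
        # benign mail wrongly blocked by filters or sandboxing
        "false_positive_rate": pct(sum(e.blocked for e in benign), len(benign)),
        # phishing mail that in-line controls let through; equals the delivery rate by construction
        "false_negative_rate": pct(len(delivered), len(phish)),
        # click rate is measured over the phish that actually reached an inbox
        "click_rate": pct(sum(e.clicked for e in delivered), len(delivered)),
    }


def detect_kpis(events: Iterable[EmailEvent]) -> dict:
    """KPIs for user reporting and post-delivery detection (Detect phase)."""
    delivered = [e for e in events if not e.blocked]
    phish = [e for e in delivered if e.is_phish]
    benign = [e for e in delivered if not e.is_phish]
    undetected = [e for e in phish if not (e.reported or e.flagged)]
    # hours from payload execution to discovery, for compromises that were found
    ttd_hours = [(e.detected_at - e.executed_at).total_seconds() / 3600
                 for e in phish if e.executed_at and e.detected_at]
    return {
        "pct_phish_reported": pct(sum(e.reported for e in phish), len(phish)),
        # benign mail reported by users or flagged by tooling: analyst time spent on noise
        "false_positive_rate": pct(sum(e.reported or e.flagged for e in benign), len(benign)),
        # phish that reached an inbox and was neither reported nor flagged
        "false_negative_rate": pct(len(undetected), len(phish)),
        "median_time_to_detect_hours": round(median(ttd_hours), 1) if ttd_hours else None,
    }


T0 = datetime(2015, 6, 1, 9, 0)
SAMPLE = [
    # ten phishing emails from one simulated campaign (constructed data)
    EmailEvent("P1", True, blocked=True),
    EmailEvent("P2", True, blocked=True),
    EmailEvent("P3", True, blocked=True),
    EmailEvent("P4", True, blocked=False, reported=True),
    EmailEvent("P5", True, blocked=False, reported=True),
    EmailEvent("P6", True, blocked=False, clicked=True, flagged=True,
               executed_at=T0, detected_at=T0 + timedelta(hours=6)),
    EmailEvent("P7", True, blocked=False, clicked=True, reported=True,
               executed_at=T0, detected_at=T0 + timedelta(hours=2)),
    EmailEvent("P8", True, blocked=False, flagged=True),
    EmailEvent("P9", True, blocked=False),
    EmailEvent("P10", True, blocked=False, clicked=True),   # clicked and never noticed
    # ten legitimate emails over the same window (constructed data)
    *[EmailEvent(f"B{i}", False, blocked=False) for i in range(1, 9)],
    EmailEvent("B9", False, blocked=False, reported=True),  # a cautious user reported real mail
    EmailEvent("B10", False, blocked=True),                 # legitimate mail wrongly blocked
]

if __name__ == "__main__":
    print("Prevent:", prevent_kpis(SAMPLE))
    print("Detect: ", detect_kpis(SAMPLE))
```

Run on the sample, the Prevent KPIs show 70% of the campaign reaching inboxes and a 42.9% click rate, while the Detect KPIs show that only 42.9% of delivered phish were reported and 28.6% went entirely unnoticed; the same records also expose the cost of false positives (one benign message wrongly blocked, one reported as phishing), which is what tuning decisions are made from.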
Phase 3: Analyze
Once an attack is detected, it needs to be analyzed to determine the best mitigation strategy. The
objective of the Analyze phase is to quickly establish sufficient threat context to drive the appropriate next
action.
Detected attacks need to be triaged in near real-time to ensure that the threats that pose the most risk
are prioritized for analysis. That analysis then needs to extract indicators of compromise (IOCs) and
establish sufficient threat context rapidly to disrupt threats before critical systems and data are
compromised.
Recommended Defenses
Analysis of spear phishing attacks and the tradecraft delivered requires a combination of human
expertise, malware analysis tools, and threat intelligence systems. To rapidly triage spear phishing
attacks, threat analysts need to be available 24/7. Malware analysis tools are required to dissect
tradecraft delivered via phishing emails and extract indicators of compromise (IOCs) for attack mitigation.
Threat analysts should also have access to threat intelligence systems with larger data collections of
external attack events, campaigns, targets, and actors to establish more complete attack context and
provide adequate situational awareness.
Sample Key Performance Indicators
To manage the Analyze phase and assess effectiveness, consider the following key performance
indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing
is a viable option.
Time-to-assess
Once detected, how long does it take to triage attacks and prioritize threat analysis? This indicates how
quickly you identify the high-risk threats that require in-depth analysis prior to successful mitigation.
Organizations with a low time-to-assess are able to consistently mitigate threats earlier in the attack
process, which reduces the impact and cost of the security incidents.
Time-to-context
Once detected, how long does it take to develop sufficient threat context to effectively mitigate the
attack? This is a measure of how long it takes to extract IOCs and provide intelligence on relevant
techniques, tactics, and procedures (TTPs) to support complete mitigation of the threat. Lower time-to-context
enables faster mitigation by incident responders and reduces the impact of security incidents.
Completeness of context
Does the analysis consistently include all of the information needed to effectively mitigate the threat? The
analysis process should have a defined set of information requirements for attacks that warrant in-depth
analysis to ensure that threat analysts provide incident responders with the necessary information.
Deliverables from threat analysts should be compared to these information requirements to determine a
quality rating for completeness of context.
Phase 4: Mitigate
Armed with IOCs and context, appropriate steps should be taken to eradicate the threat. The objective of
the Mitigate phase is to disrupt the attack progress and completely remove the adversary’s presence
within the environment.
Further steps should also be taken to investigate and disrupt the adversary’s infrastructure outside of
your environment, such as command and control systems. This infrastructure is most often located on
legitimate systems that have been compromised by the adversary for use in attack campaigns. As such,
they can often be shut down to further impact attack capabilities. Also, the infrastructure can be
examined and monitored to source high value intelligence.
Recommended Defenses
In addition to intelligence from the Analyze phase, effective mitigation requires an incident response plan,
incident responders, and the application of appropriate forensics tools. Organizations should have an
incident response plan in place that has specific steps to address incidents that involve spear phishing,
such as immediately working to identify all users exposed to the email as part of the initial scoping of the
incident. Organizations should also ensure that they have adequate access to incident responders, either
on staff or under a retainer agreement with an incident response firm.
Intelligence from analyzing the tradecraft and associated threat context should be incorporated into
network and host forensics tools to find all IOCs present within the environment. Many experienced
incident responders prefer a "close all doors at once" tactic for removal instead of remediating systems as
they are found. With this tactic, responders wait until all instances of adversary presence are discovered,
and then remove all tradecraft and remediate all vulnerabilities in a single effort.
Sample Key Performance Indicators
To manage the Mitigate phase and assess effectiveness, consider the following key performance
indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing
is a viable option.
Note: Incident response is a mature security discipline with a wide range of KPIs recommended by standards
organizations such as NIST, ISO/IEC, and others. The suggestions below reflect those frequently used in
practice.
Time-to-containment
How long does it take to contain the threat and therefore prevent further compromise? A low
time-to-containment limits the cost and overall impact of a security incident.
Time-to-removal
How long does it take to remove all instances of an adversary’s presence in the environment? With
persistent adversaries, this can be difficult as they always seek to maintain a discreet foothold from which
they can resume their attack once conditions return to normal.
Cost per incident
What is the average cost to the organization of experiencing and responding to a security incident?
The cost of an incident is often a function of the scope, duration, and sophistication of the adversary. A
lower cost per incident indicates improvement in containing and removing threats. There are many
models available for assessing various hard and soft costs associated with a security incident. See CERT
for examples: https://www.cert.org/incident-management/csirt-development/resources-incidenthandling-cost-models.cfm.
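As an added example that is not part of the original white paper, the following Python derives the Analyze-phase KPIs (time-to-assess, time-to-context, completeness of context) and the Mitigate-phase KPIs (time-to-containment, time-to-removal, cost per incident) from incident timelines. The Incident schema, the CONTEXT_REQUIREMENTS list, the three sample incidents, and the decision to measure every duration from the detection timestamp are assumptions of this example, not definitions from the paper, which says each organization should define its own information requirements.

```python
"""Analyze and Mitigate phase KPIs from incident timelines (added example).

The Incident schema, CONTEXT_REQUIREMENTS and the SAMPLE incidents are constructed
for illustration. Every duration is measured from the detection timestamp, which is
an assumption of this example; the paper does not fix the start point.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import FrozenSet, Iterable, Optional

# Information an analyst deliverable must contain before handoff to responders.
# Constructed list: the paper says each organization should define its own set.
CONTEXT_REQUIREMENTS: FrozenSet[str] = frozenset({
    "sender_indicators",      # sending addresses, domains, infrastructure
    "payload_hashes",         # attachment and dropped-file hashes
    "c2_indicators",          # command and control hosts the tradecraft contacts
    "exposed_users",          # everyone who received the email, for scoping
    "ttps",                   # techniques observed, for detection tuning
    "campaign_attribution",   # link to known campaigns or actors from threat intel
})


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected_at: datetime
    triaged_at: Optional[datetime] = None         # risk prioritised, analysis assigned
    context_ready_at: Optional[datetime] = None   # analyst deliverable handed to responders
    contained_at: Optional[datetime] = None       # further compromise prevented
    removed_at: Optional[datetime] = None         # all adversary presence eradicated
    context_fields: FrozenSet[str] = frozenset()  # requirement keys the deliverable covered
    cost_usd: Optional[float] = None              # total hard and soft cost, once closed


def hours_between(start: datetime, end: Optional[datetime]) -> Optional[float]:
    """Elapsed hours to one decimal, or None while the milestone is still open."""
    return round((end - start).total_seconds() / 3600, 1) if end else None


def incident_kpis(inc: Incident) -> dict:
    """Per-incident Analyze and Mitigate KPIs."""
    missing = CONTEXT_REQUIREMENTS - inc.context_fields
    covered = len(CONTEXT_REQUIREMENTS) - len(missing)
    return {
        "time_to_assess_h": hours_between(inc.detected_at, inc.triaged_at),
        "time_to_context_h": hours_between(inc.detected_at, inc.context_ready_at),
        "context_completeness_pct": round(100.0 * covered / len(CONTEXT_REQUIREMENTS), 1),
        "missing_context": sorted(missing),   # tells the analyst what still has to be gathered
        "time_to_containment_h": hours_between(inc.detected_at, inc.contained_at),
        "time_to_removal_h": hours_between(inc.detected_at, inc.removed_at),
    }


def program_kpis(incidents: Iterable[Incident]) -> dict:
    """Program-level roll-up: medians of the per-incident KPIs, mean cost of closed incidents."""
    incidents = list(incidents)
    per_incident = [incident_kpis(i) for i in incidents]

    def med(key: str) -> Optional[float]:
        values = [p[key] for p in per_incident if p[key] is not None]
        return round(median(values), 1) if values else None

    closed_costs = [i.cost_usd for i in incidents if i.removed_at and i.cost_usd is not None]
    return {
        "median_time_to_assess_h": med("time_to_assess_h"),
        "median_time_to_context_h": med("time_to_context_h"),
        "median_context_completeness_pct": med("context_completeness_pct"),
        "median_time_to_containment_h": med("time_to_containment_h"),
        "median_time_to_removal_h": med("time_to_removal_h"),
        "mean_cost_per_closed_incident_usd": (round(sum(closed_costs) / len(closed_costs), 2)
                                             if closed_costs else None),
        "open_incidents": [i.incident_id for i in incidents if i.removed_at is None],
    }


SAMPLE = [  # three constructed incidents
    Incident("INC-1", datetime(2015, 6, 1, 9, 0),
             triaged_at=datetime(2015, 6, 1, 9, 30),
             context_ready_at=datetime(2015, 6, 1, 13, 0),
             contained_at=datetime(2015, 6, 1, 15, 0),
             removed_at=datetime(2015, 6, 3, 9, 0),
             context_fields=CONTEXT_REQUIREMENTS, cost_usd=12000.0),
    Incident("INC-2", datetime(2015, 6, 5, 14, 0),
             triaged_at=datetime(2015, 6, 5, 16, 0),
             context_ready_at=datetime(2015, 6, 6, 2, 0),
             contained_at=datetime(2015, 6, 6, 8, 0),
             removed_at=datetime(2015, 6, 9, 14, 0),
             context_fields=frozenset({"sender_indicators", "payload_hashes",
                                       "c2_indicators", "exposed_users"}),
             cost_usd=30000.0),
    Incident("INC-3", datetime(2015, 6, 10, 10, 0),   # still open: not yet contained
             triaged_at=datetime(2015, 6, 10, 10, 30),
             context_ready_at=datetime(2015, 6, 10, 14, 30),
             context_fields=CONTEXT_REQUIREMENTS - {"c2_indicators"}),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, incident_kpis(inc))
    print("program:", program_kpis(SAMPLE))
```

Open milestones are reported as None rather than as zero so that an incident still being worked does not drag the medians down, and the missing_context list turns the completeness rating into an actionable gap for the analyst rather than a bare percentage.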
Intelligence Flows
Key to making the above phases perform at a peak level is getting useful intelligence out of each phase
and feeding it across the entire system. This improves each phase, in turn making the whole more
effective at reducing the impact of spear phishing.
At a minimum, a linear flow is needed to support phase dependencies. For example, Analyze and Mitigate
phases require information from the Detect phase. Mature organizations go further though, using
intelligence from later phases to improve prevention and detection. As an example, information derived
from analyzing phishing emails that reach user inboxes can be applied to email filtering and other
preventative tools to block similar emails earlier in the attack process. This yields a much more efficient
overall system.
Conclusion and Next Steps
Despite billions of dollars invested in security, spear phishing attacks are still very difficult to stop.
Defenses operate in silos and are managed as point solutions, limiting their effectiveness at identifying
and stopping advanced spear phishing. Additionally, organizations underestimate the human expertise
required to quickly assess and counter the advanced attacks that circumvent automated defenses.
Security leaders can improve this situation by adopting and applying the framework described in this
paper. This framework helps leaders implement and manage a cohesive program that protects against
spear phishing attacks systematically, as opposed to a range of uncoordinated, independent defenses.
Using the framework, leaders can also identify resource gaps and make strategic plans to drive down
their risk over time.
As a starting point, security leaders should take the following steps:
1. Download a copy of the framework to use as a reference
2. Perform an inventory of defensive layers and KPIs
3. Use the framework to assess gaps
Related Resources
- Webcast: A New Approach to Fighting Spear Phishing
- Data Sheet: Spear Phishing Protection
- Spear Phishing Defense Framework Reference Card
About PhishLabs
PhishLabs is the leading provider of 24/7 cybersecurity services that protect against the exploitation of
people to compromise systems and steal data. PhishLabs combines proprietary technology, intelligence,
and human expertise to rapidly detect, analyze, and stop targeted cyberattacks before they impact
organizations. To learn more about PhishLabs, visit www.phishlabs.com.
PhishLabs Spear Phishing Protection is a 24/7/365 service that provides expert analysis and rapid
mitigation of targeted phishing attacks. With Spear Phishing Protection, organizations can ensure that
targeted attacks are countered before the compromise of intellectual property, critical systems, and other
information assets. To learn more about Spear Phishing Protection, visit
https://www.phishlabs.com/enterprise-security/spear-phishing-protection/.
Follow PhishLabs
@phishlabs
www.linkedin.com/company/phishlabs
google.com/+PhishlabsTeam
©2015 Copyright Ecrime Management Strategies, Inc. All rights reserved. PhishLabs and the PhishLabs logo are trademarks or registered
trademarks of Ecrime Management Strategies, Inc. in the United States and in other countries. All other trademarks referenced are the property of
their respective owners.