This webinar illustrates step by step how hackers create personalized spear phishing attacks. Learn how hackers identify and research targets, how they compromise email accounts from which to send their attacks, and how they apply social engineering techniques to pressure recipients.
Watch the on-demand webinar: https://register.gotowebinar.com/register/3069259620284477709
The Anatomy of a Spear Phishing Attack
How Hackers Build Targeted Attacks
Editor's Notes
To detect spear phishing, Vade Secure for Office 365 first pulls your organization's entity model through the Microsoft API to establish the legitimate users within your company. The solution's unsupervised anomaly detection capabilities then compare the message sender against that model to identify impersonation attempts, such as display-name (visible alias) spoofing or cousin domains. In addition, Vade uses Natural Language Processing to analyze the content of the email for malicious intent and a sense of urgency. Based on this combination of suspicious sender and content, we calculate the probability of the message being spear phishing; if it is above a certain threshold, we display a fully customizable warning banner in the message to alert the user.
While you can configure the solution to move or delete spear phishing emails, the default action is displaying the banner. That's because the risk of false positives is much higher in this context. You could conceivably receive an email from your CEO's personal address asking you to complete an urgent task. The decision cannot be Boolean, because the line between a legitimate message and a fraudulent one is so fine. That's why, for scenarios where we cannot be 100% sure, we involve the users by warning them that the message is highly suspicious.
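The pipeline described in the notes above (entity model, sender comparison for display-name spoofing and cousin domains, urgency analysis, a combined probability and a banner threshold) can be sketched in a few lines. This is an added illustration, not Vade Secure's code: the entity model, addresses, keyword list (standing in for the NLP step) and weights are all constructed.

```python
from email.utils import parseaddr

# Constructed entity model: the legitimate users the solution would pull from
# the directory. Names, addresses and all weights below are illustrative.
ORG_DOMAIN = "example.com"
ENTITY_MODEL = {"Jane Doe": "jane.doe@example.com", "Sam Lee": "sam.lee@example.com"}
# Keyword list standing in for the NLP "sense of urgency" analysis.
URGENCY_TERMS = ("urgent", "immediately", "asap", "wire", "before end of day")

def levenshtein(a, b):
    """Edit distance, used to spot cousin domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_score(from_header):
    """Compare the From: header against the entity model for impersonation."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    score, reasons = 0.0, []
    # Known display name, but the address is not the one on record.
    if name in ENTITY_MODEL and ENTITY_MODEL[name] != addr:
        score += 0.6
        reasons.append("display-name spoofing")
    # External domain within two edits of ours: a cousin domain.
    if domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        score += 0.5
        reasons.append(f"cousin domain {domain}")
    return score, reasons

def content_score(body):
    """Crude urgency check; capped so content alone cannot trigger the banner."""
    hits = [t for t in URGENCY_TERMS if t in body.lower()]
    return min(0.4, 0.15 * len(hits)), hits

def classify(from_header, body, threshold=0.5):
    """Combine sender and content evidence; banner the message, do not drop it."""
    s, sender_reasons = sender_score(from_header)
    c, urgency_hits = content_score(body)
    probability = min(1.0, s + c)
    action = "banner" if probability >= threshold else "deliver"
    return {"probability": round(probability, 2), "action": action,
            "reasons": sender_reasons + [f"urgency: {h}" for h in urgency_hits]}

if __name__ == "__main__":
    print(classify("Jane Doe <jane.doe@gmail.com>",
                   "This is urgent, please wire the deposit before end of day."))
```

The "CEO's personal address" case from the notes lands in the banner bucket rather than being deleted, which is the point of not making the decision Boolean.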
How do you detect those attacks, especially when a legitimate account gets compromised?
>>Compromised accounts: cannot rely on source-based. SP: cannot rely on fingerprinting. Need behavioral analysis based on the way the email has been built, its purpose, and the activity of the account. To be transparent, the most complicated form of attack.
How do you balance between "internal spear phishing" detection and false positive in that regard?
>>Risk of FP is much higher in this context. Cannot be Boolean. Need to involve the users and warn them that it's highly suspicious. Answer: in-message banner when we can't be 100% sure. Warn users and admins.
Are multi-phased attacks carried out in environments other than O365?
>>Yes. Not something new. But the trend is increasing for the reasons we presented earlier, with O365 becoming the main provider. One target and easier process than SP.
Do you see malware being used in multi-phased attacks?
>>2017 was the year of malware, but in 2018 we saw a steep decline in malware-based attacks. Shift to phishing and SP. Easier to send phishing or SP through an insider attack than malware. With malware, you still have desktop AV.