SlideShare a Scribd company logo

Spear Phishing

- Mark - Fullbright
- Mark - Fullbright

Spear phishing is a targeted form of phishing where adversaries conduct online research about individuals and organizations to craft personalized phishing emails. These emails often contain malicious attachments or links that install malware when opened. Spear phishing has a high success rate because targets are more likely to open emails that appear personalized. Organizations can reduce spear phishing risks through security awareness training for employees and technical defenses like firewalls, software patching, and limiting administrative privileges.

Education
1 of 7
Download to read offline
SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation’s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business network. Reliance on email and the internet brings vulnerabilities which must be recognised and addressed appropriately. The IT security community has assessed that Spear Phishing is a remarkably effective cyber-attack technique and its use to gain access to business systems is unlikely to decline in the near future. This paper describes how Spear Phishing attacks work, the likelihood of being targeted and the steps an organisation can take to manage the business risks. Key points      Spear Phishing is a targeted form of email deception. Most targeted attacks against an organisation begin with a Spear Phishing email. Spear Phishing has a high success rate and its use as a means of attack looks set to continue. Successful attacks can result in exploitation or compromise of individual devices and organisational networks. This can have significant implications for an organisation. The risk from Spear Phishing can be reduced through good educational awareness and effective technical controls. Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation or favour by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential, and including but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using the information contained in this document or its references. You should make your own judgment as regards use of this document and seek independent professional advice on your particular circumstances. Page 1 of 7
Introduction Phishing is a form of email deception used by a range of adversaries in an attempt to obtain sensitive information or cause disruption to an organisation’s business operations. Spear Phishing is a more targeted version of phishing where an adversary conducts online reconnaissance against an individual or organisation in order to construct an email which appears to be of significant interest to those targeted. The email is designed to persuade the target individual to open a file attachment or click on a website link. In doing so, malicious software (or malware) is executed, designed to exploit and compromise the individual’s IT device. Spear Phishing email attacks are persistent and often have a high success rate as they are able to bypass traditional security defences and exploit vulnerable software. Reconnaissance An adversary will use information sources (free and subscription-based) to build background knowledge of a target individual or organisation. This information found online is called Open Source Intelligence (OSINT) and the process of collecting it is known as Reconnaissance. Organisations share information across the internet via their public website or social media sites. This information may be published by themselves or by their business partners. An adversary will aim to acquire as much information about a target as possible, as the more information they have available, the greater the chance the Spear Phishing email will be seen as a legitimate communication. Research conducted as part of CPNI OSINT studies included investigation into online information relating to a number of participating companies. This highlighted the information an adversary would look to obtain when conducting a Spear Phishing attack; this information includes staff contact details, organisation charts, job descriptions and technical information such as IP addresses, project names and software versions in use within an organisation. To construct a successful Spear Phishing attack, an adversary requires a target email address. Using search engines, an adversary will look for online profiles which contain contact details of a target individual. If an email address is not within the contact information, an adversary may attempt to guess the address, by trying a common format such as firstname.surname@companyx.com. Adversaries will often send Spear Phishing emails to a range of plausible email addresses to determine a valid address. CPNI has published guidance, entitled Online Reconnaissance – How your internet profile can be used against you which describes this scenario in further detail.1 1 See CPNI guidance on Online Reconnaissance www.cpni.gov.uk/advice/cyber/online-reconnaissance Page 2 of 7
Construction and delivery of Spear Phishing emails After conducting online reconnaissance an adversary now has enough information to create a Spear Phishing email. The email will include all information discovered through the reconnaissance phase and contain an attachment or website link which is of interest to the target. The adversary will then attempt to alter the email to make it appear as if the message was sent from a trusted contact of the target individual. An email which appears to be from a trusted contact increases the likelihood of a successful compromise. Attachments contained within Spear Phishing emails will appear as a common file type such as .rtf or .pdf. The name will be of interest to the target, e.g.’ pay award.PDF’ When the attachment is opened embedded malicious software is executed designed to compromise the target’s IT device. Figure 1 - Top spear-phishing email attachment file types (Trend Micro 2012) Links within Spear Phishing emails will direct a target individual to a website which, when accessed, will execute malicious software. A common method for an adversary to disguise a compromised website is to compress the address, so it is displayed in a shortened format such as http://tinyurl.com/companyx. Websites which are compromised appear authentic by having the same design and structure as legitimate websites. It is possible that a legitimate website could also be compromised further increasing the chance of a successful attack. When malicious software is successfully accessed via an attachment or website link, it will seek to exploit vulnerabilities in a target operating system or web browser. Figure 2 describes the stages in a Spear Phishing attack and how the adversary will look to exploit an organisation’s network. Page 3 of 7
Stages involved in a Spear Phishing attack CPNI uses the Cyber Kill chain developed by Lockheed Martin2 as a representation of the stages involved in an effective cyber-attack. For a Spear Phishing attack to be successful, the following stages are present:  Reconnaissance: In the reconnaissance phase an adversary browses websites, downloads PDFs, and learns about the internal structure of a target organisation.  Weaponization: In this phase the adversary places malicious code into a delivery vehicle such as an attachment or website.  Delivery: The delivery phase involves the transfer of malicious content to the target in some form. In the case of Spear Phishing this is via email. Figure 2 - Spear Phishing stages 2 www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-DrivenDefense.pdf Page 4 of 7
Business impact Successful Spear Phishing attacks can have significant implications for organisations. The more serious implications of becoming the target of a cyber-attack are listed below: Theft of sensitive information: An adversary may steal commercially useful information such as trade secrets, merger and acquisition plans, engineering designs, software codes or details of research programmes. This could result in the loss of competitive advantage and have significant financial consequences. Sabotage: Once on a network, an adversary may seek to delete or alter data with the aim of disrupting business operations. Depending on the access level gained, they could make changes to company data, log files, configuration settings, and user passwords or alter code for applications running on the network. Secondary use of compromised machines: An adversary can use a compromised machine to conduct attacks against other individuals or networks. This may involve sending Spear Phishing emails to contacts from a compromised user account. This can cause reputational damage to the initial victim organisation, as its customers and suppliers will initially attribute these communications to the sending organisation. Incident response and recovery costs: Investigating and recovering from a compromise can be expensive and time-consuming. The cost will depend on how long the network has been compromised and the steps needed to prevent the risk of an adversary simply being able to reestablish a presence on the network. Page 5 of 7
How to defend against Spear Phishing attacks In order to successfully reduce the risks posed by Spear Phishing attacks, organisations should seek to achieve a good balance of educational awareness and effective technical controls. CPNI endorses the Critical Security Controls3 as an effective way to protect against Spear Phishing and other cyberattacks. This section presents the most relevant Critical Security Controls for defending against Spear Phishing Security awareness training: An important measure in defending against Spear Phishing attacks is ensuring a high level of security awareness amongst staff. Employees should be educated about the changing nature of Spear Phishing attacks. An adversary will look to exploit an employee’s lack of security awareness. There are some questions an employee can ask when receiving an email with a suspicious link or attachment.  Who is the sender? Can the employee verify it has definitely come from them and is it someone from whom they would expect to receive emails on this subject?  Is the style of writing consistent with the sender? Does anything appear unusual about the tone, spelling or urgency of the email?  Is the request out of the ordinary (e.g. to open a file the user wasn’t expecting)?  Have other colleagues received a similar email? These questions can begin to help employees identify Spear Phishing emails. When training staff, it is important to make them aware of company policies regarding communications and security. Organisations can look to design their own training package to educate their staff on the threat posed from Spear Phishing using commercially available tools. In the training package, if a user does click on a link or open an attachment in a test email, they will be taken through to a training area that helps them gain a better understanding, making them less susceptible to attacks in the future. A number of anti-phishing tools are also available to alert users to phishing content contained within websites and emails. These tools offer an advanced level of protection above traditional IT security defences. Boundary defence: Malicious code generated from Phishing emails will exploit systems which can reach across the internet. To control the flow of traffic through network borders, organisations should use multi-layered boundary defences such as firewalls, proxies, demilitarised (DMZ) perimeter networks, and networkbased IPS and IDS. It is also critical to filter both inbound and outbound traffic to look for any anomalies that may suggest malicious activity. 3 Critical Security Controls www.cpni.gov.uk/advice/cyber/Critical-controls/ Page 6 of 7
Controlled use of administrative privileges: Organisations should aim to minimise administrative privileges and only use administrative accounts where required. If a privileged user opens a malicious attachment or accesses a website with embedded malicious content, malware will be deployed to their IT system with the adversary assuming administrative privileges. With elevated rights, an adversary can install malware and establish a foothold within the network faster than with standard user access rights. Continuous vulnerability assessment and remediation: Most Spear Phishing emails aim to exploit known vulnerabilities in software. It is therefore vital to ensure that all systems and software are up to date with the latest patches4. Patches should be applied to software that is most likely to be targeted by an adversary. It is important that all types of infrastructure are patched, including laptops, mobile devices, desktops, servers, switches and routers. This way, even if a compromised attachment or link is opened, the malware will not be executed. For further information on any of the topics discussed in this paper visit www.cpni.gov.uk 4 A patch is a small piece of software that is used to correct a problem with a software program or an operating system. Page 7 of 7

Recommended

Spear Phishing 101
Spear Phishing 101Spear Phishing 101
Spear Phishing 101
Sendio
 
Spear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishnaSpear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishna
Raghunath G
 
Fire eye spearphishing
Fire eye spearphishingFire eye spearphishing
Fire eye spearphishing
Zeno Idzerda
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N G
bensonoo
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
Preeti Papneja
 
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Analyzing Social and Stylometric Features to Identify Spear phishing EmailsAnalyzing Social and Stylometric Features to Identify Spear phishing Emails
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Cybersecurity Education and Research Centre
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
ControlScan, Inc.
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on Phishing
Creative Technology
 

Recommended

Spear Phishing 101
Spear Phishing 101Spear Phishing 101
Spear Phishing 101
Sendio
 
Spear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishnaSpear phishing attacks-by-hari_krishna
Spear phishing attacks-by-hari_krishna
Raghunath G
 
Fire eye spearphishing
Fire eye spearphishingFire eye spearphishing
Fire eye spearphishing
Zeno Idzerda
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N G
bensonoo
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
Preeti Papneja
 
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Analyzing Social and Stylometric Features to Identify Spear phishing EmailsAnalyzing Social and Stylometric Features to Identify Spear phishing Emails
Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Cybersecurity Education and Research Centre
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
ControlScan, Inc.
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on Phishing
Creative Technology
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
shindept123
 
Phishing and hacking
Phishing and hackingPhishing and hacking
Phishing and hacking
Md. Mehadi Hassan Bappy
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
shindept123
 
Phishing
PhishingPhishing
Phishing
North Carolina State University
 
What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?
Quick Heal Technologies Ltd.
 
Phishing
PhishingPhishing
Phishing
SaurabhKantSahu1
 
Phishing & Pharming
Phishing & PharmingPhishing & Pharming
Phishing & Pharming
Devendra Yadav
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
Jorge Sebastiao
 
Anti phishing
Anti phishingAnti phishing
Anti phishing
Shethwala Ridhvesh
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
SysCloud
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threat
sourav newatia
 
What is a phishing attack
What is a phishing attackWhat is a phishing attack
What is a phishing attack
AariyaRathi
 
Phishing - A modern web attack
Phishing - A modern web attackPhishing - A modern web attack
Phishing - A modern web attack
Karthik
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
Sanjay Kumar
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
AniketPandit18
 
Phishing
PhishingPhishing
Phishing
Sagar Rai
 
Phishing
PhishingPhishing
Phishing
Jayaseelan Vejayon
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
Pankaj Yadav
 
Phishing
PhishingPhishing
Phishing
Archit Mohanty
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposed
tamfin
 
IRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing TechniquesIRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing Techniques
IRJET Journal
 
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
IRJET Journal
 

More Related Content

What's hot

Phishing exposed
Phishing exposedPhishing exposed
Phishing exposed
tamfin
 

What's hot (20)

Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Phishing and hacking
Phishing and hackingPhishing and hacking
Phishing and hacking
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Phishing
PhishingPhishing
Phishing
 
What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?
 
Phishing
PhishingPhishing
Phishing
 
Phishing & Pharming
Phishing & PharmingPhishing & Pharming
Phishing & Pharming
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Anti phishing
Anti phishingAnti phishing
Anti phishing
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threat
 
What is a phishing attack
What is a phishing attackWhat is a phishing attack
What is a phishing attack
 
Phishing - A modern web attack
Phishing - A modern web attackPhishing - A modern web attack
Phishing - A modern web attack
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 
Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
 
Phishing
PhishingPhishing
Phishing
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposed
 

Similar to Spear Phishing

E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detection
ijtsrd
 
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
IJECEIAES
 
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
IJNSA Journal
 

Similar to Spear Phishing (20)

IRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing TechniquesIRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing Techniques
 
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
Research Paper on Spreading Awareness About Phishing Attack Is Effective In R...
 
CERT STRATEGY TO DEAL WITH PHISHING ATTACKS
CERT STRATEGY TO DEAL WITH PHISHING ATTACKSCERT STRATEGY TO DEAL WITH PHISHING ATTACKS
CERT STRATEGY TO DEAL WITH PHISHING ATTACKS
 
phishing-infographic
phishing-infographicphishing-infographic
phishing-infographic
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing Tools
 
E Mail Phishing Prevention and Detection
E Mail Phishing Prevention and DetectionE Mail Phishing Prevention and Detection
E Mail Phishing Prevention and Detection
 
Cyber security.docx
Cyber security.docxCyber security.docx
Cyber security.docx
 
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usenProtecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
Protecting Corporete Credentials Against Threats 4 48159 wgw03071_usen
 
PHISHING PROTECTION
PHISHING PROTECTION PHISHING PROTECTION
PHISHING PROTECTION
 
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A...
 
Cybercrime - An essential guide from Thawte
Cybercrime - An essential guide from ThawteCybercrime - An essential guide from Thawte
Cybercrime - An essential guide from Thawte
 
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enough
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Edu 03 assingment
Edu 03 assingmentEdu 03 assingment
Edu 03 assingment
 
Amir bouker
Amir bouker Amir bouker
Amir bouker
 
Email threat detection and mitigation
Email threat detection and mitigationEmail threat detection and mitigation
Email threat detection and mitigation
 
A LITERATURE REVIEW ON PHISHING EMAIL DETECTION USING DATA MINING
A LITERATURE REVIEW ON PHISHING EMAIL DETECTION USING DATA MININGA LITERATURE REVIEW ON PHISHING EMAIL DETECTION USING DATA MINING
A LITERATURE REVIEW ON PHISHING EMAIL DETECTION USING DATA MINING
 
Software Frauds or Ethical Issues.ppt
Software Frauds or Ethical Issues.pptSoftware Frauds or Ethical Issues.ppt
Software Frauds or Ethical Issues.ppt
 

More from - Mark - Fullbright

CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019
- Mark - Fullbright
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report
- Mark - Fullbright
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018
- Mark - Fullbright
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft
- Mark - Fullbright
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017
- Mark - Fullbright
 

More from - Mark - Fullbright (20)

ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
 
IC3 2019 Internet Crime Report
IC3 2019 Internet Crime ReportIC3 2019 Internet Crime Report
IC3 2019 Internet Crime Report
 
Police, Protesters, Press, 2020
Police, Protesters, Press, 2020Police, Protesters, Press, 2020
Police, Protesters, Press, 2020
 
2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)2020 Data Breach Investigations Report (DBIR)
2020 Data Breach Investigations Report (DBIR)
 
FCPA Guidance 2020
FCPA Guidance 2020FCPA Guidance 2020
FCPA Guidance 2020
 
Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019Consumer Sentinel Network Data Book 2019
Consumer Sentinel Network Data Book 2019
 
CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019CFPB Consumer Reporting Companies 2019
CFPB Consumer Reporting Companies 2019
 
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
Advisory to Financial Institutions on Illicit Financial Schemes and Methods R...
 
2018 IC3 Report
2018 IC3 Report2018 IC3 Report
2018 IC3 Report
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
2018 Privacy & Data Security Report
2018 Privacy & Data Security Report2018 Privacy & Data Security Report
2018 Privacy & Data Security Report
 
Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018 Consumer Sentinel Network Data Book 2018
Consumer Sentinel Network Data Book 2018
 
Credit Score Explainer
Credit Score ExplainerCredit Score Explainer
Credit Score Explainer
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft
 
Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017Consumer Sentinel Data Book 2017
Consumer Sentinel Data Book 2017
 
Protecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for BusinessProtecting Personal Information: A Guide for Business
Protecting Personal Information: A Guide for Business
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
2017 Data Breach Investigations Report
2017 Data Breach Investigations Report2017 Data Breach Investigations Report
2017 Data Breach Investigations Report
 
Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016Consumer Sentinel Network Data Book for January 2016 - December 2016
Consumer Sentinel Network Data Book for January 2016 - December 2016
 
Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015Consumer Sentinel Data Book 2015
Consumer Sentinel Data Book 2015
 

Recently uploaded

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Recently uploaded (20)

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 

Spear Phishing

  • 1. SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation’s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business network. Reliance on email and the internet brings vulnerabilities which must be recognised and addressed appropriately. The IT security community has assessed that Spear Phishing is a remarkably effective cyber-attack technique and its use to gain access to business systems is unlikely to decline in the near future. This paper describes how Spear Phishing attacks work, the likelihood of being targeted and the steps an organisation can take to manage the business risks. Key points      Spear Phishing is a targeted form of email deception. Most targeted attacks against an organisation begin with a Spear Phishing email. Spear Phishing has a high success rate and its use as a means of attack looks set to continue. Successful attacks can result in exploitation or compromise of individual devices and organisational networks. This can have significant implications for an organisation. The risk from Spear Phishing can be reduced through good educational awareness and effective technical controls. Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation or favour by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential, and including but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using the information contained in this document or its references. You should make your own judgment as regards use of this document and seek independent professional advice on your particular circumstances. Page 1 of 7
  • 2. Introduction Phishing is a form of email deception used by a range of adversaries in an attempt to obtain sensitive information or cause disruption to an organisation’s business operations. Spear Phishing is a more targeted version of phishing where an adversary conducts online reconnaissance against an individual or organisation in order to construct an email which appears to be of significant interest to those targeted. The email is designed to persuade the target individual to open a file attachment or click on a website link. In doing so, malicious software (or malware) is executed, designed to exploit and compromise the individual’s IT device. Spear Phishing email attacks are persistent and often have a high success rate as they are able to bypass traditional security defences and exploit vulnerable software. Reconnaissance An adversary will use information sources (free and subscription-based) to build background knowledge of a target individual or organisation. This information found online is called Open Source Intelligence (OSINT) and the process of collecting it is known as Reconnaissance. Organisations share information across the internet via their public website or social media sites. This information may be published by themselves or by their business partners. An adversary will aim to acquire as much information about a target as possible, as the more information they have available, the greater the chance the Spear Phishing email will be seen as a legitimate communication. Research conducted as part of CPNI OSINT studies included investigation into online information relating to a number of participating companies. This highlighted the information an adversary would look to obtain when conducting a Spear Phishing attack; this information includes staff contact details, organisation charts, job descriptions and technical information such as IP addresses, project names and software versions in use within an organisation. To construct a successful Spear Phishing attack, an adversary requires a target email address. Using search engines, an adversary will look for online profiles which contain contact details of a target individual. If an email address is not within the contact information, an adversary may attempt to guess the address, by trying a common format such as firstname.surname@companyx.com. Adversaries will often send Spear Phishing emails to a range of plausible email addresses to determine a valid address. CPNI has published guidance, entitled Online Reconnaissance – How your internet profile can be used against you which describes this scenario in further detail.1 1 See CPNI guidance on Online Reconnaissance www.cpni.gov.uk/advice/cyber/online-reconnaissance Page 2 of 7
  • 3. Construction and delivery of Spear Phishing emails After conducting online reconnaissance an adversary now has enough information to create a Spear Phishing email. The email will include all information discovered through the reconnaissance phase and contain an attachment or website link which is of interest to the target. The adversary will then attempt to alter the email to make it appear as if the message was sent from a trusted contact of the target individual. An email which appears to be from a trusted contact increases the likelihood of a successful compromise. Attachments contained within Spear Phishing emails will appear as a common file type such as .rtf or .pdf. The name will be of interest to the target, e.g.’ pay award.PDF’ When the attachment is opened embedded malicious software is executed designed to compromise the target’s IT device. Figure 1 - Top spear-phishing email attachment file types (Trend Micro 2012) Links within Spear Phishing emails will direct a target individual to a website which, when accessed, will execute malicious software. A common method for an adversary to disguise a compromised website is to compress the address, so it is displayed in a shortened format such as http://tinyurl.com/companyx. Websites which are compromised appear authentic by having the same design and structure as legitimate websites. It is possible that a legitimate website could also be compromised further increasing the chance of a successful attack. When malicious software is successfully accessed via an attachment or website link, it will seek to exploit vulnerabilities in a target operating system or web browser. Figure 2 describes the stages in a Spear Phishing attack and how the adversary will look to exploit an organisation’s network. Page 3 of 7
  • 4. Stages involved in a Spear Phishing attack CPNI uses the Cyber Kill chain developed by Lockheed Martin2 as a representation of the stages involved in an effective cyber-attack. For a Spear Phishing attack to be successful, the following stages are present:  Reconnaissance: In the reconnaissance phase an adversary browses websites, downloads PDFs, and learns about the internal structure of a target organisation.  Weaponization: In this phase the adversary places malicious code into a delivery vehicle such as an attachment or website.  Delivery: The delivery phase involves the transfer of malicious content to the target in some form. In the case of Spear Phishing this is via email. Figure 2 - Spear Phishing stages 2 www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-DrivenDefense.pdf Page 4 of 7
  • 5. Business impact Successful Spear Phishing attacks can have significant implications for organisations. The more serious implications of becoming the target of a cyber-attack are listed below: Theft of sensitive information: An adversary may steal commercially useful information such as trade secrets, merger and acquisition plans, engineering designs, software codes or details of research programmes. This could result in the loss of competitive advantage and have significant financial consequences. Sabotage: Once on a network, an adversary may seek to delete or alter data with the aim of disrupting business operations. Depending on the access level gained, they could make changes to company data, log files, configuration settings, and user passwords or alter code for applications running on the network. Secondary use of compromised machines: An adversary can use a compromised machine to conduct attacks against other individuals or networks. This may involve sending Spear Phishing emails to contacts from a compromised user account. This can cause reputational damage to the initial victim organisation, as its customers and suppliers will initially attribute these communications to the sending organisation. Incident response and recovery costs: Investigating and recovering from a compromise can be expensive and time-consuming. The cost will depend on how long the network has been compromised and the steps needed to prevent the risk of an adversary simply being able to reestablish a presence on the network. Page 5 of 7
  • 6. How to defend against Spear Phishing attacks In order to successfully reduce the risks posed by Spear Phishing attacks, organisations should seek to achieve a good balance of educational awareness and effective technical controls. CPNI endorses the Critical Security Controls3 as an effective way to protect against Spear Phishing and other cyberattacks. This section presents the most relevant Critical Security Controls for defending against Spear Phishing Security awareness training: An important measure in defending against Spear Phishing attacks is ensuring a high level of security awareness amongst staff. Employees should be educated about the changing nature of Spear Phishing attacks. An adversary will look to exploit an employee’s lack of security awareness. There are some questions an employee can ask when receiving an email with a suspicious link or attachment.  Who is the sender? Can the employee verify it has definitely come from them and is it someone from whom they would expect to receive emails on this subject?  Is the style of writing consistent with the sender? Does anything appear unusual about the tone, spelling or urgency of the email?  Is the request out of the ordinary (e.g. to open a file the user wasn’t expecting)?  Have other colleagues received a similar email? These questions can begin to help employees identify Spear Phishing emails. When training staff, it is important to make them aware of company policies regarding communications and security. Organisations can look to design their own training package to educate their staff on the threat posed from Spear Phishing using commercially available tools. In the training package, if a user does click on a link or open an attachment in a test email, they will be taken through to a training area that helps them gain a better understanding, making them less susceptible to attacks in the future. A number of anti-phishing tools are also available to alert users to phishing content contained within websites and emails. These tools offer an advanced level of protection above traditional IT security defences. Boundary defence: Malicious code generated from Phishing emails will exploit systems which can reach across the internet. To control the flow of traffic through network borders, organisations should use multi-layered boundary defences such as firewalls, proxies, demilitarised (DMZ) perimeter networks, and networkbased IPS and IDS. It is also critical to filter both inbound and outbound traffic to look for any anomalies that may suggest malicious activity. 3 Critical Security Controls www.cpni.gov.uk/advice/cyber/Critical-controls/ Page 6 of 7
  • 7. Controlled use of administrative privileges: Organisations should aim to minimise administrative privileges and only use administrative accounts where required. If a privileged user opens a malicious attachment or accesses a website with embedded malicious content, malware will be deployed to their IT system with the adversary assuming administrative privileges. With elevated rights, an adversary can install malware and establish a foothold within the network faster than with standard user access rights. Continuous vulnerability assessment and remediation: Most Spear Phishing emails aim to exploit known vulnerabilities in software. It is therefore vital to ensure that all systems and software are up to date with the latest patches4. Patches should be applied to software that is most likely to be targeted by an adversary. It is important that all types of infrastructure are patched, including laptops, mobile devices, desktops, servers, switches and routers. This way, even if a compromised attachment or link is opened, the malware will not be executed. For further information on any of the topics discussed in this paper visit www.cpni.gov.uk 4 A patch is a small piece of software that is used to correct a problem with a software program or an operating system. Page 7 of 7