How to Protect against the Threat of Spearphishing Attacks

Academic year: 2021


Author – Randy Abrams

Overview

NSS Labs’ researchers have identified spearphishing as the most common targeted method sophisticated attackers use to compromise high-value targets. Where classic phishing takes a net-casting approach in its use of email — not unlike a low-end spam campaign — spearphishing uses social engineering techniques to create a more targeted invitation to click on a link or an attachment contained in a message. A recipient who follows the link may be invited to provide a user name and password or other personal information, or malware may be silently installed on the target’s computer.

Phishing and spearphishing attacks both begin with an email and rely on end-user cooperation — obtained via social engineering — to advance the attack. The protections used to repel untargeted phishing attacks will repel the overwhelming majority of spearphishing attacks.

The most effective defenses are user education and training that help end users avoid behaviors that enable successful phishing attacks. Technologies like antivirus tools and endpoint protection platforms (EPPs) have shown only mixed results in defending against exploits, and it is clear that a reliance on purely technological solutions is likely to be ineffective.

NSS Labs Findings

• Spearphishing has become the most common mode of targeted attack used by sophisticated attackers against high-value targets.

• User education is an essential component of spearphishing defensive strategies.

• The use of simulated phishing attacks is a useful tool to educate end users about appropriate security behaviors, measure the effectiveness of that education and identify knowledge gaps.

• Up-to-date web browsers and operating systems (OSs) represent a critical layer in defenses against spearphishing attacks, especially those that leverage exploit payloads. Recent NSS Labs tests have revealed that anti-phishing protections in later versions of browsers have improved detection of phishing attacks. However, these protections are not a significant obstacle for a determined spearphisher.

• Reputation systems can decrease exposure to a wide range of phishing attacks. File reputation systems in particular make exploit-driven spearphishing attacks significantly more difficult for the attacker.

• Multifactor authentication systems can help to mitigate damages when spearphishing attacks succeed.

NSS Labs Recommendations

• Educate users with an emphasis on behavioral practices that prevent successful phishing. Use simulated spearphishing attacks to educate end users about appropriate security behaviors and measure the success of the organization’s education efforts.

• Make education a continuing habit in the workplace.

• Raise awareness amongst employees of spearphishing attacks in the news to help maintain vigilance.

• Ensure that the most current versions of web browsers are deployed.

• Leverage patch management tools where possible.

• Consider deploying endpoint protection tools.

• Consider deploying digital rights management (DRM) and/or data loss prevention (DLP) technologies to prevent sensitive data from leaking as a result of credential theft.

• Use Authenticated SMTP to prevent an attacker from spoofing the email of internal users.

• Employ network access controls (NAC) to limit the amount of data to which a successful attacker will gain access.

• Deploy multifactor authentication for employees with access to highly sensitive data (which in some cases will be all employees).

• Disable unused or unneeded software (for example, disable Java when it is not required) and consider alternative PDF viewers.

• Employ whitelisting and blacklisting solutions for web access where possible.

Table of Contents

Overview
NSS Labs Findings
NSS Labs Recommendations
Analysis
The Deadliest Catch – We’re All Seafood
Phishing and Spearphishing – The Crucial Difference
The Best Defenses — Prevention and Education
Behavioral Issues in Defending against Spearphishing
Technological Issues in Defending against Spearphishing Attacks
Glossary
Reading List
Contact Information

Analysis

The Deadliest Catch – We’re All Seafood

Spearphishing began to come into its own as far back as 2005. The timing is likely due in part to two significant events. Findings by the United States Military Academy that 80% of West Point cadets fell for spearphishing attacks were widely publicized in 2004. The Anti-Phishing Working Group included spearphishing in its agenda for the first time in 2004 as well. Spearphishing attacks are often the beachhead of a targeted persistent attack (TPA), a type of attack that NSS Labs has identified as the most serious threat to enterprises today. Spearphishing is also heavily implicated in the less common, but widely hyped and misidentified advanced persistent threat (APT) attack.

A number of successful spearphishing attacks hit the headlines in the last year:

• In March 2011, an RSA employee succumbed to a spearphishing attack that exploited an Adobe Flash vulnerability and ultimately cost over 66 million dollars in replacement SecurID tokens alone. Data stolen in this attack was also subsequently used to launch attacks against other major corporations, such as Lockheed Martin.

• Also in March 2011, mass email marketing company Epsilon, the victim of a TPA that lasted for months, was finally breached as the result of a spearphishing attack that included a link to a malicious website that installed malware on internal systems. Epsilon sends marketing emails on behalf of several Fortune 500 enterprises, and the breach compromised millions of email addresses belonging to customers of those companies. The email addresses were then used for commercial gain in spam runs, phishing, and spearphishing attacks.

• Over 400 Web domains hosted by GoDaddy were compromised in September 2011. Reportedly, the various domain logon credentials were stolen in spearphishing attacks directed at domain owners and admins who appear in registry listings.

• May 2012 saw the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) publish a warning concerning spearphishing attacks aimed at the natural gas pipeline industry. The advisory included information that the spearphishing attacks appeared to come from trusted internal sources.

• In June 2012, an unsuccessful spearphishing attack against industrial consulting firm Digital Bond revealed additional attacks against the Japan Network Information Center, the Hong Kong University of Science and Technology, various US defense contractors, and several others. Again, the email Digital Bond received appeared to come from an employee.

• More recently in July 2012, 8 million email addresses were leaked from Gamigo, including email addresses from IBM, Allianz, Siemens, Deutsche Bank, and ExxonMobil. Massive data leaks from a variety of companies have resulted in both credential- and exploit-based spearphishing attacks.

Phishing and Spearphishing – The Crucial Difference

Classic phishing attacks do not focus on the identity of a specific target. Instead, they try to acquire as much data as they can from as many users as they can. The attacker’s goal is to acquire credential information that can be used to turn a profit, or to install malware that can capture credentials and other information. Credentials for online gaming accounts, for example, allow an attacker to sell virtual items for real cash, while access to email and social networking accounts enables attackers to engage in a variety of profitable activities, ranging from spamming, to blackmail, to impersonation attacks.

Spearphishing attacks, by contrast, target specific companies, high-profile organizations, and high value individuals. As a result, they can be far more damaging, even devastating. The attacker prepares by collecting, aggregating and correlating information about the target organization and the people associated with it. The information that is publicly available on LinkedIn, Facebook, Google+ and Twitter profiles not only enables the attacker to identify an individual’s contact information, but also offers a considerable amount of information about his or her role and responsibilities. The attacker can build extensive personal and professional profiles, including the targets’ likes and dislikes, social and professional contacts, preferred hangouts and daily routines. By correlating the data from several targets, the attacker can even build a map of the organization’s structure.

Spearphishing attacks follow two distinct methodologies:

• The standard method is to deceive the target into providing credentials, such as network login information or database, email or social networking passwords. These types of attacks can be defended by educating end users and by deploying standard security products.

• The second, more dangerous, method is to deceive users into opening documents, applications or Web pages that exploit vulnerabilities in order to plant malware – data stealers or backdoors – on the user’s endpoint, from where it can spread throughout the network. These attacks are much more difficult to protect against. Unlike the emails used in standard phishing attacks, the emails offer little more than the title of a document or application to suggest that something is wrong. An attachment containing malware may arrive from a legitimate source that has been hacked. A legitimate website may have been compromised and its usual content replaced with content designed to deliver a Trojan.

The Best Defenses — Prevention and Education

The most effective defense against all manner of phishing attacks — both standard phishing and spearphishing — is prevention. Technical solutions typically are limited in effectiveness when dealing with social problems. The most effective defense against social engineering attacks is education, and most people learn best by doing. This makes the simulated phishing attack one of the most effective methods of education. When an end user falls victim to phishing — even a fake one — the attack stops being a hypothetical concern and becomes a teachable moment. Moreover, a simulated attack measures the effectiveness of an organization’s efforts in security education, and identifies those end users who need additional instruction.

Simulated phishing attacks can be extremely valuable tools for education and prevention, but only if some essential guidelines are followed:

• Never collect confidential data. Passwords, social security numbers and other personally identifiable information that an end user may have given away in a simulated attack are not necessary to confirm that the end user has engaged in risky behavior. Moreover, any such data that is collected becomes a liability, because the organization has an obligation to ensure the safety of the data, and the collection of some personal data in this way may in fact be illegal.

• Never embarrass the user who falls victim to the simulated attack. The objective of this exercise is not to shame end users, but to instill confidence and a sense of accomplishment as they learn that they can improve their security practices both on the job and in their personal lives. A better approach than shaming users who fall victim to the simulated attack is to praise those who don’t, and patiently explain the mistakes or missed clues that contribute to failure.

• Make it personal. As much as is economically feasible, personalize the attack emails. Users need to understand how convincing and believable a targeted phishing attack really is.

Behavioral Issues in Defending against Spearphishing

The first aspect of user education is to teach users how to identify phishing attacks. This can include identifying bad URLs, grammatical and typographical errors (“typos”) in emails, improper requests for information, and other giveaways. In a spearphishing attack, for example, something as innocuous-looking as an atypical salutation or signature may be the only identifying irregularity.

A more important educational approach – one that is used far too rarely – involves the teaching of correct behavior. It is the user’s response to a phishing email that determines whether the phishing attack succeeds or fails. There are two simple rules that can be taught that will cause virtually every credential-oriented phishing attack, targeted or not, to fail:

• Never accept a request for a password via electronic communication (including email messages and telephone calls). There is no such thing as a legitimate request for a password in an email or a telephone call that has not been initiated by the end user. For this reason, it is crucial that internal IT departments do not unwittingly encourage the exact behavior they are trying to prevent. IT personnel should, for example, always attempt to resolve problems without requiring the end user to provide their password. If it becomes necessary for IT support personnel to obtain a password, the best practice is to have the user change the password before providing it, and then change it as soon as tech support no longer needs it. In some cases, the IT person may need to ask for a password over the phone in response to a support request from a user. If this happens, the support person must explain to the user that he or she should never divulge a password to anyone unless it was the user who initiated the call. In all cases, the user should be reminded to change the password when the support call is complete.

• Never log on to a website via a link in an email (or a text message received on a mobile device). Most social networking services work hard to encourage their users to engage in precisely the types of behaviors that will result in successful phishing attacks. And well-constructed spearphishing attacks are extremely difficult for even highly skilled security professionals to detect. For this reason, opening links directly from emails and text messages must be avoided. For example, a user who receives a notice from LinkedIn should be instructed to open a web browser separately, navigate to the LinkedIn site and log in. If the email is legitimate, the contact request or other information will be in the LinkedIn email/notification system.

When end users learn to follow these two simple rules – not to give up credentials in response to emails or in response to links sent through electronic communications – virtually all credential-based attacks will be foiled, whether they are identified as malicious or not.

Technological Issues in Defending against Spearphishing Attacks

Behavioral issues are the most important components of successful defenses against phishing – and spearphishing – but there are some technological issues that also need to be addressed.

Web browsers: The need to use current versions of web browsers is – or should be – self-evident. Unfortunately, even today many organizations are unable to move away from Microsoft Internet Explorer (IE) 6, because they are still using business-critical legacy applications that are compatible only with the older browser. Analysis of the 2009 Operation Aurora attack showed that even Google and other major enterprises were still using IE 6, even though it was already long-obsolete. The companies using the obsolete browser not only lacked modern phishing protection, but also hosted vulnerable software that facilitated the dropping of backdoors on their networks. Ultimately the Operation Aurora attackers used spearphishing attacks to exploit vulnerabilities in the obsolete browser and unpatched applications.

There was a time when Windows-based computers were the only ones that appeared to require endpoint security. In part, this was due to poorly implemented security in the Microsoft OS, as well as malware writers’ lack of interest and skill in attacking other OSs. However, Microsoft has dramatically improved the Windows security model, and as a result, the most common attacks are now against platform-independent third-party applications such as Java, Flash and Adobe Acrobat and Reader. It is important to note that credential-based attacks have never been platform-dependent, so the OS is not a factor in whether or not a user falls victim to a phishing attack.

Additional layers of protection, such as EPPs, may be deployed to help defend against some exploit-based attacks. However, NSS Labs testing has shown that most EPP software is not effective enough to be relied upon completely in defending against exploit-based threats such as web-hosted drive-by attacks.

Access controls: A broad range of network access control (NAC) strategies, ranging from user permissions to air gaps between networks containing critical data, can protect against phishing attacks. The appropriate strategy for any organization depends on variables such as the type and value of data being protected and the size and geographical diversity of the organization itself.

• DRM and DLP are complementary technologies that combine to limit access to data. DLP tends to focus on restricting access and detecting when sensitive data is leaving secured locations. DLP controls can prevent a successful attacker from accessing sensitive data to which the victim of the attack did not need access, as well as detect attempts to transfer sensitive data. DRM is designed to keep data encrypted when it is not being accessed on approved devices with proper credentials. Encrypting data at rest on the network can render it useless once it has left the network illegitimately.

• Multifactor authentication can add a significant obstacle to all kinds of phishing attacks. In effect, DRM is often an implementation of two-factor authentication combined with encryption. Using a second authentication mechanism for access to critical databases, financial accounts and data with legally protected status can significantly strengthen an organization’s defenses.

• Authenticated SMTP and digital signatures can be used to make it far more difficult for an attacker to impersonate other employees in the organization. Digitally signed emails can add another level of trust. However, it is a considerable investment in education to teach employees how to verify a digital certificate.

Unused or unneeded software. Any software installed on an end user’s computer – even security software – is a potential attack vector. Java, for example, has risen to the top of the “exploited software” list, a fact verified by NSS Labs’ own research. Many organizations install Java but do not actually use it for any business functions. Eliminating this and other unused software decreases the attack surface and reduces the burden of patch management.

Although vulnerabilities in Microsoft Office products are still occasionally encountered, the PDF, once considered the safe alternative to Word, has been the more exploited format and the choice of attackers in recent years. Disabling JavaScript in Adobe Reader and Adobe Acrobat, using a different PDF renderer, and disabling thumbnail previews in Windows can all help organizations avoid common exploit-driven phishing attacks.

Blacklisting and whitelisting. File-based whitelisting is one of the most powerful defenses against exploit-driven attacks, but it can also be one of the most expensive options in terms of increased management and reduced flexibility. For equipment accessing highly sensitive data, application whitelisting should be considered. Deployment can be organization-wide or limited to critical systems. Traditional antimalware software is essentially a blacklisting solution that is affordable, but far less secure than whitelisting. For Internet access, whitelisting and blacklisting solutions can be useful complements to traditional security products. A variety of companies offer web filtering solutions that augment the protections offered by modern browsers. In specific situations, whitelisting websites can prove to be both manageable and cost-effective.

Integrated email spam filters (blacklisting) can significantly reduce the number of successful attacks. In the famous RSA breach, the spearphishing emails had actually been deposited into the spam folders. Had this not been the case, the compromise could have been far worse. It did not, of course, prevent one employee from retrieving the malicious email from the spam folder – once again the focus is on user education.

Reputational tools that block websites not meeting defined trust levels can add a level of security without the extreme limitations of a pure whitelisting model.
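The Authenticated SMTP recommendation above can also be checked at the mail filter: a message whose From address claims an internal user should have been submitted with SMTP AUTH or have arrived from one of the organization's own relays. The following is an added example, not part of the NSS Labs brief, that flags mail failing that test. The domain `corp.example`, the relay range, the function names and the sample messages are assumptions made up for illustration, and it assumes the receiving MTA records the RFC 3848 `with` keywords in its Received header.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions for this example (not from the brief): the organisation's mail
# domain and the address range of its own internal relays.
INTERNAL_DOMAINS = {"corp.example"}
TRUSTED_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]

# RFC 3848 "with" keywords a receiving MTA records when SMTP AUTH succeeded.
AUTHENTICATED = {"ESMTPA", "ESMTPSA"}

_COMMENT = re.compile(r"\([^()]*\)")
_CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def _domain(value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def _first_hop(msg):
    """Return (client_ip, protocol) from the topmost Received header.

    That header is written by the organisation's own MTA, so it is the one
    hop the sender could not forge.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None, None
    hop = " ".join(str(hops[0]).split())  # unfold continuation lines
    ip = None
    found = _CLIENT_IP.search(hop)
    if found:
        try:
            ip = ipaddress.ip_address(found.group(1))
        except ValueError:
            ip = None
    # Strip (comments) such as "(using TLSv1.3 with cipher ...)" so the
    # protocol keyword is not confused with the word "with" inside them.
    bare = hop
    while _COMMENT.search(bare):
        bare = _COMMENT.sub(" ", bare)
    proto = _WITH.search(bare)
    return ip, (proto.group(1).upper() if proto else None)


def triage(raw_message):
    """List reasons a message claiming an internal sender looks impersonated."""
    msg = email.message_from_string(raw_message)
    if _domain(msg["From"]) not in INTERNAL_DOMAINS:
        return []  # does not claim to come from an internal user
    findings = []
    ip, proto = _first_hop(msg)
    via_own_relay = ip is not None and any(ip in net for net in TRUSTED_RELAYS)
    if proto not in AUTHENTICATED and not via_own_relay:
        findings.append("internal From without SMTP AUTH")
    reply_to = _domain(msg["Reply-To"])
    if reply_to and reply_to not in INTERNAL_DOMAINS:
        findings.append("Reply-To leaves the organisation")
    return findings


# Constructed sample messages (documentation-range addresses, made-up names).
AUTHENTICATED_MAIL = (
    "Received: from laptop42 (unknown [198.51.100.7])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)\n"
    "\tby mx.corp.example with ESMTPSA id 4F1A2B\n"
    "From: Alice <alice@corp.example>\nTo: bob@corp.example\n"
    "Subject: Q3 budget\n\nDraft attached.\n"
)
SPOOFED_MAIL = (
    "Received: from mail.sender.example (mail.sender.example [203.0.113.9])\n"
    "\tby mx.corp.example with ESMTP id 9C3D4E\n"
    "From: Alice <alice@corp.example>\nReply-To: alice@webmail.example\n"
    "To: bob@corp.example\nSubject: Q3 budget\n\nPlease review the link.\n"
)

if __name__ == "__main__":
    for name, raw in [("authenticated", AUTHENTICATED_MAIL), ("spoofed", SPOOFED_MAIL)]:
        print(name, triage(raw))
```

A finding is a reason to quarantine or tag the message for review rather than proof of an attack, since mailing lists and forwarding services can also re-send mail with an internal From address.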

Glossary

Phishing: The use of electronic communications – usually email – to trick computer users into giving up information they would not otherwise divulge

Spearphishing: Phishing attacks in which the attackers focus on specific targets – individuals or organizations – and use exploits to compromise the target without being detected

Whaling: Spearphishing attacks that target high-level decision-makers – for example, corporate officers or senior executives – of major organizations

Reading List

The Targeted Persistent Attack (TPA) — When the Thing That Goes Bump in the Night Really Is the Bogeyman

http://www.nsslabs.com/blog/2012/08/the-targeted-persistent-attack.html

© 2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.

2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
[email protected]
www.nsslabs.com

This analyst brief was produced as part of NSS Labs’ independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.
