Spear phishing is a variation on phishing in which hackers send emails to targeted people of interest. Spear phishing attempts are always crafted to originate from trusted sources and are designed to help the perpetrator to obtain a foothold in a specific target environment to steal trade secrets or other classified information.
Spear phishing is a more targeted version of phishing attacks that combines tactics such as victim segmentation, email personalization, sender impersonation, and other techniques to bypass email filters and trick targets into clicking a link or opening an attachment. Email is the most common vector for spear phishing in which an e-mail appears to come from an organization that is closer to the target, e.g. a particular company, a regulatory authority, a job board, recruitment agency, accountant firm, etc.
It is always aimed at creating a false feeling of safety and trust to lead the target to opening the malicious email. One of the common methods to do this is to either precede or succeed the malicious email by another email. To understand this, let’s take an example of a Marketing Manager who has received an email with an MS Excel file as an attachment which is shortly followed by another email from a familiar company’s domain stating that “It was nice meeting you at the trade show. Please review my email sent earlier for our requirements”. Once the Marketing Manager opens up the malicious email, a foothold is established on his machine through compromising a known vulnerability in MS Excel.
Spear Phishing attacks should be seen as one of the many constituent components of Advanced Persistent Threats. Spear Phishing emails are designed to facilitate delivery of the initial payload that is then used as an entry mechanism into the target network to establish a foothold and pursue a long term motive.
Spear Phishing Attack Characteristics
Following are some of the key characteristics of advanced targeted spear phishing attacks:
Blended/multi-vector threat: Spear phishing uses a blend of email spoofing, zero-day application exploits, dynamic URLs, and drive-by downloads to bypass traditional defenses.
Leverages zero-day vulnerabilities: Advanced spear phishing attacks are more likely to leverage zero-day vulnerabilities in applications, browsers, plug-ins and desktop applications.
Multi-staged attack: The initial exploit of systems is the first stage of an APT attack that involves further stages of malware outbound communications, binary downloads, and data exfiltration.
Lack standard characteristics of spam: Spear phishing email threats are targeted, often on an individualized basis, so they don’t bear a resemblance to the high-volume, broadcast nature of traditional spam. This means reputation filters are unlikely to flag these messages minimizing the likelihood of spam filters catching them.
The key defense against email based spear phishing attempts is real-time based dynamic analysis of URLs in emails, email attachments, and Web objects to accurately determine whether they’re malicious or not. This is a critical requirement for guarding against spear phishing and other email-based attacks because zero-day tactics easily circumvent signature-based and reputation-based analysis. Further, to effectively defend corporate networks, systems that inspect across many protocols and throughout the protocol stack, including the network layer, operating systems, applications, browsers, and plug-ins like Flash are required.
Spear Phishing Considerations
The following workflow highlights standard practices and techniques used for identifying, managing and handling Spear Phishing attacks:
Implement proactive measures to improve threat preparedness
- Acquire and install dynamic analysis based protection that can evaluate threats in real-time.
- Ensure that email spam filter is updated with latest definitions.
- Blacklist known phishing sites.
- Periodically review and update the blacklist
- Block emails from email id having poor reputation score or whose reputation score is below a particular threshold value.
- Monitor Host based IDS/IPS alert of unexpected system call, data access, and open ports.
- Create awareness among users NOT to click links from unauthorized / untrusted name emails and not to provide confidential information via emails. Wherever required to share, cross verify, password protect confidential doc and share password by alternate medium like phone call.
- Test preparedness via “Phishing drives” as social engineering works best with experience.
- Monitor similar subject emails or same size to more than 25 users from public or external domain.
- Use Web-gateway (Web Washer) to protect routed traffic to malicious websites (redirected if the user clicks the link).
- Do not use same password for personal and professional access.
Identification & Verification
Correctly identify the threat by monitoring and verification techniques
- User reports suspicious email having look and feel similar to internal communication or websites but coming from suspicious domains or email addresses.
- Increase in key account/privileged logins late at night/ odd hours.
- Email/SPAM filter misbehavior/maintenance activity followed by suspicious activity on the network specially related to unknown/ suspicious remote destinations.
- Email log alert to identify emails having similar subject or content and coming from external domain (public domain).
- Web content filtering logs with alerts for “access of malicious website/ URL.
- Alert for the systems within network trying to connect to remote command and control system/ malicious sites in Web Washer / IPS / Botnet Filter of the firewall.
- Check and analyze logs of email filtering solution which can examine content of emails using structural tests and malicious URL detection to single out phishing emails from spam emails.
- Verify the reputation score of the IP address:
- Monitor the suspicious IP addresses and its geo location
- Monitor if any other kind of traffic is coming from the identified suspicious IP address
- Block IP if it is not white listed and on assessment it is established that its reputation score is poor.
- Review systems / workstations from which unexpected traffic is generated to see if there any malware / virus are trying to propagate in network or trying to reach externally hosted command and controls. If continuous traffic is observed, isolate the system and investigate for possible infection.
- Discovery of Remote Access Trojan (RAT), Command and Control (C+C) packet flow outside the network, outbound custom encrypted communications / covert communication channels with external entities.
- Investigate emails which are originated from blacklisted mail servers.
- Examine emails that have URL that doesn’t match the HREF
- Examine emails that have PDF’s or Office Documents as attachments coming from abnormal email addresses
Limit the damage caused
- Block emails having IP based URLs which are hidden behind keywords (E.g. Click Here, Offer).
- If credentials are stolen, notify users and ask to change passwords for affected applications immediately.
- Send emails to users to spread awareness of the attack.
- Block phishing URL at the web gateway.
- If the system is infected with malware, then take it into separate VLAN to avoid other systems from infection.
- Monitor all traffic to and from the infected system.
- Take back-up of all files.
- Block data upload from the infected system.
- If the malicious code has been deployed through a spear phishing attack, please follow the malware response strategy.
Investigate how the attack happened and detect its origin
- Identify the malicious sites, URL, IP addresses and messages being sent or requested from the phishing link.
- In sandboxed environment identify (e.g. by clicking the link) any scripts being used.
- Review email logs to identify emails having similar subject or content and coming from external domain (public domain).
- Review web content filtering solution logs to identify access of malicious looking URL / website from systems in network.
- Monitor Host based IDS/IPS alert of unexpected system call, data access, port open.
- Check for the systems within network which is trying to connect to remote command and control system.
- Analyze email in detail for the anatomy of attack.
- If malware has been deployed as a result of a spear phishing attack, please follow malware investigation process.
Remove vulnerabilities and eliminate all causes
- Remove code/scripts installed by the attacker.
- Block URL / IP address / Malicious code at the firewall,IPS level and all security devices.
- Update patches, anti-virus and malwares and scan the system for vulnerabilities.
- Update blacklisted mail sever in email spam filter to further prevent mails delivered from this particular IP address.
- Follow malware eradication strategy steps to remove any malicious code introduced as part of the attack.
Recover from the attack and resume normal operations
- Reinstall system / Run integrity check for workstation like registry check / open services and port check/ malware scan and vulnerability scan.
- Restore all data.
- Update patches and activate all protective software’s like Antivirus/ antimalware/ Nexthink.
- Restore all systems for which integrity as affected due to the attack, from last know good backup.
- Confirm all systems and services are restored to normal operations.
Conduct post incident activities
- Perform communications (internal/external user groups, public media etc.)
- Perform forensics to identify the source of attack and motivation.
- Identify the anatomy of attack and its learning to ensure non-repeat.
- Add any identified malicious code to the signature repository and share with open and closed intelligence sources as required.