The well-regarded Verizon Data Breach Investigations Report consistently finds that most breaches are discovered by an external party, not by the victim. In many cases that is because the external party was itself compromised for years and, during its own forensic investigation, noticed that its stolen data or its attackers were coming from or going to another company that was being used as a staging point.
I’ve consulted at a few customers where the bad guy had been in the company for so long that the malware they were placing was part of the company’s gold image -- that is, every new computer included malicious software. I’ve seen Trojans and malware programs that were allowed to spread for years because the IT staff assumed they were a necessary software component placed by some other group within the same organization. Hackers love these sorts of assumptions.
Your attacker is not afraid of getting caught
It used to be that a phisher would get into your company, steal money or information, and be gone as soon as possible. Getting in and out as quickly as possible meant minimizing the chances of being caught, identified, and prosecuted.
Today’s attacker is likely based in a foreign country where your legal jurisdiction and warrants don’t apply. You can identify the hacking firm, its hackers, and its physical address with legally admissible evidence, hand all of it to their local authorities, and nothing is likely to happen.
In most of the attacks I’ve been called in to remediate in the past 10 years, the hackers don’t run once they are found. To be sure, they don’t want to be found, but once they are, they hack even more freely and blatantly, as if the restraints have been pulled off.
Remediation ends up being a cat-and-mouse game in which the mouse has all the advantages. At first you don’t know what the attackers have compromised or how many ways they have of getting back in, and every one of those footholds has to be found and closed. And it all likely started because someone opened a spearphishing email.
What you can do
Defense begins with educating all employees about the new reality of spearphishing attacks. Everyone should know that the old-style phishing emails, full of typos and promises of unearned millions, are no longer the main worry. Explain that today’s spearphishing emails are handcrafted by professional criminal gangs that know exactly how to tailor a message so that it looks like a legitimate email from someone your colleagues trust, often built from details the gang has already collected about the company and its people.
Employees should be told to always ask for independent confirmation before running any executable or opening any unexpected document. That confirmation must come through a channel other than the email itself, such as a phone call to a known number or an IM; replying to the message or calling a number it contains only reaches the attacker. A quick confirmation is simply due diligence today. Tell employees to report anything suspicious. If they executed something and only later became suspicious of it, they should report that as well, because the sooner the security team knows, the less time the attacker has to dig in. It is important to remove the stigma and embarrassment of being fooled. Let them know that anyone, even security experts, can be tricked today, given the sophistication of the attacks.
Many companies aggressively test their employees with simulated phishing campaigns. These campaigns should use email templates that are as sophisticated as current real attacks, not the crude phishing attempts of the past. Keep testing individual employees, and track the results per person rather than only per campaign, until the percentage who can be easily compromised is very low. If you do it right, your employees will question any unexpected email that asks for credentials or asks them to execute a program. Having employees question your legitimate emails is a welcome symptom of a good education program.
Lastly, if a spearphishing attempt succeeds in your company, use the actual phishing email and, with their consent, the compromised employee’s account of what happened (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons front and center is welcome.
The key to prevention is getting everyone to understand that today’s spearphishing email looks nothing like the phishing they were used to in the past.
This story, "10 reasons why phishing attacks are nastier than ever" was originally published by InfoWorld.