This column is available in a weekly newsletter called IT Best Practices.
The nature of how cyber attacks start is changing. Today's malicious actors are not merely opportunistic; they know what information they want and whom to target to get at it. For example, the 2014 breach at JP Morgan reportedly began when an IT employee opened a specially crafted email and was tricked into giving up credentials that worked on a vulnerable internal server. Attackers used the privileges attached to those credentials to move laterally through the network until they were able to find and exfiltrate 83 million records in one of the largest data breaches of the year.
Dave Jevans, co-founder of the Anti-Phishing Working Group, says sophisticated spear phishing schemes like this one will become more common. "It's highlighting a fundamental change we're seeing in the phishing landscape." While broad-based phishing is declining, the real risk is an increase in attacks on specific people. Attackers are using spear phishing techniques to get past perimeter defenses, then using that as a jumping-off point into the rest of the enterprise, stealing data, breaching systems, and even spreading out to vendors connected to that enterprise.
Spear phishing uses social engineering techniques to get the targeted victims to act. Security firm Symantec has reported an increase in a particular scam (now commonly called business email compromise, or BEC) in which emails are sent, often to a recipient working in the finance department of a company, requesting payment by credit card or the completion of a wire transfer. The sender details are sometimes faked or made to look like they came from the CEO or another high-ranking member of the victim's company. Money transfer details are either sent in an attachment or withheld so that the victim has to email back and request them, which pulls the victim into a conversation with the attacker. Numerous companies have fallen victim to this type of scam, with overall dollar losses running into the millions.
It's hard for traditional message abuse filtering solutions to block these types of messages. Spear phishing messages typically don't match the patterns of high-volume, broad-based spam and phishing campaigns, so they have a better chance of slipping through signature- and reputation-based filters. Unfortunately, because they are so targeted, they have the potential to do the most damage.
The threat protection company Cloudmark just released a new product that it claims is specifically designed to defend against spear phishing attacks. Cloudmark Trident works in tandem with existing secure email gateways, so you don't need to replace anything. Trident uses the behavior patterns of senders and receivers, as well as the context (but not the content) of messages, to detect suspicious mail. It doesn't rely on sandboxing or payload scanning.
Once Trident is implemented it needs about two weeks to learn the company's email sending patterns and behaviors to develop a baseline. It learns how individuals send and receive messages, and overall how messages are sent both externally and internally within the organization. Then it continues to evolve and learn to better understand patterns as they change over time.
For example, a company's CEO might typically send his email from his laptop or his mobile device, during certain times of day, from various geographic regions. His messages usually take three hops before they reach the intended recipients, and the same holds in reverse when the CEO is receiving messages. Trident looks at these parameters and the other metadata about the messages to build the baseline. It also takes into account that the CEO travels, so his email parameters will look different when he's on the road, and that alone should not raise an alarm.
Cloudmark also uses domain and IP reputation information that its own global threat network has amassed. The solution can take into account, for example, whether a domain has just been registered, which can be an indicator of message abuse. Bad actors often register a lookalike domain in an attempt to deceive a recipient, say, "cloudnark.com" as opposed to "cloudmark.com".
Message context can also be an important clue to anomalous email. Certain language contexts recur when a message is a spear phishing attack, such as urgency, secrecy, or a request to move money or credentials. This, coupled with other signs, marks the message as suspicious.
In full operational mode, Trident compares each message against the normal sending patterns and detects when someone is pretending to be some other entity. Consider the wire fraud example given above. A phisher pretending to be the company CFO sends a message to an accountant asking for money to be wired to an external account. Trident can detect things about the message that show it is different from the normal messages that go from the real CFO to an employee, and so the message is flagged as suspicious. From there it can be quarantined, further investigated or discarded. The important thing is that it is discovered and the targeted victim is prevented from acting on the harmful message.
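Cloudmark has not published how Trident scores a message, so the following is an added, illustrative Python sketch of the metadata-only approach the column describes, not Cloudmark's code. It learns a per-sender baseline (hop count, send hour, mail client, display name) from known-good mail, then scores new mail on lookalike sender domains, a familiar display name on an unfamiliar address, a Reply-To that points outside the sender's domain, and deviations from the sender's own baseline. The organization domain example.com, the relay names, the thresholds (two edits, two hours) and all sample messages are assumptions constructed for the example; no message body is ever read.

```python
"""Metadata-only spear-phishing scoring sketch (added example, not Cloudmark's code)."""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "example.com"  # assumed organization domain for this example


def edit_distance(a, b):
    """Levenshtein distance; a small distance to ORG_DOMAIN flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """Not the org's domain, but within two edits of it (cloudnark.com vs cloudmark.com)."""
    return domain != org and edit_distance(domain, org) <= 2


def hour_gap(a, b):
    """Distance between two hours of day on a 24-hour clock (wraps at midnight)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def features(raw):
    """Extract routing/header metadata from an RFC 5322 message. The body is never inspected."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    return {
        "name": name.lower(),
        "sender": sender.lower(),
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "reply_domain": reply_to.rsplit("@", 1)[-1].lower() if reply_to else None,
        "hops": len(msg.get_all("Received", [])),         # each relay adds one Received: header
        "hour": parsedate_to_datetime(msg["Date"]).hour,  # hour on the sender's own clock
        "client": (msg.get("User-Agent") or msg.get("X-Mailer") or "unknown").lower(),
    }


class SenderBaseline:
    """Per-sender profile of hop counts, send hours, mail clients and display names."""

    def __init__(self):
        self.profiles = defaultdict(lambda: {"hops": set(), "hours": set(), "clients": set(), "names": set()})

    def learn(self, raw):
        """Fold one known-good message into the sender's profile (the 'learning period')."""
        f = features(raw)
        p = self.profiles[f["sender"]]
        p["hops"].add(f["hops"]); p["hours"].add(f["hour"]); p["clients"].add(f["client"]); p["names"].add(f["name"])

    def score(self, raw):
        """Reasons the message deviates from baseline; an empty list means nothing looked anomalous."""
        f = features(raw)
        reasons = []
        if is_lookalike(f["sender_domain"]):
            reasons.append("lookalike sender domain " + f["sender_domain"])
        for addr, p in self.profiles.items():  # a known person's display name on a different address
            if f["name"] and f["name"] in p["names"] and addr != f["sender"]:
                reasons.append("display name of %s used by %s" % (addr, f["sender"]))
        if f["reply_domain"] and f["reply_domain"] != f["sender_domain"]:
            reasons.append("reply-to domain %s differs from sender domain" % f["reply_domain"])
        p = self.profiles.get(f["sender"])  # behavioural checks only apply to a sender we have a profile for
        if p:
            if f["hops"] not in p["hops"]:
                reasons.append("unusual hop count %d" % f["hops"])
            if all(hour_gap(f["hour"], h) > 2 for h in p["hours"]):
                reasons.append("unusual send hour %02d" % f["hour"])
            if f["client"] not in p["clients"]:
                reasons.append("unusual mail client " + f["client"])
        return reasons


def build_message(from_, date, hops, client=None, reply_to=None):
    """Constructed sample message with the given routing metadata (not real mail)."""
    lines = ["From: " + from_, "To: accounts@example.com", "Date: " + date, "Subject: wire request"]
    if client:
        lines.append("X-Mailer: " + client)
    if reply_to:
        lines.append("Reply-To: " + reply_to)
    lines += ["Received: from relay%d.example.com by relay%d.example.com" % (i, i + 1) for i in range(hops)]
    return "\n".join(lines) + "\n\nPlease wire the amount in the attachment today.\n"


CFO = '"Pat Lee" <pat.lee@example.com>'  # hypothetical CFO
KNOWN_GOOD = [build_message(CFO, "Mon, 02 Mar 2015 09:12:00 -0500", 3, "Microsoft Outlook 15.0"),
              build_message(CFO, "Tue, 03 Mar 2015 14:05:00 -0500", 3, "Microsoft Outlook 15.0")]
LEGIT = build_message(CFO, "Wed, 04 Mar 2015 10:30:00 -0500", 3, "Microsoft Outlook 15.0")
LOOKALIKE = build_message('"Pat Lee" <pat.lee@examp1e.com>', "Wed, 04 Mar 2015 10:30:00 -0500", 2,
                          reply_to="<pat.lee.cfo@freemail.invalid>")
COMPROMISED = build_message(CFO, "Thu, 05 Mar 2015 03:40:00 -0500", 1)  # real account, stolen credentials


def build_baseline():
    """Train a baseline on the constructed known-good messages."""
    b = SenderBaseline()
    for raw in KNOWN_GOOD:
        b.learn(raw)
    return b


if __name__ == "__main__":
    b = build_baseline()
    for label, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("compromised", COMPROMISED)]:
        print(label, b.score(raw) or "ok")
```

The two suspicious samples show why both halves matter: the lookalike-domain message trips the impersonation checks but has no behavioral profile at all, while the compromised-account message comes from the genuine address and is caught only because its hop count, send hour and mail client all depart from what that sender normally looks like. A production system would replace the hard-coded thresholds with learned distributions and add the IP and domain-age reputation the column mentions.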
Every organization, and the people within the organization, have different sending patterns. This is why the learning period after implementation is so key to the effectiveness of the solution. Cloudmark claims Trident is the first comprehensive technology approach to use behavioral analysis and context to defend against spear phishing.
The solution can be deployed for key members of an organization, but ideally it would be deployed for every user because, basically, anyone can be a target of a spear phishing attack. The dashboard can show which departments or workers are being targeted most, and what types of messages they are being hit with most frequently. This information can be used to tailor anti-phishing training to the people who are targeted most often.
Deployment involves installing an agent layer behind the secure email gateway that does the usual spam filtering, sandboxing and quarantining. Trident's logic runs in the cloud. The agent pulls only the metadata from each message and compares it to the baseline behavior. When suspicious behavior is detected, the message can be stopped before it ever reaches the intended recipient.
Imagine if that message sent to the JP Morgan employee could have been weeded out. The breach could have been prevented, and 83 million account holders could have been spared the pain of having their data stolen.