Spear Phishing Attacks Why They are Successful and How to Stop Them



Similar documents
SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

SPEAR-PHISHING ATTACKS

The Federal CISO Dilemma. You have to do FISMA. You must defend against cyber threats.

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

Securing Cloud-Based

REPORT FIREEYE ADVANCED THREAT REPORT 1H 2012 SECURITY REIMAGINED

FireEye Advanced Threat Report 1H 2012

Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks

Advanced Targeted Attacks

Cybersecurity Strategies for Small to Medium-sized Businesses

CISO Guide to Next Generation Threats

White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security

WHITE PAPER ADVANCED TARGETED ATTACKS: How to Protect Against the New Generation of Cyber Attacks SECURITY REIMAGINED

5 Design Principles for Advanced Malware Protection

Today s New Breed of -based Cyber Attacks and What it Takes to Defend Against Them

Fighting Advanced Threats

Protecting Data From the Cyber Theft Pandemic. A FireEye Whitepaper - April, 2009

Thinking Locally, Targeted Globally

The Advanced Cyber Attack Landscape

Advanced Persistent Threats

SECURITY REIMAGINED. FireEye Network Threat Prevention Platform. Threat Prevention Platform that Combats Web-based Cyber Attacks

Defending Against Cyber Attacks with SessionLevel Network Security

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

What SMBs Don t Know Can Hurt Them Perceptions vs. Reality in the New Cyber Threat Landscape

WHITE PAPER. THINKING LOCALLY, TARGETED GLOBALLY: New Security Challenges for State and Local Governments SECURITY REIMAGINED

The Ostrich Effect In Search Of A Realistic Model For Cybersecurity

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Defending Against. Phishing Attacks

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

2012 Bit9 Cyber Security Research Report

Advanced Threat Protection with Dell SecureWorks Security Services

The Next Generation IPS

Finding Security in the Cloud

Big Threats for Small Businesses

Networking for Caribbean Development

Advanced Persistent Threats

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Stop advanced targeted attacks, identify high risk users and control Insider Threats

ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS:

Managing Web Security in an Increasingly Challenging Threat Landscape

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Advanced Persistent. From FUD to Facts. A Websense Brief By Patrick Murray, Senior Director of Product Management

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Protecting Your Organisation from Targeted Cyber Intrusion

Lorem ipsum dolor sit amet sit consectetur adipisicing doloret Protecting Against Advanced Malware and Targeted APT Attacks

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

24/7 Visibility into Advanced Malware on Networks and Endpoints

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

Trends in Advanced Threat Protection

Perspectives on Cybersecurity in Healthcare June 2015

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

Unknown threats in Sweden. Study publication August 27, 2014

Advanced Security Methods for efraud and Messaging

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Covert Operations: Kill Chain Actions using Security Analytics

SPEAR PHISHING UNDERSTANDING THE THREAT

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

The Hillstone and Trend Micro Joint Solution

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Big Data Analytics in Network Security: Computational Automation of Security Professionals

SPEAR PHISHING AN ENTRY POINT FOR APTS

Trend Micro Hosted Security Stop Spam. Save Time.

Advanced Cyber Threats in State and Local Government

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Choose Your Own - Fighting the Battle Against Zero Day Virus Threats

Breaking the Cyber Attack Lifecycle

WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.

FISMA and SANS Critical Security Controls Driving Compliance

Report. Phishing Deceives the Masses: Lessons Learned from a Global Assessment

Defense Against the Dark Arts: Finding and Stopping Advanced Threats

Commissioned Study. SURVEY: Web Threats Expose Businesses to Data Loss

Protecting PoS Environments Against Multi-Stage Attacks

The need to protect against file-based attacks

Conducting an Phishing Campaign

How To Prevent Hacker Attacks With Network Behavior Analysis

GOING BEYOND BLOCKING AN ATTACK

State of the Phish 2015

A Trend Micro White Paper April Countering the Advanced Persistent Threat Challenge with Deep Discovery

Comprehensive Advanced Threat Defense

Malware & Botnets. Botnets

Advanced Threats: The New World Order

End to End Security do Endpoint ao Datacenter

Reinventing Network Security Vectra s cyber-security thinking machine delivers a new experience in network security

Data Center security trends

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Migration Project Plan for Cisco Cloud Security

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Top five strategies for combating modern threats Is anti-virus dead?

Unified Threat Management: The Best Defense Against Blended Threats

How We're Getting Creamed

Securing Office 365 with Symantec

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Protecting Point-of-Sale Environments Against Multi-Stage Attacks

white paper Malware Security and the Bottom Line

ENABLING FAST RESPONSES THREAT MONITORING

Malware. Stopping cyberattacks. Sponsored by

Transcription:

White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals

White Paper Contents Executive Summary 3 Introduction: The Rise of Spear Phishing Email Attacks 3 The Reason for the Growth in Spear Phishing: It Works 5 Spear Phishing Examples and Characteristics 5 RSA: A Case Study in Spear Phishing and an APT 6 The Solution: Next Generation Threat Protection 7 Conclusion 8 FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 2

Executive Summary There s been a rapid and dramatic shift from broad, scattershot attacks to advanced targeted attacks that have had serious consequences for victim organizations. Some of the most famous advanced targeted attacks, such as the attack on RSA, on HBGary Federal, and Operation Aurora all used spear phishing. The increased use of spear phishing is directly related to the fact that it works, as traditional security defenses simply do not stop these types of attacks. This paper provides a detailed look at how spear phishing is used within advanced targeted attacks. It will provide an overview of spear phishing, its characteristics, and a notable attack case study. Finally, the paper looks at the key capabilities organizations need in order to effectively combat these emerging and evolving threats. Introduction: The Rise of Spear Phishing Email Attacks Generally speaking, phishing emails are exploratory attacks in which criminals attempt to obtain victims sensitive data, such as personally identifiable information and/or network access credentials. These attacks open the door for further infiltration into the network. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links, and revealing sensitive information. Figure 1: Common tactics used in phishing emails FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 3

Spear phishing is a more targeted version of phishing attacks that combines tactics such as victim segmentation, email personalization, sender impersonation, and other techniques to bypass email filters and trick targets into clicking a link or opening an attachment. Whereas a phishing attack may blanket an entire database of email addresses, spear phishing targets specific individuals within specific organizations. By mining social networks, for example, the personalization and impersonation used in the spear phishing emails can be extremely accurate and compelling. Once a link is clicked or attachment opened, the foothold in the network is established allowing spear phishers to move forward with the advanced targeted attack. Spear phishing attacks need to be seen within the context of advanced targeted attacks, otherwise known as advanced persistent threat (APT) attacks. Today, sophisticated cybercriminals (and nationstates) conduct APT attacks through the use of advanced malware and sustained, multi-vector, multi-stage attacks to reach a particular objective. For most APT attacks, the objective is to gain long-term access to an organization s sensitive networks, data, and resources. Figure 2: Falsified Web site used to fool users into revealing credentials and personally identifiable information FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 4

The Reason for the Growth in Spear Phishing: It Works Advanced targeted attacks using spear phishing aren t an anomaly; they represent a clear shift in the approach of cybercriminals. Increasingly, criminals are moving from massive phishing attacks to spear phishing on a much smaller, more targeted scale because it has proven very effective. A recent study¹ uncovered the following findings: Between 2010 and 2011, annual returns for mass email-based attacks fell from $1.1 billion to $500 million. During that same period, spam volume fell from 300 billion messages per day to 40 billion. During the same period, spear phishing attacks increased by a factor of three. Spear phishing emails had an open rate of 70 percent, compared with an open rate of just three percent for mass spam emails. Further, 50 percent of recipients who open spear phishing emails also click on enclosed links, which is 10 times the rate for mass mailings. Compared to broad-based emails, spear phishing costs 20 times more per individual targeted. However, the average return from each spear phishing victim is 40 times more than that of phishing. A spear phishing campaign comprised of 1,000 messages is likely to generate 10 times the revenue of a phishing mailing targeting 1 million individuals. Spear Phishing Examples and Characteristics Following are some of the key characteristics of advanced targeted spear phishing attacks: Blended/multi-vector threat. Spear phishing uses a blend of email spoofing, zero-day application exploits, dynamic URLs, and drive-by downloads to bypass traditional defenses. Leverages zero-day vulnerabilities. Advanced spear phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins, and desktop applications to compromise systems. Multi-staged attack. The initial exploit of systems is the first stage of an APT attack that involves further stages of malware outbound communications, binary downloads, and data exfiltration. Lack characteristics of spam. Spear phishing email threats are targeted, often on an individualized basis, so they don t bear a resemblance to the high-volume, broadcast nature of traditional spam. This means reputation filters are unlikely to flag these messages minimizing the likelihood of spam filters catching them. 1 http://www.scmagazine.com/crooks-opt-for-spear-phishing-despite-higher-upfront-cost/article/206586/ FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 5

RSA: A Case Study in Spear Phishing and an APT The attacks targeting RSA, the security division of EMC Corp., in 2011 provide a very clear picture of the way spear phishing can set the stage for a devastating and incredibly far-reaching assault on a corporation and its customers. The assault began with spear phishing attacks that sent targeted users an email with a Microsoft Excel file attachment that leveraged a zero-day flaw in Adobe Flash. It is clear that not only was RSA the focus of the attack, but only four individuals within RSA were the recipients of the malicious emails. It took just one user to open the email and attachment, which downloaded a Trojan onto the user s PC. This successful spear phishing attack was part of a much more complex advanced targeted attack. With this malware installed on the victim s PC, criminals were able to search the corporate network, harvest administrator credentials, and ultimately gain access to a server housing proprietary information on the SecurID two-factor authentication platform. The attack didn t end there. In fact, all this was a precursor to the ultimate objective: Gaining entry to the networks of RSA s customers, focusing on those in the defense industrial base. With the stolen data, the criminals then targeted numerous high-profile SecurID customers, including defense contractors Lockheed Martin, L-3, and Northrop Grumman. The takeaway for enterprises is that this example makes clear that even seemingly rudimentary attacks may be just the first in a series of advanced, coordinated, and devastating crimes. In addition, advanced targeted attacks against seemingly low level resources or employees without particularly sensitive roles or permissions can still open the door to vital information and huge consequences. Figure 3: RSA spear phishing email used to launch targeted APT attack FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 6

The Solution: Next Generation Threat Protection Today, organizations need a new generation of security system, one that detects and blocks the advanced targeted attack techniques that include spear phishing. The following are more details on the FireEye solution to effectively stop advanced targeted attacks. Offers a cohesive, integrated solution across threat vectors FireEye provides organizations integrated protection across Web and email attack vectors used in an advanced targeted attack. For example, stopping spear phishing requires capabilities for discovering a Web-based attack in real-time, tracing the attack to the initial phishing email that spawned the attack, and then doing the analysis required to determine if others within the organization have also been targeted. This kind of real-time cyber response is the only way to diffuse advanced targeted attacks. Organizations are using FireEye solutions because they offer real-time analysis of URLs in emails, email attachments, and Web objects to accurately determine whether they re malicious or not. This is a critical requirement for guarding against spear phishing and other email-based attacks because zero-day tactics easily circumvent signature-based and reputation-based analysis. Further, to effectively defend corporate networks, organizations need systems that inspect across many protocols and throughout the protocol stack, including the network layer, operating systems, applications, browsers, and plug-ins like Flash. Delivers signature-less, dynamic security that thwarts zero-day exploits FireEye solutions provide dynamic, real-time exploit analysis of email attachments and URLs, rather than just comparing bits of code to signatures or relying on reputations. This signature-less analysis is critical to defending against advanced tactics because it all starts with zero-day exploits. With exploit detection, it is possible to stop the advanced malware embedded in attachments as well as malware hosted on dynamic, fast-changing domains. Guards against malicious code installs and block callbacks In addition to exploit detection, FireEye also identifies whether suspicious attachments and other objects are malicious. Further, resulting callback communications are inspected to identify if they are malicious in nature. This includes monitoring outbound host communications over multiple protocols in real-time to determine if the communications indicate an infected system is on the network. Callbacks can be stopped based on the unique characteristics of the communication protocols employed, rather than just the destination IP or domain name. Once malicious code and its communications are flagged, the ports, IP addresses, and protocols must be blocked in order to halt any transmissions of sensitive data. This prevents the further download of malware binary payloads and the lateral spread inside the organization. FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 7

Yields timely, actionable threat intelligence and malware forensics Once advanced malware has been analyzed in detail, the information gathered needs to be fully leveraged. FireEye customers are able to use this information for a number of purposes: FireEye systems fingerprint the malicious code to auto-generate protection data and identify compromised systems to prevent the infection from spreading. Forensics researchers can run files individually through automated offline tests to confirm and dissect malicious code. Information can be shared through unified intelligence systems that keep other experts and organizations current. Conclusion Multi-vectored, multi-stage attacks have been extremely effective for penetrating today s networks despite $20 billion invested annually in IT security. As part of advanced targeted attacks, spear phishing is growing increasingly prevalent because it is so effective. Criminals will continue to leverage spear phishing so long as organizations maintain a status quo level of security that has proven no match for spear phishing. To thwart these advanced targeted attacks, organizations need next-generation threat protection that protects across multiple threat vectors and addresses every stage of an attack. By integrating Web and email security, guarding against inbound malicious binaries and malware callbacks, and leveraging signature-less, dynamic code execution to detect zero-day exploits, FireEye offers the next-generation threat protection necessary to stop advanced targeted attacks. With FireEye, organizations have real-time, contextual views of both Web and email-based threats. A Webbased, zero-day attack can be detected in real-time and stopped. The attack is then traced back to the initial spear phishing email that spawned the attack to determine if others within the organization have also been targeted. This kind of context-aware security analysis is the only way to get timely, actionable information about advanced targeted attacks and how they can be stopped. FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 8

About FireEye, Inc. FireEye is the leader in stopping advanced targeted attacks that use advanced malware, zero-day exploits, and APT tactics. FireEye s solutions supplement traditional and next-generation firewalls, IPS, antivirus and gateways, which cannot stop advanced threats, leaving security holes in networks. FireEye offers the industry s only solution that detects and blocks attacks across both Web and email threat vectors as well as latent malware resident on file shares. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats. Based in Milpitas, California, FireEye is backed by premier financial partners including Sequoia Capital, Norwest Venture Partners, and Juniper Networks. 2012 FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.SP.032012 FireEye, Inc. Spear Phishing Attacks Why They are Successful and How to Stop Them 9 FireEye, Inc. 1390 McCarthy Blvd. Milpitas, CA 95035 408.321.6300 877.FIREEYE (347.3393) info@fireeye.com www.fireeye.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information