Editor’s note: Tom Chapman is a former Navy intelligence officer who now serves as director of cyber operations at cybersecurity firm Edgewave.
If terrorists ever orchestrate a cyberattack against the U.S., the odds are 9 in 10 that spear-phishing will be the first step of their assault. The same technique that has breached Sony, Anthem, Target, the Pentagon and thousands of organizations every year, spear-phishing is used in some 91 percent of targeted cyberattacks, according to the security firm Trend Micro. We can either spread awareness of spear-phishing now or suffer the consequences later.
Spear-phishing, like phishing, involves emailing a malicious link or file. Whereas phishers send mass emails in hopes of stealing credit card information, Social Security numbers and login credentials from as many people as possible, spear-phishers are more precise. They usually target one or a few individuals at an organization, and they conduct extensive research in order to craft a very personal and convincing email. The spear-phisher has a very specific and often more sinister objective than the phisher.
As groups like ISIS become more tech-savvy and recruit members from Western countries, they will gain the ability to conduct effective spear-phishing attacks. What they will attempt to do inside corporate or government systems is hard to say. Hacking the controls for nuclear power plants, traffic systems and other vital infrastructure after a spear-phishing breach requires significant skill, but that skill level is increasingly common.
To prevent spear-phishing attacks against our government, companies, friends and family, we all need to understand the mechanics behind these assaults. With this shared knowledge, we can then take collective measures to reduce the likelihood and consequences of spear-phishing.
The spear-phisher’s playbook
Spear-phishing is based on the premise that slipping through a side entrance is easier than breaking down the front door. When you picture spear-phishing, Swordfish or other hacker movies are the wrong image – we’re not dealing with cyber geniuses who bang away on the keyboard until they control the entire network. Effective spear-phishers are really social engineers. They are experts at appearing to be someone you know and trust.
Let’s say I want to attack good old Acme Corporation. First, I would look up everything I could find out about Acme – who works there, what they do, the latest news, etc. I examine its website, public records, social media, news articles and whatever else I can find. My target is probably someone with administrator access to the company network – generally, someone in IT.
IT people are easy to identify. Even if I couldn’t find them on LinkedIn or Acme’s website, I could pretend to be a customer with an issue, send an email to tech support and ask for an IT admin to call me.
Once I have my target(s) – let’s say it’s Jane Smith in IT – I dissect her network. What LinkedIn groups is she part of? Who does Jane communicate with most often on Facebook? What do public records turn up? What are her hobbies and interests? Based on this exhaustive research, I craft an email Jane is likely to open and click.
If, for example, she’s active in a LinkedIn group about cybersecurity, I’d join that group, copy its exact branding and perhaps send an email that invites Jane to discuss spear-phishing (oh the irony…). Of course, the “LinkedIn” link will either direct her to a malicious site or download an embedded executable onto her computer. The resulting malware lets me steal her Acme network credentials.
With some luck, I gained access to Acme’s network. With sufficient skill, I could siphon data or even take control of Acme’s widget production systems. In fact, last year, a spear-phishing attack on a German steel plant did just that and shut down some of its production systems.
If you work in IT, consider yourself a spear-phisher’s bull’s-eye. If you’re not in IT, consider what else makes you a target. In February, for instance, spear-phishers convinced a controller at Omaha-based Scoular to wire $17.2 million to a bank in China. In a case where cyber terrorists are trying to control industrial equipment, they may go after the personnel who operate those systems.
Fighting back against spear-phishers
Spear-phishing can affect an entire organization – or country – by targeting just a few individuals. To prevent spear-phishing, everyone in an organization has to share the responsibilities of defense. Effective spear-phishing defense has three components:
Email filtering with a human touch
The first line of defense against spear-phishing is a good spam filter. Essentially, filters analyze and score emails based on the sending server, the sender’s reputation, spelling and other criteria. However, most filters are black and white – if the score is above some threshold X, the message is delivered. If it’s below X, spam folder.
Top filters are only 99 percent accurate, which sounds reassuring until you consider that the business world sends and receives 108.7 billion emails per day, according to The Radicati Group, a technology research firm. In other words, over 1 billion business emails per day will be misidentified. Of course, spear-phishers understand how filters work and attempt to trick them.
This is why I recommend using a filter that acknowledges a gray zone around X and uses real human beings to evaluate these ambiguous cases. Human beings can make observations and catch red flags that machines currently can’t.
Security awareness training
Spear-phishing is preventable if employees know how to identify and avoid it. Teach people to be skeptical of all emails. More specifically, train people to:
- Avoid clicking email links. If your LinkedIn group sends an email about a new discussion topic, don’t click. Go to your URL bar and manually visit LinkedIn if you wish to contribute.
- Hover their mouse over hyperlinks to see where they actually direct. The visible text of a link can say one thing while the underlying address points somewhere else entirely, so check the real domain, not the name in the text. An unfamiliar domain, or a foreign country code like .ru or .cn where none is expected, should tip you off that something’s fishy (though attackers can register look-alike names under any domain, so a familiar-looking ending is not proof of safety).
- Never, ever email passwords or banking information, no matter how safe it looks.
- Immediately contact IT if they open or click something suspicious. Depending on the case, resetting the password and revoking active sessions is sufficient. Other times, IT must disable the account.
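As an added example (not code from the article or from Edgewave), the following script does two of the things just described: it scores an inbound message on the signals a trained employee would look for, including whether the text of a link matches the domain the link actually points to, and it routes the result three ways, delivering low scores, quarantining high ones and handing the gray zone in between to a human reviewer. The two sample messages, the trusted-domain list, the brand keywords and the score thresholds are all constructed for illustration, not vendor defaults.

```python
"""Score an inbound message for spear-phishing signals and route it.

Added example, not code from the article or from Edgewave. Sample
messages, trusted domains, brand keywords and thresholds are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DELIVER_BELOW = 3            # score < 3: deliver (assumed threshold)
QUARANTINE_AT = 6            # score >= 6: quarantine (assumed threshold)
TRUSTED_DOMAINS = {"linkedin.com", "acme.example"}   # assumed for this org
BRAND_KEYWORDS = ("linkedin", "acme")   # names an impostor domain would imitate
RISKY_EXT = (".exe", ".scr", ".js", ".hta", ".vbs")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (enough for .com-style names)."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def _domain_of_address(addr):
    return registered_domain(parseaddr(addr)[1].rpartition("@")[2])


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    sender = _domain_of_address(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and _domain_of_address(reply_to) != sender:
        score += 2; reasons.append("Reply-To domain differs from From")
    if sender not in TRUSTED_DOMAINS and any(k in sender for k in BRAND_KEYWORDS):
        score += 3; reasons.append(f"look-alike sender domain {sender}")
    html = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            score += 3; reasons.append(f"executable attachment {name}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = urlparse(href)
        real = registered_domain(target.hostname)
        # Visible text that itself looks like a URL or host must match the href.
        if "." in text and " " not in text:
            shown = registered_domain(urlparse(text if "://" in text else "//" + text).hostname)
            if shown != real:
                score += 3; reasons.append(f"link shows {shown} but points to {real}")
        if target.scheme == "http":
            score += 1; reasons.append(f"plain-http link to {real}")
    return score, reasons


def route(raw):
    """Three-way decision: 'deliver', 'quarantine' or 'human-review'."""
    score, reasons = score_message(raw)
    if score >= QUARANTINE_AT:
        return "quarantine", score, reasons
    if score < DELIVER_BELOW:
        return "deliver", score, reasons
    return "human-review", score, reasons


# Constructed sample: the "LinkedIn group" lure from the playbook above.
LURE = """\
From: LinkedIn Groups <groups@linkedin-groups.example>
Reply-To: admin@mail-relay.example
To: jane.smith@acme.example
Subject: New discussion: spear-phishing in your group
Content-Type: text/html; charset="utf-8"

<html><body><p>Jane, a member started a discussion you may want to join:</p>
<p><a href="http://linkedin-groups.example/d/4481">https://www.linkedin.com/groups/cybersecurity</a></p></body></html>
"""

# Constructed sample with only weak signals: lands in the gray zone.
AMBIGUOUS = """\
From: Conference Team <events@secconf.example>
Reply-To: registrations@eventmail.example
To: jane.smith@acme.example
Subject: Your panel slot
Content-Type: text/html; charset="utf-8"

<html><body><p>Agenda: <a href="http://secconf.example/agenda">agenda page</a></p></body></html>
"""
```

Run `route(LURE)` and `route(AMBIGUOUS)` to see the two outcomes: the lure stacks a mismatched Reply-To, a brand-imitating sender domain, a link whose text shows linkedin.com while the href goes elsewhere, and a plain-http link, and is quarantined outright; the conference message has only a differing Reply-To and a plain-http link, which is exactly the ambiguous case the text argues should go to a person rather than be decided by the threshold alone.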
24/7 network monitoring
Last year, the Sony hackers were able to steal hundreds of terabytes of data; that should never have happened. If IT personnel had been monitoring the network, a transfer of that size would have been hard to miss.
IT must monitor network and system logs for anomalies 24/7. If 10 GB of data are flowing to China at 2 a.m., that’s suspicious, and someone needs to follow up. IT should also watch outbound traffic more broadly: if the company is suddenly sending out an unusually high volume of email, that could be a red flag, too, since a compromised machine is often used to relay spam or the next round of phishing.
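As an added example (not code from the article or from Edgewave), here is the kind of check an analyst would run over flow logs to catch the two anomalies just described: a large volume leaving for a single external host during off-hours, and a spike in outbound SMTP connections against a known baseline. The flow records, the internal address range, the off-hours window and the thresholds are all constructed assumptions; real deployments would learn the baseline from history rather than hard-code it.

```python
"""Flag suspicious outbound flows in a constructed flow log.

Added example, not code from the article or from Edgewave. Records,
internal ranges, off-hours window and thresholds are all assumptions.
Record format: ts,src_ip,dst_ip,dst_port,bytes_out (ISO 8601 timestamp).
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]     # assumed internal range
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))    # 22:00-05:59 local
VOLUME_THRESHOLD = 1024 ** 3                         # 1 GiB/hour to one host
SMTP_BASELINE_PER_HOUR = 50                          # assumed normal for this org
SMTP_SPIKE_FACTOR = 4                                # alert at 4x baseline


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def analyse(log_text):
    """Return alert strings for off-hours bulk transfers and SMTP bursts."""
    bytes_per_dst = defaultdict(int)   # (hour bucket, dst_ip) -> bytes
    smtp_per_hour = defaultdict(int)   # hour bucket -> outbound SMTP flows
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_internal(row["dst_ip"]):
            continue                   # east-west traffic is out of scope here
        bucket = datetime.fromisoformat(row["ts"]).replace(minute=0, second=0)
        bytes_per_dst[(bucket, row["dst_ip"])] += int(row["bytes_out"])
        if row["dst_port"] == "25":
            smtp_per_hour[bucket] += 1
    alerts = []
    for (bucket, dst), total in sorted(bytes_per_dst.items()):
        if total >= VOLUME_THRESHOLD and bucket.hour in OFF_HOURS:
            alerts.append(f"{bucket:%Y-%m-%d %H:00}: {total / 1024 ** 3:.1f} GiB "
                          f"to {dst} during off-hours")
    for bucket, n in sorted(smtp_per_hour.items()):
        if n >= SMTP_BASELINE_PER_HOUR * SMTP_SPIKE_FACTOR:
            alerts.append(f"{bucket:%Y-%m-%d %H:00}: {n} outbound SMTP connections "
                          f"(baseline {SMTP_BASELINE_PER_HOUR}/hour)")
    return alerts


def _build_sample_log():
    """Constructed flow records; external hosts use documentation ranges."""
    rows = ["ts,src_ip,dst_ip,dst_port,bytes_out"]
    # Business hours: one large but daytime transfer, some internal traffic,
    # and a normal trickle of outbound mail. None of this should alert.
    rows += ["2015-03-10T14:05:00,10.0.5.23,198.51.100.10,443,1500000000",
             "2015-03-10T14:10:00,10.0.5.24,10.0.9.2,445,90000000"]
    rows += [f"2015-03-10T14:{i:02d}:00,10.0.2.7,192.0.2.{i + 1},25,2048" for i in range(30)]
    # 02:00: roughly 10 GB to a single external host from one workstation.
    rows += [f"2015-03-10T02:{i * 10:02d}:00,10.0.5.23,203.0.113.7,443,2000000000"
             for i in range(5)]
    # 03:00: the same workstation starts pushing mail to 200 different hosts.
    rows += [f"2015-03-10T03:{i % 60:02d}:00,10.0.5.23,192.0.2.{i % 200 + 1},25,2048"
             for i in range(210)]
    return "\n".join(rows)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The daytime 1.5 GB transfer is deliberately above the volume threshold but is not flagged, because the rule keys on time of day as well as size; tune those two knobs together, or the rule either floods the queue with backups and cloud syncs or misses an exfiltration scheduled for lunchtime. Both alerts here come from the same source address, which is the thread an analyst would pull next.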
Don’t let IT fall into the trap of believing that expensive software will make the organization safe. With spear-phishing, cybersecurity solutions are just like security cameras – they can record the real-time events, but they won’t prevent robbers from walking out with all your data. Human beings have to take action.
Although spear-phishing primarily has been used to steal information and money, it’s the technique most likely to initiate a violent cyberterrorism attack. The government cannot prevent spear-phishing attacks in the private sector, but private industrial systems can be used to cripple the economy, paralyze infrastructure and take innocent lives.
Therefore, as tech and business leaders, we owe it to our teams, our communities and our countries to raise awareness of spear-phishing and to address this threat within our organizations. In the cyber era, national defense is still a collective effort.