A large number of attacks need successful spear phishing as a necessary precursor. To me, spear phishing falls into the larger group of “semantic attacks”. For example, semantic attacks can deceive us into assigning the wrong meaning to an email and to the actions or information requested therein. Eventually we believe that what we are doing is all right while in reality we are helping the attacker. Stuxnet took this a notch further by deceiving engineers into believing that everything was all right while in reality there was havoc all over.
Anyways, back to phishing. Spear phishing deceives users into believing that the text (eMail) in front of them comes from a source trustworthy enough to obtain sensitive information. Voila.
Spear phishing is not new and has been around for at least a decade. I think we all remember the time when we first received those badly crafted eMails that were allegedly from the so-called “Nigeria-Connection”. The narrative was usually around some rich person who was stuck in the jungle with 5 million dollars in cash and without petrol, ready to send us 10% of the cash if he could eventually get to some petrol by using our credit card and bank details.
After this rich man whom we did not know, there came a time when these emails were crafted around names that we knew. Suddenly it was a friend of ours, mentioned by name, who was stuck. That was somewhat deceiving, especially when this friend really had been on holiday or even on a safari by the time we received the eMail. But anyhow, these eMails all suffered from bad wording and bad grammar and in my opinion never did a good job of deceiving people.
Today, probably by drawing on big data, the “quality” of spear phishing emails has improved by orders of magnitude. The texts are perfect, the names and sender addresses are correct and sometimes even the context is. For example, we might be building a house and the spear phishing email may seem to come from our contractor asking us to confirm something sensitive by phone. Without examining, for example, the eMail headers it can at times be rather difficult to judge whether this is a legimail (read: legitimate eMail) or not.
So how can IT help? What security controls should be brought into place? Below are some ideas & components of a successful defense strategy.
Governance. Don’t ignore the end user. Do not tell them “no”, but use the business code of conduct, acceptable use policies and training & awareness campaigns to tell them how.
Gateway based defenses. Most spam filters are reputation based or do a combination of reputation based analysis and lexical analysis. In fact, a good spam filter will weed out the vast majority of spear phishing emails plus most emails with virus attachments, since frequently both originate from senders with bad IP reputation.
- Do not accept email that should only originate from inside your networks. Even if it is convenient for some road warriors and home working personnel, eMail that carries a sender address from your own company should only be accepted from internal mail servers. That already limits the number of deceptions that you can fall for.
- Suppress all attachment types that are not business related at your place. Good candidates are, for example, executables, DLLs, anything that can be compiled, .pps files, etc.
Email classification & labeling. To counter deception it is a very helpful security control to give every eMail a label, so that users see at first glance whether an eMail originated from the inside or from the outside.
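As an added illustration of the three gateway controls described above (the own-domain sender rule, the attachment block list and the inside/outside label), here is a small Python policy function. It is example code written for this post, not a product or a filter the post describes; the domain, internal networks, extension list and sample message are constructed placeholders, and the envelope sender is passed in as a parameter because a real gateway sees it in the SMTP MAIL FROM rather than in the headers.

```python
import ipaddress
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Tuple

# Policy values are constructed for this example; substitute your own.
OWN_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
BLOCKED_EXTENSIONS = (".exe", ".dll", ".scr", ".js", ".vbs", ".pps")
EXTERNAL_TAG = "[EXTERNAL] "

# Constructed sample: a message claiming to be from our own CEO.
SPOOFED_CEO = ("From: CEO <ceo@example.com>\nTo: cfo@example.com\n"
               "Subject: Urgent wire transfer\n\nPlease call me back.\n")


def is_internal_source(peer_ip: str) -> bool:
    """True when the submitting MTA sits inside one of our own networks."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in INTERNAL_NETS)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def evaluate(raw: str, peer_ip: str, mail_from: str) -> Tuple[str, Message]:
    """Apply the gateway policy; returns (verdict, possibly relabelled message)."""
    msg = message_from_string(raw)
    internal = is_internal_source(peer_ip)
    # Rule 1: own-domain senders (envelope or header From) only from inside.
    for addr in (mail_from, msg.get("From", "")):
        if domain_of(addr) == OWN_DOMAIN and not internal:
            return f"REJECT: own-domain sender {addr} from external host", msg
    # Rule 2: drop attachment types that have no business use here.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            return f"REJECT: blocked attachment type {name}", msg
    # Rule 3: label everything from outside so users see it at first glance.
    if not internal:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = EXTERNAL_TAG + subject
    return "ACCEPT", msg
```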