Spear Phishing Emails – Can You Really Prevent Them?



By now, many organizations are familiar – though, hopefully, not as a result of direct experience – with general phishing attacks. These are the kind of attacks that try to trick employees into opening seemingly ordinary-looking emails that, in fact, contain malware.

Unfortunately, cyber criminals, adversaries and nation-states are well aware that many organizations are on guard against general phishing attacks — and so they’ve taken things to a new level with spear-phishing attacks.

What are Spear Phishing Attacks?

In the “real world”, spear fishing is the practice of trying to fish with a spear or some similarly-shaped object. Unlike other kinds of fishing, spear fishing is not a general approach: it’s focused, targeted and aimed at one specific fish at a time.

In the same light, spear phishing attacks use personal information – such as a name, job title or other data that isn’t at all difficult for adversaries to find – to lull unsuspecting victims into letting down their guard and assuming that the email they’re about to open or the attachment they’re about to download is meant for them and therefore harmless, when in truth it’s laden with malware. (For a look at the anatomy of a real spear phishing attack, read our blog post: “Spear-Phishing with Mandiant APT Report”.)

The Problem with On-Premises Prevention

Spear-phishing is not a new threat on the malware landscape. Most organizations know that it’s “out there” (again, hopefully from reading blogs like this rather than from experiencing an attack), and as a result they rely on on-premises prevention solutions to spot malware and thwart attacks. What these organizations don’t know, however, is that such a system cannot work 100% of the time.

That’s because, as noted by PC World, these kinds of solutions can fail to prevent malware when:

  • It’s downloaded from a link clicked by a user inside the firewall
  • It’s embedded in a fake update to an application
  • It attempts to gain entry to the network through multiple entry points (remote employees, partners, customers)

And since spear-phishing attempts are fundamentally designed to trick people into clicking what appear to be legitimate links and into paying no attention to seemingly typical software updates, the bottom line is that organizations that rely on conventional or “next generation” on-premises security products – such as antivirus, firewalls, IPS, IDS and secure web gateways – are exposed and vulnerable.

From Prevention to Detection

Despite the grim reality that on-premises security products can’t stop 100% of the malware deployed by spear-phishing attacks, the news isn’t bad – because there is a way to regain the advantage over adversaries and stay safe: shift the emphasis from prevention to detection.

A solution for APT that emphasizes detection – and not prevention – goes beyond scanning infection vectors, and instead focuses on whether unexpected or unauthorized communication is taking place from an organization’s IP address or web interface domain within botnet traffic.

If such communication is indeed detected, the APT protection system immediately informs the organization that a malware infection exists, even if that particular malware’s signature was previously unknown — again, because it isn’t relying on signatures (as a conventional or “next generation” prevention tool does). Rather, it focuses on actual, real-time communication between an organization’s machine and an adversary’s: communication that typically takes place beyond the infection vector, where malware embeds itself to launch persistent attacks that can last for months — or even years — before it is even spotted, let alone neutralized.

At the same time, because the detection is 100% evidence-based, there are no false positives. Only a true infection, evidenced by unauthorized malware communication, sounds the alarm.
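To make the detection idea above concrete, here is a small added example (not code from the original post or from any product it describes) that runs two checks over constructed outbound proxy log lines: a match against a constructed list of known command-and-control destinations, and a signature-free beaconing heuristic that flags an internal host contacting the same destination at near-regular intervals. All hostnames, addresses and timestamps are constructed for the example, and the log format, the field order and the jitter threshold are assumptions.

```python
"""Outbound-communication detection over constructed proxy log lines.

Instead of scanning the infection vector (the email attachment), look at
whether an internal machine is talking to infrastructure it should not be
talking to. Two heuristics are applied:
  1. the destination matches a constructed list of known C2 indicators
  2. beaconing: one host contacts one destination at near-regular intervals
Every log line and indicator below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list (placeholders, not real IoCs).
KNOWN_C2 = {"c2.example-bad.test", "198.51.100.23"}

# Constructed proxy log: timestamp, source host, destination, action (assumed format).
SAMPLE_LOG = """\
2013-04-02T09:00:00 10.0.0.15 updates.example-vendor.test ALLOW
2013-04-02T09:00:05 10.0.0.15 c2.example-bad.test ALLOW
2013-04-02T09:10:05 10.0.0.15 c2.example-bad.test ALLOW
2013-04-02T09:20:04 10.0.0.15 c2.example-bad.test ALLOW
2013-04-02T09:30:06 10.0.0.15 c2.example-bad.test ALLOW
2013-04-02T09:12:00 10.0.0.22 203.0.113.9 ALLOW
2013-04-02T09:47:10 10.0.0.22 203.0.113.9 ALLOW
2013-04-02T10:03:33 10.0.0.22 203.0.113.9 ALLOW
2013-04-02T09:05:00 10.0.0.31 198.51.100.23 DENY
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, action) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def indicator_hits(events, indicators=KNOWN_C2):
    """Any contact with a known-bad destination, allowed or denied, is a finding.

    A denied connection still means the internal host tried to reach the
    adversary, i.e. the machine is already infected.
    """
    return sorted({(src, dst) for _, src, dst, _ in events if dst in indicators})


def beacon_candidates(events, min_events=4, max_jitter_ratio=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    Requires no signature: only the timing regularity of allowed connections.
    Returns (src, dst, mean_interval_seconds) for each candidate.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, action in events:
        if action == "ALLOW":
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation: low jitter relative to the interval => beacon-like
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings.append((src, dst, round(avg)))
    return findings


def detect(text):
    """Run both checks over a raw log and return the findings."""
    events = parse_log(text)
    return {"indicator_hits": indicator_hits(events),
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In the constructed sample, host 10.0.0.15 is reported by both checks (it reaches a listed destination every ten minutes), 10.0.0.31 is reported by the indicator check even though the firewall denied the connection, and 10.0.0.22 is not reported because its three irregular connections do not meet the beaconing threshold. The thresholds are assumptions; in practice they would be tuned against the organization's own baseline.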

APT Protection: An Opportunity and an Obligation

Ultimately, the key thing that organizations must keep in mind if they want to avoid being victimized by a sophisticated spear phishing attack, is that on-premises prevention solutions — regardless of how “constantly updated” they may be — cannot work 100% of the time.

However, when they deploy a cloud-based solution for APT that emphasizes detection rather than prevention, they seize an opportunity – and fulfill an obligation – to keep their organization safe, their employees compliant, and their reputation secure.

And in today’s dangerous malware threat landscape, there’s really no way to put a price on that.

Creative Commons photo courtesy of miamism’s Flickr photostream
