Spear phishing remains one of the most common and effective targeted cyber attacks. In this blog, we’ll discuss what it is, how it works, and what can help protect from spear phishing threats. We’ll explain how next-generation endpoint detection and response (EDR) solutions can combat this threat, and share some examples of how they can offer deeper insights.
What is Spear Phishing?
Spear phishing attacks are delivered through email with the goal of either infecting devices with malware, or stealing important information like passwords and personal data like Social Security Numbers. Unlike phishing, in which spammers send millions of mass, impersonal emails to try and lure in anyone who will click on a bad link, spear phishing emails are designed to sound much more legitimate, and are used to target specific groups or individuals within an organization, often with the goal of getting access to sensitive information, systems or networks, or to intellectual property. They’re often the origin of data breaches.
Spear phishing emails will often appear to come from someone you know inside the organization. Attackers often use spoofed emails, in which they impersonate a known email address, to make it appear that they’re coming from your agency director, your direct boss or a colleague. It will typically contain personalized content and a believable request to sound genuine. This social engineering characteristic is what makes spear phishing so troublesome.
Phishing attempts as a whole are on the rise, and with the abundance of personal and professional information available to cyber criminals, spear phishing has become increasingly effective. The massive shift to a remote workforce during the past year and a half of the global COVID-19 pandemic has also given threat actors more opportunities to launch effective phishing and spear phishing attacks, especially with the increased need for email communications, as employees may no longer be sitting side-by-side in their cubicles and offices to do their work.
According to the New Future of Work Report, a scholarly deep dive into understanding the impact of remote work published earlier this year, 80 percent of security professionals surveyed said they’d encountered increased security threats since the shift to remote work began. Of these, 62 percent said phishing campaigns had increased more than any other cyber threat. The FBI reported that phishing was the most common type of cybercrime in 2020, with more than 11 times as many phishing complaints in 2020 compared to 2016.
How Does Spear Phishing Work?
Spear phishing relies on an attacker’s ability to make an email seem genuine. This means attackers do their research before attempting a campaign. A quick Google or LinkedIn search can reveal enough information about a person (job title, who they report to, what their role is) to craft a message that will prompt an employee to follow the directions in it, which makes spear phishing harder to avoid.
These directions can request that the recipient take a variety of actions. An email might ask for a direct reply containing confidential agency information, request a wire transfer, include a link or attachment that installs malware on the device, or send the recipient to a website where they are prompted to enter personal information such as a username and password. The website may mimic a legitimate website that employees frequently use, such as Office 365 or a human resources application.
Ultimately, it is much easier to deliver an attack that relies on human “error” than it is to hack into a system. For this reason, it’s important to have protections in place that give you visibility into and alerts on suspicious behavior, and to train employees to spot suspicious emails or social media links.
How Next Generation Endpoint Detection and Response Protects Against Spear Phishing
When a phishing or spear phishing attack is successful at getting malware or ransomware to an employee’s device, you’ve got less than 30 minutes on average to prevent it from moving laterally to other machines. So, 24×7 response capability to begin response action in 10 minutes or less is essential to surviving an attack.
Next-generation EDR solutions constantly monitor and record what is happening on endpoints. This offers visibility into malicious activities across the devices connected to your network. If there’s any suspicious behavior (for example, an application attempting to launch another application it normally wouldn’t), the EDR will send an alert.
Since the Motorola Solutions ActiveEye cybersecurity platform integrates with multiple EDR providers, we can easily pull all these alerts into our platform. This makes it easy to correlate endpoint activity with network and cloud security alerts, and to provide you a consolidated view of your entire cyber security environment. We also incorporate insights from third-party threat intelligence partners to detect and prevent threats faster, as well as security data from cloud applications and infrastructure, and from your “traditional” IT networks.
Visualizing the Attack Chain
If the EDR solution detects patently malicious activity (for example, a suspicious file attempting to execute), it will block it. Additionally, it can show quick and easy attack chain visualizations. These can help you understand the attacker’s path so you can prevent similar attacks.
For example, let’s look at an attack that starts with someone opening an email and then opening a compromised Excel attachment. This in turn invokes a malicious macro in Excel, which then invokes PowerShell. The EDR solution could block PowerShell immediately because it attempted to launch malware.
This is important when looking at the associated TTPs (tactics, techniques, and procedures) that attackers can use to get into networks, and it’s a prime example of how they’re constantly innovating when it comes to spear-phishing campaigns. This attack embedded malware, and it also weaponized known good pieces of software — like Excel spreadsheets — in an attempt to evade any signature-based prevention.
The EDR solution’s continuous, centralized recording saw all of this activity in real time, applied prevention when suspicious activity became clearly malicious, and escalated the alert to administrators accordingly. This allowed them to take remediation steps right away.
Alternatively, consider a situation in which an attacker sends a spear phishing email prompting the end user to visit a website that’s been created to look legitimate and input their credentials. If an attacker is able to successfully harvest user credentials, the EDR solution is there to monitor, alert on, and prevent any malicious activity that then occurs — even when it is under the guise of a legitimate login. If the attacker tries to download malicious code and run it locally after logging into the endpoint, they’d be blocked.
Or, suppose they attempt to set up a scheduled task that automatically makes outbound network connections to the attacker’s home IP address. An alert would fire in the EDR solution, and in turn show up in our ActiveEye security portal. This would allow you or our security operations center (SOC) analysts to immediately see and evaluate the malicious nature of that activity and launch a full-scale investigation.
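The two chains described above (an Office document whose macro launches PowerShell, and a scheduled task whose action connects out to an attacker-controlled address) are exactly the kind of parent-child and process-to-network relationships an EDR records. The following is an added example, not code from this post or from ActiveEye, of a small detector that replays endpoint telemetry and flags both patterns. The event schema, field names, rule names and sample events are all constructed assumptions, not any vendor's format; `203.0.113.10` is a documentation address and the parent pid of the task's process is a placeholder.

```python
"""Added example, not code from the original post or from ActiveEye: a
toy detector that replays endpoint telemetry and flags the two chains the
post describes. The event schema, field names and sample events are
constructed assumptions, not any vendor's format."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAX_HOPS = 3  # how many parents to walk looking for an Office ancestor
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Event:
    ts: int           # constructed timestamp, seconds
    kind: str         # "process", "task_created" or "net_connect"
    pid: int          # process the event belongs to
    image: str = ""   # process image path, or the action a task will run
    ppid: int = 0     # parent pid (process events)
    dst: str = ""     # destination IP (net_connect events)
    task: str = ""    # task name (task_created events)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def is_external(ip: str) -> bool:
    """True unless the address falls in a private, loopback or link-local range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: List[Event]) -> List[dict]:
    """Replay events in time order and return the alerts they would raise."""
    alerts: List[dict] = []
    image_of: Dict[int, str] = {}      # pid -> image basename
    parent_of: Dict[int, int] = {}     # pid -> parent pid
    task_action: Dict[str, str] = {}   # task name -> action basename
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            name = _basename(ev.image)
            image_of[ev.pid] = name
            parent_of[ev.pid] = ev.ppid
            if name in SCRIPT_HOSTS:
                # Walk up the tree: a script host under Excel/Word/Outlook
                # is the macro -> PowerShell chain from the post.
                chain, pid = [name], ev.ppid
                for _ in range(MAX_HOPS):
                    parent = image_of.get(pid)
                    if parent is None:
                        break
                    chain.append(parent)
                    if parent in OFFICE_APPS:
                        alerts.append({"ts": ev.ts, "rule": "office_spawned_script_host",
                                       "pid": ev.pid, "chain": " <- ".join(chain)})
                        break
                    pid = parent_of.get(pid, 0)
        elif ev.kind == "task_created":
            # Remember what each newly registered task will run.
            task_action[ev.task] = _basename(ev.image)
        elif ev.kind == "net_connect":
            # A task action connecting outside the internal ranges is a beacon candidate.
            name = image_of.get(ev.pid, "")
            tasks = [t for t, a in task_action.items() if a == name]
            if tasks and is_external(ev.dst):
                alerts.append({"ts": ev.ts, "rule": "scheduled_task_outbound",
                               "pid": ev.pid, "task": tasks[0], "dst": ev.dst})
    return alerts


# Constructed telemetry: an Excel macro spawning PowerShell (alert), an
# administrator running PowerShell from Explorer (no alert), and a scheduled
# task whose action talks to an internal host (no alert) and then to an
# external address (alert). ppid=4 is a placeholder for the scheduler.
SAMPLE_EVENTS = [
    Event(1, "process", 100, r"C:\Windows\explorer.exe", ppid=1),
    Event(2, "process", 200, r"C:\Program Files\Microsoft Office\outlook.exe", ppid=100),
    Event(3, "process", 300, r"C:\Program Files\Microsoft Office\EXCEL.EXE", ppid=200),
    Event(4, "process", 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ppid=300),
    Event(5, "process", 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ppid=100),
    Event(6, "process", 510, r"C:\Windows\System32\schtasks.exe", ppid=500),
    Event(7, "task_created", 510, r"C:\Users\Public\upd.exe", task="Updater"),
    Event(8, "process", 600, r"C:\Users\Public\upd.exe", ppid=4),
    Event(9, "net_connect", 600, dst="10.0.0.5"),
    Event(10, "net_connect", 600, dst="203.0.113.10"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script prints two alerts: the `powershell.exe <- excel.exe` chain and the external connection by the `Updater` task's action. The PowerShell launched from Explorer raises nothing, which is the point of correlating on the parent rather than on the script host alone; a real EDR adds command lines, signer information and user context on top of this skeleton.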
Malware and ransomware variants change quickly, but phishing and spear phishing are still the most effective ways to deliver them. Security analysts need a broad security background to interpret what is happening, identify new indicators, search for them across all systems, and apply blocking measures. Having staff that is experienced in responding to these types of threats is essential to surviving an attack and mitigating the damage.
If you’re concerned about spear phishing and other advanced threats that may impact your organization, a next-gen EDR endpoint protection platform offers a lot of advantages over traditional antivirus. However, there’s a lot to consider. Although these solutions offer advanced features, you’ll need to consider the cost of hiring or training someone to manage whichever solution you choose.
You should also be prepared to handle a potentially large volume of alerts if there are a lot of connected devices in your environment, and to spend some time up front on fine-tuning the solution. Ensuring that your operating system is up-to-date, applying regular security patches and implementing two-factor authentication for applications and network access are also important steps you can take to protect against phishing and other cyber threats.
The average cost of recovering from a ransomware attack is far greater than putting proper endpoint security and 24/7 monitoring in place. Many organizations, particularly public safety organizations and state and local governments, have realized that a managed security services solution enables them to secure their endpoints more effectively while lowering operational costs and demonstrating a faster return on their next-gen EDR investment.
To learn more, read Considering Next-Gen Endpoint Security? Where to Start or contact us for a demo of our endpoint security services.