Protecting Your Organization from Spear-Phishing

Good news: This might be the only thing you read this week that doesn't talk about Apple's product announcements! Instead, I want to cover another hot news topic, the computer-based attacks (note that I refuse to use the cyber- prefix) on a number of major American corporations.

Are you at risk? It's hard to say because there are so many conflicting accounts of the attacks. Understandably, many of the victims are keeping quiet; their silence aids the investigations now taking place by various parts of the US government and by private consultants retained for their specific expertise in computer security. However, a few common threads are visible enough to warrant talking about.

First, it appears that the attacks were initiated by email: Targeted messages were sent to victims. The Christian Science Monitor reported this week that three major oil companies were targeted by spear-phishing attacks in which fake email messages were carefully crafted to look legitimate ("US oil industry hit by cyberattacks: Was China involved?"). The phishing messages contained a link to a malicious website that exploited one or more vulnerabilities to drop a Trojan on the victim's machine. Once infected, that machine could then be remotely controlled by the attacker and used as a springboard for further attacks.

This is essentially the same pattern that attackers used to break into Google, Adobe, and a number of other companies. How can you protect yourselves?

Here's the sad truth: A sufficiently motivated attacker with enough resources will get in anywhere they want. Security experts talk about "advanced persistent threats," or APTs, as the major bugaboo they worry about. That's because APT is code for "nation-state level attackers": well-funded, with access to expert talent and huge resources. If you're targeted by an adversary at this level, it's extremely difficult to protect yourself.

Because this column focuses on email, I want to point out a couple of areas worth your attention. The first is that the attackers didn't send malware in the email itself, so conventional message scanning couldn't catch the spear-phishing messages. The malware was dropped separately, from the malicious website. Up-to-date desktop antivirus software might have helped prevent some of these attacks, although some exploited previously unknown vectors. However, alert employees noticed and reported the spear-phishing messages in at least one case mentioned in the CSM article. A useful defense, then, is to redouble your efforts to train your organization to detect phishing messages.

Another way to protect yourself is to watch for unusual patterns of data flowing out of your organization. For the most part, individual computers on your network will have predictable patterns of outbound traffic. A good monitoring solution—which includes watching for unusual patterns of email messages—can help alert you to attacks before the attacker walks off with your crown jewels.
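As an added illustration of that kind of monitoring (not code from the original column), the sketch below keeps a per-host baseline of daily outbound volume and outbound email count, and flags days that deviate sharply from it. The host names, traffic figures, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (outbound MB, outbound emails) per day, days 1..8.
WS = [(118, 40), (125, 38), (121, 45), (130, 41), (116, 39), (123, 44),
      (4800, 42), (122, 310)]          # workstation: day 7 bulk upload, day 8 mail burst
FS = [(900, 0), (950, 0), (920, 0), (980, 0), (910, 0), (940, 0),
      (960, 0), (930, 0)]              # file server: large but steady traffic
RECORDS = ([("ws-014", d, b, m) for d, (b, m) in enumerate(WS, 1)] +
           [("fs-002", d, b, m) for d, (b, m) in enumerate(FS, 1)])


def robust_score(history, value):
    """Modified z-score from median and MAD, so one odd day cannot skew the baseline."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    # MAD is zero when history is flat; fall back to 10% of the median (min 1).
    scale = 1.4826 * mad or max(med * 0.1, 1.0)
    return (value - med) / scale


def find_egress_anomalies(records, min_history=5, threshold=6.0):
    """Return (host, day, metric, score) for days far above that host's own baseline."""
    history = defaultdict(lambda: {"bytes": [], "mails": []})
    alerts = []
    for host, day, out_mb, out_mails in sorted(records, key=lambda r: r[1]):
        base = history[host]
        flagged = False
        if len(base["bytes"]) >= min_history:   # no alerts until a baseline exists
            for metric, value in (("bytes", out_mb), ("mails", out_mails)):
                score = robust_score(base[metric], value)
                if score > threshold:
                    alerts.append((host, day, metric, round(score, 1)))
                    flagged = True
        if not flagged:                         # keep anomalous days out of the baseline
            base["bytes"].append(out_mb)
            base["mails"].append(out_mails)
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(RECORDS):
        print("ALERT host=%s day=%s metric=%s score=%s" % alert)
```

Each host is compared only with its own history, so the busy file server stays quiet while the workstation's sudden upload and email burst are both flagged.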

It's likely that these kinds of targeted expert attacks will continue. Being aware of the threat is a good way to start protecting your organization.
