Defenders had their hands full fending off zero-day attacks in 2017, with the EternalBlue and EternalRomance exploits—part of the cyber toolset reportedly stolen from the U.S. government—fueling the spread of two massive ransomware campaigns, WannaCry and NotPetya.
Yet the most serious threat to companies, targeted attacks, used a much simpler and still effective technique: spear phishing. And it remains a popular mode of attack. The latest edition of Symantec's Internet Security Threat Report (ISTR) found that 71% of the targeted attacks detected by the company last year used spear phishing to nab the targeted user's credentials.
"When we are talking about a targeted attack, and you want to go after a specific person, phishing really works well," said Kevin Haley, director of product management for Symantec's Security Technology and Response group. "So why go through the trouble of trying to use a zero day? Why try to set up a website? Why try to do something elaborate and expensive and difficult, when you can send an e-mail and it is going to work?"
While recent mass attacks have focused on distributing crypto-miners, ransomware and banking Trojans, the most serious attacks are targeted ones, with attackers generally seeking to gather intelligence or steal intellectual property from their victims. These campaigns also involve far fewer custom tools.
Nine out of ten targeted attackers last year sought to gain intelligence on their victims, according to the ISTR. About 11% aimed to disrupt operations while 9% seemingly were after financial gain, the report found. The numbers add up to more than 100% because 15% of attackers have more than one motive.
In addition, spear phishing was the attack vector of choice, with 71% using targeted phishing attacks as a way to gain credentials.
This Is Not Your Father’s Phishing Kit
Spear phishing is a different beast than mass phishing. Mass phishing attacks have largely gone the way of spam, becoming an ever-present annoyance. Like spam, they have a very low success rate per message and, with current Bayesian learning and other clustering algorithms, can be detected quite quickly.
While massive phishing campaigns still take place, they are not cost-effective for attackers. If a cyber criminal wants to gain access to a specific site, the preferred method is to buy a large database of usernames and passwords from the breach of another site and try every single one on the targeted service, according to Haley. Indeed, Symantec found that you can buy 500,000 account credentials—consisting of e-mail addresses and passwords—from a data breach for $90.
"All I have to do is spend that 90 bucks, use an easily available tool, and I'm going to get — in a certain percentage of cases — the log-in and password for the account," Haley said. "It's trivial, so why should I go through all the effort of setting up a phishing attack?"
In addition, mass phishing attacks have a very short lifecycle. Most are taken down within a day.
In contrast, spear phishing attacks are almost impossible to detect, said Guy-Vincent Jourdan, associate professor of electrical engineering and computer science at the University of Ottawa.
"The takedown time is really short," he said. "If you get curious and click on a link in a phishing attack, chances are that Google is already blocking it. There is still a window of time, of course, but we are quite good at detecting those attacks."
Fending Off Spear Phishers
Spear phishing sneaks under the digital radar by only targeting one person—or at most, a few people—with a tailored attack that uses personal information and legitimate business reasons to trick workers into opening attachments or logging into a fake website.
Companies should focus on hardening their infrastructure and workforce against social engineers, because attackers will continue to use the cheap and simple method. Here are four ways that companies can continue to prepare.
Keep Training Users
Security awareness training has taken off in the past five years, and while it is not foolproof, it continues to be a good investment. Better-educated workers will not only be less likely to click on phishing e-mails, but can also serve as an additional means of detecting suspicious e-mail messages.
"Organizations spent a lot of time training their users on identifying and reporting phishing attacks—keep at it, it is important," Symantec's Haley said. "While you are going to see less of them [phishing attacks] broadly attacking your users, when someone is specifically targeting you … those attacks are a lot more damaging than a random phishing attack that ends up in someone's mailbox."
In addition, research has found that workers who fall for one phishing attack are more likely to fall for future phishing attacks, so identifying these weak links in your security and providing additional training is important.
Use Tools to Scan E-mails for Signs of Maliciousness
It's an axiom of security: Someone will always click. For that reason, companies also need to invest in tools to identify suspicious e-mails, University of Ottawa's Jourdan said.
"Of course, education, education, education, but we need to be looking at the e-mails as well," he said. Yet, spear phishing is not an easy problem to solve. "We are so good at detecting mass phishing because we have so much data. With spear phishing, we don't have that."
Machine learning and artificial intelligence can help. While human workers are being taught to treat e-mail with suspicion, machine pattern recognition can approach the problem more systematically and be updated to account for the latest techniques, raising the defensive walls for all workers.
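One way to put the e-mail-scanning advice into practice, as an added example that is not from the article, Symantec or the University of Ottawa group: a Python screener that applies four spear-phishing heuristics to a single message, namely an address forged into the display name, a Reply-To that diverts replies elsewhere, a sender domain a few edits away from a trusted one, and link text that disagrees with its actual target. The trusted-domain list, the edit-distance threshold and both sample messages are constructed assumptions.

```python
"""Heuristic screening of one e-mail for common spear-phishing indicators.

Added example, not from the article. TRUSTED_DOMAINS, the look-alike threshold
and the two sample messages are constructed assumptions for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
LOOKALIKE_MAX_DISTANCE = 2          # assumption: edits that still count as "look-alike"

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address; '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (exarnple.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message: str) -> list:
    """Return the sorted list of indicator names that fire on the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = set()

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. An address written into the display name that differs from the real
    #    sender hides the true domain in clients that only show the name.
    for embedded in ADDR_RE.findall(display_name):
        if domain_of(embedded) != from_domain:
            findings.add("display_name_spoof")

    # 2. Replies silently rerouted to a different domain.
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.add("reply_to_mismatch")

    # 3. Sender domain only one or two edits away from a domain we trust.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_domain, trusted) <= LOOKALIKE_MAX_DISTANCE:
                findings.add("lookalike_sender_domain")

    # 4. Link text that looks like one URL while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(content):
        shown_host = urlparse(text.strip()).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            findings.add("link_text_mismatch")

    return sorted(findings)


# Constructed sample: look-alike sender, forged display name, rerouted replies
# and a disguised link.
SUSPICIOUS = """\
From: "Pat Lee <pat.lee@example.com>" <pat.lee@exarnple.com>
Reply-To: invoices@mail-drop.invalid
To: alex@example.com
Subject: Updated wire instructions for the Q3 vendor payment
Content-Type: text/html; charset="utf-8"

<html><body><p>Alex, please confirm before 5pm today.</p>
<a href="http://login.mail-drop.invalid/sso">https://sso.example.com/login</a>
</body></html>
"""

# Constructed sample: ordinary internal mail.
BENIGN = """\
From: Pat Lee <pat.lee@example.com>
To: alex@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    print(analyze(SUSPICIOUS))  # ['display_name_spoof', 'link_text_mismatch', 'lookalike_sender_domain', 'reply_to_mismatch']
    print(analyze(BENIGN))      # []
```

Each indicator on its own is weak evidence, which is the point Jourdan makes about spear phishing: a single tailored message gives little data to learn from, so a screener like this works best as a scoring input alongside user reports rather than as a hard block.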
Use Multi-Factor Authentication to Reduce Impact
Companies should also prepare for the worst and expect that users will give away their credentials. Adding an additional factor of authentication will make it that much harder for an attacker to use credentials to compromise an account, Jourdan said.
"The entire problem is that — if you provide information, like your bank account — it is over," he said. "But it should not be. If you have two- or three-factor authentication, there should be a lot more protection, so that it should not be so easy, when you screw up once, to be able to access the account."
Turn Off Unused Dual-Use Tools
Finally, companies should be aware of the most common techniques and payloads used on newly compromised systems. Currently, attackers tend to "live off the land," using tools already found on a compromised system rather than installing their own, in order to evade detection.
"For the attacker, it's 'Why should I create a piece of malware, when I can use PowerShell?'" Symantec's Haley said. "It will be harder to detect and it will do exactly what I want."
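As an added example, not from the article or Symantec: a small Python triage routine that scores constructed process-creation records for the PowerShell switches most often seen when the tool is run hands-off (hidden window, execution-policy bypass, no profile, encoded command) and decodes the -EncodedCommand payload so an analyst can read what was run. The log format, the weights and the threshold are assumptions; the encoded payload is a harmless Write-Host built inline so the decoding can be checked.

```python
"""Triage of process-creation records for suspicious PowerShell invocations.

Added example, not from the article or Symantec. The log lines are constructed
(tab-separated: time, host, user, image path, command line) and the indicator
table is illustrative, not a complete detection rule set.
"""
import base64
import re

# Common spellings PowerShell accepts for each switch; weights are an assumed
# triage scoring, not an established standard.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-(?:ex|ep|executionpolicy)\s+bypass", re.I), 2),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I), 3),
]
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# -EncodedCommand expects base64 of UTF-16LE text; the blob is built here from a
# benign command so the reader can verify the round trip.
_ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16-le")).decode()
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample: a scheduled admin script, a hidden encoded launch, and
# an unrelated process.
SAMPLE_LOG = [
    f"2017-09-14T10:02:11Z\tWS01\tCORP\\alex\t{_PS}\tpowershell.exe -File C:\\scripts\\inventory.ps1",
    f"2017-09-14T10:05:43Z\tWS01\tCORP\\alex\t{_PS}\tpowershell.exe -NoProfile -WindowStyle Hidden "
    f"-ExecutionPolicy Bypass -EncodedCommand {_ENCODED}",
    "2017-09-14T10:07:02Z\tWS01\tCORP\\alex\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\alex\\notes.txt",
]


def decode_encoded_command(cmdline: str):
    """Decode the -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_cmdline(cmdline: str):
    """Return (score, [indicator names]) for one PowerShell command line."""
    matched = [name for name, rx, _ in INDICATORS if rx.search(cmdline)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    return score, matched


def triage(lines, threshold=4):
    """Return records for PowerShell launches whose score reaches the threshold."""
    hits = []
    for line in lines:
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue  # malformed record; skip rather than crash the sweep
        ts, host, user, image, cmdline = parts
        if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        score, matched = score_cmdline(cmdline)
        if score >= threshold:
            hits.append({"time": ts, "host": host, "user": user, "score": score,
                         "indicators": matched, "decoded": decode_encoded_command(cmdline)})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Because every administrator's script also runs through powershell.exe, the value is in the combination of switches and in reading the decoded payload, not in alerting on the binary itself; tuning the weights against a week of your own logs is the expected first step before enabling this as a rule.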
Companies that take a multi-faceted approach to not only try to prevent phishing attacks, but to detect and respond to attackers that get through their defenses, have the greatest chance to limit the damage from a successful attack.