Cyber attacks hitting high-profile targets have recently dominated the headlines, and there is no indication the trend will slow down anytime soon. Here, Invincea Founder and CEO Anup Ghosh talks to The New New Internet about the uptick in spear phishing, what role social media play and what steps to take after an attack.
The New New Internet: It seems as if spear phishing attacks are on the rise, especially those hitting high-profile targets (IMF, Google, etc). What are some of the reasons?
Anup Ghosh: Spear phishing attacks are on the rise for two reasons: They are very low cost to create and effective at getting onto the network. Put these two together and adversaries of all types — from spammers [and] scammers to hacktivists, organized crime [and] nation-state governments — will use them often as their initial foray onto target machines and networks.
The New New Internet: Who is behind these attacks?
Anup Ghosh: The array of actors behind spear phishing attacks range from Nigerian scammers, adware affiliate marketers, to organized crime and foreign governments.
The New New Internet: What are some of the most innovative methods you’ve seen spear phishers use?
Anup Ghosh: Effective spear phishers do a lot of collection on the target ahead of time. This will often mean learning about the target through LinkedIn or Facebook, or published org charts and memoranda (for instance, in the case of government). At this point, they will craft a letter that appears to be coming from a trusted source and, if well done, copies the language, look and feel of that source. Oak Ridge National Labs employees were hit with a spear phish that appeared to come from their human resources department, for instance.
The email will often have a link to a website or an attachment. In either case, the victim is lured into clicking on the link or opening the attachment. The link takes the target to a website hosting malicious code that will either exploit a vulnerability in the browser or directly ask the user to run software — sometimes, without the user understanding that is what they are doing. Attachments are laced with malware. In either case, the target’s machine gets compromised. From there, the adversary will search the target’s machine for interesting documents, but also use it as a jumping off point to the rest of the network.
The New New Internet: What role does the use of social media play in the increase of these attacks?
Anup Ghosh: Social media is used in phishing attacks in two ways. First, social media is often used to recon or collect intel on the target, as well as to earn trust of the target by joining their circle of friends or colleagues. Second, it is also used as an infection vector by either pointing the target to a malicious link or app on their page, or by sending in email with malicious link or attachment via the social media’s email platform.
The New New Internet: What are some important steps to take after someone has become a victim of spear phishing?
Anup Ghosh: In the case of the spear phish compromising the machine, it is important to realize the adversary will often move into other machines on the network, so remediating the victim’s machine is often not enough. Training and user awareness for executives and employees that they will be targets of phishing campaigns is important. While training is important, it isn’t sufficient. You will need to protect users against spear phishing attacks by technology as well, because ultimately some percentage (between 5-20 percent) of employees will be susceptible to spear phishing even after training. A security strategy that is dependent on users making the correct security decision every time they are faced with one is not a strategy. but a hope.
The New New Internet: What are some of the best ways of stopping spear phishing attacks?
Anup Ghosh: The most effective way of stopping spear phishing attacks is to place the user in a virtual bubble so that when they are clicking on links or opening email attachments, the infection occurs in a virtual disposable machine rather than on the desktop and network. This technology is available today from Invincea and gaining traction because of its ability to protect users from themselves and the network from the users. When a user clicks on a link, the site is browsed in a virtual environment. If the site hosts malicious code, then the user and desktop are protected against that threat, while the forensics of that infection are sent to the IT security desk.
Similarly, attachments are also auto-opened in the secure virtual environment. In other words, the actions of a user do not compromise the desktop or the network, but can also be used to feed network gateways URLs that are malicious based on what happened in the virtual environment. Turn users — vulnerabilities in your network — into assets, protecting the network.
The New New Internet: How do you see the spear phishing attacks evolve in the near future?
Anup Ghosh: Spear phishing has been highly effective. They will continue to improve on their ability to mimic documents, correspondence, as well as prey on human psychology. In addition, they will continue their campaigns through driveby-downloads and exploit zero-day vulnerabilities in browsers.