Leon Erlanger is a freelance writer, consultant, and former PC Magazine Executive Editor who has spent the past eight ...
What is the biggest threat to your company’s network? Look in the mirror. A large share of recent high-profile attacks, including those on Epsilon, RSA, the Oak Ridge Laboratories in Tennessee, and the Gmail accounts of government officials—not to mention Operation Shady RAT—are suspected to have begun with spearphishing, a devious social engineering technique that tricks email and social networking users—even sophisticated users like you—into giving the perpetrator access to the company network.
Like regular phishing, spearphishing uses email to get the recipient to divulge sensitive information, such as passwords, or to click on an attachment or bogus URL. Clicking typically downloads Trojans or other malware that opens back doors, which the perpetrators then use to move further through the target network and steal large amounts of sensitive data. These attacks can persist for months without the target’s awareness, and once they are discovered it can be very difficult to determine the extent of the damage.
Unlike regular phishing, spearphishing attacks target a small number of carefully chosen high-value users, often addressing the victim by name, spoofing the sender addresses of known employees or partner organizations, and using information and jargon that seemingly only company staff would know. Many use intimidation or a sense of urgency to make the victim feel there is no choice but to comply. Recently, social networking sites have been used for spearphishing as well. Incidents have shown that even security-aware employees fall victim to these attacks, even when they have been warned about specific threats in advance.
Technology can be used to combat spearphishing and its consequences (see Building a Better Shady RAT Trap: Security Connected Framework), but even the best technology must be supplemented by security best practices, including education, policy, and response.
Education
Any spearphishing education program should not only explain spearphishing tactics and proper best practices to users, it should also include periodic, ongoing mock spearphishing drills that demonstrate to employees how easily they can be fooled. Publicize the results, and consider a quiet word with employees who fall for the drill, enough to cause mild embarrassment, along with some kind of small reward for those who do not. Any education should teach the specific measures employees should take if they suspect they have been targeted. Make sure new employees are educated as soon as possible.
Policy
Make it a known company policy never to collect employee information internally via email, attachments, or links contained in emails, and never to divulge information to partners via email. Employees should never divulge any user name or password to a caller claiming to be from the help desk or a senior executive's office, unless they know the caller personally or return the call at a known corporate extension. Spell out what types of information should absolutely never be divulged via personal Gmail or other email, blogs, tweets, or other social networking channels.
Response
Have a detailed incident response plan in place that spells out the specific actions to be taken after an incident in order to determine the scope of the attack, limit the damage, and maintain appropriate records for forensic purposes. The plan should not only spell out the actions, but also the employees responsible for taking them.
Technology plays a role in preventing and limiting the effects of spearphishing, but technology cannot substitute for employee savvy and preparedness.