Avoiding the Spearphisher's Barb
ON JUNE 1, 2009, the State Department’s Cyber Threat Analysis Division (CTAD) received and analyzed an e-mail message sent from a columnist at National Journal, a political magazine for Washington insiders. The message was addressed to five employees at the department’s Division of Ocean Affairs, Office of the Special Envoy for Climate Change. The e-mail’s subject line read “China and Climate Change,” along with a PDF attachment named the same thing. The body of the e-mail contained nothing out of the ordinary and was written on matters of interest to the five recipients. The e-mail, however, wasn’t from the columnist, and it was anything but typical.
Examining the e-mail’s PDF attachment, CTAD analysts discovered malicious code embedded within. Known as the Poison Ivy Remote Administration Tool, the malware was designed to exploit a vulnerability in Abode’s PDF reader that would have allowed hackers to remotely control the users’ systems and gain access to sensitive information. Fortunately, the users targeted by this cyberattack were using patched versions of the Adobe software and thus were protected.
That cyberattack—which came to light through the WikiLeaks documents—failed, but many other attacks using that same tactic, known as spearphishing, succeed.
Spearphishing is the art of sending emails directly to identified subjects who will be tricked into opening attachments, clicking on links, or downloading malware because they think the e-mail is from a known and trusted source. Often the e-mail relates to a topic of personal interest and bears none of the hallmarks of spam or malware.
Cybersecurity experts say spearphishing is on the rise, and it’s difficult to defend against, because the attackers go to great lengths to craft well-researched emails that exploit recipients’ trust.
The primary defense is awareness. Companies must, therefore, educate employees on the threat of spearphishing, while IT departments must keep system security up-to-date and implement the right policies to catch a breach if it occurs.
THIS LURE’S FOR YOU
In a run-of-the-mill phishing attack, the attacker uses an electronic message—typically an e-mail, but it could be an instant message or a Facebook or Twitter post—to fool the recipient into doing something. Traditionally the attack is designed to trick victims into clicking on a link that takes them to a site where malware surreptitiously downloads onto their computer, or the site may get them to provide sensitive personal information, like log-in credentials or payment card information. This is what security experts call social engineering, where the attacker uses e-mail and maybe a fake Web site to establish trust and manipulate victims into doing something, says John Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a nonprofit research institute.
In one of the more popular phishing ploys, a cybercriminal sends a mass e-mail that looks like it’s from an established bank or a credit card company. The message, doctored with the appropriate corporate logo, will instruct the recipient to click on the link to take care of some important business. Typically, the link takes the recipient to a fake Web page made to look like a genuine bank or credit-card company’s site and asks the visitor to login or provide sensitive information. If the visitor complies, the cyberthief gains sensitive information he can use to defraud the victim.
Phishing attacks like these are hit or miss, because they are indiscriminately sent to masses of recipients. The attacker has no foreknowledge of where the recipients actually do their banking or hold their credit cards. They simply play a numbers game: hoping that enough email recipients are Bank of America or American Express customers, for example, to make their con worthwhile.
Spearphishing, however, refines that process. In many cases, attackers not only make the e-mail seem like it’s from a trusted source, but they also carefully craft the content to add an air of authenticity, to pique the recipient’s curiosity, or to elicit an emotional response. By doing so, the spearphisher has doubled-down on the social engineering aspect of the con. When emotional responses are engaged, a person will be less cautious.
In September, Symantec’s MessageLabs, which provides messaging and Web security services, identified a string of sophisticated spearphishing attacks targeting employees of retail firms. One of the cases cited illustrates how the emotional hook works.
In that attack, 50 recipients received an e-mail that looked like it came from one of their company’s senior human resources executives. Attached to the e-mail was a malicious PDF file called “new_salaries_2011.” According to MessageLabs’ October intelligence report, the attackers knew that recipients would be enticed to open it not only because it ostensibly came from a trusted executive, but also because it promised a tasty morsel of information: next year’s salaries.
Opening the PDF file would put a backdoor Trojan onto the recipient’s computer, “with the potential for the attacker, in due course, to help themselves to valuable or sensitive personal and corporate data,” noted the report.
Spearphishers narrow their aim to reel in big phish—or what the attackers call whales—who have access to sought-after intellectual property or intelligence. To do this, the spearphisher does background research on the target. With the advent of social networking Web sites like Facebook and LinkedIn, it isn’t hard for a hacker to learn a lot about an intended target.
“A lot of the spearphishing that we’re seeing, the actors doing it seem to know who the [target] is, who his boss is, and what project they’re working on already,” says Jim Harris, the FBI’s acting unit chief for Cyber Criminal Unit II. “The only thing they’re missing is the secret data off the network that they can’t get to.”
They get that missing data when they get the target to help them put malware on the network by opening the attachment, for example.
The spearphisher will also try to use what’s called a zero-day exploit, which means they have malware that targets a software vulnerability not known to the software developer or security firms yet. In these cases, not only will the e-mail get past the gateway, but if the recipient is fooled by the message, the malicious payload will slip onto the company network undetected and be able to carry out its mission.
Advanced persistent threat. Compounding the problem, spearphishing is often part of what computer security experts call an advanced persistent threat, which is when a group of sophisticated computer hackers—often backed by criminal organizations or nation-states—target a particular network and will not stop until they gain access.
“If one attack fails, another one will be tried—again and again,” Ernst & Young reported in April 2010. After the attackers have established a foothold in the network, they will remain there until they are discovered, collecting sensitive information for as long as possible.
Spearphishers “tend to be deeper pocketed because they have specific targets in mind,” explains Chris Larsen, head security researcher for Blue Coat Systems. “They’re willing to spend the money they need to make their attack successful. So those are the guys [who] are going out on the hacker forums, shopping for zero-day exploits.”
The rise of spearphishing has left companies scrambling for defenses. Too often, however, companies believe they can purchase an off-the-shelf security solution to provide total security, says Larsen. But spearphishers aren’t werewolves, so there isn’t a silver bullet.
While software helps, it is only part of the solution. The other layers needed for a more comprehensive defensive program are employee training, data compartmentalization, and IT staff who know how to spot suspicious activity in the network logs, experts say.
School the phish. Employees are usually the weakest link in the security chain, according to Harris. If employees receive a spoofed e-mail from a trusted source, they won’t think twice before opening the malicious document attached to it, especially if they don’t know any danger exists. Thus, one of the primary steps companies can take to guard against spearphishing is to establish a program for educating employees about how to recognize the lure and the hook.
Companies “need to have a better system within their corporations to train employees to identify the signatures of a potential phishing attack and to report those things,” says Bumgarner.
For example, employees need to know that hackers can easily poison links, says David Morgan, a cybersecurity expert at Booz Allen Hamilton who consults with the U.S. government.
“I can create a link that reads gooddomain.com, but, underneath, my code says maliciousdomain.com,” Morgan explains. “When you click that link, it’s going to take you to maliciousdomain.com. However, if you copy and paste gooddomain.com into the browser, you’re going to go to gooddomain.com, not the underlying link in the code.”
Thus, one simple precaution is to teach employees to copy and paste e-mailed links into their Web browser.
To avoid clicking on malicious links in Facebook, Twitter, or Gmail messages accessed through their Web browser, employees should be taught to let their mouse hover over a link to reveal the link’s actual address. In most browsers, the real Web address will appear in the lower left-hand side of the browser when the mouse’s cursor makes contact with it, says Morgan. The user can then simply check to make sure the addresses match.
Cybercriminals can, however, create links that are harder to differentiate. The best way to avoid falling victim to this more sophisticated type of attack is to hand-type the link’s Web address into the browser, recommends Irfan Saif, cybersecurity expert at Deloitte & Touche LLP.
“It’s just as easy to take two more seconds to pull up a Web browser and type it in and protect yourself,” he adds, “particularly if you’re going to go to a Web site or a resource that requires credentials.”
For added protection, Saif recommends browser plug-ins, which can warn a user that a Web site they’re about to visit may be malicious. But it’s important to remember that these tools aren’t perfect either. “There are [malicious links] that fall through the cracks,” notes Morgan.
Employees must also be trained to eye e-mail attachments with skepticism. Spearphishers often dress them up to look like business-critical information sent by people they trust, like colleagues and upper management. In these instances, companies must urge vigilance and train employees to exercise common sense before opening attachments.
When receiving an attachment, employees should do a quick risk assessment, advises Morgan. They should ask themselves if they expected an e-mail from this person, and if anything about the message seems strange, like misspellings or strange phrasing. Often an easier solution, he says, is for employees to call the sender and ask if they sent it. In today’s business world, almost every e-mail signature includes the sender’s contact information. Use it: it’s better to be safe than sorry.
Internally, upper management can encourage this type of behavior by notifying employees when important documentation will be sent via e-mail, Morgan notes. This will put employees on notice that they should be skeptical of the authenticity of any e-mail attachment that purports to be from management but for which they haven’t received prior notice.
To teach employees these spearphishing defensive practices, companies should develop scenario-based training programs and instructional videos, plus refresher training to reinforce these protocols, says Bumgarner.
Compliance testing is also important. Bumgarner remembers one security test he devised years ago where he sent a company’s employees an e-mail enticing them to click on the link within. If recipients clicked on it, a warning message appeared on their screens telling them they had been hacked. An audit trail allowed the manager or IT personnel running the compliance program to track down offenders and chastise them for not following protocol.
But the program will fail if violators get nothing more than a slap on the wrist. “When it comes down to it, the individual user needs to be held responsible for following the rules set in place for following links or opening unknown attachments when they’re not sure where they came from,” Morgan says. And there must be consequences for failure to do so.
Filters. Software can’t catch everything but it can catch some suspicious activity, so companies need to install some of these defensive programs that in combination will help to block malware attachments at the gateway and to detect malware where it manages to get into the network.
For example, Symantec’s hosted service division, called Symantec.cloud, has developed technology for malware and spam filtering. The technology, which is called Skeptic, works by spotting suspicious activity that cybercriminals leave behind when they do their dirty work.
Skeptic detects “the presence of malicious code...[and] complex obfuscation techniques, where the criminals are trying to hide their code from analysis,” Wood explains. “At that stage, we may not know exactly what it is trying to do, but we know it’s bad and that we need to stop it.”
This type of filtering even blocks some zero-day exploits. “In some cases, we have blocked attacks several weeks before the vulnerability that is being exploited is even being discussed in the security community,” says Wood.
The volume of blocked e-mail has gone up dramatically over five years, probably due to a combination of more attempts and better detection. “This time last year the number that we were blocking was probably between 50 and 60 per day,” says Wood. Now, he says, it’s nearly 80 a day. Five years ago, Symantec.cloud blocked only one or two a week.
Locking down data. Data compartmentalization is another best practice companies should implement. While it won’t keep spearphishers out, it minimizes the damage they can do after compromising an employee’s machine.
The FBI’s Harris learned this lesson in the 1990s while working at IBM. During the Internet boom, he dealt with many Silicon Valley startups looking to sell computer chips to IBM. Often he was shocked to discover that, at many of those firms, every employee had access to the entire company network.
Harris routinely found that companies would put even their most sensitive documents, like unreleased product details, into shared folders accessible to anyone inside the network. The only security measure taken was to mark the document as internal-use only.
Companies can segregate their most valuable data by storing it on more than one network—a best practice the FBI follows. Imagine a company has two networks: green and red, explains Harris. The green network is used by all employees to do mundane activities, like surf the Web, and that network relies on basic security tools, such as firewalls and antivirus software, to protect it. The red network, however, is reserved for storing a company’s vital information, like products in development, and it can only be accessed by employees with a need to know and the appropriate clearance.
Ideally, the red network would have no connection to the Internet and would not accept thumb drives or software installations. For more protection, companies could also use multifactor authentication to ensure that only trusted users’ devices could connect to the red network, while making data removal impossible unless two trusted individuals consent.
That type of dedicated, heavily secured network significantly limits the damage that could be done if, say, a receptionist compromises a computer by opening up a malicious e-mail attachment, explains Harris.
Data compartmentalization makes it harder for spearphishers because it means they’ll have to find a target with credentials to access the valuable information on red and trick them to moving it to green—an enormously difficult task.
“The idea is to build significant compartment boundaries which should require manual intervention by someone who should definitely know better,” Harris says.
Log monitoring. No matter how well a company trains its employees to avoid spearphishing attacks, a committed attacker will sooner or later get someone to take the bait. As the infamous Google hack of December 2009 demonstrated, even incredibly tech savvy people with privileged access rights fall victim to spearphishing attacks.
Thus, the final line of defense is early detection and response after a breach has occurred. For that to be effective, a company’s IT department, in particular the network administrator, must be able to detect a breach.
“I have to assume…somebody is going to target people in my organization,” Larsen says. “They will fall for the message, they will click on the exploit, and they will be infected because none of my defenses caught it. So I have to assume that the bad guys have established a beachhead somewhere in my organization’s network, and that’s where I have to start the conversation of ‘What do I do?’”
The answer is to review the company’s network logs. That means knowing what’s normal for the network and what’s suspicious. (For more on log analysis, see “Zero Trust Model” by Associate Editor John Wagley in the December 2010 issue of Security Management.)
As the FBI’s Harris notes, employees generally have behavioral traits on a network. If suddenly an employee starts rooting around an area of the network that person has never been to before and sending out data, then a network administrator should be able to identify that as a red flag and investigate it.
“[Companies] cannot abdicate responsibility for what’s going on with their network, because they are the ones who are in the best position to know what’s normal for their network and their users and what is not,” says Larsen.
Morgan says it’s surprising how many network administrators don’t know how to access their network logs and find irregularities. One of the reasons companies don’t hire professional network administrators is because they don’t come cheap. But companies with sensitive data to protect should ante up, because the cost of lost data will be more than they save on salary, he observes.
Log analysis is critical as a tool for understanding what caused a breach and how the threat can be reduced by adjusting network security. “You can look at your logs a lot of the time and see exactly where [the hackers] came from, how they got in, when they got in, and where they went after they got in,” says Morgan.
When a company arms itself with information, it’s easy to shore up most network security vulnerabilities. “If I know I had a Windows 2003 server vulnerability that was unpatched and that’s how [the hackers] got in, well I need to go to Microsoft and download the patch for that,” Morgan says.
SIZE OF THE PROBLEM
Given that it’s difficult to detect spearphishing, no one knows how much of it is going on. Even murkier is its true cost in lost intellectual property and intelligence. Although estimates abound, the experts tell Security Management that it’s impossible to quantify.
Harris is extremely skeptical when he comes across spearphishing cost-estimates, because most companies either don’t report it or don’t know it occurred. “Any statistic that anybody tried to quote on that would probably be somewhat suspect,” he said, “because we don’t know.” But make no mistake, warns Bumgarner: “It’s a lot of money.”
Matthew Harwood is an associate editor at Security Management.