Spear phishing – threat vectors highlight new realities

Not knowing when, where or how phishing and ransomware attacks might succeed in tricking end-users into downloading malware onto their endpoint devices, bypassing perimeter defenses, exacts a great toll on cybersecurity professionals.

“The only real defense is to continually back up data to make sure pristine copies of critical data are always available,” highlighted author and blogger Mike Vizard for Barracuda. “How long that malware lies dormant on an endpoint or when it might start attempting to encrypt or steal data is anybody’s guess. It’s that level of uncertainty that starts to gnaw at the confidence of the average cybersecurity professional.”

This hard truth has led Jonathan Tanner, software engineer at Barracuda Networks, to suggest the ‘human firewall’ as the most effective line of defense. “In a world where organizations have vendors jumping in front of each other to deploy their ‘best-of-breed’ security solutions at HQ and everywhere else, the only thing between your company and a ransomware attack could be whether or not your users click or don’t click on a malicious link,” he said.

You’ve got mail

Tanner has detailed some of the criminals’ real phishing attempts in a blog post. He also reported that Barracuda blocked over 1.5 million phishing emails with 10,000 unique phishing attempts in May 2018 and 1.7 million phishing emails with over 2,000 unique attempts before the end of June. 

In April 2017, business email compromise (BEC) duped Southern Oregon University into sending a wire payment of US$1.9 million to fraudsters instead of its contractor. A similar attack at France-based industrial equipment manufacturer Etna Industrie sent emails and phone calls purportedly from the company’s CEO instructing an accountant to transfer €500,000 to bank accounts abroad.

These examples represent just the tip of the iceberg, but they certainly underscore the need for employees to be properly trained to stay safe online. Promoting proper due diligence to bolster security defenses, Osterman Research, in a study commissioned by Barracuda, urges companies to conduct a thorough audit of their current security and compliance environment; establish detailed and thorough policies; implement best practices for users to follow; provide security awareness training commensurate with the risk associated with each role; and deploy alternatives to employee-managed tools and services.

Employees, especially senior executives, are more likely to be the target of a BEC attack. They should be made aware of the risks associated with oversharing information via email and social media. In the case of Etna Industrie, an employee who deals with sensitive financial information should have an alternative method of contacting the CEO to verify any request to transfer money.

Put simply, effective email security is not only about the tools that stop threats; it is just as much about poor employee behavior. All respondents to a 2018 email security study by Dimensional Research and Barracuda said end-user training is important.

Real-world lessons

“We’re also seeing that it’s important for organizations to offer users more than just a traditional classroom-style approach,” observed Dennis Dillman, vice president of Product Management at Barracuda Networks. “Being able to scale training, move quickly, and be offered at the convenience of each employee could make all the difference in an effective program.”

To enable real-time spear phishing and cyber fraud defense, Barracuda is already harnessing machine learning and artificial intelligence (AI) capabilities to augment human precautions. The cloud-based Barracuda Sentinel, in particular, combines an AI engine that stops spear phishing attacks in real time; domain fraud visibility using the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals who might have access to sensitive information or the ability to authorize or send payments.

When a phishing email tries to bait the recipient into a dialog and into believing that the attacker is a colleague, the AI engine looks for red flags such as a reply-to address that differs from the sender, a sender address that spoofs the company’s domain, or language in the message that requests a favor or an action. It also learns each user’s unique communication patterns through integration with platforms such as Office 365, and combines multiple classifiers to map the social network of every individual inside the company.
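The three red flags named above (reply-to mismatch, lookalike sender domain, action-request wording) can be illustrated with a small heuristic checker. This is an added example, not Barracuda Sentinel’s code; the company domain, the phrase list and the two sample messages are constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# Assumed phrase list; a real engine learns these signals rather than hard-coding them.
ACTION_PHRASES = ("wire", "transfer", "urgent", "gift card", "favor", "payment", "asap")

# Constructed sample: lookalike From domain (digit 1 for l), external Reply-To, urgent request.
SAMPLE_BEC = """From: CEO <ceo@examp1e.com>
Reply-To: ceo.office@mail-provider.example
To: accounts@example.com
Subject: Quick favor

Are you at your desk? I need an urgent wire transfer done today.
"""

# Constructed sample: ordinary internal message with no red flags.
SAMPLE_OK = """From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character domain look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, target: str) -> bool:
    """True if the domain mimics the target via common homoglyphs or a single edit."""
    normalised = domain.translate(str.maketrans("10", "lo")).replace("rn", "m")
    return normalised == target or edit_distance(domain, target) <= 1

def bec_signals(raw: str, company_domain: str = COMPANY_DOMAIN) -> list[str]:
    """Return the red flags found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from From domain")
    if from_dom != company_domain and is_lookalike(from_dom, company_domain):
        flags.append("From domain resembles company domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in ACTION_PHRASES if p in text]
    if hits:
        flags.append("action/urgency language: " + ", ".join(hits))
    return flags
```

Any single flag is weak on its own; the value lies in combining them with the per-user communication baseline the article describes.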

Another Barracuda tool uses continuous simulated phishing attack training to improve the security awareness of employees. Barracuda PhishLine guards against every facet of social-engineering threats by training employees to understand the latest attack techniques, recognize subtle clues, and help stop email fraud, data loss and brand damage.

It also embeds learning into business processes by launching customized simulations that test and reinforce good user behavior. The computer-based training includes a wide array of easy-to-use, customizable content in the PhishLine Content Center Marketplace, as well as rich reporting and analytics capabilities that provide visibility into results.

“It’s a numbers game,” highlighted Asaf Cidon, vice president of Content Security Services at Barracuda Networks. “The more attempts that are made, the better chances the attackers have of running off with your money. It takes one successful attack to cause significant financial and reputational harm.”

This is a QuestexAsia feature commissioned by Barracuda Networks.