Spear Phishing is one of the most fundamental threats to the security of organizations today.
As we’ve discussed before, this is largely because of the nature of the Spear Phishing attack: it exploits human emotion to introduce new vulnerabilities into even the most air-tight information security infrastructure.
So long as people make up organizations, security teams are likely to continue to face the challenges presented by these human errors.
By understanding the anatomy of a spear phishing attack, we can properly structure a “Defense Stack” that creates redundancies in our security which are not susceptible to the shortcomings of human error.
We first need to know how Attackers will attempt their attacks, and what they’ll be after when they do.
This article covers:
- Spear Phishing Attack Tactics
  - Mediums & Methods
  - Their Objectives
- The Anatomy of a Spear Phishing Attack
  - Six Steps of Spear Phishing Attacks
- The Layers of the Defense Stack
  - External Data Privacy
  - Team Training
  - Email Cyber Security
  - Multi-Factor Authentication
  - Information Security Protocols
- Building Your Own Spear Phishing “Stack”
Spear Phishing Attack Tactics:
Attackers often use a few common spear phishing methods to achieve their aims.
Spear Phishers’ Mediums & Methods:
What will they do to try to breach your organization?
- Personally Identifiable Information (PII) and External Data Research: The distinct tactic of all spear phishing attacks. Attackers source and use personal information to disguise their attacks and exploit their victims.
- Impersonation: Sometimes, attackers impersonate a legitimate contact, either internal or external to the organization, in an attempt to deliver a payload. This can also lend legitimacy to whatever message they send.
- Conversation “Jacking”: Often relying upon already compromised credentials, or visibility into ongoing conversations, attackers will jump into an ongoing email thread in an attempt to redirect a payment to themselves. In fact, it’s common for attackers to gain access to an email account long before they launch an attack, if they launch one at all. Instead, they will monitor covertly until they identify the right moment to deploy their attack.
- Business Email Compromise (BEC): Attackers attempt to compromise the credentials of a legitimate company email address. This can increase the ability of attackers to deliver additional payloads or allow them to access more secure and sensitive platforms.
- Blackmail: Attackers gain, attempt to gain, or threaten to have some form of leverage over an individual, with the ultimate aim of using that leverage to compromise them. This is difficult to defend against once attackers have already acquired the means to blackmail a team member; strong proactive security and minimized External Data Exposure reduce the risk.
Spear Phishing Attack Types:
What will they do once they’ve breached your team or organization?
- Theft: Monetary gain is the purported incentive for up to 94% of all cyber attacks, theft being the most direct route.
- Espionage: Sometimes attackers glean the most valuable information simply through covert monitoring. By watching email accounts over long periods of time, or extracting and downloading email history (particularly for high-level executives) attackers can cause significant damage and secure financial payoffs.
- Credential Compromising: Through one email account, attackers stand to compromise credentials for dozens of other accounts or business platforms. Alternatively, password resets might provide them access to further sensitive platforms, “chaining” their compromises until they have the access they need (such as banking logins).
- Ransomware: The most infamous cyber attacks in recent years, ransomware attacks are not so commonly deployed directly through phishing or spear phishing, though it certainly happens.
- Customized Attacks: Most often, the specifics of any given attack are completely unique to the ways that an attacker identifies to exploit a business. They may employ many or all possible endpoints. For example, Business Email Compromise attacks are commonly used as a stepping stone to another attack.
The Anatomy of a Spear Phishing Attack
Step 1: Reconnaissance. The process of identifying and selecting target organizations.
Step 2: Identifying Weaknesses. Scanning individuals’ PII and External Data to identify possible avenues of attack.
Step 3: Target Research. Developing detailed profiles on specific targets.
Step 4: Crafting The Message. Attackers will use the details they’ve uncovered in Steps 1 – 4 to develop a highly specific and surreptitious message designed to achieve some threat outcome.
Step 5: Delivering the Payload. The Intrusion Attempt is made. Attackers often seek credentials and logins; less commonly, they attempt to deliver malware or ransomware directly through links.
Step 6: Data Breach and Post-Data Breach. The intrusion attempt is successful, the organization is breached, and attackers steal, destroy, or otherwise cause damage to the company.
Diversifying Defense Against All Steps Yields Better Outcomes
To defend against Steps 1 – 4 (Pre-Intrusion), teams implement proactive security measures. They attempt to disrupt attacks before they start.
Defense against Steps 5 & 6 is all about real-time and post-breach mitigations. These are designed to stop attack attempts or mitigate the damages of breaches that are successful.
Interestingly, the majority of traditional cyber security solutions focus on late stages – namely, stopping intrusion attempts and mitigation of damage from successful breaches. This perhaps overlooks the proactive defenses that could be implemented in earlier stages.
All steps can be successfully mitigated, and with a properly diversified Threat Defense Stack, organizational Spear Phishing risk can be almost entirely eliminated.
The Complete Spear Phishing Defense Stack:
A proper Spear Phishing defense should mitigate or hinder the ability of attackers to cause damage across each stage of an attack.
Properly defending against spear phishing attacks requires redundancies. A mix of proactive and mitigating defense tactics means that your organization will be more resistant to a breach, and well-protected in case an attack is successful.
Resilient Spear Phishing Defense Stacks should use a mix of 5 defense layers. These should be considered in order of defense priority – from proactive threat prevention all the way to damage control:
- External Data Privacy: How can we eliminate our employees’ external data to reduce attack opportunities?
- Team Training: How can we properly train our team to recognize and report possible attacks when they come?
- Email Cyber Security (“Inbox Level” Security): How can we use tools to eliminate the bulk of “low-level” attack attempts?
- Multi-Factor Authentication: How can we secure access to our accounts in case of a credential exposure?
- Internal Information Security Protocols: How can we structure our information security protocols to mitigate the damage if we are finally breached?
Through the rest of this article, we’ve detailed further how each defense layer is addressed by organizations, with basic or more advanced solutions and tools.
By building an adequate defense at each layer, Cyber Security teams can be confident they have a comprehensive stack that represents a “complete defense” against spear phishing attacks.
External Data Privacy
The first line of a good defense. Prevent attacks by reducing the number of attack attempts made in the first place.
Spear Phishers target specific companies for attack for 2 reasons:
- Your company presents some significant payoffs for successful attackers.
- Your company (or its team) is or appears particularly vulnerable.
The payoff risk is inherent to some business types. 71% of attacks on large organizations and 96% of attacks on all organizations were motivated by financial gain.
Attacks in recent years disproportionately target companies with sensitive IP, valuable secure data (like healthcare companies), or management of significant funds.
To adequately mitigate attack attempts, organizations are well served by controlling how much of their team’s personal information is, or appears, exposed.
The best way to achieve this is with strong External Data Privacy measures. Reducing your team’s offsite personal information exposure, and the data that brokers and other parties collect on them, has compounding benefits.
In early attack stages, lower visibility of your team across the surface-level web reduces the likelihood you’ll be targeted. Furthermore, the elimination of your employees’ personal information also significantly hampers the ability of bad actors to craft sufficiently personalized Spear Phishing messages.
Privacy Bee, the fastest growing new privacy solution, identifies security threats across the web, surfaces them to you, and takes action on your behalf to eliminate them.
Email Cyber Security:
Email defense solutions come in a variety of shapes and sizes. At the minimum level, organizational defense requires proper DMARC authentication to ensure that messages spoofing your own domain are filtered out.
Beyond DMARC, there are a host of email providers and solutions that can bolster your inbox defenses.
Email Authentication (DMARC, DKIM, SPF)
Best-practice, nearly mandatory protocols for all organizational email setups.
Proactive Defense. Protects against Intrusion Attempts and Impersonation.
A must-have setup for modern email configurations. Authentication lends legitimacy to all outgoing emails and improves delivery rates. Basic spoofing and phishing attempts that forge your domain will be blocked.
Not a sophisticated defense; these are more “best practice protocols.” A majority of modern organizations have already implemented them.
- Widespread industry standard
- Relatively simple to configure
- Lends legitimacy and credibility to all team emails
- Unsophisticated, not likely to prevent major attacks.
Tools and Resources:
- Configure DKIM for your organization.
- Set up an SPF record for your organization.
- Configure DMARC for your organization.
- Learn more about DMARC.
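As an added example (not the article’s own content, nor Privacy Bee’s), the following Python evaluates DMARC the way a receiving mail server does: it parses a constructed DMARC record and decides a message’s disposition from its SPF and DKIM results and their alignment with the visible From domain. The organizational-domain step is simplified to the last two labels, an assumption a real implementation replaces with the Public Suffix List; example.com is a placeholder domain.

```python
"""Evaluate DMARC for an inbound message from its SPF and DKIM results.
Added example, not from the article or Privacy Bee. Records and headers are
constructed; the organizational-domain step is simplified to the last two
labels instead of consulting the Public Suffix List."""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= policy")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p=
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): organizational domain = last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC 5322 From header the user sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # MAIL FROM domain that SPF was evaluated for
    dkim_result: str
    dkim_domain: str   # d= of the verified DKIM-Signature ("" if none)


def dmarc_disposition(record: str, res: AuthResults) -> str:
    """Return "pass", or the policy to apply: "none", "quarantine" or "reject"."""
    tags = parse_dmarc(record)
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, tags["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, res.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = org_domain(res.from_domain) != res.from_domain.lower()
    return tags["sp"] if is_subdomain else tags["p"]
```

A record published with p=none only reports and never blocks, which is why the policy tag, not just the presence of a record, is what this check turns on.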
Advanced Email Protections and Threat Intelligence Firewalls
Good for large organizations to automate the filtering of low-level phishing and spam at scale.
Proactive & Reactive Defense. A further layer of protection against intrusion attempts. Attacks that “slip through” may still be mitigated by the features of some software.
More advanced software solutions attempt to automatically filter out egregious phishing threats and malicious emails. This is often achieved by comparing emails to a database of other known threats. These are useful for keeping inboxes cleaner and eliminating the lowest common denominator threats or mass phishing emails.
The main drawback to this category of defense is its reliance on databases of prior attacks to filter out incoming ones. They are inherently susceptible to more sophisticated spear phishing attacks: the more manual effort an attacker puts into a message, the less likely a firewall tool is to catch and prevent it.
- Hands-off email filtering reduces the bulk of low-level phishing, as well as spam
- More advanced tools sometimes come with additional cyber security features in bundled platforms.
- Automated filtering relies on databases of similar and common attacks, making it a poor defense against personalized, customized Spear Phishing
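The following Python is an added illustration (not from the article or Privacy Bee) of inbox-level heuristics that flag the Impersonation and Conversation “Jacking” signals described earlier without relying on a database of prior attacks: a display name that matches an internal employee but carries an external address, a look-alike of the organization’s domain, and a Reply-To that diverts the thread elsewhere. The internal directory and the protected domain example.com are constructed placeholders.

```python
"""Heuristic impersonation checks for inbound mail headers. Added example,
not from the article or Privacy Bee; the directory and protected domain
are constructed placeholders."""
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"                      # placeholder for your own domain
DIRECTORY = {"dana reyes": "dana.reyes@example.com"}  # constructed internal directory


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_flags(headers: dict) -> list:
    """Return the impersonation signals found in one message's headers."""
    name, addr = parseaddr(headers.get("From", ""))
    _, reply = parseaddr(headers.get("Reply-To", ""))
    from_dom = domain_of(addr)
    flags = []
    # 1. Display name matches an internal person, but the address is not theirs.
    known = DIRECTORY.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("display-name impersonation")
    # 2. Sender domain is a close edit of the protected domain, but not equal to it.
    if from_dom != PROTECTED_DOMAIN and 0 < edit_distance(from_dom, PROTECTED_DOMAIN) <= 2:
        flags.append("look-alike domain")
    # 3. Replies are steered to another domain, the thread-hijack pattern.
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to mismatch")
    return flags
```

Such signals are best surfaced as in-email banners or triage tags rather than hard blocks, since internal users do legitimately write from personal addresses on occasion.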
Team Training
The human layer is the source of both the greatest strengths and greatest challenges of cyber security infrastructures.
Phishing Simulation Testing
Widely considered a best practice for decades, phishing training has recently fallen out of favor as its efficacy has been difficult to demonstrate.
Running “test” phishing emails has been a staple practice of cyber security teams since the early ’90s. It’s easy to do and provides clean, data-based feedback on the “risks” presented to an organization by its staff. It may help identify vulnerable team members, who can then hopefully receive additional resources and training to reduce risk.
In recent years, phishing testing has slowed down substantially, as it’s been demonstrated to have minimal impact on real breach outcomes, and may even ingrain bad habits in repeat offenders. Industry consensus is that phishing tests, at the very least, might not be worth the time, and don’t provide much protection. Most teams that still use them do so as part of a larger whole.
- Easy to do.
- Data-driven and demonstrable over time.
- A clear indication of some threat potentials.
- Highlights team members who might benefit from training.
- Broadly, not very effective.
- Can be poorly received by team members.
- May actually reinforce bad behaviors.
Group Training Courses and Meetings
When training goes well, it brings all members up to date and creates widespread buy-in on the best practices.
All-hands and group trainings or meetings are best for creating accountability within departments and are helpful for establishing formal procedures. In particular, group training can be helpful for diving deeper into an understanding of spear phishing tactics, exploring how External Data is actually used by attackers, and looking at outside examples of companies like yours that were breached.
Training can be very difficult and time-consuming to implement well. Training may also function as a double-edged sword. Recently, one massive study showed that certain primed employees actually clicked more phishing links, suggesting that ineffective training might have the opposite of its intended effect, perhaps by instilling false confidence.
- Creates widespread buy-in
- Long-term effective (when done well and thoroughly)
- Difficult to do well at scale
- Partial or ineffective training can be counter-productive
Phishing Defense Platforms
Training tools for teams can vary greatly in their complexity and cost. Their efficacy depends on the consistency and degree to which they’re integrated into Cyber Security protocols and across teams.
Training tools such as email integrations and alternative phishing simulations are growing in popularity to help teams recognize and resist phishing attempts.
Providers are increasingly offering more “full-service platforms” which combine in-email banners and notifications, complex simulation training, video training, and education libraries, on top of their traditional email security stacks.
- Many tools offer visual, in-email notifications to increase team awareness of potential threats
- Video libraries and support provide more constructive education than phishing simulations
- A centralized platform gives a single point of reference
- Centralized platforms and “all-in-one” security tools only function to defend at the intrusion attempt level.
- Often, these tools are treated as “complete” security, increasing vulnerability to more sophisticated attacks (like spear phishing).
Multi-Factor Authentication
Multi-Factor Authentication defends primarily at and just beyond the “Intrusion Attempt” stage of an attack. If attackers are successful in phishing credentials to an email account or sensitive platform, hope is not entirely lost. Multi-Factor Authentication, from typical email or text message 2FA through more advanced authenticator applications, can serve as a safety net that prevents unauthorized access.
Multi-Factor Authentication is a staple in most organizations these days, but it is often implemented sporadically. Not all employees like it, and some may even disable it, as it can present minor inconveniences.
- An additional layer of defense to prevent unauthorized or illegitimate access
- Easy to set up and relatively easy to manage
- Widely understood and cheap or free to use
- 2FA is relatively easy to circumvent.
- Lost authentication codes or devices can present headaches for less technically savvy teams
Well-Enforced Information Security Protocols
In the event of a successful attack, the best mitigation strategy is to have limited the damage in advance by siloing access and reducing the possibility of attack chains.
Current estimates suggest that between 50% and about 76% of organizations will be breached by some kind of phishing attack in their lifetimes. Recognizing this reality, it becomes critical to ask: assuming I’ve done all I can to prevent an attack, how can I reduce the impact of an attack if one is successful?
This is where good information security protocols, enforced and planned across the entire life cycle of sensitive company data, show their merit. Key considerations relevant to Spear Phishing which should be addressed by good Information Security Protocols include:
- Do employees have unnecessary permissions or logins, presenting unnecessary security risks?
- Do teams regularly reset sensitive passwords, and manage their credentials securely?
- Is network security tight, preventing the likelihood that successful spear phishing attacks could lead to other breaches?
- Properly managed, a good company InfoSec protocol can significantly mitigate the damages caused by breaches.
- Even if low-level or middle-level employees are breached, their accounts may present no significant threat to the organization, and regular audits can catch exposures or breaches (particularly BEC) and stop them from unfolding into greater problems.
- Enforcing protocols across large organizations requires strong and diligent management by IT and Cyber Security teams.
- 100% of teams that were breached in 2022 had cybersecurity investments and 82% of successful attacks involved the human layer.
- It’s more likely than not that if your team is breached through Spear Phishing, it will be because attackers circumvented typical protocols.
Building Your Own Spear Phishing Defense Stack
A well-rounded Spear Phishing Defense stack is designed to disrupt attackers at each potential Stage of their attack.
Disproportionately, the cyber security industry has focused on disruption and prevention at the “Intrusion Attempt” stage and mitigation after breaches.
At Privacy Bee, we believe this results in lopsided, reactive cybersecurity systems. We believe in rounding these out with proactive strategies.
| Spear Phishing Attack Stage | Defenses |
|---|---|
| 1. Reconnaissance | External Data Privacy reduces business exposure, reducing the possibility attackers select you as an attack target. |
| 2. Identify Weaknesses | External Data Privacy reduces employee exposure, reducing the motive of attackers to pursue attacks against you. |
| 3. Research Target | External Data Privacy prevents attackers from collecting personal data about your teams, strengthening your defenses. Team Training can demonstrate how attacks unfold and improve teams’ online privacy behaviors. |
| 4. Crafting Message | External Data Privacy weakens the attackers’ message strength, resulting in less accurate, more identifiable attack attempts. Team Training can increase awareness of warning signs and reduce the likelihood of attack success. |
| 5. Intrusion Attempt | Email Security tools and platforms can block and/or identify weak phishing attempts. Multi-Factor Authentication increases defense against credential phishing. Team Training can increase awareness of warning signs and reduce the likelihood of attack success. |
| 6. Data Breach | Information Security Protocols can mitigate the damages of successful breaches. Audits catch breaches in their tracks. |
Building a successful defense strategy means implementing mitigation tactics across all these stages.
While no single point of security eliminates risk, the combined strength of a strong Spear Phishing Defense Stack nearly eliminates the ability of attackers to successfully breach organizations.
Begin Implementing External Data Privacy for Free
External Data Privacy is the newest way cyber security teams around the world are taking proactive measures to reduce their organizations’ attack surface.
Privacy Bee is growing like a weed in these cyber security circles due to its ease of use and automated protection procedures.
We identify security threats before they happen across the web by giving you a clear understanding of your teams’ external data exposures. What’s more, we then take steps on your behalf to remove these data exposures, by reaching out to data brokers and other organizations and asserting your company’s right to employee privacy.