How to Avoid Targeted "Spear Phishing" Attacks

Updated: August 11, 2010

First read the Focus brief I wrote: 35 Steps to Protect Yourself from Cyber Espionage. It summarizes the technical mitigations published by Australia's Department of Defence. Beyond those operational steps you should also:

1. Be aware that the attacker will use your social network connections to get to you. This is how Google was compromised late last year: key employees were identified, and then their friends and connections on Facebook, LinkedIn and similar sites were targeted. If anyone has hundreds of social links, the odds approach 100% that at least one of them protects their account with an easy-to-guess password (abc123, 123456, password). Once those accounts are compromised, messages are sent to the target from the friend's account, making it highly likely that the target will see the message, open it, and click the link it contains.

2. You can exhort your employees not to fall for these attacks, but it is guaranteed that someone will eventually be tricked into clicking a malicious link. This is why you must deploy content/URL filtering at your gateway. The capability is bundled with most UTM devices and has become very cost effective: the device receives a constant stream of known malicious URLs through a subscription service and blocks access to them, so even if someone clicks a known bad link, the connection never completes. Most of these products also inspect the fetched content in real time and block pages that turn out to be malicious.

3. But spear phishing can be very sophisticated. The malicious URL can be unique to the campaign and the malware new, as it was in the Google attacks, and a gateway that relies on a feed of known-bad URLs will not stop it from getting in. Luckily the same gateway provides a second line of defense. Post-infection, the malware has to call home; the gateway blocks the infected machine's attempts to reach known command and control servers, and the alerts the UTM generates let you track down the offending machine and user and get the machine re-imaged. If the command and control server is as new as the malware, the feed will not know it either, so also watch your proxy logs for the regular outbound polling that most implants produce.

4. Finally, one of the more recent threats is the targeting of your finance team in an attempt to steal the login credentials for your business bank accounts. Find a bank that provides strong authentication for those accounts, usually a one-time password token. And forbid your team from accessing those accounts from outside your network: a one-time password protects the login, not the session, and there are banking Trojans designed to hijack the session and drain the account while the authorized user is still logged in.
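To make points 2 and 3 concrete, here is an added example (not code from the original post or from any UTM vendor) of what a gateway does with a URL feed and with its own proxy log. The feed entries, the command and control host and the log lines are all constructed for illustration, and the `beacon_candidates` check goes one step beyond the text: it flags hosts the feed does not yet list by looking for the fixed-interval polling an implant produces.

```python
"""Gateway-style URL filtering plus post-infection C2 spotting.

Added example, not code from the original post. The URL feed, the C2 host
list and the proxy log below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit, urlunsplit


def normalize(url: str) -> str:
    """Canonicalize a URL so case, a default port, a trailing dot in the host
    or a fragment can't slip a known-bad URL past an exact-match blocklist."""
    p = urlsplit(url.strip())
    scheme = (p.scheme or "http").lower()
    host = (p.hostname or "").rstrip(".")      # hostname is already lowercased
    try:
        port = p.port
    except ValueError:                          # garbage port such as ":abc"
        port = None
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


# Constructed stand-ins for the subscription feed a UTM would pull.
BAD_URLS = {normalize(u) for u in [
    "http://update-check.example.net/login.php",
    "http://203.0.113.7/a/b.exe",
]}
BAD_HOSTS = {"cnc.example.org"}                 # known command-and-control host


def classify(url: str) -> str:
    """Return 'block-url', 'block-host' or 'allow' for one outbound request."""
    n = normalize(url)
    if n in BAD_URLS:
        return "block-url"
    host = urlsplit(n).hostname or ""
    if host in BAD_HOSTS or any(host.endswith("." + h) for h in BAD_HOSTS):
        return "block-host"
    return "allow"


# Constructed proxy log: timestamp, client IP, method, URL, status.
# 10.1.2.4 touches a host the feed already knows; 10.1.2.3 polls a host the
# feed has never seen, every five minutes, which is what an implant does.
PROXY_LOG = """\
2010-08-11T09:00:00 10.1.2.3 GET http://www.example.com/ 200
2010-08-11T09:00:05 10.1.2.3 GET http://stats.example-cdn.net/ping 200
2010-08-11T09:05:05 10.1.2.3 GET http://stats.example-cdn.net/ping 200
2010-08-11T09:07:00 10.1.2.4 GET http://cnc.example.org/update.bin 200
2010-08-11T09:10:06 10.1.2.3 GET http://stats.example-cdn.net/ping 200
2010-08-11T09:15:04 10.1.2.3 GET http://stats.example-cdn.net/ping 200
2010-08-11T09:16:00 10.1.2.9 GET http://www.example.com/news 200
"""


def parse_log(text: str):
    """Return (timestamp, client, url) tuples from the constructed log format."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        recs.append((datetime.fromisoformat(ts), client, url))
    return recs


def known_bad_clients(recs):
    """Clients that reached a host or URL on the feed: re-image candidates."""
    hits = defaultdict(set)
    for _ts, client, url in recs:
        if classify(url) != "allow":
            hits[client].add(urlsplit(normalize(url)).hostname)
    return dict(hits)


def beacon_candidates(recs, min_hits=4, max_jitter=0.2):
    """(client, host, interval_seconds) triples whose request gaps are nearly
    constant, the tell-tale of an implant calling home on a timer. Catches C2
    the feed does not yet list; check results against an allowlist, since
    auto-refreshing pages beacon too."""
    by_pair = defaultdict(list)
    for ts, client, url in recs:
        by_pair[(client, urlsplit(normalize(url)).hostname)].append(ts)
    found = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((client, host, round(avg)))
    return found


if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    print("known-bad:", known_bad_clients(recs))
    print("beaconing:", beacon_candidates(recs))
```

Two design points matter in practice. First, the blocklist is matched only after normalization; an exact string match would let `HTTP://Update-Check.EXAMPLE.net:80/login.php` straight through. Second, the beaconing check trades false positives for coverage: a legitimate page that auto-refreshes every five minutes will score the same as an implant, so the output is a list of machines to look at, not a block decision.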

Today's attacks do not stop with technology. Assailants can and will attempt to hire, bribe, or blackmail your people to infiltrate your organization.
