Spear Phishing: A Technical Case Study for XDR

What is Spearphishing?

Spear phishing is a social engineering tactic adversaries use in targeted attacks where they send emails purported to be from someone known or trusted by the target–such as a coworker or established organization–to trick them into revealing confidential information like account credentials or as an enticement to click on a malicious link or download a tainted document.

The same technique can also be delivered by SMS text message, by direct phone calls from spoofed numbers, or through other communications platforms such as social media, where a compromised account puts the victim’s contacts and connections at risk.

Between July 2020 and July 2021, 65% of organizations indicated they were targeted by a spear phishing attack, while about half (51%) witnessed the number of spear phishing incidents increase during that period, noted KnowBe4, with 57% of organizations encountering a spear phishing attack weekly or daily. Slightly fewer than half (45%) of organizations experienced the same volume of spear phishing, while just 4% said that the number of attacks decreased.

Why Spear Phishing is a Concern

According to GBHackers, there are four reasons why spear phishing should be a serious concern for organizations, and these include:

Spear Phishing Tactics are Increasing in Sophistication

Threat actors used to rely only on .ZIP archives and malicious Office documents to propagate malware via spear phishing emails, which robust email security measures could easily spot. Today, attackers are using uncommon file formats for malicious attachments and abusing cloud services like Google Drive or Dropbox to host phishing-related landing pages. 

In using these tactics, attackers increase the chances of their spear phishing email evading detection and ending up in the inbox of their target. Another means of perpetrating a spear phishing attack that is likely to see real-world instances before long is the use of deepfakes to impersonate individuals via audio and/or video formats. 

Deepfakes are a machine-aided synthetic media technology used to generate or manipulate text and video that can appear quite realistic to the untrained eye. They have the potential for considerable implications across culture, geopolitics, and security. There are three forms of deepfakes:

  • Mimicking fakes: a technique where a video of one person is superimposed on a target video, using AI to enhance and mask the manipulation. Think of this as an advanced “green screen” process that effectively lets one person do all the talking while it appears to be someone else, right down to movements and gestures.
  • Generative fakes: this technique also employs AI algorithms, in this case to completely synthesize new audio and video from existing materials to produce ultra-realistic content, as seen in the video from MIT above.
  • Generative text fakes: this more common technology uses AI applications such as OpenAI’s GPT-3 to let computers generate text content on almost any subject that is incredibly close to actual human writing.

Each of these applications poses a separate and distinct threat on its own if misused. In combination, though, they have the potential to produce “generative personas” that will be extremely difficult to distinguish from the real thing in the near future.

Anyone Can Be the Target of (or Impersonated in) Spear Phishing Attacks

Those who conduct spear phishing attacks increasingly target or impersonate directors, C-suite executives, and even CEOs. Indeed, this form of spear phishing has its own term: whaling.

Malicious actors can leverage a successful whaling incident to compromise a high-level employee’s or executive’s email account, which they can then use to conduct follow-up attacks across the organization. Deepfakes will undoubtedly add a whole new dimension to this, given how easy it is to obtain images and videos of individuals through social media postings and the availability of public records online.

Spear Phishing is on the Rise Following COVID

The COVID-19 pandemic has impacted a lot of things, one of which is enabling threat actors to carry out their spear-phishing attacks more effectively. First, COVID provided them with new lures such as notices of economic stimulus payments and local vaccine availability that they leveraged in going after their targets. 

Second, it forced many organizations to adopt remote/hybrid work models where many employees connect to the corporate network from home. In this setting, people are less likely to follow the security best practices they learned while at the office and may be more inclined to click on a suspicious email attachment in a home setting.

Traditional Security Tools Just Don’t Cut It

Spam filtering and email security can go a long way towards defending against spear phishing attacks–but, as noted above, spear phishing attacks are growing in sophistication, and threat actors are modifying their tactics to circumvent those conventional safeguards.

Traditional antivirus and endpoint protection tools are notoriously ineffective against polymorphic and repacked malware and stand no chance against zero-day exploits and advanced techniques like fileless attacks and living-off-the-land attacks that leverage legitimate programs already present on the target network. 

Since your organization’s email defenses can miss the indicators of a spear phishing attack, it is highly advisable that endpoint and network defenses be adequate to catch the more clever means of compromising an environment.

Defending Against Spear Phishing Attacks

Organizations can reduce the risk posed by spear phishing attacks by ensuring they have email security tools in place and updated to the latest versions, and a robust employee security awareness training program. Still, these precautions alone are not enough to protect an organization against a determined attacker who needs just one target in an organization to click when they shouldn’t.

The challenge is that not every spear phishing attack is identified when the initial attempts to compromise targets in the organization occur. Worse yet, a successful spear phishing attack can result in the adversary gaining an initial foothold in the network. From there additional stages of the attack can be undertaken that can often go undetected for some time. 

Sure, the organization probably has a whole array of other security tools generating a steady stream of alerts, each of which requires an analyst’s time to triage, investigate, and reconcile with other alerts to determine whether they are witnessing an actual security event. All of this takes time, and time is the critical factor here: reducing the mean time to detect and the mean time to remediate (MTTD and MTTR) is the true measure of success for an organization’s security program.

Security teams require a platform that eliminates the noise and alert fatigue involved in doing all of this heavy lifting manually just to find out whether there is a legitimate issue to address. They need a solution that supports an operation-centric approach, in which detections are more reliable and arrive earlier because email security telemetry is correlated with telemetry from across the environment: endpoints, user personas, application suites, cloud workloads, and more. That correlation enhances continuous threat monitoring and detection and lets automated response options identify and end malicious operations earlier in the attack sequence.

They can find these capabilities and more by deploying an Extended Detection and Response (XDR) solution. Unlike more traditional EPP, EDR, NGAV, and other tools, an XDR solution can cut through the noise and deliver better efficiency through the automated generation of context-rich correlations that leverage all of an organization’s security telemetry from across disparate sources to quickly answer the question: are we under attack?

This frees security professionals from needing to gather and correlate that telemetry manually—and from needing to chase down a deluge of alerts that could turn out to be false positives, but only after a lengthy investigation. An AI-driven XDR solution can also automate responses for known malicious activity or provide detailed remediation playbooks for analysts to engage with just a click from anywhere they are working.

Advanced XDR solutions can also take spear phishing defense one step further by mapping what is observed in the environment to the MITRE ATT&CK framework to better understand other tactics, techniques, and procedures leveraged in a spear phishing attack. Mapping to the MITRE ATT&CK framework allows an AI-driven XDR solution to quickly discern the steps and substeps that make up an attacker’s combined behaviors to reveal the entire attack timeline and narrative from root cause to every affected asset.
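As an added illustration of the cross-telemetry correlation and ATT&CK mapping described in the two passages above (example code written for this article, not Cybereason’s product logic): the email gateway rates an .iso attachment as clean, and only joining that delivery record with the recipient’s endpoint process-creation events over a time window exposes the execution chain and tags it with technique IDs. All telemetry is constructed sample data, and the field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). The gateway rated the .iso
# attachment "clean"; only the endpoint events reveal what happened next.
EMAIL_EVENTS = [
    {"ts": "2021-09-01T09:02:10", "recipient": "jdoe", "attachment": "Q3_invoice.iso", "verdict": "clean"},
    {"ts": "2021-09-01T09:05:40", "recipient": "asmith", "attachment": "handbook.pdf", "verdict": "clean"},
]
ENDPOINT_EVENTS = [  # process-creation events; field names are assumed
    {"ts": "2021-09-01T09:04:05", "user": "jdoe", "parent": "outlook.exe", "image": "winword.exe"},
    {"ts": "2021-09-01T09:04:20", "user": "jdoe", "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": "2021-09-01T09:06:00", "user": "asmith", "parent": "outlook.exe", "image": "acrord32.exe"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts an Office document should not be spawning, with the ATT&CK technique each evidences.
SCRIPT_HOSTS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
                "wscript.exe": "T1059", "cscript.exe": "T1059", "mshta.exe": "T1218.005"}

def parse(ts):
    return datetime.fromisoformat(ts)

def correlate(email_events, endpoint_events, window=timedelta(minutes=15)):
    """One finding per delivered attachment that is followed, for the same user and
    within `window`, by an Office app launched from the mail client that then spawns
    a script host; `attack` lists the ATT&CK IDs evidenced (T1566.001, T1204.002, child)."""
    findings = []
    for mail in email_events:
        t0 = parse(mail["ts"])
        mine = [e for e in endpoint_events
                if e["user"] == mail["recipient"] and t0 <= parse(e["ts"]) <= t0 + window]
        for office in (e for e in mine if e["parent"] == "outlook.exe" and e["image"] in OFFICE_APPS):
            children = [e for e in mine if e["parent"] == office["image"]
                        and e["image"] in SCRIPT_HOSTS and parse(e["ts"]) >= parse(office["ts"])]
            if not children:
                continue
            techniques = {"T1566.001", "T1204.002"} | {SCRIPT_HOSTS[c["image"]] for c in children}
            findings.append({
                "user": mail["recipient"],
                "attachment": mail["attachment"],
                "gateway_verdict": mail["verdict"],  # what email security alone would have reported
                "chain": ["outlook.exe", office["image"]] + [c["image"] for c in children],
                "attack": sorted(techniques),
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(EMAIL_EVENTS, ENDPOINT_EVENTS):
        print(finding)
```

Only jdoe’s delivery produces a finding: asmith’s PDF opens in a reader that never spawns a script host, so the gateway’s “clean” verdict stands for it while the same verdict on the .iso is contradicted by the endpoint chain.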

So how do you want your security teams to spend their time, chasing alerts or disrupting malicious operations? 


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
