How to Use Cyber Deception Technology to Block Targeted Phishing Campaigns

Cyber Deception for Spear Phishing

In these uncertain times, CISOs are having to deal with an entirely new security profile for their organisations. The ability to control every security facet on end users’ machines has been loosened considerably. So, the challenge is: how can a CISO realign their security strategy to deal with the altered risk profile they face? Let’s use spear phishing as a simple example to illustrate how old threats present a different challenge in the new operating environment.

Spear Phishing: Business as Usual

Spear phishing is a targeted type of attack that, unlike general phishing attacks, does not rely on a spam campaign. Instead, the victims are carefully selected. The first step in the process is to craft emails that appear believable and realistic and that will appeal to the recipient. The attackers may have spent some time conducting open source research on their intended victims. Good sources for this type of information are social media accounts, including professional networking sites. This type of research allows the attacker to build a detailed profile of the recipient and to spoof emails that appear to originate from a co-worker or a direct senior manager. According to Cofense (formerly PhishMe, Cofense.com), 91% of cyber-attacks begin with a spear phishing attack. That is how prevalent these types of attacks are now. One may see varying figures on the exact number from different reports, but generally there is nothing less than 80%. Digging a little further, Proofpoint’s “State of The Phish Report 2019” shows that 83% of information security professionals experienced phishing attacks in 2018. In 2019 the Verizon data breach investigation report listed phishing as the leading cause of data breaches in that year. So how does the current operating environment for business make this threat even more virulent?

New Risk Profiles

Many organisations have been forced to move rapidly to a remote working profile. This results in different security challenges for the individuals having to work from home. The most important one is that people now have to work in isolation from fellow team members. Add to this that it is natural to relax a little more when working in an informal atmosphere, and the risk of clicking on an email that appears to be from a legitimate source will increase exponentially. It is also worth noting that 78% of known cyber espionage incidents involved phishing, according to the Verizon “2019 Data Breach Investigations Report”. 87% of the incidents involved “the installation and use of backdoors and/or C2 malware”. On top of this, we can add the current data on spear phishing attacks reported by CIO & Leader Study: “Between March 1 and March 23, Barracuda Sentinel has detected 467,825 spear phishing email attacks, and 9,116 of those detections were related to COVID-19.”

Mitigation

It is clear from the data that no matter what security may be in place, there is always the possibility that someone, somewhere in your organisation will click on a link that will result in your corporate network being compromised. You could adopt the old approach of hoping you can block everything, despite evidence to the contrary. Or you could take a dynamic approach, to meet the new security landscape that you face.

Dynamic Security

The key to ensuring that your current security posture stays ahead of the threat curve you face is to deploy cyber deception to manipulate any attackers that are targeting your organisation. The approach is simple and has virtually no resource requirements. So how does it work? All that your organisation has to do is work with CounterCraft. The spear phishing emails will then be detonated within our deception environment to produce a wealth of information about the attackers, which could never be sourced from anywhere else. A critical component here is that the intelligence about the spear phishing campaign is delivered in real time. The intelligence is composed of both Indicators of Compromise (IOC) and Indicators of Attack (IOA). Generally speaking, whenever you receive IOCs and IOAs they lack context or relevance and are not delivered in real time. The significance of these three key characteristics (context, relevance and real-time delivery) is that they enable intelligence to become actionable immediately. Put simply, it is about getting the right information to the right people at the right time, to enable them to make the right decision. The right decision is ensuring that key revenue generating operations are kept stable and online without disrupting either internal stakeholders or external customers.

Real-Time Enterprise Intelligence

All the information collected by the automated deception platform delivers key insights into your adversaries. A simple rule of security is that before you deploy your security real estate, you need to understand who is trying to break into your organisation and how. Once you have that information, you can align your security real estate in the most cost-effective manner to meet that challenge. At the same time, you ensure that it is tuned to operate at its maximum efficiency and capacity. That is precisely what the CounterCraft Deception Platform delivers: real-time actionable enterprise intelligence that allows you to understand the tools and techniques that the attackers are using to gain access to your corporate environment. Most importantly, CounterCraft will allow you to understand the strategic objectives of your attackers. This critical piece of enterprise intelligence provides valuable insight, such as whether the attacker is low skilled or a highly organised criminal organisation looking to break into your environment and extract critical data sets.

Business Resilience

Delivering real-time enterprise intelligence that gives you granular information about how and why attackers are spear phishing your organisation or your VIPs is critical in the current business environment. With resources stretched, you cannot worry about what ‘might’ impact you. You need to know what will impact you, and how it will disrupt your business operations. With this information, the CISO can ensure that their scarce security resources are aligned perfectly to mitigate the threats that are targeting their organisation. Reduce the risk of business disruption through deception and empower your security organisation to meet the challenges of the new economic environment.

Do you want to receive a free in-depth overview of how you could leverage the CounterCraft Cyber Deception Platform to deal with the threat of spear phishing? Join our On-Demand Webinar and, to get started with your first deception campaign, email craft@countercraft.eu to talk to one of the team about setup and implementation.

Author: Nahim Fazal, Head of Cyber Threat Intelligence
