Spear phishing and The Art of War


Spear phishing has quickly become one of the most common and most dangerous cyberattacks around the world.  The numbers vary based on how costs are counted and crimes are categorized, but the IC3 reported that businesses suffered over $48 million in phishing-related losses in the year 2018 (pdf).  The numbers are much higher when you consider that Business Email Compromise (BEC), corporate data breach, and other types of crimes that can be related to phishing attacks are categorized separately.  The Anti-Phishing Working Group recently reported that phishing attacks on SaaS and webmail services doubled in Q4 of 2018, and the 2018 Verizon Data Breach Investigation Report (DBIR) states that an average of 4% of the targets in a phishing campaign will fall for the attack.  According to the same report, the company has only 16 minutes until someone in that 4% will act on the scam.  It will be another 12 minutes before someone reports the attack to the IT team.  The numbers climb further once mobile attacks are brought into the mix.  You can get details on these in the 2019 Verizon DBIR.


With so much cybercrime and so much at stake for the victims, it's interesting to review the advice given by legendary military strategist Sun Tzu (or others).  Although most of us are not going to engage in actual cyberwarfare operations, we are all defending ourselves from criminals who are constantly attacking our companies, service providers, governments, and even us as individuals.  With a small change in perspective, these classic lessons from The Art of War can help us understand how to build a proactive defense against spear phishing and other attacks.

Know yourself, know the enemy


One of the basics in IT security is to know the state of your own defenses against the current attacks and vulnerabilities.  When Austrian airplane parts maker FACC was hit with spear phishing in early 2016, spear-phishing had already been making headlines for several years.  RSA, Lockheed Martin, and Ubiquiti Networks are just a few of the big names who fell victim to this crime.  It's unlikely that the IT security professionals for FACC were unfamiliar with spear phishing, but it's clear that they didn't realize the vulnerabilities in their business processes.  An email that impersonated CEO Walter Stephan asked an employee to transfer money for a fake acquisition project, and the employee complied.   Knowing the fail points in your business processes is as important as knowing how a criminal may attack.

Change represents opportunity

There are a couple of ways to think about this, so let's start with the perspective of the Ukrainian power grid attackers back in 2015.  Prior to this attack, we had already seen malicious firmware attack physical machinery, so this particular form of destruction was not new.  However, the emerging success of spear phishing attacks meant that there were new opportunities for infiltration (SANS pdf).  Ultimately this broader change in cybercrime inspired a successful means of attack.


Let's flip this around and take a look from the victim's perspective.  From this perspective, opportunities were lost because changes went unnoticed.  The attackers had access to the system for more than six months prior to the power outage.   This was a period of time where attackers harvested credentials, created new accounts, manipulated privileges, set up command & control, established VPNs, and moved laterally through the system to gather as much information as possible.   This attack resulted in hundreds of system abnormalities that might have been picked up with a robust monitoring process.  The changes were not detected, and multiple opportunities to stop the attack were lost.
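The kind of monitoring that could have surfaced those changes can be sketched in a few lines.  This is an added example, not code from the original post or from any incident report: it baselines the accounts and VPN source addresses seen before a cutoff date, then flags account creation, admin-group changes and VPN logins from unseen sources after it.  The log format, hostnames, account names and addresses are all constructed.

```python
import re
from datetime import datetime

# Constructed sample audit log: timestamp, host, event type, key=value fields.
# The first three lines form the "normal" baseline; the later lines mimic the
# attacker pattern described above (new account, privilege change, VPN login).
SAMPLE_LOG = """\
2015-03-01T09:12:00 dc01 ACCOUNT_CREATED user=jsmith by=admin
2015-03-01T09:15:00 dc01 GROUP_ADD user=jsmith group=staff by=admin
2015-03-02T10:00:00 vpn01 VPN_LOGIN user=jsmith src=10.1.2.3
2015-06-14T02:41:00 dc01 ACCOUNT_CREATED user=svc_backup by=jsmith
2015-06-14T02:42:00 dc01 GROUP_ADD user=svc_backup group=domain_admins by=jsmith
2015-06-14T03:05:00 vpn01 VPN_LOGIN user=svc_backup src=203.0.113.7
2015-06-15T11:00:00 vpn01 VPN_LOGIN user=jsmith src=10.1.2.3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse(log_text):
    """Turn each log line into (timestamp, host, event_kind, fields)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pass
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    return events

def find_anomalies(log_text, baseline_end):
    """Return alert strings for post-baseline events that deviate from the baseline."""
    cutoff = datetime.fromisoformat(baseline_end)
    known_users, known_src, alerts = set(), {}, []
    for ts, host, kind, f in parse(log_text):
        user = f.get("user")
        if ts < cutoff:  # learn what "normal" looks like
            known_users.add(user)
            if kind == "VPN_LOGIN":
                known_src.setdefault(user, set()).add(f["src"])
            continue
        if kind == "ACCOUNT_CREATED":
            alerts.append(f"{ts} {host}: new account {user} created by {f['by']}")
        elif kind == "GROUP_ADD" and f["group"] == "domain_admins":
            alerts.append(f"{ts} {host}: {user} added to domain_admins by {f['by']}")
        elif kind == "VPN_LOGIN" and f["src"] not in known_src.get(user, set()):
            alerts.append(f"{ts} {host}: VPN login for {user} from unseen source {f['src']}")
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, "2015-04-01T00:00:00"):
        print(alert)
```

Run as-is it prints three alerts for the June events and stays silent on the known user's routine login; in practice the baseline would be built from weeks of real logs rather than three lines.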


Timing is essential

When it comes to a zero-day exploit or a seasonal or event-related attack, the window of opportunity is everything.  One of the best examples of this precept is the Pawn Storm spear phishing attacks of 2016.  Pawn Storm is an aggressive cyberespionage group that is at least 12 years old at the time of this writing.  It has been known by many different names, including Fancy Bear, APT28, and Sofacy.

In 2016, Pawn Storm had been running a spear phishing attack against specific high-profile victims, with the goal of exploiting Adobe and Windows vulnerabilities.  These vulnerabilities would allow Pawn Storm to download multiple files to the victim's network.   The vendors were eventually made aware of these vulnerabilities and immediately worked to patch these flaws.  When Pawn Storm realized it had only a small window of opportunity left to use the custom tools it created for this attack, the group immediately increased attacks on the public to take advantage of the time they had left.

While it may be true that companies rely on vendors to issue patches and prevent zero-day vulnerabilities, study after study shows that companies just don't apply the patches when they should.  In this survey, over half of the respondents who reported a breach attributed it to a vulnerability for which a patch was available but not applied.  Over a third of these knew they were vulnerable before the attack.


Choose your battles

I'll leave you with this final edict from The Art of War.  IT professionals have multiple “battles” to fight each day.  You have to prioritize patching, stay current on threats, identify rogue IT that comes into your network, manage user accounts and access levels, configure and test your data backups, train and support end-users, and so much more.   Each of these tasks can spawn larger tasks and bring unexpected conflict and misunderstandings between internal teams.  No one wants to deal with that.  But the choice is clear:  either fight the internal communication and policy battles to secure your business or fight the external battle that some unknown threat actor brings to you.  If you haven't fallen victim to a spear phishing attack or data breach yet, then this choice is still yours to make.
