Spear phishing and The Art of War
Spear phishing has quickly become one of the hottest and most dangerous cyberattacks around the world. The numbers vary based on how costs are counted and crimes are categorized, but the IC3 reported that businesses suffered over $48 million in phishing-related losses in the year 2018 (pdf). The numbers are much higher when you consider that Business Email Compromise (BEC), corporate data breach, and other types of crimes that can be related to phishing attacks are categorized separately. The Anti-Phishing Working Group reports that SaaS and webmail site credentials are among the most frequent targets, and that “Phishing against Social Media targets grew every quarter of the year, doubling over the course of 2019.” The 2020 Verizon Data Breach Investigations Report (DBIR) shows that 81% of cyber-espionage attacks involve phishing.
With so much cybercrime and so much at stake for the victims, it's interesting to review the advice attributed to the legendary military strategist Sun Tzu (the authorship of The Art of War is debated, but the lessons stand on their own). Although most of us are not going to engage in actual cyberwarfare operations, we are all defending ourselves from criminals who are constantly attacking our companies, service providers, governments, and even us as individuals. With a small change in perspective, these classic lessons from The Art of War can help us understand how to build a proactive defense against spear phishing and other attacks.
Know yourself, know the enemy
One of the basics in IT security is to know the state of your own defenses against the current attacks and vulnerabilities. When Austrian aircraft parts maker FACC was hit with spear phishing in early 2016, spear phishing had already been making headlines for several years. RSA, Lockheed Martin, and Ubiquiti Networks are just a few of the big names that had fallen victim to this crime. It's unlikely that the IT security professionals at FACC were unfamiliar with spear phishing, but it's clear that they had not recognized the weak points in their business processes. An email that impersonated CEO Walter Stephan asked an employee to transfer money for a fake acquisition project, and the employee complied; no second person or out-of-band confirmation stood between the request and the wire transfer. Knowing the fail points in your business processes is as important as knowing how a criminal may attack.
Change represents opportunity
There are a couple of ways to think about this, so let's start with the perspective of the Ukrainian power grid attackers back in 2015. Prior to this attack, we had already seen malicious firmware attack physical machinery, so this particular form of destruction was not new. However, the growing success of spear-phishing attacks meant that there were new opportunities for initial infiltration (SANS pdf). Ultimately this broader change in cybercrime inspired a successful means of attack.
Let's flip this around and take a look from the victim's perspective. From this perspective, opportunities were lost because changes went unnoticed. The attackers had access to the environment for more than six months prior to the power outage. During that period the attackers harvested credentials, created new accounts, manipulated privileges, set up command and control, established VPN access, and moved laterally through the network to gather as much information as possible. This activity produced hundreds of system abnormalities that might have been picked up with a robust monitoring process. The changes were not detected, and multiple opportunities to stop the attack were lost.
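The account-manipulation steps listed above (new accounts, privilege changes, remote logons) are exactly the kind of change a monitoring process can catch, because each one leaves a Windows Security event behind. The following is an added example, not code from the original article or from the SANS report: it correlates a freshly created account with a promotion into a privileged group and a subsequent remote logon. The log records are constructed for the example; the event IDs are the standard Windows ones (4720 user created, 4728 and 4732 member added to a global or local group, 4624 successful logon), and the privileged-group list and 24-hour window are assumptions to tune for your own environment.

```python
"""Correlate Windows Security events for the pattern: a newly created account
is added to a privileged group and/or used for a remote logon shortly after
creation.  Added example; SAMPLE_EVENTS below is constructed, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample: flattened Security.evtx records.  The first three lines are
# the suspicious sequence; the last three are an ordinary onboarding for contrast.
SAMPLE_EVENTS = [
    {"time": "2015-10-12T22:41:03", "event_id": 4720, "subject": "CORP\\svc_backup",
     "target": "CORP\\maint2", "group": None, "logon_type": None},
    {"time": "2015-10-12T22:43:17", "event_id": 4732, "subject": "CORP\\svc_backup",
     "target": "CORP\\maint2", "group": "Administrators", "logon_type": None},
    {"time": "2015-10-13T01:05:44", "event_id": 4624, "subject": None,
     "target": "CORP\\maint2", "group": None, "logon_type": 10},
    {"time": "2015-10-14T09:10:00", "event_id": 4720, "subject": "CORP\\helpdesk",
     "target": "CORP\\jsmith", "group": None, "logon_type": None},
    {"time": "2015-10-14T09:12:00", "event_id": 4728, "subject": "CORP\\helpdesk",
     "target": "CORP\\jsmith", "group": "Domain Users", "logon_type": None},
    {"time": "2015-10-19T08:30:00", "event_id": 4624, "subject": None,
     "target": "CORP\\jsmith", "group": None, "logon_type": 2},
]

# Assumed list of groups that warrant an alert when a brand-new account joins them.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                     "Remote Desktop Users", "Backup Operators"}
# Logon type 3 = network, 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


def detect_new_privileged_accounts(events, window=timedelta(hours=24)):
    """Return a list of (account, reason) alerts.

    Only events for accounts whose 4720 creation event falls within `window`
    are considered; everything else is treated as business as usual here.
    """
    created = {}          # account -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        acct = ev["target"]
        if ev["event_id"] == 4720:
            created[acct] = t
            continue
        if acct not in created or t - created[acct] > window:
            continue      # not a recently created account
        age = t - created[acct]
        if ev["event_id"] in (4728, 4732) and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append((acct, f"added to {ev['group']} {age} after creation "
                                 f"by {ev['subject']}"))
        elif ev["event_id"] == 4624 and ev["logon_type"] in REMOTE_LOGON_TYPES:
            alerts.append((acct, f"remote logon (type {ev['logon_type']}) "
                                 f"{age} after creation"))
    return alerts


if __name__ == "__main__":
    for account, reason in detect_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT {account}: {reason}")
```

Run against the constructed sample, the function flags only the maint2 account (promoted to Administrators two minutes after creation, then used for an RDP logon a few hours later) and stays quiet on the jsmith onboarding. In a real deployment the same correlation would run over events exported from domain controllers and jump hosts, and the creation-to-privilege window would be shortened or widened to match your change-management practice.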
Timing is essential
When it comes to a zero-day exploit or a seasonal or event-related attack, the window of opportunity is everything. One of the best examples of this precept is the Pawn Storm spear-phishing attacks of 2016. Pawn Storm is an aggressive cyberespionage group that is at least 12 years old at the time of this writing. It has been known by many different names, including Fancy Bear, APT28, and Sofacy.
In 2016, Pawn Storm had been running a spear-phishing campaign against specific high-profile victims, with the goal of exploiting then-unpatched Adobe and Windows vulnerabilities. These vulnerabilities allowed Pawn Storm to download multiple files to the victim's network. The vendors were eventually made aware of the flaws and worked to patch them. When Pawn Storm realized it had only a small window of opportunity left to use the custom tools it had built for this campaign, the group immediately ramped up its spear-phishing attacks to take advantage of the time it had left.
While it may be true that companies rely on vendors to issue patches and close zero-day vulnerabilities, study after study shows that companies just don't apply the patches when they should. In one survey, over half of the respondents who reported a breach attributed it to a vulnerability for which a patch was available but not applied, and over a third of those knew they were vulnerable before the attack.
Choose your battles
I'll leave you with this final edict from The Art of War. IT professionals have multiple "battles" to fight each day. You have to prioritize patching, stay current on threats, identify rogue IT that comes into your network, manage user accounts and access levels, configure and test your data backups, train and support end-users, and so much more. Each of these tasks can spawn larger tasks and bring unexpected conflicts and misunderstandings between internal teams. No one wants to deal with that. But the choice is clear: either fight the internal communication and policy battles to secure your business or fight the external battle that some unknown threat actor brings to you. If you haven't fallen victim to a spear-phishing attack or data breach yet, then this choice is still yours to make.