Spear Phishing is Still Around - Fight This Evil

Last week I received an email from a reporter writing a story about how to avoid social engineering scams that trick medical staffers into clicking on an infected email link. He was looking for expert advice on how to train staffers to recognize these phishing scams, and what technology can help block infections should they fall victim to these scams. As I sat down to respond, it hit me that as fast as things evolve in IT, phishing and spear phishing still remain one of the most effective ways – if not the most - for an attacker to find their way into their target’s network. Phishing emails used to be embarrassingly easy to spot – crafted, often by non-English speakers and were riddled with typos and poor grammar. These days, phishing and especially spear phishing emails can be virtually impossible to detect. With that being the case, I wanted to share my response to the reporter, as these tips can help any organization – not just those in the healthcare industry: Social engineering scams are hard to prevent since they target the weakest point in the cyber security eco-system: people.  Awareness training for employees and other relevant people on how to identify and avoid such scams is important and can reduce the risk, but it is a process, not an event. That said, here are some general best practices: For users:

1. Only trust emails from people you know or from people in your organization – this is hard to enforce but is better than nothing.
2. Train employees to understand social media risks and report any suspicious activity they notice, such as a file that is not opening or a link that crashes the browser, a suspicious email – it is always better to be safe than sorry!
3. Use strong passwords and change them regularly – use phrases mixed with numbers and special characters instead of random strings, they tend to be longer and easier to remember. 

For IT/Security staff

1. Accept the reality that no matter what an organization does, there will always be vulnerabilities that a motivated hacker will eventually find and exploit.  Therefore, the Security Operations Center (SOC) team must adopt a post breach mindset and make sure they have the ability to detect (and contain) attacks.  
2. There are a wide variety of products that claim to detect and contain advanced attacks – due diligence is critical!  Attack detection requires automation, which requires working with a vendor that not only has great technology, but that also understands your business. Put shortlisted products through their paces. Choose your vendor partners carefully!
3. Time-to-detection is a key metric when it comes to attack detection and containment -no matter how you quantify the cost of a breach, the sooner you find it and stop it, the better.  

Here at Cybereason, our belief is that a motivated attacker will always – and we mean ALWAYS - find a way in. Therefore, the best defense against modern attacks is to invest in fast detection and containment.  Not only will you likely learn you have already been breached, but once an attacker has found a good place to burrow its malware into your network and hide, if you don’t actively hunt for the code or for anomalies, as report after report has confirmed, odds are you’re not going to find it for quite some time. That is not to say that non-technical workers do not have a responsibility to be vigilant, which is why user awareness training and the consistent promotion of a culture in which security processes and practices are incentivized and rewarded is a must. Currently, there is no silver bullet for security and we doubt one will come along any time soon. But weaving the above suggestions into daily operations is bound to help. For more information on post breach attack detection, feel free to reach out to me directly at lotem@cybereason.com.