Spear-phishing has become the scourge of the internet. It is the primary method used by the Syrian Electronic Army to gain the credentials it uses for its many and repeated hacks, and has become the weapon of choice for state-sponsored espionage. Just this week it was revealed by Kaspersky as the first step of the Mask campaign, which it considers to be a state-sponsored tool even more sophisticated than Duqu.
Spear-phishing is little more than highly targeted social engineering. It is aimed at individuals or small groups of people; but cleverly uses personal knowledge of the intended victim. The attack is generally delivered by email, and is designed to persuade the victim to visit a compromised site or click on a weaponized attachment.
The more personal knowledge the attacker holds, the more persuasive the lure and the more likely the attack succeeds. The amount of personal detail contained in the Barclays Bank stolen customer details disclosed earlier this week would be a treasure-trove for phishers. If sophisticated spear-phishing is then combined with a zero-day exploit, it is almost a certainty that the victim will be compromised.
The fact remains, however, that spear-phishing simply fails if the target recognizes it and declines to click on the link or the attachment. Empirical evidence demonstrates that this is not happening: users get fooled and compromised in increasing numbers. Since technology doesn't work against social engineering, the best defense is improved staff training and awareness.
But a major problem with training is that while it needs to be continuous, it is disruptive and costly. Wombat Security Technologies has now introduced a new automated training program designed to improve awareness without tying up trainers. Any member of staff who falls for a simulated phishing attack is automatically enrolled in a series of short ten-minute modules designed to teach people how to recognize the tricks and traps of spear-phishing. Since the training is immediately associated with having fallen for social engineering, training completion rates are considerably improved.
“By motivating employees to quickly respond and complete security awareness training,” explained the Manager of IT security and disaster recovery for a Fortune 1000 manufacturing company, “it means a company’s workforce is armed against the most current attacks. In addition, using automated phishing attacks enables companies to streamline operations, save money, and protect their organization at the same time.”
The bottom line is simply this: if users don't get fooled, they won't get phished. Achieving it is the problem.