
Spear Phishing Attacks Need To Be Given The Attention They Deserve

Modern cyber attacks come in all shapes and sizes, meaning businesses are facing a constant battle to stay up to date with the latest security threats.

Cyber security itself has become a well-publicised topic that rightly receives a large amount of media attention, but is this coverage focusing on the right types of attacks? According to Hatem Naguib, SVP of security at Barracuda, the answer is no.

He believes that, while the likes of ransomware and Distributed Denial of Service (DDoS) attacks continue to attract the most media attention, other potentially more damaging criminal activity is slipping under the radar.

Spear phishing threat

“The high-profile attacks you’re seeing right now are the ransomware ones. Those are generally disruptive and I would argue they have a higher fear-factor than impact,” he said, referring to the recent WannaCry and NotPetya outbreaks that have impacted organisations around the world.

While these types of attacks obviously do have significant productivity and trust impacts for businesses, Naguib believes more airtime should be given to spear phishing activities due to their rising prevalence.

“Those are arguably more damaging and more personal. In this aspect the criminals will social engineer and that impersonation model is much more nefarious. Customers have seen a 25X increase in those types of attacks over the last two years.

“The impact is you lose credentials, you lose passwords and you lose thousands or sometimes tens of thousands of dollars. There’s a real material impact associated with it, brands can be damaged, people can lose their jobs.

“The other thing is it’s not just money. They take your W2 information, your tax information. That’s very frustrating and personal, so its impact is greater but I don’t think it gets the same level of attention.”

So, why does spear phishing tend not to receive as much media attention? Naguib believes it comes down to the personal nature of the attacks, which target specific individuals rather than anyone and everyone.

He argues that ransomware and DDoS attacks have the “volumetric impact” that makes them front-page news, despite the material impact often being less severe.

Barracuda Sentinel

To counter the threat, Barracuda has released an artificial intelligence (AI) based system that carries out ongoing behavioural analysis of a business’s communications to learn how employees talk to each other.

First it classifies individuals based on their seniority within the company, then looks contextually at emails to spot unique patterns and trends in order to identify spear phishing attempts.

Barracuda Sentinel “uses artificial intelligence and machine learning to profile the customer’s communication patterns. So I can tell, looking at you as a corporation, here are the high-profile individuals who have the highest levels of approval, who usually send emails at this time of the day and then dozens of classifiers on the content of the emails they typically send.

“Here’s what an email looks like when it’s urgent, here’s one that includes financial information and we can mash these things together so that when these impersonation attacks come in we can say ‘this has a high probability that it’s an attack’ and quarantine it.”

The system itself is constantly learning and also includes a training capability that mimics spear phishing attacks to help educate employees and improve their awareness.
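As an added illustration of the approach described above (per-sender profiles, usual send times and content classifiers combined into one quarantine decision), the sketch below scores a message against a learned profile. It is an example written for this article, not Barracuda's code or method; the names, addresses, keyword lists, weights and threshold are all constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# All names, addresses, keywords and weights here are constructed for illustration.
Email = namedtuple("Email", "display_name address hour body")
URGENT = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|invoice|payment|bank|payroll|w-?2)\b", re.I)
WEIGHTS = {"impersonation": 0.5, "unusual_hour": 0.1, "urgent": 0.15, "financial": 0.25}

class SenderProfiles:
    def __init__(self, high_profile):
        self.high_profile = {n.lower() for n in high_profile}
        self.addresses = {}  # display name -> addresses seen in known-good mail
        self.hours = {}      # display name -> Counter of send hours (0-23)

    def learn(self, mail):
        key = mail.display_name.lower()
        self.addresses.setdefault(key, set()).add(mail.address.lower())
        self.hours.setdefault(key, Counter())[mail.hour] += 1

    def score(self, mail):
        key = mail.display_name.lower()
        known = self.addresses.get(key, set())
        hist = self.hours.get(key, Counter())
        total = sum(hist.values())
        # Count of past mail sent within one hour of this message's send time.
        near = sum(hist[(mail.hour + d) % 24] for d in (-1, 0, 1))
        signals = {
            # A familiar display name arriving from an address never seen for it.
            "impersonation": bool(known) and mail.address.lower() not in known,
            "unusual_hour": total > 0 and near / total < 0.1,
            "urgent": bool(URGENT.search(mail.body)),
            "financial": bool(FINANCIAL.search(mail.body)),
        }
        value = sum(WEIGHTS[name] for name, hit in signals.items() if hit)
        if signals["impersonation"] and key in self.high_profile:
            value += 0.2  # impersonating an approver is weighted more heavily
        return round(min(value, 1.0), 2), signals

def verdict(profiles, mail, threshold=0.7):
    return "quarantine" if profiles.score(mail)[0] >= threshold else "deliver"

def demo():
    profiles = SenderProfiles(high_profile=["Dana Reyes"])
    for hour in (9, 10, 10, 11, 14, 15):  # constructed known-good history
        profiles.learn(Email("Dana Reyes", "dana.reyes@example.com", hour, ""))
    spoof = Email("Dana Reyes", "dana.reyes@example.net", 23,
                  "Urgent: please wire the payment for this invoice today.")
    normal = Email("Dana Reyes", "dana.reyes@example.com", 10,
                   "Please review the invoice before Friday.")
    return verdict(profiles, spoof), verdict(profiles, normal)
```

No single signal reaches the threshold on its own here; the quarantine decision comes from the look-alike address coinciding with the content and timing signals.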

Social engineering

Cyber criminals are frequently using social engineering practices to trick individuals into handing over confidential information.

A study released in April found that 70 percent of UK universities have fallen victim to a phishing attack in the past. Shortly afterwards, Google and Facebook admitted to being tricked out of more than $100 million (£77m).

Such attacks were one of the most prominent threat vectors in 2016, a trend which has continued into 2017 as the likes of Netflix, McDonald’s and even the Saudi Arabian government have been targeted.

With the threat seemingly on the rise, businesses would be wise to pay more attention to phishing and spear phishing attacks, or risk facing the consequences.


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
