Spear phishers have two very nice targets to choose from. Businesses just have to accept malware will get past them, says Tom Brewster
Britain’s new cyber crime cops won’t be subject to freedom of information requests. Indeed, the entire National Crime Agency is exempt from the FOI Act. That might upset people hungry for transparency, especially after all the furore surrounding secrecy over surveillance following the leaks of Edward Snowden.
But, as I suggested to Andy Archibald, who is heading up the National Cyber Crime Unit, this could be a good thing for the organisation’s security. If I were an attacker, my prime target for any public sector organisation would be the FOI team. I’d craft a malicious attachment that exploited much-used software – Internet Explorer perhaps – and send it in a fake FOI request.
Hopefully, the exploit code would get past the organisation’s email security protections, meaning it would almost certainly be opened by the unsuspecting employee. Then I could get malware on their machine before trying to find my way onto other bits of the network. I’d also use encryption on the communications going between that malware and my command and control systems, as that would make it rather tricky for the victim to see what’s going on. “You’re in the wrong profession,” Archibald tells me.
Similar ideas came up in conversation the day before with former Symantec CEO and now FireEye board member Enrique Salem. For the majority of organisations FOI does not apply, but there are some departments that have to open attachments regularly, HR being one. Given the amount of sensitive data passing through HR systems, even if an attacker couldn’t escalate privileges to gain access across the target’s network, they could still glean vast amounts of valuable information just by infecting an HR worker’s client.
Any part of the organisation that has to open emails frequently throughout a working day is a prime spear phishing target. Even basic anti-phishing advice, like do not open emails that appear to come from dodgy sources, cannot really apply here. Those emails have to be opened.
What to do then? First, use the most current version of whatever software you’re running, especially oft exploited kit like Internet Explorer. That might be a problem for the UK government, which is still widely using IE6. Others who stick to old versions due to web application compatibility may also find this tricky. And getting away from Java, despite the many flaws that emerge on Oracle’s software, appears to be an impossibility for many.
After that, get as many layers of protection as you can and ensure you have some kind of advanced malware detection system if you can afford it, whether that’s a pureplay appliance or cloud-based tools. Even then, things will slip through, so data loss protection tools should surround your most valuable information.
And make sure you have a post-attack strategy, including not just technical measures but PR response too. Everyone can be breached.
Whatever you do, don’t just rely on antivirus. If you’re still in that mindset, there may be no saving you.