Protect Your Critical Infrastructure from Phishing Attacks with Core Security
Phishing costs about $500M to $3B annually according to Consumer Reports and Gartner Research, respectively. The latest report from the Anti-Phishing Working Group shows the number of phishing campaigns is declining. That’s good, right? Wrong. Phishing attacks are a clear and present danger to our endpoint and network systems. By its very nature, email is able to travel from outside a network to all the locations where users are present. This can effectively eliminate the benefits of a strong and hardened perimeter and allow an attacker a point of entry to multiple layers inside a target network. Hackers have mostly shifted from mass phishing attacks to spear phishing attacks, which yield a much greater open rate because the content is tailored to appear trustworthy.
An attacker can learn potential target email addresses by purchasing a list from a provider, mining online sites like LinkedIn, mining news reports regarding specific topics and employees, or searching other public information repositories. With spear phishing, attackers might select a few targets and make the emails highly customized. This may mean the attacker sends only a small number of emails to avoid detection based on bulk sending, and each email is unique enough that it is not detected based on duplicate content.
When a recipient clicks a link or opens an attached file (such as a PDF, which users are accustomed to receiving) in the email, the attack launches and attempts to get control of the user’s machine. Once that control has been established, the email is no longer relevant, and the attacker has remote control of a user’s machine inside the target environment.
From this point the attacker may attempt to raise their privileges on the user’s machine to SYSTEM level. Attackers can also attempt to gain control of a server or another machine in the user’s environment. Typically, the attacker will want to ensure they have persistent access to the target network, as user machines tend to power off at the end of each business day. Therefore, the attacker is interested in taking control of a server. This provides a more stable environment from which the attacker can launch internal discovery and probes to further their knowledge of the internal environment, gain control of more servers and gain access to more data.
An organization should never rely on its end-users as a legitimate line of defense; rather, it should create awareness of the phishing threat among its user population. A user who suspects an email might be a threat should have an easy means of reporting it, and there should be a process by which the email is promptly investigated. If it is determined to be a threat, emails from the same sender should be quarantined and explored.
CORE Insight allows you to test end-users’ awareness of potential threats with minimal disruption, using customizable phishing email campaigns. With these campaigns, end-users do not receive a code execution exploit, but rather an email encouraging them to click on a link. (Recipients can also be invited to open an attached file – see below for more). Each user receives a unique link, allowing administrators to determine the percentage of users who clicked it, as well as pinpoint individual users who need additional security awareness training. This can be performed quickly and simply via CORE Insight. Information about the campaign will be displayed in the modules and, when the campaign is finished, you can review the results via CORE Insight’s reports.
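One way to implement the per-user unique link measurement described above, as an added example that is not CORE Insight's own code: each recipient gets a keyed token, and logged clicks are attributed back to users to produce the click rate and the list of users who need training. The campaign key, recipient addresses, landing URL and log format are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: campaign secret, recipients and landing page (all hypothetical).
CAMPAIGN_KEY = b"constructed-demo-key-rotate-per-campaign"
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]
BASE_URL = "https://awareness.example.com/t/"

def token_for(email: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-recipient token: a keyed hash, so it is unguessable and hides the address."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:32]

def build_links(recipients, key: bytes = CAMPAIGN_KEY) -> dict:
    """Map each recipient to the unique link placed in their awareness email."""
    return {r: BASE_URL + token_for(r, key) for r in recipients}

def score_campaign(recipients, click_log_lines, key: bytes = CAMPAIGN_KEY) -> dict:
    """Attribute logged clicks to recipients; repeat clicks count once per user."""
    by_token = {token_for(r, key): r for r in recipients}
    clicked, unknown = set(), 0
    for line in click_log_lines:
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("/t/"):
            continue  # not a campaign hit
        user = by_token.get(parts[1][len("/t/"):])
        if user is None:
            unknown += 1  # guessed or mistyped token: never counted against a user
        else:
            clicked.add(user)
    rate = 100.0 * len(clicked) / len(recipients) if recipients else 0.0
    return {"click_rate_pct": rate,
            "needs_training": sorted(clicked),
            "unknown_hits": unknown}

# Constructed log (timestamp, request path): bob clicks twice, one hit has a bogus token.
SAMPLE_LOG = [
    "2024-01-10T09:01:00Z /t/" + token_for("bob@example.com"),
    "2024-01-10T09:03:12Z /t/" + token_for("bob@example.com"),
    "2024-01-10T09:07:45Z /t/" + token_for("carol@example.com"),
    "2024-01-10T09:09:30Z /t/" + "0" * 32,
    "2024-01-10T09:10:02Z /favicon.ico",
]

if __name__ == "__main__":
    print(score_campaign(RECIPIENTS, SAMPLE_LOG))
```

Mail gateways and link scanners that fetch the real per-user link are still attributed to that user, so filter such automated requests (for example by source address or user agent) before treating a hit as a human click.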
End Point Assessment
While a phishing campaign will indicate whether users would expose their environment to attack, it does not indicate how likely the attack is to work. However, a strong argument can be made that the increase in zero-day vulnerabilities is partly attributable to successful phishing attacks, in which case testing the responsiveness of the surrounding system to a breach is also important.
Using CORE Insight you can quickly and automatically run all or a subset of client-side exploits against a valid example of the end users’ system and against the various standard desktop images deployed. This is also used as part of updated desktop build security checks before they are deployed. This analysis will return a list of vulnerabilities on the local OS and third-party applications that were exploited, thus providing a list of possible weaknesses an attacker could exploit.
Sending an Exploit as an Attachment
As an alternative phishing campaign using CORE Insight, an exploit can be written into a file associated with a familiar application, such as Microsoft Office, PDF readers and media players, and attached to an email. In this instance, you can combine end-user awareness with an end point assessment, as the attack can only work if the user and system are vulnerable.
The same kind of reporting described previously is available for this kind of phishing campaign.
Continuous and Distributed Monitoring
Many organizations don’t have the time or resources to plan and deliver a series of client-based attacks. CORE Insight lets you set and forget this activity with a powerful scheduling engine and standardized email samples. Security professionals can now review the data once a week, month or quarter and make informed decisions about the risk associated with phishing.