War Stories, Part 2: Cutting the Phishing Lines

June 21, 2017 Arctic Wolf Networks

Phishing is becoming more sophisticated and personalized. In the past, would-be phishing victims often received generic emails instructing them to sign a contract or take action to renew their expired credit cards. But now, a campaign might be continually refined so that it targets a single person, making it much more effective than the traditional broadcast email (spray-and-pray) approach.

Go phish: How one click can grind the company network to a halt

That was the crux of a war story that Sam McLane, head of security engineering at Arctic Wolf Networks (AWN), shared during a recent webinar titled “War stories from the trenches – case studies from a security ops perspective.” The specific story McLane told highlighted some overall trends in phishing that were also covered in the 2017 Data Breach Investigations Report from Verizon:

  • Targeted phishing campaigns are now a leading cause of corporate cyber espionage.
  • Phishing was also the most common form of “social attack” documented in the DBIR.
  • It was present in 93 percent of such incidents; moreover, 28 percent of all these phishing attempts were targeted.

According to McLane, one customer he worked with saw its CEO succumb to a textbook phishing scheme, under which the executive received an email that misleadingly looked like it came from a corporate partner. After the CEO clicked on a malicious attachment to the message, his laptop got infected and began sending spam emails to company employees, which looked like they were coming from the CEO. This campaign was intended to spread malware rapidly across the network; however, an AWN Security Engineer identified the sequence of events and warned everyone at the firm about this phishing campaign in the nick of time.

“The CEO was socially profiled and eventually spear-phished,” McLane said. “That’s a targeted attack, directly at one person.”

This sequence, from spear-phishing email to malware infection to spam dissemination, is a classic feature of modern phishing design. The DBIR revealed that in 95 percent of phishing incidents that led to a data breach, the initial click was followed by a software installation (i.e., of malware that hijacked the device in question).

What’s the best defense against phishing? For SMBs, it can be challenging to find an efficient solution, since as McLane noted in his opening remarks, it is costly to hire and retain security engineers on staff. The alternative is to follow the lead that this customer took in quickly controlling the spread of the phishing campaign.

Stopping spear-phishing with real time network monitoring

While even the CEO in this story could not avoid being phished, the good news was that the company’s network was monitored 24/7 for anomalies, especially ones involving users in executive and administrative roles. The custom rules engine in the AWN CyberSOC flagged the breach of the CEO’s email account and alerted the AWN Security Engineer to the unusual email activity on its network.

The amount and variety of forensics collected by the AWN Security Engineer ultimately made the difference. If the company had not been working with AWN, the phishing campaign likely would have succeeded in infecting numerous devices. Instead, its impact was limited to the CEO’s laptop.

“Because we were continuously monitoring the network, because we had both email logs, firewall logs and intrusion detection logs, we were able to cross-pollinate all those different sources of log data and come up with: ‘Your CEO’s been phished, it was successful, it was his corporate account and that’s the source of the spam campaign,'” explained McLane. “Even before any credentials were stolen, we prevented the infection from going further and worked with the company on a user awareness program.”

AWN offers a SOC-as-a-Service with managed detection and response (MDR) services from expert security engineers. Delivered as a subscription, the CyberSOC is predictably priced and highly reliable.

You can read part III of the War Stories blog series, Foul Play or False Alarm, here.

Are you ready to learn more about protecting your assets? Read our eBook on Protecting Against the Top Five Attack Vectors.

Previous Article
War Stories, Part 3: Foul Play or False Alarm?
War Stories, Part 3: Foul Play or False Alarm?

Are you making mountains out of molehills?

Next Article
Ransomware Attacks Will Persist Even Though WannaCry Has Died Down
Ransomware Attacks Will Persist Even Though WannaCry Has Died Down

Ransomware Attacks Will Persist Even Though WannaCry Has Died Down The WannaCry ransomware swept through Eu...


Want cybersecurity updates delivered to your inbox?

First Name
Last Name
Thanks for subscribing!
Error - something went wrong!