We read about the work of security researchers at Georgia Tech Research Institute (GTRI) with great interest and even greater skepticism.
We wholeheartedly concur with this observation of Andrew Howard, a GTRI research scientist who heads up the organization’s malware unit:
Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it. It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.
The place where we part company is this plan of action:
To increase their chance of success, criminals attempting to access a corporate network often target more than one person in an organization. Network security tools could use information about similar spear phishing attempts to warn other members of an organization. And by having access to all email, security systems could learn what’s “normal” for each individual — and recognize unusual email that may be suspicious.
“We are looking at building behavioral patterns for users so we’d know what kinds of email they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard said. “We think the real answer is to keep malicious email from ever getting into a user’s in-box, but that is a much more difficult problem.”
The GTRI researchers call the action by the spearphishing victim “a mistake.” This characterization demonstrates a fundamental misunderstanding of the problem. The victims aren’t making simple mistakes — the victims are being deceived. Consider the everyday example of a retail cashier. The cashier is busy making lots of decisions. Among these decisions is handling cash. If the cashier hands a customer a $100 bill instead of a $1.00 bill in change, that is a mistake. If, on the other hand, the customer is dishonest and wants to increase the chances of the cashier making an error, the customer can use deception. A classic form of deception is counterfeiting. Of course, accepting a counterfeit bill is a mistake. But it is more than a mistake — it is an error that was induced by the counterfeiter’s malicious manipulation of the cashier’s decision-making process.
Just like counterfeiters, cyber bad guys are thinking adversaries. The attackers are armed with human brains, which they use to devise schemes to deceive their human victims. Writing in the Fourth Quarter 2012 issue of The Next Wave (a research review published by the NSA), Dr. Frederick Chang, former NSA Director of Research, warns that:
… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.
The cyber bad guys understand that the key to stopping them is detecting anomalous patterns. That is why the bad guys avoid creating patterns. They send individually targeted emails. They know that users will open an attachment from their boss or HR — that is why the attackers do their research to figure out convincing deceptions. They exploit current events. They use single-use, throwaway domains. They use malicious attachments to avoid URL detection methods. They use unique malware. Bad guys compromise access cards, so that the illicit activity occurs only during real sessions of the authorized user. Bad guys use security software to QA their attacks. The first step in fighting spearphishing is to realize that the attackers understand and use the same technology that is used by the defenders.
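To make the “what’s normal for each individual” idea from the GTRI quote concrete, and to show exactly where it runs out against the attacker behavior just listed, here is a small per-user sender baseline written for this post (example code added here, not code from GTRI or Iconix). The message history, addresses and the examp1e.com look-alike domain are constructed; the baseline flags a display name that matches a trusted contact but arrives from an unfamiliar address or domain, and it cannot flag mail sent from a contact’s genuinely compromised account.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed history of (recipient, From header) pairs; not real traffic.
HISTORY = [
    ("alice@example.com", "Bob Chen <bob.chen@example.com>"),
    ("alice@example.com", "Bob Chen <bob.chen@example.com>"),
    ("alice@example.com", "HR Team <hr@example.com>"),
    ("alice@example.com", "Newsletter <news@vendor.example>"),
]


def build_baseline(history):
    """Per recipient: display name -> addresses seen, and the set of sender domains."""
    names = defaultdict(lambda: defaultdict(set))
    domains = defaultdict(set)
    for rcpt, header in history:
        name, addr = parseaddr(header)
        addr = addr.lower()
        names[rcpt][name.strip().lower()].add(addr)
        domains[rcpt].add(addr.rsplit("@", 1)[-1])
    return names, domains


def score_message(baseline, rcpt, from_header):
    """Return the reasons a From header is unusual for this recipient (empty = normal)."""
    names, domains = baseline
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    known_addrs = names[rcpt].get(name)
    if known_addrs and addr not in known_addrs:
        # Masquerading: a trusted name on an address this user has never seen.
        reasons.append("display name matches a known contact but address differs")
    if domain not in domains[rcpt]:
        # Single-use / throwaway domains show up here on their first message.
        reasons.append("first mail ever seen from domain %s" % domain)
    return reasons


BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    # Look-alike domain is caught; a compromised real account is not.
    print(score_message(BASELINE, "alice@example.com", "Bob Chen <bob.chen@examp1e.com>"))
    print(score_message(BASELINE, "alice@example.com", "Bob Chen <bob.chen@example.com>"))
```

The second call returns an empty list: a message sent during a real session of the compromised contact’s account is, by construction, “normal” for the recipient, which is the gap the post argues pattern detection alone cannot close.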
At Iconix we focus on the human deception aspect of spearphishing. Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. To learn more, you can contact us at 408-727-6342, ext. 3, or use our online form.