Your attacker is not afraid of getting caught
It used to be that a phisher would get into your company, steal money or information, and be gone as soon as possible. Getting in and out as quickly as possible meant minimizing the chances of being caught, identified, and prosecuted.
Today’s attacker is likely based in a foreign country where your legal jurisdiction and warrants don’t work. You can even identify (using legal evidence) the hacking firm, its hackers, and its physical address to their local authorities, and nothing is likely to happen.
In most of the attacks I’ve been called in to remediate in the past 10 years, the hackers don’t run once they are found. To be sure, they don’t want to be found, but once they are, they hack even more freely and blatantly, as if the restraints have been pulled off.
Remediation ends up being a cat-and-mouse game where the mouse has all the advantages. At first you don’t know what they’ve compromised and how many ways they can get back in. And it all likely started because someone opened up a spearphishing email.
What you can do
Remediation begins with educating all employees about the new reality of spearphishing attacks. Everyone should know that the old-style phishing emails, full of typos and promises of unearned millions, are no longer your main worry. Explain how the new spearphishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone your colleagues trust.
Employees should be told to always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today. Tell employees to report anything suspicious. If they accidentally executed anything that they later became suspicious about, they should report it as well. It is important to remove the stigma and embarrassment of being fooled. Let them know that anyone, even security experts, can be tricked today, given the sophistication of the attacks.
Many companies aggressively test their employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past. Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.
Lastly, if a spearphishing attempt is successful in your company, use the actual phish email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons front and center is welcome.
The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.
Sign up for CIO Asia eNewsletters.