By now, we all know that the bad guys are using phishing and spear-phishing to go after your users and penetrate your networks. This type of social engineering attack is getting used more and more, since it's the least effort for the attacker. They are getting pretty good at making users click on links and open attachments.
Organizations that are successful in defending their networks use defense-in-depth. The outer layer of that model is Policy, Procedure and Awareness. Create security Policies; make sure everyone knows about them and the correct Procedures to follow, and give security Awareness training to everyone with exposure to the Internet.
Next, you need some specific technical measures against these attacks. Email is the most used vector for these attacks, so you need to have a few layers of defense in place. Sometimes these are part of your mail server's anti-spam features; however, you need to differentiate between anti-spam and anti-phishing functionality, as the two are somewhat different technologies that are often combined in one product. Let's look at a few anti-spam features that also protect against (spear-)phishing.
A specific Anti-Phishing Database
Several anti-spam products (either on a server in your own datacenter or hosted by a service provider) contain a constantly updated database of so-called 'fingerprint' data, which is used to detect elements commonly encountered in phishing emails. It is a somewhat generic approach that helps against normal phishing attacks but does not do much against the more focused spear-phishing attacks.
Sender Policy Framework (SPF)
You really need this in place, and it is mainly a configuration issue. SPF blocks email that spoofs its origin email address. That means the attacker can no longer send an email to all employees, impersonating the CEO with a 'from' address within your domain. SPF blocks these attacks by comparing the host that delivered the email against a list of email servers that are authorized to send email on behalf of that domain. This method is actually very effective at stopping both regular phishing emails and spear-phishing emails. To see if you have SPF correctly configured, go to this URL and enter your domain name: http://www.kitterman.com/spf/validate.html
It will let you know if there is a valid SPF record. KnowBe4 can help you establish if your organization can be spoofed or not. We provide a free service that can do this.
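To make the mechanism concrete, here is an added example (not from the original post or any vendor product) of how a receiving mail server evaluates a published SPF record against the IP address of the host that connected to it. The record and the addresses are constructed sample values using documentation ranges. The evaluator handles the `ip4`, `ip6` and `all` mechanisms, which is enough to show the pass/fail/softfail logic; `a`, `mx` and `include` need DNS lookups and are reported as unsupported here. One caveat worth knowing: SPF is checked against the envelope sender (the `MAIL FROM` / Return-Path domain) and the HELO name, not the `From:` header the user sees, so pairing SPF with DMARC alignment is what actually ties the check to the visible sender address.

```python
import ipaddress

# Constructed sample record, the kind a domain would publish in DNS as a TXT record.
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not real mail servers.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term:
            # Modifiers such as redirect= / exp= are skipped by this simplified evaluator.
            continue
        qualifier = "+"  # an unqualified mechanism means 'pass' when it matches
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, txt):
    """Evaluate the connecting IP against the record, left to right, first match wins.

    Returns one of pass / fail / softfail / neutral / permerror, or
    'unsupported:<mechanism>' for mechanisms that would need a DNS lookup.
    """
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(txt):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
            continue
        return "unsupported:" + mech
    # No mechanism matched and no 'all' term: RFC 7208 says the result is neutral.
    return "neutral"


if __name__ == "__main__":
    for sender_ip in ("192.0.2.10", "198.51.100.7", "2001:db8:1::5"):
        print(sender_ip, "->", check_host(sender_ip, SAMPLE_SPF))
```

A record ending in `-all` tells receivers to reject mail from unlisted hosts, while `~all` only asks them to treat it as suspicious; a record with no `all` term at all leaves unlisted senders at neutral, which is why the validator linked above is worth running after every change.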
DNS blacklist (DNSBL)
There are several organizations that have as their goal in life to make the spammers' lives hell. They create lists of the servers that spammers use to send spam. These spam hosts are made available in a database through the DNS system. Your email server can talk to these DNS blacklist databases and ensure that the email server sending you an email is not blacklisted. Keep in mind that normal phishing emails usually are sent from servers that also send spam, and are blacklisted, but spear-phishing email is usually sent from a brand new clean server that was set up especially for that purpose, so it is not known by the DNS blacklist folks.
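The DNS lookup a mail server performs is simple enough to show in full. The following is an added example, not code from the original post or from any blacklist operator: it builds the query name (address octets, or IPv6 nibbles, reversed and followed by the zone name), interprets the answer the way RFC 5782 describes (an A record in 127.0.0.0/8 means listed, NXDOMAIN means not listed), and runs the sanity check RFC 5782 recommends before trusting a zone: 127.0.0.2 must be listed and 127.0.0.1 must not be. The zone name `dnsbl.example` and the answers in `CONSTRUCTED_ANSWERS` are made up so the code runs offline; the default resolver does real lookups.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Return the name to resolve: reversed address labels followed by the zone.

    203.0.113.10 in zone dnsbl.example becomes 10.113.0.203.dnsbl.example;
    IPv6 addresses use all 32 hex nibbles of the expanded form, reversed.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".")


def default_resolver(name):
    """Resolve to an IPv4 string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolver=default_resolver):
    """Return (listed, answer).

    Only answers inside 127.0.0.0/8 count as a listing. Any other answer is a
    sign of a broken zone or a resolver returning bogus data, so it is treated
    as 'not listed' rather than blocking legitimate mail on a misconfiguration.
    """
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    listed = ipaddress.ip_address(answer) in LISTED_RANGE
    return listed, answer


def zone_sanity(zone, resolver=default_resolver):
    """RFC 5782 section 5 test: 127.0.0.2 is always listed, 127.0.0.1 never is.

    A zone that fails this is dead or has started wildcarding everything, and
    a mail server should stop consulting it until that is fixed.
    """
    listed_ok, _ = is_listed("127.0.0.2", zone, resolver)
    unlisted_ok, _ = is_listed("127.0.0.1", zone, resolver)
    return listed_ok and not unlisted_ok


# Constructed answers standing in for a DNSBL zone so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "10.113.0.203.dnsbl.example": "127.0.0.2",  # constructed: a listed spam host
    "2.0.0.127.dnsbl.example": "127.0.0.2",     # RFC 5782 'always listed' test entry
    # 1.0.0.127.dnsbl.example is deliberately absent: NXDOMAIN, not listed
}


def fake_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    print("zone sane:", zone_sanity("dnsbl.example", fake_resolver))
    for client in ("203.0.113.10", "192.0.2.1"):
        print(client, is_listed("203.0.113.10" if client == "203.0.113.10" else client,
                                "dnsbl.example", fake_resolver))
```

This is the same lookup a Postfix `reject_rbl_client` restriction performs on every connecting client, which is also why a brand-new server set up for one spear-phishing campaign sails through: it has no history, so nobody has listed it yet.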
These three technologies give you the biggest bang for your buck, and when you combine them with security awareness training, you are a much harder target to attack and the bad guys likely just move on to your competitor who might be easier to hack. (Hat Tip to Emmanuel Carabott of GFI)