
Anatomy of a Spearphishing Attack

Intrusion Process Cycle Explained w/Video Demo

In blogs past, we have discussed the importance of cyber security and how it is one of the most important pieces of the information assurance puzzle. One of the greatest problems we continue to face as network defenders and information assurance professionals is human error. We spend millions of dollars on technologies built to protect, block and alert when our IT systems come under fire, yet many times the user is the very reason the attack succeeds.

The Target, The User
The user is a soft, fleshy decision-making machine with something our computing systems do not have: free will. It is that very free will that lets the user decide whether to open an email and its attachment, click on a link that appears legitimate, or report the message as a potential spearphishing attempt. Easily fooled, caught off guard or simply unaware of the threat, the user remains the easiest control to bypass on the way into your internal network.

Technical Controls vs. User Awareness
Technical controls can only offer so much protection from and for the user, which means the gaps in protection against social engineering attacks are not only technical but also educational. Only when users understand their own susceptibility to socially engineered attacks will they exercise proper caution before opening an email or clicking a web link. There is no silver bullet where security is concerned; it must be designed and implemented in layers, each one adding to the attacker's difficulty, and security education and awareness training is one of those layers.

The Attacker
It takes an adversary very little time to craft a believable message that will entice a user to click on a link or open an attachment. Below is the typical, high-level process most adversaries follow before, during and after an attack. It is common to attackers of all skill levels, including Advanced Persistent Threats, and is extremely repeatable.

The Processes Defined
The process starts with the attacker identifying a target and then researching it to gather as much information as possible. Generally, all the attacker needs is a name, an email address and some personal details (e.g. employer, personal interests or hobbies). From there, the adversary writes a believable spearphishing message designed to entice the target to open it and follow the link. The attacker may spoof the sender so that the message appears to come from a colleague, a friend or even a family member, increasing the likelihood of compromise.
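The sender spoofing described above leaves traces a defender can check for on the receiving side: an address hidden inside the display name that does not match the real sender, a Reply-To pointing somewhere else, a sender or link domain that is one character away from a trusted one, link text that shows one host while the href points to another, and an attachment type that carries a payload. The following script is an added example, not code from the post or from Cyber Squared; `TRUSTED_DOMAINS`, `RISKY_EXTENSIONS`, the two-edit look-alike threshold and the sample message are all assumptions constructed for the demonstration.

```python
"""Flag spearphishing indicators in a raw RFC 5322 message (added example; not code from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this organisation trusts; anything that merely resembles one is suspect.
TRUSTED_DOMAINS = {"example.com"}
# Attachment types that commonly carry the initial payload (assumed list, extend to taste).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".lnk", ".docm", ".xlsm", ".zip"}
_domain = lambda address: address.rsplit("@", 1)[-1].lower()  # part after the @, lower-cased


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs so the shown link can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a, b):  # Levenshtein distance, used to spot typosquatted look-alike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    base = ".".join(domain.lower().split(".")[-2:])  # registrable part, e.g. examp1e.com
    if base in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if _edit_distance(base, t) <= 2), None)


def analyze(raw_message):
    """Return human-readable indicators found in the message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    from_domain = _domain(sender)
    # An address inside the display name is a classic spoof: most mail clients show the name, not the address.
    claimed = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(f"display name claims {claimed.group(1).lower()} but sender is {from_domain}")
    # Replies quietly redirected to a domain the apparent sender does not control.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain {from_domain}")
    if lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like trusted domain {lookalike(from_domain)}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            suffix = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
            if suffix in RISKY_EXTENSIONS:
                findings.append(f"risky attachment {filename}")
        elif part.get_content_type() == "text/html":
            parser = _LinkExtractor()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in parser.links:
                target = (urlparse(href).hostname or "").lower()
                shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
                if shown and shown.lower() != target:
                    findings.append(f"link text shows {shown.lower()} but points to {target}")
                if lookalike(target):
                    findings.append(f"link target {target} looks like trusted domain {lookalike(target)}")
    return findings


# Constructed sample: display-name spoof, redirected Reply-To, typosquatted sender, mismatched link, risky attachment.
SAMPLE_MESSAGE = """\
From: "Pat Smith <pat.smith@example.com>" <pat.smith@examp1e.com>
Reply-To: pat.smith@mail-examp1e.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Alex, the photos are here:
<a href="http://files.examp1e.com/p.php">https://drive.example.com/share/photos</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photos.zip.scr"

--b1--
"""
```

Running `analyze(SAMPLE_MESSAGE)` returns six findings for the constructed message and an empty list for a plain message from a trusted domain. None of these checks is conclusive on its own (legitimate mailing lists rewrite Reply-To, for instance), which is why the function returns every indicator rather than a verdict: the score, and the decision to quarantine or merely warn, belong to the mail gateway policy around it.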

  • Sourcing Information - Choosing a target and researching it. The information is collected in ways that do not alert the target (search engines, online white pages, social networking sites). Knowing the target makes it possible to craft a personal message convincing enough to get them to perform the desired action (open an attachment or click on a web link within the email).
  • Crafting the Spearphish - Using the information collected, the message is written so that the target believes it to be legitimate: a plausible sender, a subject the target cares about and a link or attachment the target has a reason to open.
  • Obtaining Access - The initial compromise of the host, either through a malicious attachment or through a web link to a malicious website hosting a browser or Java exploit. This initial foothold gives the adversary the vector for follow-on actions after exploitation; elevating privileges and creating services and registry keys for persistence are just a few of them.
  • Stealing Data - Once in, the attacker begins interrogating the compromised host for anything of interest. Word documents, Excel spreadsheets, PDF files and plain text files are immediate targets for exfiltration. Depending on the kind of access the attacker has, the initial action may resemble a "smash and grab" robbery. If the attacker is not worried about being caught or losing persistence, they may instead take the time to be more selective about what they steal, because every byte that leaves the compromised host is another chance for the attacker to be caught.
  • Moving Laterally - A common phrase in the CND community and among penetration testers for moving from the initially compromised host to other hosts on the same network. It benefits the attacker in several ways: it distances them and their actions from the initial vector of compromise (the host most likely to be detected), and it reaches information and systems the first host could not. The deeper the attacker gets, the harder it is to fully remove their access; if the attacker has spread across the network, there is an increased chance that some access will remain even after the intrusion is detected.
  • Maintaining Access - Its position in the process varies, but establishing access beyond the initial attack vector is essential for long-term access. If the attacker did not find what they were looking for during the initial attack, they will need to return to keep looking, and if they have a particular system in mind, persistent backdoors buy them the time to reach it.
  • Analyzing the Stolen Data - Here the attacker works through the data removed from the compromised host or hosts. If the attacker is satisfied with what they have, there is no need to return to the intrusion, but that is rarely the case; more often than not there is more to steal, and it helps the attacker if the victim remains completely unaware of their presence.
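The lateral movement and persistence steps above are where the attacker becomes visible to the host and authentication logs rather than the mail gateway. One practical detection is fan-out: an account that, from one workstation, reaches several other hosts over network or RDP logons within a few minutes, which normal users rarely do. The script below is an added example, not code from the post or from Cyber Squared. It assumes Windows Security event 4624 with logon types 3 and 10 as the signal (the field names are simplified from TargetUserName, IpAddress, Computer and LogonType), a ten-minute window and a three-host threshold as untuned starting points, a hypothetical `backup_svc` account on an allowlist, and a constructed list of events.

```python
"""Flag lateral-movement fan-out in Windows logon events (added example; not code from the post)."""
from datetime import datetime, timedelta

# Assumptions: 4624 is a successful logon; types 3 (network) and 10 (RDP) are how an attacker reaches
# other hosts; the window and threshold are starting points to tune against your own baseline.
REMOTE_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3
# Accounts expected to touch many hosts in a short time (hypothetical name for the example).
KNOWN_SERVICE_ACCOUNTS = {"backup_svc"}


def find_lateral_movement(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {user: sorted hosts} for accounts that logged on remotely to at least `threshold`
    distinct hosts inside any `window`-long period. Failed logons and interactive logons are ignored."""
    per_user = {}
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if ev["user"].lower() in KNOWN_SERVICE_ACCOUNTS:
            continue
        per_user.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["time"]), ev["computer"]))

    flagged = {}
    for user, logons in per_user.items():
        logons.sort()
        best = set()
        for i, (start, _) in enumerate(logons):
            # Every logon from `start` up to start + window forms one candidate burst.
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            flagged[user] = sorted(best)
    return flagged


# Constructed sample: jdoe's account, used from the spearphished workstation 10.0.5.142, fans out across
# four hosts in six minutes; asmith's two logons hours apart are normal; the service account is allowlisted.
EVENTS = [
    {"time": "2017-06-01T09:15:02", "event_id": 4624, "logon_type": 3, "user": "jdoe", "source_ip": "10.0.5.142", "computer": "FS01"},
    {"time": "2017-06-01T09:16:40", "event_id": 4624, "logon_type": 3, "user": "jdoe", "source_ip": "10.0.5.142", "computer": "SQL02"},
    {"time": "2017-06-01T09:18:05", "event_id": 4624, "logon_type": 10, "user": "jdoe", "source_ip": "10.0.5.142", "computer": "WS-077"},
    {"time": "2017-06-01T09:21:33", "event_id": 4624, "logon_type": 3, "user": "jdoe", "source_ip": "10.0.5.142", "computer": "DC01"},
    {"time": "2017-06-01T09:25:00", "event_id": 4624, "logon_type": 2, "user": "jdoe", "source_ip": "-", "computer": "WS-142"},
    {"time": "2017-06-01T09:30:00", "event_id": 4625, "logon_type": 3, "user": "jdoe", "source_ip": "10.0.5.142", "computer": "HR01"},
    {"time": "2017-06-01T08:00:10", "event_id": 4624, "logon_type": 3, "user": "asmith", "source_ip": "10.0.5.77", "computer": "FS01"},
    {"time": "2017-06-01T14:10:44", "event_id": 4624, "logon_type": 3, "user": "asmith", "source_ip": "10.0.5.77", "computer": "PRINT01"},
    {"time": "2017-06-01T02:00:00", "event_id": 4624, "logon_type": 3, "user": "backup_svc", "source_ip": "10.0.1.9", "computer": "FS01"},
    {"time": "2017-06-01T02:00:30", "event_id": 4624, "logon_type": 3, "user": "backup_svc", "source_ip": "10.0.1.9", "computer": "SQL02"},
    {"time": "2017-06-01T02:01:00", "event_id": 4624, "logon_type": 3, "user": "backup_svc", "source_ip": "10.0.1.9", "computer": "DC01"},
]

if __name__ == "__main__":
    print(find_lateral_movement(EVENTS))
```

On the constructed events this flags only `jdoe`, reaching DC01, FS01, SQL02 and WS-077. Grouping the same events by `source_ip` instead of by user points back at the pivot host, which is the one to image first; and because the post notes that access tends to survive detection once the attacker has spread, the host list the function returns is also the minimum scope for the persistence sweep that follows.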

Anatomy of a Spearphishing Attack Demonstration
The intrusion process is relatively easy to carry out and highly repeatable. Cyber Squared has put together a short demonstration that illustrates the intrusion process, starting from a spearphishing message, in action here.


Cory Marchand is a trusted subject matter expert on cyber security threats, network and host based assessment and computer forensics. Mr. Marchand has supported several customers over his 10+ years in the field of computer security, including state, federal and military government as well as the private sector. Mr. Marchand holds several industry certifications including CISSP, EnCE, GSEC, GCIA, GCIH, GREM, GSNA and CEH.
