There’s no shortage of interesting points to take away from the Mandiant® report about the Chinese hacking group APT1 released Tuesday, with many of Mandiant’s findings confirming the threat organized attacker teams pose to enterprises.
First and foremost, the report states, “the most commonly observed method of initial compromise is spear phishing.” This backs up our main message for organizations – to remain focused on the core problem of people being the main vulnerability. Organizations need to proactively address this by developing a user base that is resilient to spear phishing attacks. This doesn’t discount the importance of technology (see our blog post about the NY Times breach), but security behavior management can’t be ignored.
Prior to co-founding PhishMe®, I served as the Managing Director of Mandiant’s New York office; and our Executive Vice President, Jim Hansen, served as the Chief Operating Officer at Mandiant. The trends we observed during our time at Mandiant and in the field helped form the basis for PhishMe, and have positioned us to offer numerous features that address many of the tactics discussed in Mandiant’s report.
The report notes that spear phishing emails often deliver malware in the form of zip files attached to the email. This echoes the TrendMicro® report from late 2012, which concluded that 94% of targeted emails use malicious file attachments. Applying our experience in the field, PhishMe has provided our customers the ability to send employees mock phishing emails with zip attachments for years.
Another phishing tactic PhishMe simulates is luring users to enter sensitive data through seemingly genuine webpages. The bottom of page 48 of Mandiant’s report described an example of APT1 creating a false domain designed to mimic a Yahoo! site, with the goal of collecting user login credentials. Traditionally, this type of phishing has been more of a problem for colleges and universities, but clearly the use of stolen credentials is part of the APT game plan and remains a threat to enterprise security. It took our development team quite a bit of engineering to safely simulate this attack vector without executing code and ensuring that we don’t collect the sensitive data.
While PhishMe has offered the above-mentioned features to our customers for some time, we continue to roll out new features based on patent-pending technologies to address tactics used by groups such as APT1. Page 29 of the Mandiant report cited an example of the recipient of a phishing email interacting with APT1 in a conversational manner, with the APT1 attackers establishing both authenticity and trustworthiness by sending a benign email encouraging the recipient to interact with another email containing the malware. PhishMe recently rolled out a feature, called Double Barrel, which allows our customers to immerse their employees in this experience; something we’ll discuss in greater detail in an upcoming blog post.
In describing the nature of phishing emails, Mandiant noted that they often contain information relevant to the recipient found via Internet searches, such as a name of a colleague (the report described an email sent to Mandiant employees under CEO Kevin Mandia’s name, but from a free webmail account, a tactic we discussed in a previous blog). TrendMicro’s report echoed this finding. With PhishMe’s new Highly Visible Target Identifier, customers can scour such data with the click of a few buttons to find which of their employees have highly visible online presences, and are thus more likely to be sent targeted phishing emails.
Mandiant’s report also described the high costs of launching a phishing campaign, noting that APT1 controlled a large infrastructure of physical systems and hundreds of domains. The large investment required to carry out attacks means that attackers are trying to maximize the use of those resources by sending large batches of emails rather than targeting 1 or 2 users. This is consistent with trends our customers have reported to us, and underscores the need to train your entire user base, as hundreds of employees may receive a phishing email at once.
Mandiant’s findings are fascinating, and can’t be addressed in one blog post. However, from the spear phishing standpoint, the report provides confirmation of what PhishMe has known for a while: APT will try to gain a foothold in enterprise systems through the employees. By focusing on improving employee resilience to spear phishing attacks, enterprises can greatly reduce susceptibility to a breach. In fact, attack detection windows can be reduced when trained employees call these attacks in. Our history in this space helped make PhishMe an industry-leading, world-class product; and we will continue to rely on our industry connections and reports from our customers to make sure we stay ahead of the curve.