Detecting Targeted Spearphishing Campaigns in the Preparation Phase

Webinar Registration

When you’re swimming along a coral reef with a speargun, a funny sensation will sometimes remind you that the hunter can become the hunted, and that’s when you look over your shoulder for those big jaws. In this Real Training for Free session, I’ll show how you can turn the tables on spearphishers in cyberspace. We’re talking about going on the hunt: looking for attackers getting ready to target your organization.

The difference between fishing and spearfishing is instructive for understanding the difference between phishing and spear phishing. I enjoy real spearfishing, the kind where you get wet. Spearfishing is totally different from fishing with a hook. It’s an immersive (pun intended) experience in which you are hunting in another world, and you pick your prey, as opposed to line fishing, where the prey picks you.

Similarly, there are two kinds of bad guys in the phishing world: generalized phishers and targeted spear phishers. A lot of phishing detection depends on heuristics or signatures designed to detect and stop a phishing email, but phishers keep evolving their tactics and are often able to evade those detection mechanisms. Most threat intel feeds and other anti-phishing technologies are aimed at generalized phishing rather than spear phishing. It’s easier to catch generalized phishing, share information about it, and build detections for it, but that only catches generalized phishers. What about when you are specifically targeted?

A lot of anti-phishing technology is good at detecting and stopping general, widespread campaigns. But what about when your organization is specifically targeted? Spearphishers mount persistent and dangerous campaigns, especially around business email compromise and intellectual property theft. Because these campaigns are persistent and ongoing, however, we have a chance to get out ahead of them by detecting the preparation phase and profiling the attacker and the campaign. The key is early detection of the domains and IPs that the phisher intends to use.

Here's how it unfolds:

  1. Attacker decides to go after a particular target, and registers one or more domains mimicking the victim organization and/or other businesses in close relationships with that victim (e.g. if you wanted to steal Apple's plans for the next iPhone, you might pose as someone at their contract manufacturer Foxconn to gain unauthorized access)
  2. Would-be victim (defender) detects these registrations
  3. The defender blocks those domains, but also...
  4. ...starts digging into correlated infrastructure
  5. ...and blocks anything closely tied to the original spoof domain(s)
  6. From here, the defender may choose to start monitoring other things besides just detecting other cybersquatting domains. For example, watch name servers, IPs, registrants, etc.
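To make the defender side of steps 2 through 5 concrete, here is an added example (not code from the webinar, the presenter, or DomainTools) of how a watch list of an organization's own and partner domains can be compared against a daily feed of new domain registrations, and how confirmed lookalikes can then be pivoted on shared name servers or registrant contacts. All domains, name servers and registrant addresses below are constructed; the feed format, the `HOMOGLYPHS` table and the single-level TLD assumption are simplifications for the example.

```python
"""Flag newly registered lookalike domains and pivot on shared infrastructure.

Added example for this page; all data is constructed and every host name is invented.
"""

# Constructed watch list: the organization's own domain plus a close partner
# (the kind of pairing step 1 of the text describes).
WATCHED_DOMAINS = ["examplecorp.com", "examplepartner.com"]

# Constructed sample of a new-registration feed. Each record carries two fields
# a defender pivots on in step 4: the name server and the registrant contact.
NEW_REGISTRATIONS = [
    {"domain": "exanplecorp.com",        "ns": "ns1.hosta.example", "registrant": "a@mail.example"},
    {"domain": "examplecorp-login.com",  "ns": "ns1.hosta.example", "registrant": "a@mail.example"},
    {"domain": "examp1epartner.com",     "ns": "ns2.hostb.example", "registrant": "a@mail.example"},
    {"domain": "secure-docs-portal.net", "ns": "ns4.hostd.example", "registrant": "a@mail.example"},
    {"domain": "weather-report.net",     "ns": "ns9.hostz.example", "registrant": "z@mail.example"},
    {"domain": "examplecorp.co",         "ns": "ns3.hostc.example", "registrant": "c@mail.example"},
]

# Common visual substitutions (assumed short table for the example). Only
# unambiguous ones are listed so that reversing them never corrupts real letters.
HOMOGLYPHS = {"l": "1", "o": "0", "e": "3", "a": "4", "m": "rn"}


def label(domain):
    """Return the registrable label, dropping the TLD (single-level TLDs assumed)."""
    return domain.lower().rsplit(".", 1)[0]


def levenshtein(a, b):
    """Classic edit distance; small enough here that a quadratic DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate, watched):
    """Explain why `candidate` resembles `watched`, or return None if it does not."""
    if candidate.lower() == watched.lower():
        return None  # the genuine domain is not a lookalike of itself
    c, w = label(candidate), label(watched)
    if c == w:
        return "tld-swap"
    if w in c:
        return "contains-brand"
    # Undo homoglyph substitutions and see whether the brand label reappears.
    norm = c
    for letter, glyph in HOMOGLYPHS.items():
        norm = norm.replace(glyph, letter)
    if norm != c and norm == w:
        return "homoglyph"
    # Single-character typos; short labels are excluded to limit false positives.
    if len(w) >= 6 and levenshtein(c, w) <= 1:
        return "edit-distance-1"
    return None


def flag_lookalikes(registrations, watched=WATCHED_DOMAINS):
    """Step 2: return feed records that resemble any watched domain, with the reason."""
    hits = []
    for rec in registrations:
        for w in watched:
            reason = lookalike_reason(rec["domain"], w)
            if reason:
                hits.append({**rec, "target": w, "reason": reason})
                break
    return hits


def pivot_on_infrastructure(hits, registrations, keys=("ns", "registrant")):
    """Steps 4 and 5: domains in the feed that share a name server or registrant
    with a confirmed lookalike but were not themselves flagged by name."""
    flagged = {h["domain"] for h in hits}
    seen = {(k, h[k]) for h in hits for k in keys}
    return sorted(
        r["domain"] for r in registrations
        if r["domain"] not in flagged and any((k, r[k]) in seen for k in keys)
    )


if __name__ == "__main__":
    found = flag_lookalikes(NEW_REGISTRATIONS)
    for h in found:
        print(f"block {h['domain']:24} ({h['reason']} vs {h['target']})")
    for d in pivot_on_infrastructure(found, NEW_REGISTRATIONS):
        print(f"review {d:24} (shares infrastructure with a flagged domain)")
```

The pivot step is deliberately reported as "review" rather than "block": a shared registrant or name server is a strong lead, but a name server at a large hosting provider is shared by thousands of legitimate domains, which is why step 5 in the text speaks of infrastructure *closely* tied to the spoof domain. In practice the keys you pivot on should be weighted by how unique they are.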

Proactive detection and blocking of emerging campaigns is effective and often fairly straightforward, but doing it requires some advanced technology and information, and that’s where our sponsor DomainTools comes in. Tim Helming will walk us through this process using two very cool DomainTools technologies: the phishing domain detection tool PhishEye and the infrastructure investigation tool Iris.

Please join us for this Real Training for Free session.
