Spear phishing is an attempt to entice a specifically targeted victim to open a malicious attachment or visit a malicious website with the intent of gaining insight into confidential data and/or acting on nefarious objectives against the victim’s organization.
A common tactic used by an attacker is a spoofed email address designed to look like it’s coming from a source that is trusted by the victim. Reconnaissance and social engineering tactics may also help produce content and wording that makes the delivery email more believable to the victim.
A motivated attacker can get a weaponized file through traditional signature-based email security solutions. Traditional tools must rely on signatures and are easily left blind by intentional obfuscation of attachments and embedding of unique malicious code. In order to effectively respond to spear phishing attacks, defenders must maximize visibility into each stage of the attack lifecycle in order to understand the delivery mechanism, the infection (i.e. did the user fall for it), and the impact to the business by having full visibility into network, endpoint, and user activity.
Customer values/problems solved
- The ability to reconstruct the entire email session (analysts are great at confirming whether an email is truly phishing) as well as extract and perform analysis on all attachments is crucial to understanding the delivery mechanism.
- The capability to extract the initial payload is an invaluable way for investigators to perform deep analysis on potentially malicious files.
- Furthermore, the only way to truly determine whether or not an end user fell victim to the attack is to have deep visibility into the endpoint without relying on signature-based anti-virus solutions (a motivated attacker can easily evade AV).
- RSA NetWitness Suite