We just attended the RSA Conference 2013 in San Francisco. The conference presented a vast array of products and technologies to defend systems.
We think the most important security information did not come from the RSA Conference — it came from Mandiant.
Mandiant’s groundbreaking report APT1 – Exposing One of China’s Cyberespionage Units provides a case study of the process we have termed Chasing What’s Already Gone – the cycle of:
- spearphishing attack
- unique exploit installation
- surreptitious command & control
- discovery
- remediation
- repeat
How did the bad guys respond to the Mandiant report? They used the report itself as spearphishing bait to deliver exploits!
A small number of well crafted emails will be delivered. These emails will be specifically written to deceive the recipient into taking an action (most often open an attachment). These emails will exploit the three factors that drive email interactions:
- relevance
- urgency clues
- recipient habits
As Mandiant makes clear, email weapons are cleverly crafted so that they are NOT suspicious. The integrity of your systems depends upon the decisions of staff in the face of clever and persistent deception. Telling employees not to open suspicious attachments, while sound advice, is unhelpful in the face of deceptive emails that are not suspicious. While all spearphishing emails are deceptive, all deceptive emails are not suspicious. Avoiding suspicion is the job of the spearphisher.
Employees’ email decisions compromise security. IT needs to help employees make better email processing decisions. That is where SP Guard comes into play. Using SP Guard, IT can determine a list of trusted senders and provide this information to staff. In the SP Guard environment, staff can easily distinguish a trusted HR email from a spoof HR email.
You can contact us at 408-727-6342,ext 3 or use our online form.