Promoting mistrust: thwarting spear phishing cyber threats

companies and malware authors find helpful. Other information may be found in Securities and Exchange Commission (SEC) filings, or even on an organization’s own Web site.

“There are lots of open sources of information that will increase the chances of eliciting a response in spear phishing,” Howard said. “We are looking at a way to warn users based on this information. We’d like to see e-mail systems smart enough to let users know that information contained in a suspect message is from an open source and suggest they be cautious.”

Other techniques to counter the attacks may come from having access to all the traffic entering a corporate network.

To increase their chance of success, criminals attempting to access a corporate network often target more than one person in an organization. Network security tools could use information about similar spear phishing attempts to warn other members of an organization. By having access to all e-mail, security systems could learn what’s “normal” for each individual — and recognize unusual e-mail that may be suspicious.

“We are looking at building behavioral patterns for users so we’d know what kinds of e-mail they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard said. “We think the real answer is to keep malicious e-mail from ever getting into a user’s in-box, but that is a much more difficult problem.”

It is difficult because organizations today depend on receiving, opening, and responding to e-mail from customers. Deleting or even delaying e-mails can have a high business cost.

“What we do requires a careful balance of protecting the user, but allowing the user to get his or her job done,” he said. “Like any security challenge we have to balance that.”

These and other strategies will be part of Phalanx, a new product being developed by GTRI researchers to protect corporate networks from spear phishing. It will be part of Titan, a dynamic framework for malicious software analysis that GTRI launched last spring.

Among the challenges ahead are developing natural language algorithms that can quickly separate potential spear phishing attacks from harmless e-mails. That could be done by searching for language indicating a request such as “open this attachment” or “verify your password.”
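The signals described above (request language, a per-user picture of "normal" senders, and the same message reaching several people in one organization) can be combined in a small triage routine. The following Python sketch is an added example, not code from GTRI or Phalanx; the phrase patterns beyond the two quoted in the article, the scoring rule, and all addresses and messages are constructed assumptions.

```python
import re
from collections import defaultdict

# The two phrases quoted in the article, plus close variants (assumed).
REQUEST_PATTERNS = [
    re.compile(r"\bopen\s+(?:this|the)\s+attach(?:ment|ed)\b", re.I),
    re.compile(r"\b(?:verify|confirm)\s+your\s+password\b", re.I),
]

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def request_phrases(body):
    """Return the request-style phrases found in a message body."""
    return [m.group(0).lower() for p in REQUEST_PATTERNS for m in p.finditer(body)]

def build_baseline(history):
    """Map each recipient to the sender domains they normally hear from."""
    seen = defaultdict(set)
    for recipient, sender in history:
        seen[recipient].add(domain(sender))
    return seen

def triage(inbound, baseline):
    """Warn only when request language coincides with another signal (assumed rule)."""
    campaign = defaultdict(set)  # (sender domain, subject) -> recipients
    for m in inbound:
        campaign[(domain(m["from"]), m["subject"].lower())].add(m["to"])
    results = []
    for m in inbound:
        reasons = []
        if request_phrases(m["body"]):
            reasons.append("request-language")
        if domain(m["from"]) not in baseline.get(m["to"], set()):
            reasons.append("unusual-sender")
        if len(campaign[(domain(m["from"]), m["subject"].lower())]) > 1:
            reasons.append("multi-recipient")
        warn = "request-language" in reasons and len(reasons) >= 2
        results.append((m["to"], m["subject"], warn, reasons))
    return results

# Constructed sample data (not from the article).
HISTORY = [("alice@corp.example", "bob@partner.example"), ("carol@corp.example", "news@vendor.example")]
INBOUND = [
    {"to": "alice@corp.example", "from": "hr@c0rp-benefits.example", "subject": "Benefits update", "body": "Please open this attachment and verify your password."},
    {"to": "carol@corp.example", "from": "hr@c0rp-benefits.example", "subject": "Benefits update", "body": "Please open this attachment today."},
    {"to": "alice@corp.example", "from": "bob@partner.example", "subject": "Q3 invoice", "body": "Could you open the attachment and confirm totals?"},
    {"to": "carol@corp.example", "from": "news@vendor.example", "subject": "Newsletter", "body": "Our monthly news."},
]
```

A request from a sender the recipient already corresponds with is recorded but not escalated, which reflects the balance between protecting users and letting them get their work done.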

The release notes that GTRI researchers have been gaining experience with corporate networks based on security evaluations they have done, and work with GTRI’s own network — which receives millions of e-mails each day. Fortunately, they say, it is not just the bad guys who are learning more.

“The chief financial officers of companies now understand the financial impacts of spear phishing, and when they join forces with the chief information officers, there will be an urgency to address this problem,” he added. “Until then, users are the front line defense. We need every user to have a little paranoia about e-mail.”