Spear Phishing: Extracting the sting from infected documents

Targeted emails with infected attachments are the hacker's weapon of choice, but there are ways to avoid being spiked by spear phishing, says Noam Green.


What links the high-profile data breaches at leading retailers Target and Neiman Marcus, health insurance giant Anthem, and Sony Pictures?  They all started with a carefully-crafted spear phishing attack, using emails with malware-spiked document attachments that were designed to look legitimate, targeting specific employees within the organisation. 

Spear phishing is the most common type of targeted attack technique for a very simple reason:  it works, fooling even security-savvy users and giving hackers a foothold on networks.  Research done in 2014 across over 10,000 organisations worldwide found that 84 percent had downloaded an infected document in the past 12 months.  It's relatively easy for a hacker to profile an organisation or individual from the company's online presence, and create an email that can trick even a vigilant employee into opening that infected document and launching the malware attack.

Evading detection

The problem is compounded by the way that traditional signature-based anti-virus products work.  They're fast, but can only catch malware that has already been identified:  they cannot detect new, zero-day malware infections.  This matters because the code behind most new infections is concealed in the common file types we all use for business (emails, Word documents, PDFs, Excel spreadsheets and so on), and hacker toolkits exist that obfuscate the embedded scripts so that they evade signature matching.  As a result, conventional antivirus offers only around 93 percent accuracy.

Sandboxing solutions provide a useful additional method of stopping unidentified and zero-day malware, but in some cases take several minutes before the threat is detected, which in turn exposes the network to the risk of infection.  Some sandboxing solutions deliver around 95 percent accuracy.

And while security awareness training can offer some mitigation of the spear-phishing threat, it is not infallible:  people are innately trusting, and want to do their jobs as efficiently as they can.  They're not always going to think twice about whether an email attachment is legitimate, or a potential attack. 

So a new approach is needed to address these threats and eliminate malware before it has the opportunity to reach employees' email inboxes.

Trust nothing

Conventional anti-malware techniques involve a 'trust, but verify' approach of inspecting file attachments to see if they harbour malware, and then blocking them.  But this doesn't deliver the accuracy of detection necessary to fully protect networks against potential risks.

Isn't it better from a security standpoint to invert this thinking, and assume that any attached document is always infected – and cleanse it of any potential threat before passing it to the user, so that the risk of attack using this vector is removed completely?

This approach is called threat extraction.  It works at the organisation's network gateway level, inspecting emails in real time as they arrive at the gateway.  Documents attached to emails are deconstructed, and any content or code that is identified as malware or can be exploited, such as macros, embedded objects and files, and external links, is removed.  The document is then reconstructed with known safe elements, and forwarded to the intended recipient, either in the original file format or as a locked-down PDF, according to the organisation's IT team's requirements.   This entire process takes less than a second, pre-emptively eliminating the risks from infected files.
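The deconstruct, strip and rebuild step described above, as an added Python illustration that is not Check Point's code: it opens a .docx package, drops the macro and embedded-object parts, removes the relationships and markup that reference them or point at external links, and rebuilds the package from what remains. The sample package, part names and regular expressions are constructed for this example; a production engine re-parses every remaining part into a known-good model and rewrites [Content_Types].xml rather than filtering the original bytes.

```python
import io, re, zipfile

# Parts stripped outright (macros, embedded OLE/files) and relationship types that point at active content or outside the document; constructed for this example.
RISKY_PARTS = (re.compile(r"^word/vbaProject\.bin$"), re.compile(r"^word/embeddings/"))
RISKY_REL_TYPES = ("/vbaProject", "/oleObject", "/package", "/hyperlink")

def clean_rels(xml, removed, part):
    for rel in re.findall(r"<Relationship\b[^>]*/>", xml):  # drop rels to macros, OLE, external targets
        if any(t in rel for t in RISKY_REL_TYPES) or 'TargetMode="External"' in rel:
            removed.append(part + ":" + re.search(r'Id="([^"]+)"', rel).group(1))
            xml = xml.replace(rel, "")
    return xml

def extract_threats(docx_bytes):
    """Deconstruct a .docx, copy only known-safe content, rebuild it -> (bytes, removed)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if any(p.match(name) for p in RISKY_PARTS):
                removed.append(name)  # macro or embedded object: never copied across
                continue
            data = src.read(name)
            if name.endswith(".rels"):
                data = clean_rels(data.decode(), removed, name).encode()
            elif name == "word/document.xml":  # keep link text, drop the link and OLE objects
                xml = re.sub(r"<w:hyperlink\b[^>]*>(.*?)</w:hyperlink>", r"\1", data.decode(), flags=re.S)
                data = re.sub(r"<w:object\b[^>]*>.*?</w:object>", "", xml, flags=re.S).encode()
            dst.writestr(name, data)
    return out.getvalue(), removed

def build_sample_docx():
    """Constructed, minimal macro-enabled package standing in for an email attachment."""
    ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    parts = {
        "word/document.xml": '<w:document><w:body><w:p><w:r><w:t>Invoice </w:t></w:r>'
            '<w:hyperlink r:id="rId3"><w:r><w:t>attached</w:t></w:r></w:hyperlink>'
            '<w:object><o:OLEObject r:id="rId2"/></w:object></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": "<Relationships>"
            f'<Relationship Id="rId1" Type="{ns}vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{ns}oleObject" Target="embeddings/oleObject1.bin"/>'
            f'<Relationship Id="rId3" Type="{ns}hyperlink" Target="http://example.invalid/" TargetMode="External"/>'
            f'<Relationship Id="rId4" Type="{ns}styles" Target="styles.xml"/></Relationships>',
        "word/vbaProject.bin": b"\x00macro bytes\x00",
        "word/embeddings/oleObject1.bin": b"\x00ole bytes\x00",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

The returned `removed` list is the per-message record a gateway would log so that security teams can spot patterns across received files.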

So for a majority of files the process is completely transparent, as most documents do not have embedded content or macros. This means employees will not notice any delay in receiving files. 

Of course, in some instances, a complex document (such as a PowerPoint presentation) may come from a legitimate source and be benign, but still contain macros and embedded objects which threat extraction would remove.   In these cases, as well as forwarding the cleansed document, the original file can be retained so that it can be analysed by conventional anti-virus and sandboxing approaches to determine if it is safe, and if so the user can be given access to it.  The solution also logs the instances of malware identified in received files, enabling security teams to identify patterns that would indicate a concerted campaign specifically targeting an organisation.

This threat extraction approach could offer a critical layer of protection for organisations against destructive malware that arrives in targeted emails – helping to take the sting out of spear phishing.

Contributed by Noam Green, product manager, Check Point