{"181491":{"#nid":"181491","#data":{"type":"news","title":"Spear Phishing: Researchers Work to Counter Email Attacks that Gain Recipients\u2019 Trust","body":[{"value":"\u003Cp\u003EThe email resembled the organization\u2019s own employee e-newsletter and asked recipients to visit a website to confirm that they wanted to continue receiving the newsletter. Another email carried an attachment it said contained the marketing plan the recipient had requested at a recent conference. A third email bearing a colleague\u2019s name suggested a useful website to visit.\u003C\/p\u003E\u003Cp\u003ENone of these emails were what they pretended to be. The first directed victims to a website that asked for personal information, including the user\u2019s password. The second included a virus launched when the \u201cmarketing plan\u201d was opened. The third directed users to a website that attempted to install a malicious program.\u003C\/p\u003E\u003Cp\u003EAll three are examples of what information security experts at the Georgia Tech Research Institute (GTRI) say is the most challenging threat facing corporate networks today: \u201cspear phishing.\u201d\u003C\/p\u003E\u003Cp\u003EGeneric emails asking employees to open malicious attachments, provide confidential information or follow links to infected websites have been around for a long time. What\u2019s new today is that the authors of these emails are now targeting their attacks using specific knowledge about employees and the organizations they work for. The inside knowledge used in these spear phishing attacks gains the trust of recipients.\u003C\/p\u003E\u003Cp\u003E\u201cSpear phishing is the most popular way to get into a corporate network these days,\u201d said Andrew Howard, a GTRI research scientist who heads up the organization\u2019s malware unit. \u201cBecause the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.\u201d\u003C\/p\u003E\u003Cp\u003EThe success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.\u003C\/p\u003E\u003Cp\u003E\u201cOrganizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it,\u201d Howard said. \u201cIt\u2019s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.\u201d\u003C\/p\u003E\u003Cp\u003EHoward and other GTRI researchers are now working to help email recipients by taking advantage of the same public information the malware authors use to con their victims. Much of that information comes from social media sites that both companies and malware authors find helpful. Other information may be found in Securities and Exchange Commission (SEC) filings, or even on an organization\u2019s own website.\u003C\/p\u003E\u003Cp\u003E\u201cThere are lots of open sources of information that will increase the chances of eliciting a response in spear phishing,\u201d Howard said. \u201cWe are looking at a way to warn users based on this information. We\u2019d like to see email systems smart enough to let users know that information contained in a suspect message is from an open source and suggest they be cautious.\u201d\u003C\/p\u003E\u003Cp\u003EOther techniques to counter the attacks may come from having access to all the traffic entering a corporate network.\u003C\/p\u003E\u003Cp\u003ETo increase their chance of success, criminals attempting to access a corporate network often target more than one person in an organization. Network security tools could use information about similar spear phishing attempts to warn other members of an organization. And by having access to all email, security systems could learn what\u2019s \u201cnormal\u201d for each individual \u2013 and recognize unusual email that may be suspicious.\u003C\/p\u003E\u003Cp\u003E\u201cWe are looking at building behavioral patterns for users so we\u2019d know what kinds of email they usually receive. When something comes in that\u2019s suspicious, we could warn the user,\u201d Howard said. \u201cWe think the real answer is to keep malicious email from ever getting into a user\u2019s in-box, but that is a much more difficult problem.\u201d\u003C\/p\u003E\u003Cp\u003EIt\u2019s difficult because organizations today depend on receiving, opening and responding to email from customers. Deleting or even delaying emails can have a high business cost.\u003C\/p\u003E\u003Cp\u003E\u201cWhat we do requires a careful balance of protecting the user, but allowing the user to get his or her job done,\u201d he said. \u201cLike any security challenge we have to balance that.\u201d\u003C\/p\u003E\u003Cp\u003EThese and other strategies will be part of Phalanx, a new product being developed by GTRI researchers to protect corporate networks from spear phishing. It will be part of Titan, a dynamic framework for malicious software analysis that GTRI launched last spring.\u003C\/p\u003E\u003Cp\u003EAmong the challenges ahead are developing natural language algorithms that can quickly separate potential spear phishing attacks from harmless emails. That could be done by searching for language indicating a request such as \u201copen this attachment\u201d or \u201cverify your password.\u201d\u003C\/p\u003E\u003Cp\u003EGTRI researchers been gaining experience with corporate networks based on security evaluations they\u2019ve done, and work with GTRI\u2019s own network \u2013 which receives millions of emails each day. Fortunately, they say, it\u2019s not just the bad guys who are learning more.\u003C\/p\u003E\u003Cp\u003E\u201cThe chief financial officers of companies now understand the financial impacts of spear phishing, and whey they join forces with the chief information officers, there will be an urgency to address this problem,\u201d he added. \u201cUntil then, users are the front line defense. We need every user to have a little paranoia about email.\u201d\u003Cbr \/\u003E\u003Cbr \/\u003E\u003Cstrong\u003EResearch News\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cstrong\u003EGeorgia Institute of Technology\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cstrong\u003E177 North Avenue\u003C\/strong\u003E\u003Cbr \/\u003E\u003Cstrong\u003EAtlanta, Georgia\u0026nbsp; 30332-0181\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EMedia Relations Contact\u003C\/strong\u003E: John Toon (404-894-6986)(\u003Ca href=\u0022mailto:jtoon@gatech.edu\u0022\u003Ejtoon@gatech.edu\u003C\/a\u003E)\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EWriter\u003C\/strong\u003E: John Toon\u003C\/p\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003EResearchers at the Georgia Tech Research Institute (GTRI) are working to counter threats from spear phishing. The attacks use knowledge of computer users to gain their trust to break into corportate networks.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"Georgia Tech researchers are working to counter spear phishing threats to corporate networks."}],"uid":"27303","created_gmt":"2013-01-08 13:30:02","changed_gmt":"2016-10-08 03:13:26","author":"John Toon","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2013-01-08T00:00:00-05:00","iso_date":"2013-01-08T00:00:00-05:00","tz":"America\/New_York"},"extras":[],"hg_media":{"181471":{"id":"181471","type":"image","title":"Countering Spear Phishing","body":null,"created":"1449179053","gmt_created":"2015-12-03 21:44:13","changed":"1475894828","gmt_changed":"2016-10-08 02:47:08","alt":"Countering Spear Phishing","file":{"fid":"196045","name":"spear-phishing19.jpg","image_path":"\/sites\/default\/files\/images\/spear-phishing19_0.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/spear-phishing19_0.jpg","mime":"image\/jpeg","size":1486746,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/spear-phishing19_0.jpg?itok=qTWFxyAJ"}},"181481":{"id":"181481","type":"image","title":"Countering Spear Phishing2","body":null,"created":"1449179053","gmt_created":"2015-12-03 21:44:13","changed":"1475894828","gmt_changed":"2016-10-08 02:47:08","alt":"Countering Spear Phishing2","file":{"fid":"196046","name":"spear-phishing135.jpg","image_path":"\/sites\/default\/files\/images\/spear-phishing135_0.jpg","image_full_path":"http:\/\/www.tlwarc.hg.gatech.edu\/\/sites\/default\/files\/images\/spear-phishing135_0.jpg","mime":"image\/jpeg","size":1522508,"path_740":"http:\/\/www.tlwarc.hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/spear-phishing135_0.jpg?itok=Wu64DGww"}}},"media_ids":["181471","181481"],"groups":[{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"}],"keywords":[{"id":"415","name":"Georgia Tech Research Institute"},{"id":"416","name":"GTRI"},{"id":"2678","name":"information security"},{"id":"7772","name":"malware"},{"id":"169546","name":"spear phishing"},{"id":"4292","name":"virus"}],"core_research_areas":[{"id":"39431","name":"Data Engineering and Science"},{"id":"39481","name":"National Security"},{"id":"39501","name":"People and Technology"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003EJohn Toon\u003C\/p\u003E\u003Cp\u003EResearch News\u003C\/p\u003E\u003Cp\u003E(404) 894-6986\u003C\/p\u003E\u003Cp\u003E\u003Ca href=\u0022mailto:jtoon@gatech.edu\u0022\u003Ejtoon@gatech.edu\u003C\/a\u003E\u003C\/p\u003E","format":"limited_html"}],"email":["jtoon@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}