Security firms slow to react to spear phishing like that used in China hack

Email security vendors have failed to do enough to protect customers against advanced cyberattacks like the one recently linked to the Chinese military, experts say.

Vendors have needlessly left customers exposed to spear phishing, which is the most effective way hackers have of penetrating corporate networks. The technique involves scouring the Web for information related to the target in order to craft an email most likely to trick the person into clicking an attachment or visiting a malicious website.

"The players that have had email and Web security solutions have failed at their job," Rick Holland, an analyst at Forrester Research, said on Wednesday.

The result has been successful spear phishing-based cyberattacks like the one recently uncovered by Mandiant. The security vendor this week released a 60-page report that traced an advanced cyberespionage operation to a Chinese military unit.

Researchers at the Georgia Institute of Technology are working on analytics that they hope will one day be able to spot bogus email and warn recipients. Before starting the project, research scientist Andrew Howard investigated the market last year and found only one vendor that he believed had reliable analytics.

"The technologies available out there to help with this problem are severely inadequate," Howard said.

[Also see: Chinese Army link to hack no reason for cyberwar | Hack findings highlight China, U.S. in game of spy vs. spy]

Georgia Tech researchers are looking at the possibility of developing algorithms that could look at the content of the email to determine whether it contains information readily available from public sources. The technology could also compare the email with the messages the recipient normally gets to look for abnormalities. In addition, if the email was sent to multiple individuals, that could be another sign of spear phishing.

The research is at an early stage, so there's been no decision whether the technology would be open source or commercialized. "At a minimum, they'll be some good papers written," Howard said.

The failure of companies such as Symantec, Cisco, McAfee and Proofpoint to adequately address spear phishing has opened the door to companies like FireEye and Damballa, which have products to fill the gap, Holland said.

However, the problem is this requires a Symantec customer, for example, to add technology that should already be in the vendor's product. "Instead of having one solution that's able to address this problem, I now have to buy another point product to cover up what my existing technology has been failing at," Holland said.

The email security vendors are starting to play catchup, due to the success of FireEye and Damballa, Holland said. For example, Proofpoint released last spring analytics aimed at catching advanced malware used in spear phishing attacks.

Not everyone is sold on the need for expensive analytics. Many companies could improve security dramatically by strictly limiting, or removing, applications known to contain many vulnerabilities exploited by hackers, such as Java and Adobe Flash, said Al Pascual, an analyst at Javelin Strategy & Research.

In addition, companies could use less expensive email authentication technology that looks at the sending mail servers and the IP addresses of the sender to determine whether the email is legitimate, Pascual said.

Such technology uses the Sender Policy Framework (SPF) and the complementary DomainKeys Identified Mail (DKIM). Another anti-phishing technology released last year was the Domain-based Message Authentication, Reporting and Conformance (DMARC) framework.

"Unfortunately, it's been around for awhile, but not a lot of businesses are using it," Pascual said of the various technologies. "It's very underutilized."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationslegalsoftwareMandiantemail securityForrester Researchdata protectioncybercrimespear phishingData Protection | MalwareGeorgia Institute of Technology

More about Adobe SystemsAndrew Corporation (Australia)CiscoFireEyeForrester ResearchGeorgia Institute of TechnologyJavelinMcAfee AustraliaProofpointSymantecTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place