Everyone knows that President Harry Truman said, “If you want a friend in this town, get a dog.” Except, he didn’t. This memorable quote was invented by the writer of the play, Give ‘Em Hell, Harry. Truman died the same year that email was invented, but figuring out who-really-said-what and who-is-your-friend have become the central challenges for governments fighting the growing email security threat known as spear phishing.
Spear phishing is a more powerful variant of standard mass phishing emails. Unlike a basic phishing attack, which tries to convince email recipients to click on malware links or disclose personal information by sending generic messages to thousands of recipients, spear phishing messages are customized with specific references to people and projects that the recipient knows. Spear phishing attacks are extremely dangerous and on the rise. According to Trend Micro, spear phishing is employed as a key element in 91% of cyber attacks.
Governments face significant risk exposure from spear phishing. A number of high-profile and highly damaging spear phishing attacks have already affected the United States Government, but the threat is global in scope. Every government in the world, at the regional and national levels, is assessing how to defend against these types of attacks. The highest profile risks include the following:
How does this happen? Aren’t government systems secure? Aren’t government workers trained to spot a threatening email? Yes and no. The reality is that no amount of training can eliminate human risk. Government workers, like many other people, can be duped by impersonation techniques. Spear phishers take advantage of these types of lapses in conduct.
In the military, the command and social structures actually can make it easier for spear phishing to succeed. For instance, in a test meant to show the phishing vulnerability in the military, over 80% of West Point cadets clicked on a malware link in an email that came from a “Colonel.”
“The Colonel Effect” shows how people can let their guards down when they think that an email comes from an individual with a superior rank.
As Tom Chapman noted in Spear Phishing Could Enable Cyberterrorism Attacks Against The U.S., “Spear phishing is based on the premise that slipping through a side entrance is easier than breaking down the front door. When you picture spear phishing, Swordfish or other hacker movies are the wrong image — we’re not dealing with cyber geniuses who bang away on the keyboard until they control the entire network. Effective spear phishers are really social engineers. They are experts at appearing to be someone you know and trust.”
Most standard anti-spam email filtering solutions are not set up to catch a spear phishing email. The Vade anti-phishing solution offers a defense, however. As a unique countermeasure, it provides better overall email protection by being layered on top of existing anti-spam solutions. It employs Heuristic Email Filtering with artificial intelligence. The solution has been trained to spot spear phishing messages based on learning from monitoring hundreds of millions of emails over a decade. It looks at each URL included in an email the instant a government employee clicks on it, safely exploring it in a remote sandboxed environment to see if it contains any malware, honeypots or malicious code. This averts the problem of phishers sending clean links that they later point to malicious URLs. Proprietary processes spot one-off spear phishing attacks by matching the style and technical indicators of the claimed sender of any given email with known information about the actual sender.
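A simplified sketch of comparing an email's claimed sender with known information about the actual sender, the kind of check that counters the “Colonel Effect” described above. This is an added example, not Vade's proprietary process; the sender directory, trusted domain, finding names and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed directory of real senders (constructed): display name -> address on file.
KNOWN_SENDERS = {"col. jane smith": "jane.smith@agency.example"}
TRUSTED_DOMAINS = {"agency.example"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _near(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip one character in b (insertion) or one in both (substitution).
    return a[i:] == b[i + 1:] or a[i + 1:] == b[i + 1:]

def sender_findings(raw):
    """Return the sender-identity mismatches found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr, findings = addr.lower(), []
    # 1. Display name belongs to a known person, but the address is not theirs.
    on_file = KNOWN_SENDERS.get(" ".join(name.lower().split()))
    if on_file and addr != on_file:
        findings.append("display-name-mismatch")
    # 2. Sending domain is one character away from a trusted domain.
    dom = _domain(addr)
    if any(_near(dom, t) for t in TRUSTED_DOMAINS):
        findings.append("lookalike-domain")
    # 3. Replies would go to a different domain than the visible sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        findings.append("reply-to-divergence")
    return findings

# Constructed sample messages, not real traffic.
SPOOFED = ('From: "Col. Jane Smith" <jane.smith@agency.examp1e>\n'
           "Reply-To: colonel.smith@mail.example\n"
           "Subject: Review before 1700\n\nSee the attached roster.\n")
LEGIT = ('From: "Col. Jane Smith" <jane.smith@agency.example>\n'
         "Subject: Weekly schedule\n\nNo changes this week.\n")

if __name__ == "__main__":
    print(sender_findings(SPOOFED), sender_findings(LEGIT))
```
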
Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.