Detecting Targeted Spearphishing Campaigns in the Preparation Phase

When you’re swimming along a coral reef with a speargun, a funny sensation will sometimes remind you that the hunter can become the hunted--and that’s when look over your shoulder for those big jaws. In this free and practical training session, I’ll show how you can turn the tables on spearphishers in cyberspace. We’re talking about going on the hunt – looking for attackers getting ready to target your organization.

A lot of anti-phishing technology is good at detecting and stopping general, widespread campaigns. But what about when your organization is specifically targeted? Spearphishers mount persistent and dangerous campaigns, especially around the areas of business email compromise or intellectual property theft. Since these campaigns are persistent and ongoing, however, we have a chance to get out ahead of them by detecting preparation phases and profiling the attacker and the campaign. The key to this is early detection of domains and IPs that the phisher intends on using.

Here's how it unfolds:

1. Attacker decides to go after a particular target, and registers one or more domains mimicking the victim organization and/or other businesses in close relationships with that victim (e.g. if you wanted to steal Apple's plans for the next iPhone, you might pose as someone at their contract manufacturer Foxconn to gain unauthorized access)
2. Would-be victim (defender) detects these registrations
3. The defender blocks those domains, but also...
4. ...starts digging into correlated infrastructure
5. ....and blocks anything closely tied to the original spoof domain(s)
6. From here, the defender may choose to start monitoring other things besides just detecting other cybersquatting domains. For example, watch name servers, IPs, registrants, etc.

Proactive detection and blocking of emerging campaigns is effective and often fairly straightforward, but doing it requires some advanced technology and information, and that’s where our sponsor DomainTools comes in. Tim Helming will walk us through this process using two very cool DomainTools technologies: phishing domain detection tool PhishEye and infrastructure investigation tool Iris.