Why I attack my colleagues with spears

Ok so firstly, just to clarify, I don't attack my colleagues with physical spears (that would probably be frowned upon by HR). I am instead referring to a type of attack known as spear phishing. Email is often the primary point of entry into a company's network for malicious code. It is the delivery mechanism for the vast majority of phishing attacks including the recent worldwide WannaCry ransomware attack that gained particular notoriety due to its impact on the NHS. As the WannaCry attack demonstrated, even just one person being tricked into running a malicious script by a phishing email can have devastating impact on a company.

Phishing v Spear Phishing

Phishing emails have been around for a long time but, fortunately, the majority of them are pretty easy to spot with most being picked up by spam filters. Spear phishing emails, however, are a totally different kettle of phish (see what I did there).

Spear phishing is much more targeted than regular phishing and is aimed specifically at one company or even one individual; this allows attackers to personalise attacks. It's easy to forget that we all have a large amount of information publicly available online, all of which can be used against us by someone with malicious intentions.

"We have 2FA so we're protected against phishing attacks..."

2FA (Two-Factor Authentication) does effectively mitigate login credential stealing attacks as the attacker would still need a verification code from your trusted device to log in using any stolen credentials. However, there are many other attacks types out there which utilise malicious attachments or URLs, for example, that are not trying to steal credentials but execute malicious code on the user's computer. If a user can identify a spear phishing email, they won't be clicking any suspect links so they should never be taken to an attacker's fake login page and so would never have the opportunity to have their credentials stolen anyway. So yes, 2FA is a great security defence but not the only one!

We've never been targeted by spear phishing attacks...

It is easy to ignore the risk from spear phishing attacks if you've not been on the receiving end of them. Large companies are obviously targeted more frequently than smaller ones but generally smaller companies are less aware of the danger and so make easier targets. Essentially, it's about being proactive with your approach to security, it's too late to train people after an incident and, without training, it's a matter of 'when' not 'if' an incident happens.

How do you train people to identify spear phishing emails?

The answer is the same as for every other skill in world: practice. At random times throughout the year, I covertly carry out spear phishing attacks against my colleagues at Razor. It is vital that they are unaware of when I will be carrying out the attacks so that identifying them becomes second nature and they don't know to look out for them specifically that week. So when a real spear phishing email arrives in a Razor inbox, we should be ready to spot it. Rather than anyone interacting with it, they say "Jog on!", report it and leave the attacker to skulk off and target a company whose staff aren't so on the ball. That could very well be your company if you don't educate your colleagues appropriately. If that is the case, it's time to grab your spears, scream your security battle cry (quietly) and send some emails.