Spear Phishing Analysis Using ThreatQ and ThreatQ Investigations
Posted by Liz Bush
Although spear phishing has been around for years, organizations continue to fall victim as criminals evolve their methods. According to the most recent quarterly report from the Anti-Phishing Working Group (APWG), spear phishing spiked last spring and has since remained steady, with adversaries using new techniques both to carry out their attacks and to conceal them. These include using web page redirects to hide their phishing sites from detection and hosting those sites on websites that have HTTPS and SSL certificates. The Cisco 2019 CISO Benchmark Study corroborates these findings, reporting that phishing is the third most common type of incident security leaders face. Of the study’s 2,900 respondents, 38 percent said they encountered a phishing attack last year.
When a spear phish attack is suspected, most organizations approach it in the same way. Either the security operations center (SOC) becomes aware of the attack, or a user forwards a suspicious email to a designated mailbox that the security team monitors continuously. Either way, the incident response (IR) team gets involved, because the event has already occurred and needs to be investigated. They analyze the spear phish email, including sender information, attachments and links, and may enlist the help of other systems like a sandbox, enrichment tools and intelligence feeds to determine whether the email is safe or malicious.
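The first-pass analysis described above (sender information, links, attachments) can be turned into structured observables that are easy to store and share. The following is an added example written for this post, not ThreatQ code; the sample message, its domains and its attachment are constructed, and the sender-domain mismatch and embedded-redirect checks are simple heuristics, not a verdict.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; addresses, domains and attachment are made up.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <bounce@mail.example-login.test>
To: user@example.com
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please verify at https://example-login.test/r?u=https://sso.example.com
--XX
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XX--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw: bytes) -> dict:
    """Extract sender, link and attachment observables from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    domain = lambda addr: addr.rsplit("@", 1)[-1].lower()
    result = {"from": from_addr, "return_path": return_path,
              # header sender and envelope sender on different domains is a common spoofing tell
              "sender_mismatch": domain(from_addr) != domain(return_path),
              "urls": [], "attachments": []}
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        p = urlparse(url)
        result["urls"].append({"url": url, "host": p.hostname, "https": p.scheme == "https",
                               # a second URL inside the query string points at a redirect hop
                               "embedded_redirect": bool(URL_RE.search(p.query))})
    for part in msg.iter_attachments():  # hash attachments for sandbox and intel-feed lookups
        data = part.get_payload(decode=True) or b""
        result["attachments"].append({"filename": part.get_filename(),
                                      "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)})
    return result
```

The returned dictionary is the kind of record (sender domains, link hosts, attachment hashes) that can be pushed to a shared platform and reused for the policy, retrospective-alerting and hunting purposes discussed below.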
This extensive analysis produces a lot of good data that can be used for many purposes, in addition to detecting and stopping a current spear phish attack. These include:
- Updating policies and the sensor grid to protect the organization from future, similar spear phish campaigns
- Alerting teams to spear phish attacks that happened in the past but weren’t detected as malicious at the time
- Conducting advanced analysis, including victimology, and proactive threat hunting
Increasingly, security teams want to be able to use the data to address questions like: Is this malicious email part of a spear phish campaign? Do broader spear phish attack patterns exist that might help us understand who is behind the campaign, how it is being executed and who is being targeted? Answers to these questions can help determine whether there are additional measures organizations can take, in terms of training and awareness, to help prepare and protect targeted users.
However, to be able to take advantage of these opportunities and fully use the data, it must be stored in a place that is accessible by all security operations teams, and it must easily integrate with existing workflows and tools so that it can be applied proactively across the organization.
ThreatQ and ThreatQ Investigations help you meet the spear phish challenge. You can read more here and watch this webinar on demand, featuring ThreatQuotient’s APAC Director Anthony Stitt and Threat Intelligence Engineer Rob Streamer. You’ll see an in-depth demo of how to conduct an investigation of spear phishing with the ThreatQ platform, including how to incorporate complementary tools like Cisco Threat Grid and MITRE ATT&CK, as well as how to generate a management-ready report.