SANS Spearphishing Survival Guide

A SANS Whitepaper
Written by Jerry Shenk
December 2015
Sponsored by Proofpoint
©2015 SANS™ Institute

Executive Summary

Organizations are constantly under attack. Nearly every week comes a news headline of another breach affecting millions of people. Organizations that experience “small” breaches spend hundreds of thousands of dollars on forensic examinations, infrastructure upgrades and identity monitoring. Those that get hit by a large breach spend millions.

The majority of those threats still arrive by email in the form of weaponized file attachments, malicious links, wire-transfer fraud and credential phishing. In most cases, attackers deploy email-borne attacks that target specific individuals and fool them into believing they are from someone they do business with or someone in authority who knows them. Often, attackers gather the information they need to pull off these sorts of phishing attacks over social media, where employees share significant amounts of personal and contextual information. Just as often, employees leak information over mobile applications that make it easier for criminals to target their attacks.

While most antivirus, anti-malware and email security systems are good at catching traditional mass email phishing attacks with known malicious attachments, links and content, they are not catching the most sophisticated targeted attacks on email recipients. These types of attacks, called spearphishing, gather information on high-value targets who have direct access to company financial or customer information.[1] Using social media, mobile apps and other sources of information (such as a company website), criminals can make connections between business associates and third parties in order to craft emails that look like they come from someone the targets work with—and neither network-based nor email-based security tools are catching them consistently. The emails are so well crafted that even well-trained, sophisticated users are likely to click their malicious URLs or weaponized attachments (malicious attack files).

[1] “Spear Fishing Definition,” TechTarget, March 2011, http://searchsecurity.techtarget.com/definition/spear-phishing

For example, the infamous 2011 breach of RSA Security that resulted in the loss of its SecurID tokens was almost a perfect example of a believable spearphishing exploit: It targeted human resources personnel with the subject line “2011 Recruitment Plan” and appeared to originate from a recruitment firm the HR department was familiar with. Only eight emails were sent, but one person in HR opened the Excel attachment, titled “2011 Recruitment Plan.xls.”[2] The SecurID fiasco cost RSA $66 million, including costs to replace tokens, monitor customers and handle other fallout.[3]

It is not just the emails the attackers craft that are becoming more sophisticated; attackers are also deploying techniques such as polymorphism and changing their malicious payloads or links to avoid detection. In its 2015 Global Phishing Survey, the Anti-Phishing Working Group identified nearly 124,000 unique phishing attacks against 569 different institutions.[4] Those attacks resolved to 95,321 unique malicious domains. These malicious domains are usually obfuscated to avoid blacklist detection through URL shortening, polymorphism (changing attack patterns and signatures) and other means, making it difficult for email security systems to detect them. When malware and sender information continually changes, it can be difficult to keep users away from dangerous attachments or malicious URLs that can immediately infect an organization’s network with malware, especially when the security program relies solely on signatures of known bad attachments and senders.

In the case of mobile apps, spearphishing may be even more difficult to detect. According to an article in Wired, mobile users are checking email constantly, but their screens are too small to tell when their email and text messages are fake (for example, whether or not they come from the domain they claim to be coming from).[5] Mobile users are also mixing personal email apps with business email apps and even using public Wi-Fi to collect their email, thus creating new attack surfaces and making it more difficult for traditional network-based and email security systems to detect attacks and block spearphishing attacks from executing.

[2] “Lessons Learned from DigiNotar, Comodo and RSA Breaches,” SecurityWeek, Nov. 17, 2011, www.securityweek.com/lessons-learned-diginotar-comodo-and-rsa-breaches
[3] “RSA SecurID Breach Cost $66 Million,” InformationWeek, July 28, 2011, www.darkreading.com/attacks-and-breaches/rsa-securid-breach-cost-$66-million/d/d-id/1099232?
[4] “Global Phishing Survey: Trends and Domain Name Use in 2H2014,” Anti-Phishing Working Group, May 27, 2015, http://internetidentity.com/wp-content/uploads/2015/05/APWG_Global_Phishing_Report_2H_2014.pdf
[5] “Spear Phishing: A Modern Threat to Mobile Devices,” Wired, Sept. 26, 2013, http://insights.wired.com/profiles/blogs/spear-phishing-a-modern-threat-to-mobile-devices - axzz3uKfhQRUS

These new attack surfaces and more sophisticated threats require updated functionality and processes to protect organizations against advanced spearphishing, including the ability to:

• Block mass email attacks in order to detect specific, targeted attacks as indicators of more serious compromise by a knowledgeable enemy
• Identify high-value human targets based on their role and the applications and data they have access to
• Identify targets who click things they shouldn’t
• Intelligently respond to specific targeted attacks, including the ability to:
  - Scan the actual URLs, to determine whether the website is hosting malicious content, before a user is granted access
  - Sandbox suspect URLs and attachments to test their payloads before users are allowed to execute them
  - Identify employees who fall victim to the lures for education
• Improve through self-learning (for example, the ability to automatically update email security and malware detection systems to include new signatures)
• Continuously improve the collection of threat intelligence and data analysis

This paper describes these and other capabilities for preventing advanced email attacks from succeeding.

Advanced Phishing Attacks Revealed

Spearphishers have several motivators for breaking into organizations, and all of them have to do with high-value targets and data: criminal operations seeking profits, nation-states interested in causing disruption, and industrial spies or politically motivated groups seeking to damage the target in some way. Spearphishing is a common means to this end and usually takes a specific trajectory, starting with gathering information on high-value targets, which is quite often gathered from information divulged through users’ social media and mobile applications. Knowing this attack progression is critical intelligence that should help detect, defend against and respond to advanced email attacks.

Attack Progression

Advanced email attacks usually follow a common progression, or “kill chain,” of events that email security intelligence should acknowledge and make use of in order to stop attacks before they cause damage. The attack steps include the following:

1. Gathering information on targets. Spearphishing starts with identifying key, high-value individuals in the company to target. These are usually people in HR (who have access to valuable employee data), finance (with access to wire transfer accounts), customer service or billing (with valuable customer financial data) and IT (they make mistakes, too, and those mistakes can be a jackpot for the attacker), as well as key personnel at email service providers, where more email accounts can be harvested (such as what happened in the infamous Epsilon case, which affected 75 large email clients in 2011[6]). These people are targets because their credentials and the applications they have access to are of most value.

   In targeted email attacks, the attackers have likely learned about their targets and their roles through company announcements or social media such as LinkedIn, Facebook and Twitter, where employees are divulging information about their projects and possibly even collaborating with peers and partners. Associations are critical to attackers who want to create convincing emails that seem to originate from someone the target already knows or does business with.

   Attackers may also be sitting on wireless networks at coffee shops, catching personal email or business email sent from employees’ mobile devices. This may get them access credentials, departmental information on the employees and associations between personal and business contacts that the employee would likely accept a link or attachment from. And even access to a lower-level account can be a win for the attacker because once inside the company, higher-level access can be collected.

[6] “Epsilon Fell To Spear-Phishing Attack,” InformationWeek, April 11, 2011, www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119

2. Creating convincing emails. With information about their targets and their targets’ associations, attackers then craft the emails so that they seem legitimate enough to get intended targets to open an attachment or click a link. Gone are the days when language, linking and other issues made it easy to detect a phish. Spearphishers can create emails so realistic that they appear to come from a trusted source and ask for information that the source would normally request. For example, a recent article on CSO’s website[7] told about an extremely well-written phishing email that would have worked if the comptroller hadn’t noticed that the CEO signed off as “Richard” when he always used “Dick.” Everything else was right—details, grammar, even inside information about the company. Fortunately in this case, the phish failed, meaning it was a win for the intended victim, who happened to be educated enough to notice the difference in the signature.

3. Hiding their origin. Attackers can spoof email sender addresses to make it look as if the email came from a trusted domain, and they employ other methods of obfuscating the email’s malicious intent from users and security systems. Return addresses and links can render almost perfectly when the user puts the cursor over the address or link. For example, the attackers may have hacked a legitimate domain and sent the email from there. Or they might register their own domain with a URL very similar to that of the trusted source they’re trying to impersonate. For example, attackers can make it look as if the email came from www.mycompany.com by creating a domain with a single character off in the URL, such as www.myconpany.com, which is difficult to notice, particularly in the case of email on mobile devices where the screens are small and visibility difficult. Such URLs, if newly registered and minimally used, will often bypass network- and email-scanning systems because there is no existing blacklist for them.

[7] “Near-flawless Social Engineering attack spoiled by single flaw,” CSO, Oct. 8, 2015, www.csoonline.com/article/2990471/social-engineering/near-flawless-social-engineering-attack-spoiled-by-single-flaw.html

4. Delivering the payload. The link will send the user to a malicious URL or compromised reputable domain that takes the user’s credentials as he or she logs in. The target of the attack usually predicts the payload. For example, attackers seeking to collect financial system credentials will lead users to log into what the users believe is the company’s commercial bank account to collect their access credentials and infiltrate the account on their own to transfer funds from wire accounts. The spearphishers may also just want to use the target to infiltrate the company, such as in the case of a malicious attachment, where advanced malware enters the organization and starts searching for credentials across any department it is able to access.

5. Avoiding detection. The attack tries to hide itself throughout the process. Methods that attackers use to avoid detection include polymorphism and shortened or obfuscated URLs to prevent blacklist detection. Once an attacker has successfully gotten malware onto an enterprise’s network, the malware can do any number of things, such as ensuring that it survives a reboot, giving attackers remote access, turning off detection software or providing the attacker administrative access to the entire network.

Figure 1 illustrates the path of most advanced email attacks.

[Figure 1. Advanced Email Attack Progression: Gathering information on targets → Creating convincing emails → Delivering the payload → Avoiding detection]
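The lookalike-domain trick described in step 3 (www.myconpany.com standing in for www.mycompany.com) can be checked on the receiving side before a user ever sees the message. The following is an added example, not code from the paper or from Proofpoint: it folds common homoglyph substitutions out of the sender's domain, then compares it with a constructed list of trusted domains by edit distance and by embedded-name match. TRUSTED_DOMAINS, HOMOGLYPHS and all function names are assumptions, and base_label assumes a one-label public suffix; a production version would consult the public suffix list.

```python
"""Lookalike-sender detection against a list of trusted domains (added example)."""
from email.utils import parseaddr

# Constructed: domains this organization treats as known correspondents.
TRUSTED_DOMAINS = {"mycompany.com", "recruiting-partner.example"}

# Constructed: character groups that read alike on a small screen, mapped to the
# character they imitate. Folded before comparison so that "rn" compares as "m".
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot and fold visually confusable sequences."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(domain: str) -> str:
    """Label left of the suffix: 'mycompany' for 'www.mycompany.com'.
    Assumes a one-label suffix (an assumption; use the public suffix list in practice)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def sender_domain(header_value: str) -> str:
    """Domain of the address in a From or Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    dom = sender_domain(header_value)
    for t in trusted:
        if dom == t or dom.endswith("." + t):
            return "trusted", t
    norm = normalize(dom)
    for t in trusted:
        tn = normalize(t)
        # One-character typos (myconpany.com) or homoglyph swaps (mycornpany.com).
        if norm == tn or levenshtein(norm, tn) <= 1:
            return "lookalike", t
        # Cousin domains that embed the trusted name (mycompany-secure.com).
        tl = base_label(tn)
        if len(tl) >= 5 and tl in base_label(norm) and base_label(norm) != tl:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for hdr in ("HR <hr@mycompany.com>", "HR <hr@myconpany.com>",
                "hr@mycornpany.com", "payroll@mycompany-secure.com", "news@example.org"):
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" verdict is a reason to hold the message for closer inspection rather than to reject it outright, since newly registered cousin domains are exactly the ones no blacklist yet covers.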

Protection and Prevention

Organizations need to deploy protections that recognize these email-based attack steps and wrap that into their cyberthreat intelligence, security information and event management (SIEM) system and/or response systems for detection and response. The logical place to start is to minimize the attack surface to prevent opportunistic attacks, which is the desired outcome of the Center for Internet Security’s Critical Security Controls and other security frameworks.[8] In the case of mobile and social media, the first steps toward reducing these attack surfaces are employee education and monitoring for misuse. Shoring up vulnerabilities in email systems and endpoints will also reduce your attack surface.

To prevent and respond to attacks, monitoring is key. Advanced spearphishing gets around network-based anti-malware and antivirus systems because of the sophisticated targeting and hiding tactics attackers use, as discussed previously in this paper. Therefore, email scanning and file and data analysis are also critical components of an advanced protection system. Email monitoring should detect known and unknown malicious sender URLs, links and attachments even before they reach the end user. If they do manage to reach the end user, then the email system should test malicious links and attachments in a secure (sandboxed) environment before the user is allowed to click the message links or attachments.

Because spearphishing threats indicate a serious problem occurring in the enterprise, the scanning should also provide insight into the reason the receiver was targeted and the motives of the sender. Ultimately, a classification system should emerge on potential targets that would continuously update itself with new information and be used to detect weak points, secure them and circle around to reduce attack surface.

[8] The Critical Security Controls for Effective Cyber Defense, Version 6.0, Center for Internet Security, www.cisecurity.org/critical-controls

Email Analysis Methods

Monitoring email for signs of trouble is generally done in three ways: inline analysis, which looks at network traffic flow; mail flow analysis, which monitors mail passing through a mail server; and endpoint security, which puts tools like antivirus and junk email filters on the client. These options typically are signature-based, though some analyze IP addresses, formatting irregularities and other characteristics of the email transfer that might look suspicious.

Network Monitoring

Inline email analysis is typically done with an IDS/IPS or a dedicated appliance, usually where Internet traffic enters or leaves the network. Often, the appliance scans other traffic in addition to email. These devices are good at detecting oddities in the network traffic, but they are typically not optimized to process inside the email, looking for content that would suggest malicious intent or evaluating email attachments.

Email Monitoring

Email analysis for malicious links and attachments often runs on the main mail server or on a scanning mail server that sits in front of the corporate mail server. Such a scanning system is located either on-site or at the vendor location (as a cloud-based service). In the cloud-based scenario, unwanted mail should be prevented from entering the organization’s network at all, which also makes it more difficult for attackers to identify the corporate email server to look up targets and associations between targets.

The system should be capable of scanning the message body, email attachments and URLs, both inbound to and outbound from recipients. This analysis should be based on a number of things, including to/from addresses, time of day, domain information/destination URL, email content and headers. It should include the capability to pull suspect mail aside and examine it more thoroughly before allowing it to move on to the recipient. With advancements in polymorphism and URL obfuscation, the system will need to be able to scan inbound email in near real time and parse the mail so that it can send clean messages forward and send malicious messages to a secure, sandboxed environment to test the link or URL and then take actions based on findings.

Since spearphishing relies on finding and exploiting users and apps of value, it is important that the email security system also keep intelligence on valuable targets (users, systems and data) around which to wrap extra protections. For example, the email system should share intelligence with data loss prevention (DLP) systems to protect sensitive outbound data but also to identify the targets who send and work with valuable data.
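The mail-flow analysis described above (to/from addresses, headers, content and links, with suspect mail pulled aside) can be sketched as a single triage function. The following is an added example, not code from the paper or from Proofpoint: it parses one raw message with Python's standard email package, checks that Reply-To and Return-Path align with the From domain, compares each link's visible text with its real destination, counts lure phrases, and decides whether to deliver, flag, or hold the message for sandboxing. The two sample messages, the BEC_PHRASES list and the function names are constructed for this example.

```python
"""Mail-flow triage of one inbound message before it reaches the recipient (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phrasing typical of wire-transfer lures; a real filter would use a
# tuned classifier or vendor feed rather than a short keyword list.
BEC_PHRASES = ("wire transfer", "urgent", "confidential", "do not call")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def addr_domain(header_value) -> str:
    """Lowercased domain of an address header value, '' if the header is absent."""
    if header_value is None:
        return ""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(raw_message: str) -> dict:
    """Return the action (deliver | flag | hold_for_sandbox) and the signals behind it."""
    msg = message_from_string(raw_message, policy=policy.default)
    signals = []

    # Header alignment: a Reply-To or Return-Path on another domain routes the
    # victim's reply (and bounces) away from the person the From line names.
    from_domain = addr_domain(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        domain = addr_domain(msg[header])
        if domain and domain != from_domain:
            signals.append(f"{header.lower()}_mismatch:{domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    # Links whose visible text names one host while the href goes to another.
    urls = []
    for href, inner in LINK_RE.findall(content):
        urls.append(href)
        shown = TAG_RE.sub("", inner).strip().lower()
        named = DOMAIN_IN_TEXT_RE.search(shown)
        if named and named.group(1) != host_of(href):
            signals.append(f"link_text_mismatch:{named.group(1)}->{host_of(href)}")

    # Social-engineering language: two or more lure phrases in one message.
    text = TAG_RE.sub(" ", content).lower()
    hits = [p for p in BEC_PHRASES if p in text]
    if len(hits) >= 2:
        signals.append("bec_language:" + ",".join(hits))

    attachments = [p.get_filename() or "unnamed" for p in msg.iter_attachments()]

    if signals and (urls or attachments):
        action = "hold_for_sandbox"   # test links/files in isolation before release
    elif signals:
        action = "flag"
    else:
        action = "deliver"
    return {"action": action, "signals": signals, "urls": urls, "attachments": attachments}


# Constructed sample: the CEO's name on the From line, but replies and bounces go
# elsewhere and the link text does not match where the link really goes.
SUSPECT_MESSAGE = """From: Richard Smith <ceo@mycompany.com>
Reply-To: ceo.mycompany@mail-relay.example
Return-Path: <bounce@mail-relay.example>
To: comptroller@mycompany.com
Subject: Payment today
Content-Type: text/html; charset="utf-8"

<html><body><p>This is urgent and confidential. Please complete the wire transfer
today and do not call me, I am in meetings.</p>
<p>Portal: <a href="https://mycompany-secure.example/login">https://mycompany.com/login</a></p>
</body></html>
"""

# Constructed sample: aligned headers, no links, no lure language.
CLEAN_MESSAGE = """From: Jane Doe <jane@mycompany.com>
Return-Path: <jane@mycompany.com>
To: comptroller@mycompany.com
Subject: Lunch Friday?
Content-Type: text/plain; charset="utf-8"

The usual place at noon works for me.
"""

if __name__ == "__main__":
    for sample in (SUSPECT_MESSAGE, CLEAN_MESSAGE):
        print(triage(sample))
```

The signals are kept as strings so the same record can be forwarded to a SIEM or attached to the quarantined message for the analyst who reviews it.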

Email analysis at the endpoint is important, too, particularly in the case of mobile users. Antivirus software on the endpoint can also scan every message, looking for malicious content. Email security on the endpoint, usually accompanied by an agent, should provide all the scanning capability listed above as requests from mobile devices attempt to access the email system. This means that email security at the endpoint would be best if it could integrate with network access control (NAC) or other access systems to scan the endpoints for violations of policy, vulnerabilities and security status before email is downloaded to the mobile device.

Better yet, keep the email on the internal server and do not let it store on mobile devices. Note that because targeted attacks are designed to evade most endpoint antivirus discovery, email server and application protections are the critical impact point that controls should focus on.

File Analysis

A detection system for advanced threats should be able to identify files that are known and analyze those that are unknown. Analyzing against a blacklist of known bad files can cut down on the noise, allowing for the detection of advanced spearphishing attempts that go unnoticed amid other attacks that are easier to detect. The system would identify and remove malicious files quickly in a process that is repeatable whenever new instances of the same malicious file attachments are detected by the email security system. But that only takes care of known problems.

A second layer of analysis is needed when unknown files attempt to execute on the system. At time of delivery or attempted execution, these files should be screened and segmented into a secure zone, where they are sandboxed and executed to determine their payloads. Should those payloads display signs of malware, they are further examined. Files identified as malicious are added to the blacklist of known bad files. Once added to the blacklist, they can be used for detecting and blocking the same or similar files in the future.
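The two-layer file analysis just described (known-bad list first, sandbox for unknowns, verdicts fed back into the list) is, at its core, a small state machine. The following is an added example, not code from the paper or from Proofpoint. It hashes each attachment with SHA-256, blocks known-bad digests without further work, applies a static pre-check that catches a file whose content type contradicts its extension (for instance an ".xls" that begins with the "MZ" header of a Windows executable), sends anything still unknown to a pluggable sandbox, and records malicious verdicts so the next copy of the same file is blocked at the first layer. The MAGIC table, EXPECTED_KIND map, demo_sandbox stand-in and all names are constructed for this example; a real deployment would plug in an actual detonation service.

```python
"""Attachment screening: known-bad hashes, static type check, sandbox verdict, learning loop (added example)."""
import hashlib
from typing import Callable, Iterable

# Well-known file signatures (constructed, deliberately short table).
MAGIC = (
    (b"MZ", "exe"),                                  # Windows PE executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls
)
# What the file extension claims the content is.
EXPECTED_KIND = {".exe": "exe", ".pdf": "pdf", ".zip": "zip",
                 ".docx": "zip", ".xlsx": "zip", ".doc": "ole", ".xls": "ole"}


def sniff(data: bytes) -> str:
    """Content type from leading bytes, 'unknown' if no signature matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


class AttachmentScreen:
    def __init__(self, known_bad: Iterable[str], sandbox: Callable[[bytes], str]):
        self.known_bad = set(known_bad)   # SHA-256 hex digests
        self.sandbox = sandbox            # returns "malicious" or "benign"
        self.sandbox_runs = 0

    @staticmethod
    def _result(name: str, digest: str, action: str, reason: str) -> dict:
        return {"file": name, "sha256": digest, "action": action, "reason": reason}

    def check(self, name: str, data: bytes) -> dict:
        digest = hashlib.sha256(data).hexdigest()
        # Layer 1: known bad is blocked at once; no detonation needed.
        if digest in self.known_bad:
            return self._result(name, digest, "block", "known_bad_hash")
        # Static pre-check: content that contradicts the extension is disguised.
        ext = name[name.rfind("."):].lower() if "." in name else ""
        kind = sniff(data)
        expected = EXPECTED_KIND.get(ext)
        if expected and kind != "unknown" and kind != expected:
            self.known_bad.add(digest)
            return self._result(name, digest, "block", f"type_mismatch:{ext}->{kind}")
        # Layer 2: unknown file, detonate before release.
        self.sandbox_runs += 1
        verdict = self.sandbox(data)
        if verdict == "malicious":
            self.known_bad.add(digest)    # learn: the next copy hits layer 1
            return self._result(name, digest, "block", "sandbox_malicious")
        return self._result(name, digest, "deliver", "sandbox_benign")


def demo_sandbox(data: bytes) -> str:
    """Constructed stand-in for a detonation sandbox: flags a marker byte string."""
    return "malicious" if b"EVIL" in data else "benign"


if __name__ == "__main__":
    screen = AttachmentScreen(known_bad=(), sandbox=demo_sandbox)
    print(screen.check("plan.xls", b"MZ\x90\x00" + b"\x00" * 60))   # disguised executable
    print(screen.check("invoice.pdf", b"%PDF-1.4 EVIL"))            # sandboxed, then learned
    print(screen.check("invoice-copy.pdf", b"%PDF-1.4 EVIL"))       # blocked by hash, no sandbox
    print("sandbox runs:", screen.sandbox_runs)
```

The checklist later in this paper lists MD5 and SHA1 support; the example uses SHA-256 because collisions are practical for MD5 and demonstrated for SHA1, so a hash list keyed on either can be evaded by crafting a colliding benign file.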

URL and IP Address Analysis

Keeping up with changes to URL and IP classifications is not easy. Just recently, an Internet Storm Center diary entry[9] noted that the website for GM trucks was hosting the Nuclear exploit kit (EK). The site looks quite innocent when checked with a browser appliance, and it probably had been clean a week earlier. Criminals are constantly scanning the Internet looking for legitimate sites that can be hijacked and used to compromise unsuspecting visitors. An advanced threat detection system needs to be able to constantly reclassify URLs and IP addresses as they go from good to bad and back again.

In addition to monitoring URLs that are being used throughout the organization, the system should monitor IP addresses of senders. This often involves vendor-managed databases that list known good and known bad classifications of both URLs and IP addresses. These lists should accept updates automatically as new malicious attachments and URLs are found. Often this function is performed through cloud-based services, on-premise equipment or both. The key is that the URLs and IP addresses are examined before the user has a chance to click the links.

Data analysis. Stored email on mobile devices is a treasure trove for attackers. Therefore, it is important that the system work with DLP to determine sensitivity of data types, enforce rules such as encryption of stored data and data emailed off the devices and report when sensitive data tries to leave the organization via email.

Analysis of high-value targets. The system should also provide intelligence on users of value to the organization based on their titles, systems they access and the data that would be impacted should spearphishers access those high-value systems. Additional analysis may be needed for the highest-value targets, such as what mention they get on the company websites, what social media use they’re prone to and how they normally access email.

Together, these email security defenses will catch a lot of malicious activity. Nonetheless, email analysis alone is not enough; it should be coupled with outbound network monitoring, activity monitoring and user security awareness training. In addition, email analysis should integrate with internal and third-party threat intelligence data, whitelisting and blacklisting policies and network security reports (IDS/IPS/firewalls) to reduce false positives and block new advanced attacks that email systems alone might not detect.

Blocking Malicious URLs

Some URLs and IP addresses should be blocked all the time. It is quite common for organizations to try to block all pornography sites, for example, by blacklisting their URLs. Similarly, entire groups of related IP addresses can be blocked, if you have no reason to ever accept IP addresses coming in from China, for example.

[9] BizCN gate actor update, SANS ISC InfoSec Forums, https://isc.sans.edu/forums/diary/BizCN+gate+actor+update/20209
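A site that was clean at delivery time may be hosting an exploit kit by the time the user clicks, which is why the section above insists that URLs be examined before the click and reclassified continually. The following is an added example, not code from the paper or from Proofpoint, of how a mail gateway can act on that: at delivery it rewrites each link into a signed redirect through a checking endpoint, and at click time it verifies the signature, looks up the host's current verdict, re-scans when the cached verdict has expired, and allows or blocks accordingly. It also shows the whole-range sender blocking mentioned in the "Blocking Malicious URLs" note. SECRET, CHECK_ENDPOINT, BLOCKED_RANGES, the Reputation store and all function names are constructed for this example; the rescan callable stands in for a real URL scanning service.

```python
"""Click-time URL protection: signed rewrite at delivery, reputation re-check at click (added example)."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-key"                              # assumption: keep out of source, rotate
CHECK_ENDPOINT = "https://urlcheck.mycompany.example/click"   # hypothetical checking service
SIG_LEN = hashlib.sha256().digest_size


class Reputation:
    """Verdict store whose entries expire, forcing a re-scan of hosts that may have
    gone from clean to malicious (or back) since they were last classified."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._verdicts = {}

    def set(self, host: str, verdict: str) -> None:
        self._verdicts[host] = (verdict, self.clock())

    def get(self, host: str) -> str:
        entry = self._verdicts.get(host)
        if entry is None or self.clock() - entry[1] > self.ttl:
            return "unknown"          # missing or stale: must be re-scanned
        return entry[0]


def rewrite(url: str, user: str) -> str:
    """Replace a link at delivery time with a signed redirect through the checker.
    The HMAC stops the endpoint being abused as an open redirect to arbitrary URLs."""
    payload = json.dumps({"u": url, "user": user}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(payload + sig).decode()
    return f"{CHECK_ENDPOINT}?t={token}"


def verify(token: str):
    """Return the signed payload, or None if the token was altered or malformed."""
    try:
        blob = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(blob) <= SIG_LEN:
        return None
    payload, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def on_click(rewritten_url: str, reputation: Reputation, rescan) -> dict:
    """Handle a click: verify the token, then use the host's current verdict,
    re-scanning when the cached verdict is missing or has expired."""
    token = parse_qs(urlparse(rewritten_url).query).get("t", [""])[0]
    data = verify(token)
    if data is None:
        return {"action": "block", "reason": "bad_token"}
    host = (urlparse(data["u"]).hostname or "").lower()
    verdict = reputation.get(host)
    if verdict == "unknown":
        verdict = rescan(data["u"])   # fresh classification at click time
        reputation.set(host, verdict)
    action = "allow" if verdict == "clean" else "block"
    return {"action": action, "reason": verdict, "user": data["user"], "url": data["u"]}


# Constructed: a sender range the organization never expects mail from (TEST-NET-3).
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def sender_ip_blocked(ip: str) -> bool:
    """True when the connecting sender falls inside an always-blocked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


if __name__ == "__main__":
    rep = Reputation(ttl_seconds=3600)
    link = rewrite("https://news.example/story", "alice")
    print(link)
    print(on_click(link, rep, rescan=lambda url: "clean"))
    print(sender_ip_blocked("203.0.113.7"), sender_ip_blocked("198.51.100.7"))
```

Because the user identity travels inside the signed token, the click log produced by on_click also answers the checklist item about monitoring click-throughs per user: the gateway learns who clicked which link even when the verdict was "allow".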

Intelligent Response

Threat intelligence from third-party vendors, the email system or the SIEM system is a good starting place for automating your response processes. Email security systems should provide their own intelligence that feeds into the SIEM system as needed and should be especially focused on targets of high value to spearphishers. These systems should combine machine analytics with self-learning so that newfound threats, such as newly malicious URLs and malicious payloads, are categorized and included in future detection and response platforms. That intelligence should also be shared with the larger community through third-party intelligence providers, the email security system or industry groups such as Information Sharing and Analysis Centers (ISACs).

If email and web security can catch malicious downloads that antivirus isn’t catching, then these layers should also integrate with anti-malware programs for better detection, for example. Humans are needed to make decisions, but automated collection and analysis systems such as SIEM, as well as the sharing of intelligence, are crucial to pulling out the actionable events.

These automated systems cannot just be plugged in and left alone; they need to be thoughtfully set up, monitored and adjusted as the network environment and the threats change. The following email security checklist should help organizations determine whether their email security is meeting the challenge of fighting today’s advanced spearphishing threats.

Email Security Checklist

The following checklist will help users think through the items that an advanced email security system should include.

Section 1: Current status

1.1 Rate of malicious mail still getting through (Check one.)
    [ ] High (25% or more) (0 points)
    [ ] Medium (10% to 24%) (1 point)
    [ ] Low (5% to 9%) (2 points)
    [ ] Lower (1% to 4%) (4 points)
    [ ] Ideal (0%) (5 points)
    Points awarded (5 possible): _____

Section 2: Monitoring and blocking

2.1 Monitoring system and user behavior (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
    [ ] Monitor user location
    [ ] Monitor user identity
    [ ] Monitor and assess user email behaviors
    [ ] Deploy reports and tools to help educate users and raise awareness
    [ ] Search based on time
    [ ] Search based on user
    [ ] Search based on IP address
    [ ] Search based on domain name
    [ ] Search based on file attachment
    [ ] Search based on file hash
    [ ] Search using regular expressions
    [ ] Use automated alerts
    [ ] Employ configurable parameters
    [ ] Use common notification formats (SMTP, SNMP, SMS, syslog)
    [ ] Automate actions (such as reject, quarantine and report) based on policy
    Points awarded (15 possible): _____

2.2 Monitoring system and user behavior (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
    [ ] Maintain a large pool of shared sensors to classify sites
    [ ] Sandbox and examine unknown URLs
    [ ] Block known bad sites
    [ ] Block unknown bad sites
    [ ] Block malicious links on known good sites
    [ ] Whitelist known approved sites
    [ ] Whitelist domain names
    [ ] Whitelist IP addresses
    [ ] Blacklist known sites
    [ ] Blacklist domain names
    [ ] Blacklist IP addresses
    [ ] Regularly update malicious URL database
    [ ] Rewrite URLs to monitor click-throughs on a per-user basis
    [ ] Log rewritten URLs and clicks to URLs
    [ ] Utilize an intuitive interface for searching and reporting
    Points awarded (15 possible): _____

2.3 Blocking execution (Check all that describe your organization’s capabilities, then add up the total number of checkmarks.)
    [ ] Block known bad attachments
    [ ] Block unknown bad attachments
    [ ] Block malicious file transfers and installations
    [ ] Support MD5 hash
    [ ] Support SHA1 hash
    [ ] Sandbox suspect files and examine them
    [ ] Prevent malware from detecting the sandbox (run sandbox process that is bare metal)
    [ ] Regularly update database of blocking rules
    [ ] Share database updates with other blocking sensors
    [ ] Log blocked, allowed and tested files and applications
    Points awarded (10 possible): _____

Section 3: Performance

3.1 Volume of unique URLs in scanning database (Check one.)
    [ ] 100,000 (1 point)
    [ ] 250,000 (2 points)
    [ ] 500,000 (4 points)
    [ ] 1 million (6 points)
    [ ] 5 million (8 points)
    [ ] 10 million or more (10 points)
    Points awarded (10 possible): _____

3.2 Accuracy
    Number of false positives (per 1,000 alerts): _____ (Calculate by subtracting the number of false positives from 1,000, then dividing by 10. Maximum score is 10.)
    Number of false negatives (per 1,000 alerts): _____ (Calculate by subtracting the number of false negatives from 1,000, then dividing by 10. Maximum score is 10.)
    Points awarded (20 possible): _____

Page 15: SANS Spearphishing Survival Guide - Proofpoint, Inc. · SANS Spearphishing Survival Guide. Organizations are constantly under attack. Nearly every week comes a news headline of another

Email Security Checklist (CONTINUED)

SANS ANALYST PROGRAM14

Section 3.3. Performance
Speed of analyzing and correlating large numbers of URLs and attachments (Check one.)

Unacceptable time lag (0 points)
Acceptable time lag (2 points)
Imperceptible/near real time (5 points)

Points awarded (5 possible): _____

Section 3.4. Performance
Self-learning (Check one.)

Not able to learn or reuse newly discovered threat data (0 points)
Must manually input any new threat data we discover (2 points)
Able to automatically catalog newly detected threat data for future reference (5 points)

Points awarded (5 possible): _____

Section 3.5. Performance
Integration with SIEM, IDS/IPS or analytics (Check one.)

Not integrated; no other security technologies aligned with email security (0 points)
Partly integrated; email security, with some third-party SIEM vendor integration and/or detection system (2 points)
Well integrated; email security partnerships with multiple SIEM and detection system vendors (5 points)

Points awarded (5 possible): _____

Section 3.6. Performance
Usefulness of third-party intelligence (Check one.)

No intelligence integration (0 points)
Inadequate intelligence integration (1 point)
Limited use of intelligence (2 points)
Adequate use of intelligence (4 points)
Thorough, accurate and integrated use of intelligence (10 points)

Points awarded (10 possible): _____

Scoring Assessment

Total points: 100. Grade: A+.
The organization is as good as it can be; the only real danger is that it might become complacent and not adapt quickly enough to the next mutation in advanced threats.

Total points: 92 – 99. Grade: A.
The organization proactively monitors and blocks email-based attacks and educates users about them. While the chance of an attack getting through can never be eliminated, the organization has reduced its attack surface and has integrated with detection, response and intelligence through SIEM or similar technology. Companies with this score have an excellent chance of quickly detecting any attack that does succeed.

Total points: 83 – 91. Grade: B.
The organization has room for improvement, but it has many of the necessary email security processes in place and is largely integrated with other detection and response capabilities.

Total points: 74 – 82. Grade: C.
The organization faces a high probability of being successfully attacked through email systems and failing to detect the attack for a significant amount of time due to lack of integration and employee training.

Total points: 65 – 73. Grade: D.
Many of the organization’s security systems and processes, not just its email systems, are in need of review, and immediate steps should be taken to strengthen them in every area.

Total points: 64 or less. Grade: F.
Insufficient attention is being paid to the prevention and detection of attacks through email. A thorough assessment of the security program is needed to put the organization on the path to better security.

Conclusion

Today’s email security systems must be on the alert for known and unknown phishing targets, the lures attackers use and information about the links and payloads that emails contain. To do so requires a combination of tools specifically designed for email and for other network and security processes. Third-party intelligence feeds into the entire system, providing a robust ecosystem that works to prevent most email-borne payloads from getting through to the end user, keep those that do from spreading and provide unified response capabilities in case the payload does get through.

Just as important is knowing which of your employees are seen as targets of value to attackers and where those people could be leaking information that spearphishers can leverage to create their convincing emails and associations. For example, many targeted phishing attempts rely on knowledge gleaned from social media posts made by employees. Employees also use their own devices to download company email, which creates another attack surface that should be monitored.

Email, DLP, endpoint and network security need to work together to stop advanced phishers from getting to sensitive data. Centralized systems for detection and response, as well as knowledgeable personnel, are key to watching all of these things at once and connecting the dots. Buyers of advanced threat protection tools need to think through how those tools will integrate with one another and how well they handle reporting, alerting and response even as new attack surfaces and phishing techniques advance.

About the Author

Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst for Windstream Communications, working out of the company’s Ephrata, Pennsylvania, location. Since 1984, he has consulted with companies and financial and educational institutions on issues of network design, security, forensic analysis and penetration testing. His experience spans networks of all sizes, from small home-office systems to global networks. Along with some vendor-specific certifications, Jerry holds six GIAC certifications—all completed with honors—and five with Gold certifications: GCIA, GCIH, GCFW, GSNA, GPEN and GCFA. He also holds the CISSP certification.

Sponsor

SANS would like to thank this paper’s sponsor:
