Fighting Spear Phishing with Next-Gen Endpoint Detection and Response (EDR)

In today’s blog, we’ll discuss how you can combat spear phishing with next-generation endpoint detection and response (EDR) solutions. We’ll also provide some examples of how the VMware Carbon Black cloud-native endpoint security platform can offer deeper insights into threats, and how alerts from this platform are incorporated into our ActiveEye platform for complete visibility.

What is Spear Phishing?

Spear phishing is one of the most common and effective cyberattack vectors on today’s threat landscape. Delivered through email, spear phishing campaigns aim to either to infect devices with malware, or to steal important information like credentials and bank numbers. Unlike phishing, spear phishing is targeted at specific groups or individuals within an organization.

A spear phishing email will often appear to come from someone trusted inside the company. It may look like it’s coming from your CEO, your boss, or the head of a department. It will typically contain personalized content and a believable request to sound genuine. This social engineering characteristic is what makes spear phishing so troublesome for security professionals. In one recent case, the Manor Independent School District in Texas lost more than $2.3 million in a spear phishing scam that targeted an individual. Thus far, the school district has only been able to recover a portion of the lost funds.

Phishing as a whole is on the rise, and with the abundance of personal and professional information available to cyber criminals today, spear phishing has become increasingly effective. The Anti-Phishing Working Group (APWG) labeled Q3 2019 as “the worst period for phishing that the APWG has seen in three years.” During this time, they reported more than 80,000 phishing sites, with three-quarters of all attacks targeting three industry sectors: SaaS/webmail (33 percent), payment industry (21 percent) and financial institutions (19 percent).

Learn more about combating spear phishing and other cyber threats with next-generation EDR and Delta Risk.

How Does Spear Phishing Work?

Spear phishing relies on an attacker’s ability to make an email seem genuine. This means attackers do their research before attempting a campaign. A quick Google or LinkedIn search can reveal enough information about a person (job title, who they report to, what their role is) to craft a message that will prompt an employee to follow the directions in it.

These directions can request the recipient take a variety of actions. An email might ask for a direct reply with confidential business information or include a request to wire funds, include a link or attachment that prompts malware to be installed on a device, or send the recipient to a website where they are prompted to enter personal information such as a username and password. The website may mimic a legitimate business website that the company frequently uses, such as a bank or human resources application.

Ultimately, it is much easier to deliver an attack that relies on human “error” than it is to hack into a system. For this reason, it’s important to have protections in place that gives visibility into and alerts on suspicious behavior.

How Carbon Black Combats Spear Phishing

When a phishing or spear phishing attack is successful at getting malware or ransomware to an employee’s device, you’ve got less than 30 minutes to prevent it from moving laterally to other machines. So, 24×7 response capability to begin response action in 10 minutes or less is essential to surviving an attack.

Carbon Black’s cloud-native endpoint security platform, the VMware Carbon Black Cloud (CBC) (formerly known as ‘Predictive Security Cloud), constantly monitors and records what is happening on endpoints. This offers visibility into malicious activities across the devices connected to your network. If there’s any suspicious behavior (i.e., an application is attempting to open another application it normally wouldn’t) the CBC will send an alert.

Since Delta Risk is partnered with VMware Carbon Black, we can easily pull all these alerts into our cloud-based ActiveEye platform for our clients. This makes it easy to correlate endpoint activity with network and cloud security alerts, and to provide you a consolidated view of your entire cyber security environment. We also incorporate insights from third-party threat intelligence partners like the Alien Labs Open Threat Exchange to detect and prevent threats faster.

Visualizing the Attack Chain

If the CBC machine learning engine detects patently malicious activity (i.e., suspicious files attempting to run) it will be blocked. Additionally, you can see quick and easy attack chain visualizations. This can help you understand the attacker’s path to prevent similar actions in the future.

The screenshot above shows an example of how Carbon Black provides visibility into a spear phishing attack. The attack kill chain started with Microsoft Outlook, which invoked Excel, which then invoked PowerShell. Prevention was applied to PowerShell because it attempted to launch malware. This is clear when looking at the associated TTPs (tactics, techniques, and procedures).

This is a prime example of how attackers are constantly innovating their spear-phishing campaigns. This attack not only embedded malware, but also weaponized known good pieces of software—like Excel documents—in an attempt to evade any signature-based prevention.

The CBC’s continuous, centralized recording saw all of this activity in real time, applied prevention when the suspicious became inherently malicious, and escalated the alert to administrators accordingly. This allowed them to take continued remediation steps from the console, if desired.

Alternatively, consider a situation in which an attacker sends a spear-phishing email prompting the end user to visit a website that they’ve doctored to look legitimate and input their credentials. If an attacker is able to successfully harvest user credentials, the CBC is there to monitor, alert on, and prevent any malicious activity that then occurs—even when it is under the guise of a legitimate login. Say the attacker, after successfully logging into the endpoint, tries to pull malicious code from online and run it locally—it would be blocked.

Or, suppose they attempt to set up a scheduled task that automatically makes outbound network connections to the attacker’s home IP address —an alert would fire in Carbon Black and in turn at Delta Risk’s Active Eye portal (shown below), allowing you or our security operations center (SOC) analysts to immediately see and evaluate the malicious nature of that activity, and launch a full-scale investigation.


Malware and ransomware variants change quickly, but phishing and spear phishing are still the most effective ways to deliver them. Security analysts need a broad security background to interpret what is going on to identify new indicators, search for them across all systems, and apply blocking measures. Having staff that is experienced in responding to these type of attacks every day is essential to surviving an attack.

If you’re concerned about spear phishing and other advanced threats that may impact your organization, a next-gen EDR endpoint protection platform offers a lot of advantages over traditional antivirus. However, there’s a lot to consider. Although these solutions offer advanced features, you’ll need to consider the cost of hiring or training someone to manage whichever solution you choose. You should also be prepared to handle a potentially large volume of alerts if there are a lot of connected devices in your environment, and to spend some time up front on fine-tuning the solution.

The average cost of recovering from a ransomware attack is 20 times more than putting proper endpoint security and 24×7 SOC in place today. Many organizations, particularly mid-size companies, have realized that a managed security services solution enables them to secure their endpoints more effectively while lowering operational costs and demonstrating a faster return on their next-gen EDR investment.

Delta Risk partners with leading technology vendors to protect cloud applications, network, and endpoints against today’s cyber security threats. This blog was produced in coordination with Carbon Black.

Learn more about combating spear phishing and other cyber threats with next-generation EDR and Delta Risk.