Spear-Phishing

On June 28, 2012, The US-CERT (United States Computer Emergency Readiness Team) released the ICS-CERT Advisory "ICS-CERT Incident Summary Report." The report provides a summary of their incident response activities from 2009 - 2011.
The most common attack vector for was spear-phishing emails with malicious links or attachments. This accounted for 7 out of 17 incidents. They surmised that "Sophisticated threat actors were present in 11 of the 17 incidents, including the actors utilizing spear-phishing tactics to compromise networks."


Brian Krebs analyzed email threat data from the University of Alabama at Birmingham and across the sample set the anti-virus solutions on the market were not very effective, with an average detection rate of 24.7 percent and median detection rate of 19 percent.

One cannot survive on anti-virus solutions alone, which tend to rely on signatures and heuristic analysis of the payloads. We recommend a defense in depth strategy here that relies on analyzing the behavior of the PCs as well, so that once an attack has passed through the AV solution, there is another barrier to detect anomalies. Invincea provides an isolated environment to handle links and PDF attachments. An internal IDS/IPS system could identify unusual behavior.  Please reach out to me if you would like more information on our recommendations.