Detecting lateral spear phishing attacks in organisations

A lateral spear phishing attack is a powerful type of social engineering attack carried out using one or more compromised email accounts within the target organisation. Spear phishing attacks are difficult to detect by their very nature, and the lateral attack vector makes detection more challenging still. The authors present an approach to detect lateral spear phishing attacks in organisations in real time. Their approach uses features derived from domain knowledge and from analysis of the characteristics of such attacks, combined with a scoring technique that works on a non-labelled dataset. They evaluate the approach on several years' worth of real-world email data collected from volunteers in their institute. They achieve a false positive rate below 1%, and also detect two instances of compromised accounts that were not previously known. A comparison of their scoring technique with machine-learning-based anomaly detection techniques shows the proposed technique to be better suited to practical use. The proposed approach is primarily aimed at complementing existing detection techniques on email servers; however, the authors also developed a Chrome browser extension to demonstrate that such a system can be used independently by organisations within their network.
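The abstract describes scoring internal email against features that need no labelled training data. The following is an added illustration of that idea and is not the authors' code: it builds a per-sender baseline from an account's own past messages and scores a new message by how much of it is new for that sender. The four features (never-before-contacted recipients, a never-before-linked domain, an unseen sending hour, and fan-out above the sender's historical maximum), their weights, the threshold, the cold-start guard and all sample addresses and domains are assumptions chosen for this example; the paper's actual feature set is not given on this page.

```python
"""Unsupervised per-sender baseline scoring for internal email (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Email:
    sender: str
    recipients: list
    body: str
    sent_at: datetime


def link_domains(body):
    """Lower-cased hostnames of every http(s) link found in the body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


@dataclass
class SenderProfile:
    """What one internal account has historically done: a baseline, not a label."""
    messages: int = 0
    recipients: Counter = field(default_factory=Counter)
    domains: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    max_fan_out: int = 0

    def update(self, mail):
        self.messages += 1
        self.recipients.update(r.lower() for r in mail.recipients)
        self.domains.update(link_domains(mail.body))
        self.hours[mail.sent_at.hour] += 1
        self.max_fan_out = max(self.max_fan_out, len(mail.recipients))


class LateralPhishScorer:
    # Assumed weights; they sum to 1.0 so the score reads as "how much of this
    # message is new for the sender". No labelled data is needed.
    WEIGHTS = {"new_recipients": 0.35, "new_link_domain": 0.30,
               "unusual_hour": 0.15, "fan_out": 0.20}

    def __init__(self, threshold=0.5, min_history=5):
        self.threshold = threshold
        self.min_history = min_history  # cold-start guard: too little history, no score
        self.profiles = {}

    def learn(self, history):
        for mail in history:
            self.profiles.setdefault(mail.sender.lower(), SenderProfile()).update(mail)

    def features(self, mail):
        p = self.profiles.get(mail.sender.lower())
        if p is None or p.messages < self.min_history:
            return None
        rcpts = [r.lower() for r in mail.recipients]
        new_r = sum(1 for r in rcpts if r not in p.recipients) / max(1, len(rcpts))
        new_d = 1.0 if any(d not in p.domains for d in link_domains(mail.body)) else 0.0
        hour = 1.0 if p.hours[mail.sent_at.hour] == 0 else 0.0
        excess = len(rcpts) - p.max_fan_out
        fan = min(1.0, max(0, excess) / max(1, p.max_fan_out))
        return {"new_recipients": new_r, "new_link_domain": new_d,
                "unusual_hour": hour, "fan_out": fan}

    def score(self, mail):
        """Returns (score, features); score is None when history is insufficient."""
        f = self.features(mail)
        if f is None:
            return None, {}
        return sum(self.WEIGHTS[k] * v for k, v in f.items()), f

    def is_suspicious(self, mail):
        s, _ = self.score(mail)
        return s is not None and s >= self.threshold


def build_history():
    """Constructed sample: one account's normal internal mail over a working week."""
    plan = [(["bob@corp.example"], 9), (["carol@corp.example", "bob@corp.example"], 14),
            (["dave@corp.example"], 11), (["bob@corp.example"], 16),
            (["carol@corp.example"], 10), (["dave@corp.example", "bob@corp.example"], 15)]
    return [Email("alice@corp.example", rcpts, f"Notes: https://wiki.corp.example/day{i}",
                  datetime(2018, 3, 5 + i, hour)) for i, (rcpts, hour) in enumerate(plan)]


def demo():
    scorer = LateralPhishScorer()
    scorer.learn(build_history())
    benign = Email("alice@corp.example", ["bob@corp.example"],
                   "Updated: https://wiki.corp.example/day7", datetime(2018, 3, 12, 10))
    # Constructed message from the same internal account where every recipient,
    # the link domain, the hour and the fan-out are new for this sender.
    lateral = Email("alice@corp.example",
                    ["erin@corp.example", "frank@corp.example", "grace@corp.example",
                     "heidi@corp.example", "ivan@corp.example"],
                    "Please re-validate your mailbox: https://corp-example-login.example/verify",
                    datetime(2018, 3, 12, 3))
    unknown = Email("mallory@corp.example", ["bob@corp.example"], "hi", datetime(2018, 3, 12, 10))
    return {name: scorer.score(m) for name, m in
            [("benign", benign), ("lateral", lateral), ("unknown", unknown)]}


if __name__ == "__main__":
    for name, (s, f) in demo().items():
        print(name, s, f)
```

The cold-start branch matters in practice: an account with no baseline is not scored at all rather than scored against an empty profile, which would flag every message; such senders are left to other controls until enough history accumulates.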

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2018.5090