We’ve all seen phishing attacks. Or have we? We’ve actually not seen a large fraction of them, because spam filters have gotten good enough to weed out the majority. A quick glance at your junk mail folder will find a bunch of them. You’ll find a range of Nigerian Princes, lottery awards, alerts about the World of Warcraft account you don’t have, and a bunch more. Those all use the classic “shotgun” or “driftnet” technique, where the scammer – or just a spammer – sends out a few million copies of the same email hoping someone will bite. Most of them end up caught by the spam filter, largely because all the major email services have been perfecting this kind of filtering for a couple of decades now. They are really, really good at it.
But what about “cast-netting,” where an attacker goes after a smaller target audience, like a specific group or company? Those have a better chance of getting through the filters because they’re much less “spammy.” And, if well written, those emails have a much better chance of getting a bite from the people who receive them. Spear-phishing is even harder to stop at the filter level because it can be so well crafted that the filters see it as just normal correspondence. Again, a well-crafted phish is likely to hook its target.
A lot of people associate phishing, in any form, with either a scam to steal money or a scheme to grab login credentials. But the email is really just the baited hook for whatever the payload is. Most of the time it’s a simple password or money grab, but the goal can be anything from the usual theft to a complex RAT (Remote Access Trojan) payload. In any case, the challenge is to spot the targeted attack that sneaks past the spam filter and then stop the payload, whatever it is, from doing its damage.
This is where machine-learning-based behavior analytics can help. Depending on what data the system has access to, it can potentially flag unusual behavior at any link in the chain. If the system can see incoming email headers, it could identify the tell-tale signature of a tailored cast-netting attack against the organization. There may be a new Yummy Yogurt opening down the street, but that PDF everyone got that said it was from the new shop probably isn’t a coupon for a free single scoop.
Thing is, someone is going to open that PDF and find out the hard way it is a trojan. Once that trojan goes to work, the advanced security analytics system can identify the behavior as being abnormal for the user and throw an alert. It’s the behavior the AI detects. Even if attackers are using a zero-day exploit embedded in that PDF, and a brand new strain of malware, the abnormal behavior will stand out to the analytics platform.
The same is true for a spear-phishing attack. While a single targeted email may slip through, the security analytics engine looks at the sender email address, the IP address of the sender, and the email subject line to see if something is amiss. If nothing stands out there, it can still recognize unusual behavior from the target if they take the bait and get hooked.
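As an added illustration of the header-level check described above (example code written for this post, not Gurucul’s product or its code), the snippet below groups inbound mail by sender domain and attachment hash and flags a group that fans out to many staff from a domain and IP the organization has never exchanged mail with. The baseline sets, the `.invalid` sender domain, the IP addresses and the attachment hashes are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class MailEvent:  # one inbound message as seen from its headers
    sender: str
    sender_ip: str
    recipient: str
    subject: str
    attachment_sha256: Optional[str]

# Constructed baseline of sender domains/IPs the organisation has already exchanged
# mail with; a real system would learn this from mail history.
KNOWN_SENDER_DOMAINS = {"example.com", "partner.example.org"}
KNOWN_SENDER_IPS = {"192.0.2.10", "198.51.100.7"}

def campaign_alerts(events, min_recipients=5):
    """Group inbound mail by (sender domain, attachment hash) and flag groups that
    fan out to many staff from a sender the organisation has never seen before."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.sender.rsplit("@", 1)[-1].lower(), e.attachment_sha256)].append(e)
    alerts = []
    for (domain, digest), evs in groups.items():
        recipients = {e.recipient for e in evs}
        if len(recipients) < min_recipients:
            continue  # too few targets to look like a cast-net
        reasons = []
        if domain not in KNOWN_SENDER_DOMAINS:
            reasons.append("sender domain never seen before")
        if not {e.sender_ip for e in evs} & KNOWN_SENDER_IPS:
            reasons.append("sending IP never seen before")
        if digest is not None:
            reasons.append(f"same attachment to {len(recipients)} recipients")
        if len(reasons) >= 2:  # novelty plus fan-out; fan-out alone (a partner newsletter) is not flagged
            alerts.append({"sender_domain": domain, "recipients": len(recipients),
                           "subjects": sorted({e.subject for e in evs}), "reasons": reasons})
    return alerts

# Constructed sample traffic: a cast-net "coupon" PDF to six staff, a partner newsletter to seven, one internal mail.
COUPON_PDF = "ab12" * 16  # constructed placeholder hash, not a real indicator
SAMPLE_EVENTS = (
    [MailEvent("deals@yummy-yogurt-coupons.invalid", "203.0.113.44",
               f"user{i}@example.com", "Free scoop for your office!", COUPON_PDF) for i in range(6)]
    + [MailEvent("news@partner.example.org", "198.51.100.7",
                 f"user{i}@example.com", "Monthly update", "cd34" * 16) for i in range(7)]
    + [MailEvent("bob@example.com", "192.0.2.10", "alice@example.com", "lunch?", None)]
)
```

Running `campaign_alerts(SAMPLE_EVENTS)` yields a single alert for the coupon campaign; the partner newsletter has the same fan-out but a known sender, so it is left alone.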
Watch Our Webinar
Want to know more about how Machine Learning can help mitigate the threat of phishing attacks – even sophisticated, targeted ones? Watch our on-demand webinar and see how Gurucul’s Unified Security and Risk Analytics can help!
Webinar On Demand: Combat Phishing Attacks Using Modern Machine Learning Algorithms