Detecting Credential Spearphishing attacks in Enterprise Settings
Key Concepts
What is Spearphishing?
Spearphishing is a type of social engineering attack where the attacker sends a targeted, deceptive email that tricks the recipient into performing some kind of dangerous action. Spearphishing attacks take several forms: malicious attachment-driven, credential spearphishing, etc.
This paper presents a new approach for detecting credential spearphishing attacks in enterprise settings. Its contributions include the following aspects:
- an analysis of the characteristics of these attacks;
- a new anomaly detection method, DAS, which is non-parametric and unsupervised
Impersonation
Spearphishing involves impersonating the identity of someone else. The address spoofer, name spoofer, unseen attacker and lateral attacker are the different types of impersonation considered.
Key features Used
Domain Reputation Features
- number of global visits to the FQDN (fully qualified domain name)
- number of days between the email's arrival and the link being clicked
Sender Reputation Features
Name Spoofer:
- number of days on which we saw an email whose From header contains the same name and address
- number of weeks in which this name sent at least one email on every weekday of the week
Unseen Attackers:
- number of days on which the From name sent emails
- number of days on which the From address sent emails
Lateral Attackers: from LDAP logs, get the IP and geolocation (city) of the sender
- number of employees sending emails from this city
- number of logins from this employee from this city
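The sender reputation features listed above are simple aggregates over the mail log. The following added example (not code from the paper or the original notes) computes the name spoofer and unseen attacker features for a given From name and address over a constructed mail log. The log format, the sender names and addresses, and the choice to bucket weeks by ISO calendar week (Monday to Friday counting as weekdays) are assumptions made here for illustration.

```python
from datetime import date
from typing import Dict, List, NamedTuple, Set, Tuple


class Mail(NamedTuple):
    """One email as seen by the detector: arrival date plus From header parts."""
    day: date
    from_name: str
    from_addr: str


def load(records: List[Tuple[str, str, str]]) -> List[Mail]:
    """Turn (iso_date, from_name, from_addr) triples into Mail records."""
    return [Mail(date.fromisoformat(d), n, a) for d, n, a in records]


# Constructed mail log (hypothetical sender names and addresses).
# 2024-01-01 is a Monday. Alice mails every weekday for two full weeks,
# once on a Saturday, and on the Monday of week three. Then an outside
# address shows up with her display name: a name spoofer candidate.
_ALICE_DAYS = (
    [f"2024-01-0{d}" for d in range(1, 7)]        # Mon 1 Jan .. Sat 6 Jan
    + [f"2024-01-{d:02d}" for d in range(8, 13)]  # Mon 8 Jan .. Fri 12 Jan
    + ["2024-01-15"]                              # Mon 15 Jan only
)
SAMPLE_LOG = load(
    [(d, "Alice Smith", "alice@corp.example") for d in _ALICE_DAYS]
    + [
        ("2024-01-16", "Alice Smith", "alice.smith@mail.example"),
        ("2024-01-16", "Bob Jones", "bob@corp.example"),
    ]
)


def sender_features(mails: List[Mail], from_name: str, from_addr: str) -> Dict[str, int]:
    """Sender reputation features for the (name, address) pair of an email.

    Returns:
      days_name_and_addr: days on which this exact name+address pair sent mail
      weeks_every_weekday: weeks in which the name sent on all five weekdays
      days_name: days on which the name sent mail (any address)
      days_addr: days on which the address sent mail (any name)
    Small values in all features mean the sender is new to the organisation.
    """
    days_name_addr: Set[date] = set()
    days_name: Set[date] = set()
    days_addr: Set[date] = set()
    weekdays_by_week: Dict[Tuple[int, int], Set[int]] = {}

    for m in mails:
        if m.from_name == from_name:
            days_name.add(m.day)
            iso_year, iso_week, _ = m.day.isocalendar()
            if m.day.weekday() < 5:  # Mon..Fri only; weekend mail does not count
                weekdays_by_week.setdefault((iso_year, iso_week), set()).add(m.day.weekday())
        if m.from_addr == from_addr:
            days_addr.add(m.day)
        if m.from_name == from_name and m.from_addr == from_addr:
            days_name_addr.add(m.day)

    full_weeks = sum(1 for seen in weekdays_by_week.values() if len(seen) == 5)
    return {
        "days_name_and_addr": len(days_name_addr),
        "weeks_every_weekday": full_weeks,
        "days_name": len(days_name),
        "days_addr": len(days_addr),
    }


if __name__ == "__main__":
    # The legitimate pair has a long history; the outside address shares the
    # name's history but has almost none of its own.
    print(sender_features(SAMPLE_LOG, "Alice Smith", "alice@corp.example"))
    print(sender_features(SAMPLE_LOG, "Alice Smith", "alice.smith@mail.example"))
```

Note how the name spoofer candidate inherits a high `days_name` and `weeks_every_weekday` from the real Alice while its `days_name_and_addr` and `days_addr` stay at one; that gap between name history and address history is exactly what the name spoofer features are meant to surface.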
Anomaly detection model
Standard anomaly detection techniques do not incorporate notions of asymmetry or directionality into their computations: both extremely small and extremely large values are treated as anomalous. The proposed approach only considers an event an anomaly if all of its dimensions are extremely small. Anomaly score E: E is the number of events in the dataset that are considered more normal (in all dimensions) than the current event. So the higher E is, the less common the event and the more malicious it is.
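To make the directionality point concrete, here is an added example (not code from the paper or these notes) that scores a constructed set of click events with the directed rule described above and, for contrast, with a symmetric z-score baseline. Each event is (global visits to the FQDN, days since the domain was first seen), with smaller values more suspicious in both dimensions; the sample values and the specific symmetric baseline are assumptions made here for illustration.

```python
from statistics import mean, pstdev
from typing import List, Tuple

Event = Tuple[float, ...]

# Constructed click events: (global visits to FQDN, days since first seen).
# Smaller is more suspicious in every dimension.
SAMPLE_EVENTS: List[Event] = [
    (1000, 400),     # established domain
    (5000, 700),
    (200, 90),
    (50, 30),        # young, little-visited domain
    (0, 0),          # never seen anywhere before: typical phishing landing page
    (3, 1),
    (100000, 2000),  # hugely popular, long-lived domain
    (800, 300),
]


def das_score(index: int, events: List[Event]) -> int:
    """Directed score: number of *other* events that are at least as normal
    as events[index] in every dimension (every value >=). Only events that
    are small on all axes end up with a high score."""
    x = events[index]
    return sum(
        1
        for j, y in enumerate(events)
        if j != index and all(yd >= xd for xd, yd in zip(x, y))
    )


def das_rank(events: List[Event]) -> Tuple[List[int], List[int]]:
    """Indices ordered most anomalous first, plus the per-event scores."""
    scores = [das_score(i, events) for i in range(len(events))]
    order = sorted(range(len(events)), key=lambda i: (-scores[i], i))
    return order, scores


def symmetric_score(index: int, events: List[Event]) -> float:
    """Symmetric baseline: largest absolute z-score across dimensions.
    Both tails look equally unusual, so a very popular domain is flagged
    just as readily as a brand-new one."""
    dims = list(zip(*events))
    mus = [mean(d) for d in dims]
    sds = [pstdev(d) or 1.0 for d in dims]  # guard against a constant column
    return max(abs((v - mu) / sd) for v, mu, sd in zip(events[index], mus, sds))


def symmetric_rank(events: List[Event]) -> Tuple[List[int], List[float]]:
    scores = [symmetric_score(i, events) for i in range(len(events))]
    order = sorted(range(len(events)), key=lambda i: (-scores[i], i))
    return order, scores


if __name__ == "__main__":
    das_order, das_scores = das_rank(SAMPLE_EVENTS)
    sym_order, sym_scores = symmetric_rank(SAMPLE_EVENTS)
    print("DAS       most anomalous:", SAMPLE_EVENTS[das_order[0]], "score", das_scores[das_order[0]])
    print("symmetric most anomalous:", SAMPLE_EVENTS[sym_order[0]], "score", round(sym_scores[sym_order[0]], 2))
```

With these inputs the directed score puts the never-seen domain (0, 0) at the top and gives the hugely popular domain a score of zero, while the symmetric baseline ranks the popular domain as the most anomalous event; a budget of alerts spent by the symmetric method would go to the least interesting click first.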