A group of researchers recently identified a real-time way to detect credential spearphishing attacks in enterprise settings. The discovery net the researchers $100,000 last week from Facebook, which awards money as part of its annual Internet Defense Prize partnership with USENIX Association.

The researchers—Grant Ho, University of California, Berkeley; Aashish Sharma, Lawrence Berkeley National Laboratory; Mobin Javed, University of California, Berkeley; Vern Paxson, University of California, Berkeley and International Computer Science Institute; and David Wagner, University of California, Berkeley—presented a paper, “Detecting Credential Spearphishing Attacks in Enterprise Settings,” (.PDF) last week at the 26th USENIX Security Symposium, in Vancouver, British Columbia.

At the crux of the researchers’ detection method is something they call an anomaly scoring technique for ranking alerts.

The technique, Directed Anomaly Scoring (DAS), operates in a non-parametric fashion, cherrypicking what Ho and company call the most suspicious events from an unlabeled dataset. The technique ranks events by how dubious they appear.

“Once all events have been ranked, DAS simply selects the N most suspicious (highest-ranked) events, where N is the security team’s alert budget,” the researchers write in the paper.

The researchers claim a standard detection method would take nine times as many alerts as theirs to detect the same number of attacks, and that in an experiment they carried out, it detected all but two attacks and even fingered out two previously unknown phishing attack vectors.

The researchers took an anonymized dataset containing 370 million emails from UC Berkeley’s Lawrence Berkeley National Laboratory (LBNL) to test the scoring algorithm. The facility, a Department of Energy (DOE) Office of Science lab managed by University of California, didn’t receive any malicious attachments during the four-year experiment but did receive a number of credential spearphishing attempts.

Credential spearphishing attacks are far less expensive and easier to pull off than attachment-driven exploits. The attacks usually rely on a tricking a user into clicking through a deceptive email to an attacker’s site and entering credentials.

The technique detected six known spearphishing attacks that succeeded and nine that failed. What makes the detector truly remarkable is its false positive rate, 0.004 percent. The number of incoming emails to an enterprise can obviously fluctuate; the researchers say the median number of emails received per day is 263,086. At that false positive rate however the detector can generate 10 or fewer alerts per day 80 percent of the time, Ho and company claim.

The technique is quick too; the researchers say an analyst could investigate a month’s worth of alerts in just 15 minutes. That breaks down to under a minute a day spent by an analyst going over one day’s alerts.

“Ultimately, our detector’s ability to identify both known and novel attacks, and the low volume and burden of alerts it imposes, suggests that our approach provides a practical path towards detecting credential spearphishing attacks,” the researchers wrote.

LBNL was so impressed with the detector it decided to implement and deploy the tool fulltime.

Facebook, which believes the technique could help better protect people from getting hit by social engineering attacks, saw merit in the research as well.

Nektarios Leontiadis, a research scientist with the social network, said late last week the fact the research could help reduce information leaks in the future. Key to winning the prize money was the researchers’ breakdown the method’s false positives.

“The authors acknowledge and account for the cost of false positives in their detection methodology. This is significant because it factors into the overhead cost and response time for incident response teams,” Leontiadis said Thursday.

Facebook, for four years running, has awarded the Internet Defense Prize to researchers for defensive work that prevents vulnerabilities and mitigates attacks.

In 2014 it awarded researchers who came up with a static analysis tool to identify second-order vulnerabilities. In 2015 researchers who identified a series of C++ security issues won the prize. Last year Facebook awarded $100,000 to researchers who came up with a new way to bolster post-quantum security for TLS. The research, which ultimately made its way into Chrome and Tor, was based on bridging the gap between a key exchange protocol (Ring-LWE) and OpenSSL.

Categories: Web Security