Fighting Spear Phishing with Artificial Intelligence
October 31, 2016—
3 min read
Fighting spear phishing with artificial intelligence is the solution. An email arrives in your work inbox. No big deal. You probably get hundreds of messages every day. You recognize the sender. It’s your work friend Dave. It reads, “Dude, did you see Lebron last night? That was awesome!” You shoot back a quick, “Yes! I lost ten bucks on that game. ;(.” What just happened? Are you shooting the breeze with your friend or being set up as the victim of a serious white collar crime?
How Spear Phishing Attacks Steal Corporate Information
Spear phishing is a type of hacking where the attacker impersonates a friend or coworker in order to trick an email recipient into disclosing confidential information or clicking on a URL that leads to theft of information. Assuming this questionable message is not actually from your friend, Dave, let’s see how it can lead to a successful hack of your organization.
The first email is harmless, on purpose. “Dave” is simply establishing contact with you. He wants to create a rapport so you will be more likely to interact with him in subsequent exchanges. How does he know you would respond to a note about Lebron? He checked out your Facebook profile and saw that you’re a Cavs fan. We all publicize information about ourselves that makes the hacker’s job easier.
The second email says, “Dude, listen, I’m going on vacation next week. I don’t want to take my laptop with me. Can you do me a favor and let me know if anything important happens at work – send messages here to my Gmail address, which I get on my phone.” You agree. Why wouldn’t you? This message has established that you’re connecting with Dave on his “personal” email account. How does the hacker know that Dave is on vacation? It’s on his Facebook profile.
The third message says, “Hey – quick thing. I’m away but I wanted to let you know that our company is joining a vendor consortium. You need to sign up for it right away. The link is www.vendorconsortium.com.” You click on the link. You see a familiar logo and the names of other companies you work with. It seems legit. So, you set up an account.
There is a real vendor consortium. That’s why the site looks familiar and real, but it’s not. It’s a perfect replica of the legitimate site. The actual URL is www.vendorconsortium.org. You’re busy and you have little reason to think that it wouldn’t be a .com URL. As you set up your account on the fake vendor consortium site, you get asked for your login credentials to your corporate applications. The fake site tells you they need these credentials to set up OAuth or some comparable API authentication process.
Now, the hacker can impersonate you and log into your organization’s applications. You probably have no idea what has just happened. This is spear phishing at its worst. Some of the most egregious data breaches in recent history started with attacks just like the one used in this simple example.
The Spear Phishing Detection Challenge
Unfortunately, spear phishing can be extremely difficult to detect and prevent. Unlike spam or malware-bearing emails, which can be detected by signature-based filters, the message, “Dude, did you see Lebron…” will not trigger any standard email security flags. It’s not carrying an attachment that can be analyzed and quarantined. It doesn’t contain any standard phishing language like, “Dear sirr. I am a Nigerian Prince in search of a financial partner…”
The Artificial Intelligence Approach to Detecting Spear Phishing
It takes a much more sophisticated approach to reliably detect spear phishing emails, such as artificial intelligence informed by a huge data set of emails. This is the approach used by Vade. We leverage the power of machine learning to detect subtle bits of evidence that a seemingly harmless email is in fact a spear phishing attack. Like fraud detection software used to spot suspicious credit card transactions based on factors like location, retailer and so forth, our solution has been “trained” – over a decade, with tens of millions of emails – to see patterns in spear phishing attacks.
Our proprietary processes enable identification of one-off attacks. We do this by developing an overall sense of the user. Vade can match the style and technical indicators of the claimed sender of any given email with known information about the actual sender. Vade looks at multiple elements of every email. Behavioral analysis examines everything from style and grammar indicators to the code and commands embedded in attachments. This way, if email from the fake “Dave” uses different header fingerprints from those of the real Dave, our solution will spot the issue and flag the email.
Vade is always learning more and retraining itself to get better at detecting spear phishing messages that seem totally normal to a busy employee. This capability is part of a layered approach to anti-phishing. Vade can be used as a total email security and management solution or quickly layered onto existing email defenses in Office 365, corporate Gmail, Zimbra, and many other common email systems.
Give us a call at 415-745-3630, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.