Detecting Credential Spearphishing Attacks in Enterprise Settings
Grant Ho, UC Berkeley
Aashish Sharma, Mobin Javed, Vern Paxson, David Wagner
Our Focus: Enterprise Credential Spearphishing
"Credentials are king" - Rob Joyce, Director of NSA's Tailored Access Operations
• Wealth of access & lower barrier than 0-day malicious attachments
• What about 2FA? Cost, usability, incomplete deployment, often still phish-able
• Detection today: user reporting, phish-able 2FA, post-mortem forensics
Our Work
Practical detection system for an enterprise's security team
1. Extremely low FP burden (Goal: < minutes per day)
2. Raises the bar & detects many attacks, but not a silver bullet
Our Work
Worked with the Lawrence Berkeley National Laboratory (LBL)
• US DoE National Lab w/ 5,000 employees
Anonymized datasets:
• SMTP header information (From and RCPT-TO headers)
• URLs in emails
• Network traffic logs
• LDAP logs
Key Challenges
1. Small set of labeled attack data
• < 10 known successful credential spearphishing attacks
2. Base rate
• 372 million emails over 4 years (Mar 2013 - Jan 2017)
• Even a detector w/ 99.9% accuracy (0.1% false positives) = 372,000 false alerts
Spearphishing Attack Taxonomy
• Successful spearphishing attacks have two necessary stages:
1. The Lure
• Successful attacks lure/convince the victim to perform an action
2. The Exploit
• Successful attacks execute some exploit on behalf of the attacker
• Malware, revealing credentials, wiring money to a "corporate partner"
Modern Credential Spearphishing: The Lure
Lure
1. Attacker sends a catchy email under a trusted/authoritative identity
From: "Berkeley IT Staff" <[email protected]>
Modern Credential Spearphishing: The Exploit
Exploit
1. Victim clicks on the embedded link
2. Victim arrives at the phishing website & submits credentials
Actual destination for the linked text: auth.berkeley.netne.net
Lure Features: Suspicious Sender Present
• Common lure: impersonate a trusted or authoritative entity
• Four "impersonation" classes - each has its own set of lure features
1. Name spoofing attacker
2. Address spoofing attacker
3. Previously unseen attacker
4. Lateral attacker
• This talk: lateral attackers
Lure Features (Cont.): Suspicious Sender Present
• Lateral spearphishing lure: attacker compromises a trusted entity's account
• Feature intuition: email = suspicious if the employee sent it during a suspicious login session
• Lure features for lateral spearphishing:
• Was the email sent in a session where the sender logged in w/ a new IP address?
• # of prior logins by the sender from the geolocated city of the login IP addr
• # of other employees who've also logged in from the city of the login IP addr
Exploit Features: Suspicious Action Occurred
• Winnow the pool of candidate alerts to: emails where the recipient clicked on the embedded URL (a click-in-email action)
• Exploit features: the URL's fully-qualified domain (hostname) is suspicious
• # of prior visits to the FQDN across all of the enterprise's network traffic
• # of days between the 1st employee's visit to the FQDN & the current email's arrival
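The lure and exploit features from the two slides above, computed over sample logs. This is an added example and not the LBL system's code: the login, HTTP and email records are constructed inline (hypothetical users, IPs, cities and domains), and IP-to-city geolocation is assumed to have been resolved already, with the IP_CITY map standing in for a real GeoIP lookup. The click-in-email winnowing is done by looking for a fetch of the URL's hostname by the recipient after the email arrived.

```python
"""Lure (lateral attacker) and exploit (FQDN) features for candidate emails,
following the feature definitions on the slides. Added example on constructed
sample logs; not the LBL system's code. Users, IPs, cities and domains are
hypothetical; IP_CITY stands in for a real GeoIP lookup."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample data. Timestamps are "YYYY-MM-DD HH:MM".
IP_CITY = {"198.51.100.7": "Berkeley", "198.51.100.9": "Berkeley",
           "203.0.113.44": "Lagos"}

LOGINS = [  # (timestamp, user, source IP) -- stands in for the LDAP login log
    ("2017-01-03 08:55", "alice", "198.51.100.7"),
    ("2017-01-04 09:02", "alice", "198.51.100.7"),
    ("2017-01-04 09:10", "bob",   "198.51.100.9"),
    ("2017-01-05 08:58", "alice", "198.51.100.7"),
    ("2017-01-06 02:41", "alice", "203.0.113.44"),  # alice's account, unusual session
]

HTTP = [  # (timestamp, user, fetched hostname) -- stands in for network traffic logs
    ("2016-12-20 10:00", "bob",   "www.energy.gov"),
    ("2017-01-02 11:30", "alice", "www.energy.gov"),
    ("2017-01-05 09:20", "bob",   "www.energy.gov"),         # bob clicks email 1
    ("2017-01-06 03:15", "bob",   "auth.berkeley.example"),  # bob clicks email 2
]

EMAILS = [  # (arrival timestamp, From, RCPT-TO, embedded URL)
    ("2017-01-05 09:05", "alice", "bob", "https://www.energy.gov/news"),
    ("2017-01-06 02:50", "alice", "bob", "http://auth.berkeley.example/login"),
]


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def fqdn(url):
    return urlsplit(url).hostname


def login_session(user, when):
    """Most recent login by `user` at or before `when`; None if there is none."""
    prior = [l for l in LOGINS if l[1] == user and ts(l[0]) <= when]
    return max(prior, key=lambda l: ts(l[0])) if prior else None


def lure_features(sender, arrival):
    """Lateral-attacker lure features for the login session the email was sent in."""
    sess = login_session(sender, arrival)
    if sess is None:
        return None
    sess_time, ip = ts(sess[0]), sess[2]
    city = IP_CITY.get(ip)
    earlier = [l for l in LOGINS if ts(l[0]) < sess_time]  # logins before this session
    new_ip = not any(l[1] == sender and l[2] == ip for l in earlier)
    prior_from_city = sum(1 for l in earlier
                          if l[1] == sender and IP_CITY.get(l[2]) == city)
    others_from_city = len({l[1] for l in earlier
                            if l[1] != sender and IP_CITY.get(l[2]) == city})
    return {"new_ip": new_ip,
            "prior_logins_from_city": prior_from_city,
            "other_employees_from_city": others_from_city}


def exploit_features(url, arrival):
    """Enterprise-wide reputation of the URL's hostname before the email arrived.
    A never-visited FQDN gets 0 days (the most suspicious value)."""
    host = fqdn(url)
    visits = [ts(h[0]) for h in HTTP if h[2] == host and ts(h[0]) < arrival]
    days = (arrival - min(visits)).days if visits else 0
    return {"prior_visits_to_fqdn": len(visits), "days_since_first_visit": days}


def clicked(recipient, url, arrival, window=timedelta(days=7)):
    """Click-in-email action: the recipient fetched the URL's host after arrival."""
    host = fqdn(url)
    return any(h[1] == recipient and h[2] == host
               and arrival <= ts(h[0]) <= arrival + window for h in HTTP)


def feature_vectors():
    """Candidate alerts (clicked emails) with their lure + exploit feature vectors."""
    out = []
    for arr, sender, rcpt, url in EMAILS:
        arrival = ts(arr)
        if not clicked(rcpt, url, arrival):
            continue  # winnow: no click, not a candidate alert
        lf = lure_features(sender, arrival)
        if lf is None:
            continue  # no login session to attribute the email to
        out.append((arr, sender, rcpt, fqdn(url), {**lf, **exploit_features(url, arrival)}))
    return out


if __name__ == "__main__":
    for row in feature_vectors():
        print(row)
```

Both emails are candidates because bob fetched each linked host after arrival. The first (a familiar domain, sent from alice's usual Berkeley session) gets a benign-looking vector, while the second (sent minutes after a first-ever login from a new IP in a city nobody at the site has logged in from, linking to a hostname no one has visited) is extreme on the suspicious side of every feature.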
How do we leverage our features?
• Combine lure + exploit features to get feature vectors (FVs) for emails
• How do we use these features for detecting attacks?
Approach 1: Manual rules
• Problems: soundly choosing thresholds & generalizability
Approach 2: Supervised ML
• Problems: tiny # of labeled attacks and base rate
Limitations of Standard Techniques
Approach 3: Unsupervised learning / anomaly detection
• Clustering / distance based: kNN
• Density-based: KDE, GMM
• Many others...

Classical Anomaly Detection: Limitations
Three thematic problems:
1. Parametric and/or hyperparameter tuning
2. Direction-agnostic (a standard deviation of +3 is just as anomalous as -3)
[Figure: histogram of the feature "# prior logins by current employee from city of new IP addr", with the mean marked and example values of 50 and 1000: both are far from the mean, but only the low value is suspicious]
3. Alert if anomalous in only one dimension
[Figure: two-dimensional feature space; each axis points toward "more benign"]
• DAS: simple, new method that overcomes these 3 problems
DAS: Directed Anomaly Scoring
1. Security analysts w/ limited time: specify B = alert budget
2. For a set of events, assign each event a "suspiciousness" score
3. Rank events by their "suspiciousness"
4. Output the B most suspicious events for the security team
DAS: Directed Anomaly Scoring
• Score(Event X) = # of other events that are as benign as X in every dimension
• i.e., large score = many other events are more benign than X
[Figure: worked examples in a two-dimensional feature space, each axis pointing toward "more benign"; each plotted event is labeled with its DAS score, the number of other events that are at least as benign as it in both dimensions, and the B highest-scoring events are the alerts]
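DAS as defined on the slides, run on a small set of feature vectors next to a direction-agnostic detector, to show the three problems above. This is an added example, not the authors' implementation: the events and their values are constructed, the direction of each feature follows the slides' intuition (more prior logins or prior visits = more benign; a new IP = less benign), and the z-score ranking is a stand-in for the classical methods the slides contrast DAS with.

```python
"""Directed Anomaly Scoring (DAS): Score(X) = number of other events that are
at least as benign as X in every feature dimension; alert on the B highest
scores. Added example on constructed feature vectors; not the authors' code.
The z-score detector below is a direction-agnostic baseline for comparison."""

# For each feature: True if a larger value is more benign, False if a smaller
# value is. The boolean "new IP?" feature is encoded 0/1, 0 being the benign side.
FEATURES = {
    "new_ip": False,
    "prior_logins_from_city": True,
    "prior_visits_to_fqdn": True,
}

EVENTS = [  # constructed feature vectors, one per clicked email (hypothetical values)
    {"new_ip": 0, "prior_logins_from_city": 40,   "prior_visits_to_fqdn": 300},
    {"new_ip": 0, "prior_logins_from_city": 55,   "prior_visits_to_fqdn": 250},
    {"new_ip": 0, "prior_logins_from_city": 1000, "prior_visits_to_fqdn": 400},  # frequent traveler: unusual but benign
    {"new_ip": 1, "prior_logins_from_city": 0,    "prior_visits_to_fqdn": 0},    # lateral attack: new IP, unseen city, unseen FQDN
    {"new_ip": 0, "prior_logins_from_city": 30,   "prior_visits_to_fqdn": 500},
    {"new_ip": 1, "prior_logins_from_city": 60,   "prior_visits_to_fqdn": 350},  # new IP, but familiar city and domain
    {"new_ip": 0, "prior_logins_from_city": 45,   "prior_visits_to_fqdn": 20},   # rarely visited domain, established sender
]


def at_least_as_benign(y, x, features=FEATURES):
    """True if event y is at least as benign as event x in *every* dimension."""
    return all((y[f] >= x[f]) if higher_benign else (y[f] <= x[f])
               for f, higher_benign in features.items())


def das_scores(events, features=FEATURES):
    """Score(X) = # of other events at least as benign as X in every dimension.
    Non-parametric: nothing to tune beyond the feature directions."""
    return [sum(1 for j, y in enumerate(events)
                if j != i and at_least_as_benign(y, x, features))
            for i, x in enumerate(events)]


def das_alerts(events, budget, features=FEATURES):
    """Indexes of the `budget` most suspicious events (highest score first,
    ties broken by position in the input)."""
    scores = das_scores(events, features)
    ranked = sorted(range(len(events)), key=lambda i: (-scores[i], i))
    return ranked[:budget]


def zscore_alerts(events, budget, features=FEATURES):
    """Direction-agnostic baseline: rank by the largest |z-score| in any single
    dimension, so an extreme value on the benign side of one feature ranks as
    high as an extreme value on the suspicious side."""
    n = len(events)
    stats = {}
    for f in features:
        vals = [e[f] for e in events]
        mean = sum(vals) / n
        std = (sum((v - mean) ** 2 for v in vals) / n) ** 0.5 or 1.0
        stats[f] = (mean, std)

    def max_abs_z(e):
        return max(abs((e[f] - m) / s) for f, (m, s) in stats.items())

    ranked = sorted(range(n), key=lambda i: (-max_abs_z(events[i]), i))
    return ranked[:budget]


if __name__ == "__main__":
    print("DAS scores:", das_scores(EVENTS))
    print("DAS, budget 1:", das_alerts(EVENTS, 1))         # the attack (index 3)
    print("z-score, budget 1:", zscore_alerts(EVENTS, 1))  # the frequent traveler (index 2)
```

With a budget of one alert, DAS returns the attack: every other event is at least as benign as it in all three dimensions, so it has the largest score. The z-score baseline instead returns the frequent traveler, whose 1000 prior logins are the single most extreme value in the set even though that extreme lies on the benign side. The second DAS alert is the email linking to a rarely visited domain, which is the kind of borderline event the budget B exists to bound.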
Detection Results
• Real-time detector on 370 million emails over ~4 years
• Ran the detector w/ a total budget of 10 alerts/day
• Practical for LBL's security team (~240 alerts/day typical)
• Detected 17/19 spearphishing attacks (89% TP)
• 2/17 detected attacks were previously undiscovered
• Best classical anomaly detection: 4/19 attacks for the same budget
• Needs a budget >= 91 alerts/day to detect the same # of attacks as DAS
Results: Cost of False Positives
• 10 alarms/day: how much time does this cost the security team?
• LBL's security staff manually investigated all our alerts
• 24 alerts/minute (avg rate for one analyst)
• < 15 minutes for 1 analyst to investigate the alerts from an entire month
• Subject + URL + "From:" = quick semantic filter
• "Never Lose Your Keys, Wallet, or Purse Again!"
• "Invitation to Speak at Summit for Energy..."
Conclusion
• Real-time system for detecting credential spearphishing attacks
• TP = 89%: detects known + previously undiscovered attacks
• FP = 0.004%: 10 alerts/day (alerts processed in < minutes per day)
Key ideas
1. Leverage the lure + exploit structure of spearphishing to design features
2. DAS: unsupervised, non-parametric technique for anomaly detection
• Generalizes beyond spearphishing
• "Needle-in-haystack" problems w/ curated & directional features