New tech can help catch spearphishing attacks

New approaches that look for more subtle patterns can help reduce highly-targeted spearphishing attacks

Page 2 of 3

In addition, only 33 percent said that user training was "excellent" at effectively stopping these attacks, and 58 percent said it was moderately effective.

But there are some tools already available that can help catch many of these attacks, and some systems on the market can quickly react to new kinds of approaches and block them before they do damage.

Learning to spot the patterns

The most interesting technology hitting the market uses machine learning to spot suspicious patterns.

For example, the email to the GreatHorn controller was caught by GreatHorn's own security product, a cloud-based detection system that works with Office 365 and Google email platforms.

"Within 20 seconds, we recognized that it was likely an impersonation of our domain name, that it was likely fraudulent, that it was looking for a wire transfer, and instantly removed it from her email box," said O'Brien.

The cloud-based approach allows all of its customers to be instantly updated whenever a new type of fraudulent email shows up anywhere else.

For example, one recent tactic is for the scammer to create a personal email address for the CEO or other executive with, say, Gmail or another popular email provider. If the name is already taken, they will add a middle name.

How many people know the middle names of their company executives?

To make it more believable, the scammers will add the executive's real picture, a line like "Sent from my iPhone" at the bottom of the email, and send the message in the middle of the night.

"The email typically says 'are you in the office, if so give me a call back or email me' -- it's just to see if someone responds to that email address," O'Brien said. "We saw a rise of that in the last couple of months."

Once GreatHorn spotted that pattern, the update was immediately available to all users, and GreatHorn went a step further and developed new functionality to track legitimate personal email addresses.
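The impersonation pattern described above (an executive's name on an outside address, sometimes with a middle name inserted, a reply-probe or wire request, and an overnight send time) can be expressed as a small scoring rule. This is an added illustration, not GreatHorn's code; the company domain, executive list and the allowlist of verified personal addresses are constructed for the example.

```python
import re
from datetime import datetime
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed data for this example (hypothetical company): its domain, its
# executives, and personal addresses already verified as belonging to them.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}                                  # "first last", lower-case
KNOWN_PERSONAL = {"jane doe": {"jane.a.doe@gmail.com"}}   # verified personal addresses
WIRE_RE = re.compile(r"\b(wire|transfer|payment)\b", re.I)
PROBE_RE = re.compile(r"are you in the office|give me a call|email me", re.I)


def impersonated_exec(display_name):
    """Return the executive whose first and last name match, ignoring any middle name."""
    parts = display_name.lower().split()
    for name in EXECUTIVES:
        first, last = name.split()
        if len(parts) >= 2 and parts[0] == first and parts[-1] == last:
            return name
    return None


def lookalike_domain(domain):
    """True when the sender domain is not ours but is only a character or two away."""
    return domain != CORP_DOMAIN and SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.85


def score_message(msg):
    """Score a message dict (From, Date in ISO 8601, Subject, Body); higher is more suspicious."""
    display, addr = parseaddr(msg["From"])
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    score, reasons = 0, []
    exec_name = impersonated_exec(display)
    if exec_name and domain != CORP_DOMAIN and addr not in KNOWN_PERSONAL.get(exec_name, ()):
        score += 3
        reasons.append("lookalike domain" if lookalike_domain(domain) else "exec name from outside address")
    text = msg["Subject"] + " " + msg["Body"]
    if WIRE_RE.search(text):
        score, reasons = score + 2, reasons + ["wire/payment request"]
    if PROBE_RE.search(text):
        score, reasons = score + 1, reasons + ["reply-probe wording"]
    if datetime.fromisoformat(msg["Date"]).hour < 6:   # sent in the middle of the night
        score, reasons = score + 1, reasons + ["sent overnight"]
    return score, reasons


def is_suspicious(msg, threshold=3):
    return score_message(msg)[0] >= threshold
```

A message from a verified personal address scores only on its wording, which is the point of tracking legitimate personal addresses: the allowlist keeps the executive's real Gmail from being flagged every time.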

O'Brien confirmed that his company does have to be able to see the emails in order to spot the known patterns and identify new ones.

"We're using the APIs protected by Microsoft and Google," he said. "You're not changing your email transmission -- it all remains entirely within the Microsoft or Google ecosystem. And all of our analysis of email content is done in a very narrowly-scoped environment. We never write it to disk, we never store any email content from any client ever, we do our analysis in memory."

The system originally started out as a traditional rules-based expert system, but now the majority of the back end is unsupervised machine learning, he said.

GreatHorn isn't the only vendor looking for new fraud techniques across a wide customer base.

IronScales, for example, offers fraudulent email detection as software-as-a-service to more than 100 companies with anywhere from 50 to 40,000 employees.

"New phishing attacks -- zero-day phishing attacks that are just emerging in the last couple of minutes -- our machines are trained against them and can create real-time signatures to make sure they're intercepted," said Eyal Benishti, CEO at IronScales.

And if anything does slip through, all it takes is for a message to be flagged as fraudulent by a recipient.

"Our machine is able to extract all the parameters of this fraud," he said. "And from that point on, the more frauds that we see, the better the machine is at predicting other attacks that look very similar to that kind of attack."

Nothing is foolproof

Palo Alto-based Medallia, which sends out customer surveys, started using GreatHorn to catch spearphishing attacks this past spring.

"Our CFO was getting almost daily emails from our CEO asking him to wire transfer large sums of money," said Jonathan Hansen, the company's head of IT.

There was a training program already in place, but the emails were getting really annoying, he said.

The initial setup required two people and about half an hour of time, but the company is still working on fine-tuning the system.

It now catches about 90 percent of fraudulent emails, Hansen said.

"We look at it about once a week, just to see what it's catching, if there might be false positives or false negatives," he said.

There's an email address dedicated to false positive and false negative emails, and those reports are used to fine-tune the settings.

"You have to set proper expectations," he said. "Even the most advanced system isn't going to be 100 percent."

Hersha Hospitality Management's Alvarez said that his company has used the GreatHorn service for about a year, and administrators have a dashboard where they can see all the emails coming in and get warnings about suspicious messages.

Proper configuration can help eliminate false positives, he said, and block fake emails from getting through without being caught.

Every week about a quarter of a million email messages land in employee mail boxes, he said.

"At 5 to 10 percent of those emails are suspicious and we have flagged them," he said. "It's another layer of security."
