detecting credential spearphishing attacks in enterprise ......detecting credential spearphishing...

28
Detecting Credential Spearphishing Attacks in Enterprise Settings Grant Ho UC Berkeley Aashish Sharma, Mobin Javed, Vern Paxson, David Wagner 1

Upload: others

Post on 10-Mar-2020

28 views

Category:

Documents


0 download

TRANSCRIPT

DetectingCredentialSpearphishingAttacksinEnterpriseSettings

GrantHoUCBerkeley

AashishSharma,MobinJaved,VernPaxson,DavidWagner

1

SpearPhishingTargeted emailthattricksvictim intogivingattackerprivilegedcapabilities

2

OurFocus:EnterpriseCredential Spearphishing

“Credentialsareking”- RobJoyce,DirectorofNSA’sTailoredAccessOperations

• Wealthofaccess&lowerbarrierthan0-daymaliciousattachments

• Whatabout2FA?• Cost,usability ,incompletedeployment,oftenstillphish-able

• Detectiontoday:userreporting,phish-able2FA,post-mortemforensics3

OurWork

Practical detectionsystemforanenterprise’ssecurityteam

1. ExtremelylowFPburden(Goal:<minutesperday)

2. Raisesbar&detectsmanyattacks,butnot silverbullet

4

OurWork

WorkedwiththeLawrenceBerkeleyNationalLaboratory(LBL)• USDoENationalLabw/5,000employees

Anonymizeddatasets:• SMTPheaderinformation(FromandRCPT-TOheaders)• URLsinemails• Networktrafficlogs• LDAPlogs

5

KeyChallenges

1. Smallsetoflabeledattackdata• <10knownsuccessfulcredentialspearphishing attacks

2. Baserate• 372million emailsover4years (Mar2013– Jan2017)• Evendetectorw/99.9%accuracy=372,000alerts

6

Structure-DrivenFeatures

7

SpearphishingAttackTaxonomy• Successfulspearphishing attackshavetwonecessarystages:

1. TheLure• Successfulattackslure/convincevictimtoperformanaction

2. TheExploit• Successfulattacksexecutesomeexploit onbehalfoftheattacker• Malware,revealingcredentials,wiringmoneyto“corporatepartner”

8

SpearphishingAttackTaxonomy• Successfulspearphishing attackshavetwonecessarystages:

1. TheLure• Successfulattackslure/convincevictimtoperformanaction

2. TheExploit• Successfulattacksexecutesomeexploit onbehalfoftheattacker• Malware,revealingcredentials,wiringmoneyto“corporatepartner”

9

10

Lure1. Attackersendscatchyemailundertrusted/authoritativeidentity

ModernCredentialSpearphishing:TheLure

From: “Berkeley IT Staff” <[email protected]>

11

Exploit1. Victimclicksonembeddedlink2. Victimarrivesatphishingwebsite&submitscredentials

ModernCredentialSpearphishing:TheExploit

Actual Destination for linked text:auth.berkeley.netne.net

12

LureFeatures:SuspiciousSenderPresent

• Commonlure:impersonateatrustedorauthoritativeentity

• Four“impersonation”classes- eachhasownsetoflure features1. Namespoofingattacker2. Addressspoofingattacker3. Previouslyunseenattacker4. Lateralattacker

• Thistalk:lateralattackers

13

LureFeatures(Cont.):SuspiciousSenderPresent

• Lateralspearphishing lure:attackercompromisestrustedentity’saccount

• Featureintuition:email=suspiciousifemployeesentitduringasuspiciousloginsession

• Lurefeaturesforlateralspearphishing:• wasemailsentinasessionwheresenderloggedinw/newIPaddress?• #priorloginsbythesenderfromthegeolocatedcityofloginIPaddr• #ofotheremployeeswho’vealsologgedinfromcityofloginIPaddr

14

ExploitFeatures:SuspiciousActionOccurred

• Winnowpoolofcandidatealertsto:EmailswhererecipientclickedonembeddedURL(aclick-in-email action)

• Exploitfeatures:URL’sFully-qualifieddomain(hostname)issuspicious• #ofpriorvisitstoFQDNacrossallenterprise’snetworktraffic• #ofdaysbetween1st employee’svisittoFQDN&currentemail’sarrival

15

UsingFeaturesforDetection

16

Howdoweleverageourfeatures?• Combinelure+exploitfeaturestogetFVsforemails

• Howdoweusethesefeaturesfordetectingattacks?

Approach1:Manualrules• Problems:soundlychoosingthresholds&generalizabilityApproach2:SupervisedML• Problems:tiny#oflabeledattacksandbaserate

17

LimitationsofStandardTechniquesApproach3:Unsupervisedlearning/anomalydetection

• Clustering/DistanceBased:kNN• Density-based:KDE,GMM• Manyothers...

Threecommonproblems:1. Requirehyperparameter tuning

18

ClassicalAnomalyDetection:LimitationsThreethematicproblems:1. Parametricand/or

hyperparameter tuning2. Direction-agnostic

(standarddevof+3justasanomalousas-3)

19

Feature:# prior logins by current employee from

city of new IP addr

50 1000

Mean

ClassicalAnomalyDetection:LimitationsThreethematicproblems:1. Parametricand/or

hyperparameter tuning2. Direction-agnostic3. Alertifanomalousin

onlyonedimension

20

MORE

BENIGN

MOREBENIGN

ClassicalAnomalyDetection:LimitationsThreethematicproblems:1. Parametricand/or

hyperparameter tuning2. Direction-agonistic3. Alertifanomalousinonly

onedimension

21

•DAS:simple,newmethodthatovercomesthese3problems

MORE

BENIGN

MOREBENIGN

DAS:DirectedAnomalyScoring

1. Securityanalystsw/limitedtime: specifyB =alertbudget

2. Forsetofevents,assigneacheventa“suspiciousness”score

3. Rankeventsbytheir“suspiciousness”

4. OutputtheBmostsuspiciouseventsforsecurityteam

22

DAS:DirectedAnomalyScoring• Score(EventX)=#ofothereventsthatareasbenign asXinevery dimension

• i.e.,Largescore=manyothereventsaremorebenignthanX

23

MORE

BENIGN

MOREBENIGN

6 1

10

3

11

DAS:DirectedAnomalyScoring• Score(EventX)=#ofothereventsthatareasbenign asXinevery dimension

24

MORE

BENIGN

MOREBENIGN

D

A

3

BC

DAS:DirectedAnomalyScoring• Score(EventX)=#ofothereventsthatareasbenign asXinevery dimension

25

MORE

BENIGN

MOREBENIGN

1

A

B

DetectionResults

• Real-timedetectoron370millionemailsover~4years

• Randetectorw/totalbudgetof10alerts/day• PracticalforLBL’ssecurityteam(~240alerts/daytypical)

• Detected17/19spearphishing attacks(89%TP)• 2/17detectedattackswerepreviouslyundiscovered

• Bestclassicalanomalydetection:4/19 attacksforsamebudget• Needbudget>=91alerts/daytodetectsame#ofattacksasDAS

26

Results:CostofFalsePositives• 10alarms/day:Howmuchtimedoesthiscostthesecurityteam?

• LBL’ssecuritystaffmanuallyinvestigatedallouralerts• 24alerts/minute(avg rateforoneanalyst)• <15minutes for1analysttoinvestigatealertsfrom anentiremonth

• Subject+URL+“From:”=quicksemanticfilter• “Never Lose Your Keys, Wallet, or Purse Again!”• “Invitation to Speak at Summit for Energy...”

27

Conclusion• Real-timesystemfordetectingcredentialspearphishing attacks

• TP=89%: detectsknown+previouslyundiscoveredattacks• FP=0.004%:10alerts/day(alertsprocessedin<minutesperday)

Keyideas1. Leveragelure+exploitstructureofspearphishing todesignfeatures2. DAS:unsupervised,non-parametrictechniqueforanomalydetection

1. Generalizesbeyondspearphishing2. “Needle-in-haystack”problemsw/curated&directionalfeatures

[email protected]

28