Tuesday, May 30, 2017

Improving phishing detection methods

We all know detecting things we do not know exist such as a zero day attack is hard if not downright impossible. However, that does not mean that the occasional joust at a windmill is off the table.

Early this morning, (my time), a member of the GIAC Advisory Board, Kevin Holleran posted a comment that maybe if we could categorize types of phishing that would give us some traction. His original list was:

- Call to Action from a Position of Trust (i.e. CEO Fraud)
- Offers / Products
- Trusted Services (masquerading as Dropbox, Office, etc.)
- Targeted / Spear
- Spoofed Insider
- Credential Harvesting

- Simple (sentence) vs. Complex (HTML)

If you have suggestions on:
- Additional categories
- Keywords or phrases to identify those categories

Please add them to the comments field on this post or the Linkedin announcement. I realize there are a number of scholarly papers on automated phishing detection and over the weekend I will pour through a few, but I am interested in ideas from the people in the trenches. 

Before you say, "that will never work". Let me remind us of a similar field, in fact, I should check they may have already solved this and that is SPAM in general.

A long time ago, my employer, SANS, was a LAMP shop. Our SPAM tool was Spam Assassin. Yes, it had to be configured weekly and yes, there were leakers, (SPAM that got through the filter). As the company grew, they started looking a commercial software and suggested Barracuda. People loved it. SPAM never bothered me, I just deleted it, but the improved solution meant a lot to a lot of people. Here are a few words from Barracuda on how they did it: 

A message "is scored for spam probability. This score ranges from 0 (definitely not spam) to 10 or higher (definitely spam). Based on this score, the Barracuda Email Security Gateway either tags (inbound messages only), quarantines, blocks or allows (or sends, for outbound) the message."

Kevin, Lance and I would love your ideas please post them in a comment field, the occasional snarky remark is fine as well, but go for humor. I used Kevin's ideas with permission:
Absolutely, I am very interested in feedback from the community.

I also agree with Lance's assessment as far as the focus on training, but I believe there is considerable value in being able to focus on realizable threats to a specific organization.  We are not going to be able to get 100% coverage of every threat out there in our programs, so let's work to drive the most value.


Kevin Holleran
Master of Science, Computer Information Systems
Grand Valley State University
Master of Business Administration
Western Michigan University

"Do today what others won't, do tomorrow what others can't" - Smokejumpers Creed

No comments:

Post a Comment