AI-Facilitated Product Aims to Stop Spear-Phishing Attacks
30.10.2019 securityweek
Phishing

Phishing -- from bulk spam phishing to more targeted spear-phishing and business email compromise (BEC) attacks -- is the number one attack vector faced by business today.

According to Wombat, 76% of organizations experienced phishing attacks in 2017. According to Symantec, by the end of 2017 the average user received 16 malicious emails per month. According to the FBI, global BEC losses from October 2013 to December 2016 had reached $5.3 billion -- a figure that Trend Micro believes could expand to $9 billion for 2018 alone.

INKY, founded in 2008 by Dave Baggett and Simon Smith, has today launched a new AI-based anti-phishing product: INKY Phish Fence. The product is designed to recognize phishing emails. It integrates with Office 365 and Google Cloud services. Incoming mail can be marked clean, suspicious or malicious. Such emails can be dropped, quarantined, or delivered with an inserted banner (yellow or red) to warn the user.

"Phishing is the top attack vector in today's threat landscape as criminals can easily access phishing toolkits on the Dark Web. INKY's ability to uniquely detect brand forgery and phishing attacks through the company's anomaly detection algorithms is a welcome approach to solving such a systemic issue," said Mark Bowker, senior analyst at ESG.

INKY combines machine learning algorithms to analyze content and computer vision techniques to analyze any graphics (such as brand logos) to make its decisions. It builds a social graph of all employees to understand the likelihood of communication between any two destinations.

INKY builds a profile capturing the writing style, geographical route and other properties of each incoming email. This is compared to existing profiles for each sender, potentially generating the red or yellow warning banner.

It looks for fraudulent emails by using computer vision techniques to analyze brand imagery, looking at shapes, proportions, pixel colors and more. It calls on SPF, where implemented by the sender, to determine spoofed domains; and examines WHOIS for further details. The latter has suffered somewhat from GDPR requirements but is not entirely irrelevant.

While there are many anti-phishing products available, it is clear that the problem remains unsolved. Analyzing its own repository of phishing emails, INKY believes that more than half of phishing emails get through traditional anti-spam filters: 41.57% pass DKIM; 37.93% pass DMARC; and 59.25% pass SPF.

Last year a new research paper, 'Detecting Credential Spearphishing Attacks in Enterprise Settings', was awarded the Facebook Internet Defense Prize at the 26th USENIX Security Symposium in Vancouver, BC. It proposed a methodology to detect spear-phishing that is specifically targeted and merely contains a link to a malicious URL that probably has a good reputation.

It does not involve machine learning. In fact, the paper states, "With such a small number of known spearphishing instances, standard machine learning approaches seem unlikely to succeed: the training set is too small and the class imbalance too extreme."

INKY founder Dave Baggett doesn't disagree in principle, but does disagree in the practice of INKY Phish Fence.

"We've certainly seen that traditional Bayesian techniques do not work well on phishing emails -- especially spear-phishing emails," he told SecurityWeek. "This is because, as the paper says, these models are entirely built around extracting 'good email' vs 'bad email' signals from the mail; and these signals simply aren't present for many spear-phishing emails. For example," he continued, "spear-phishing emails often don't have a URL, a malware attachment or other easily-identified 'bad mail' property. Likewise, they often do have numerous 'good mail' properties, like being sent from a high-reputation IP (G Suite or O365) or being DKIM-signed."

He believes there are two primary reasons that Phish Fence succeeds against the odds. First, the team uses semi-supervised machine learning techniques that boost the efficacy of machine learning modules where only a small amount of labeled data is available. Furthermore, he adds, "For us, training examples aren't just spear-phishing emails, but all emails sent to and from a particular target of impersonation. That's a much larger data set."

As for the second reason, he continued, "We're not forced to make a binary decision between 'good mail' and 'bad mail' anyway, since we have the 'third way' of communicating exactly what we thought was unusual to the end user by adding a yellow warning banner."

The banner shows up on any endpoint -- and not just Outlook or Gmail -- because it constitutes a modification of the email itself. "While this seems like it would be trivial to do," he said, "there's a long tail of details that make it hard in practice. That's probably why nobody else does it even though it's so helpful for dealing with the cases where a mail is in between 'bad' and 'good'."
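As an added illustration (not INKY's code, nor anything described in detail by the article), the following Python sketch shows the shape of the sender-profile check and the in-message banner discussed above: it reads the Authentication-Results and Received headers, compares the originating relay against a per-sender route profile, and rewrites the text body with a yellow or red banner so the warning reaches any mail client. The sample message, the route profile and the severity policy are all constructed assumptions.

```python
import email.utils
from email import policy

# Constructed sample (not from the article): mail claiming to come from a known colleague,
# arriving via an unfamiliar relay and failing SPF and DMARC at the receiving MX.
RAW_MAIL = b"""\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.7])
  by mx.example.com with ESMTP; Tue, 29 Oct 2019 10:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
From: "Jane Doe" <jane@example.com>
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Bob, please process the attached invoice today.
"""
# Constructed sender profile: originating relays previously seen for each sender.
KNOWN_ROUTES = {"jane@example.com": {"smtp.example.com", "mail-eu.example.com"}}

def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)
def auth_results(msg):
    """Map each method in Authentication-Results to its verdict, e.g. {'spf': 'fail'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";")[1:]:  # [0] is the authserv-id, not a result
            method, _, verdict = part.strip().partition("=")
            results[method.lower()] = verdict.split()[0].lower()
    return results
def first_hop(msg):
    """Host in the earliest (last-listed) Received header: where the mail entered the path."""
    received = msg.get_all("Received", [])
    return str(received[-1]).split()[1].lower() if received else None
def classify(msg, known_routes=KNOWN_ROUTES):
    """Combine authentication results with the sender's route profile (constructed policy)."""
    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    auth, hop, reasons = auth_results(msg), first_hop(msg), []
    if auth.get("spf") == "fail" or auth.get("dmarc") == "fail":
        reasons.append("authentication failed (spf=%s, dmarc=%s)" % (auth.get("spf"), auth.get("dmarc")))
    if sender in known_routes and hop not in known_routes[sender]:
        reasons.append("unfamiliar originating relay %s for %s" % (hop, sender))
    return ("malicious" if len(reasons) == 2 else "suspicious" if reasons else "clean"), reasons
def add_banner(msg, verdict, reasons):
    """Rewrite the body so the warning travels with the mail to any client (text/plain only)."""
    if verdict == "clean" or msg.get_content_type() != "text/plain":
        return msg
    label = "[RED BANNER] Likely phishing: " if verdict == "malicious" else "[YELLOW BANNER] Unusual: "
    body = msg.get_content()
    msg.clear_content()  # drop Content-* headers so set_content can replace the body
    msg.set_content(label + "; ".join(reasons) + "\n\n" + body)
    return msg
```

Only single-part text bodies are rewritten here; HTML and multipart messages are part of the "long tail of details" Baggett refers to.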

Backed by ClearSky Security, Gula Tech Adventures and Blackstone, INKY raised $5.6 million in Series A funding in June 2018. "There is an obvious lack of innovation around detecting and preventing today's sophisticated phishing attacks," said Ron Gula, Founder of Gula Tech Adventures. "With the launch of INKY Phish Fence, enterprises will now be able to detect and prevent against the industry's most common, yet formidable vectors. Investing in this space is incredibly important as the first line of defense against attackers gaining access to sensitive data."