Detecting lateral spear phishing attacks in organisations

摘要

Lateral spear phishing attack is a powerful type of social engineering attack carried out using compromised email account(s) within the target organisation. Spear phishing attacks are difficult to detect due to the nature of these attacks. The inclusion of a lateral attack vector makes detection more challenging. The authors present an approach to detect lateral spear phishing attacks in organisations in real-time. Their approach uses features derived from domain knowledge and analysis of characteristics pertaining to such attacks, combined with their scoring technique which works on non-labelled dataset. They evaluate the approach on several years' worth of real-world email dataset collected from volunteers in their institute. They were able to achieve false positive rate of below 1%, and also detected two instances of compromised accounts which were not known earlier. A comparison of their scoring technique with machine learning based anomaly detection techniques shows the proposed technique to be more suited for practical use. The proposed approach is primarily aimed at complementing existing detection techniques on email servers. However, they also developed a Chrome browser extension to demonstrate that such a system can also be used independently by organisations within their network.