Berkeley boffins build better spear-phishing black-box bruiser

K
Silver badge

Realistically

MITM is the only decent way of doing this. Using agents is very cumbersome and in my experience unreliable; there are always some users who will try to subvert it, and then there is the issue of deployment, management, and users who bring personal devices into the corporate network.

Just my 2 pence, feel free to disagree, and I'd be interested to hear of other people's experience on this front.

1
0
Silver badge
WTF?

Re: Realistically

The entire UC system, not just UC Berkeley, has a Fidelis XPS MITM system doing full packet capture already. Kind of makes one wonder how seriously to take any spear phishing work given everything they do has already been filtered by the Fidelis system.

0
0
Gold badge
Unhappy

"our detector extracts the feature vector for that URL "

You mean the parameters of the URL?

So in English they set up a lookup table keyed on the URL (can you say "pearl script"?), and every time the NIDS reported a wrong 'un it checked to see if they were going there and if the parameters looked sus enough to suggest the back end of a phishing attack, i.e. the start of malware coming in.

Obfuscation in academic papers can be down to a) too long in academia, b) English not a first language, c) BS detected.

I'll note (from the abstract) that they did detect a spear phishing attack their test enterprise had not even previously noticed, and their workload was 1/9 of other systems. And as they note, it can be circumvented by going to HTTPS, which in a less trusting internet should be SOP. That said, you should have no expectation of privacy on a job PC. It's not yours. It's theirs.

However since this is not my thing I'll leave the other 19 pages till I have nothing better to do.

But my first thought was "Doesn't a company this big reconcile the from line with actual email addresses (at least internally)? Don't they disable outgoing links unless they are whitelisted?"

0
2

Re: "our detector extracts the feature vector for that URL "

> You mean the parameters of the URL?

No, they mean a feature vector. Try Wikipedia.

0
1
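To make the distinction in this exchange concrete, here is an added example (not from the paper or from any commenter) showing the difference between a URL's query parameters and a feature vector extracted from the URL, the kind of numeric summary a phishing detector would feed to a classifier. The feature set and the sample URLs are my own constructed choices, not the paper's.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed list of words that commonly appear in credential-phishing URLs.
SUSPICIOUS_WORDS = ("login", "verify", "account", "secure", "update", "signin")


def url_parameters(url):
    """The query parameters of a URL: what the first commenter had in mind."""
    return parse_qs(urlparse(url).query)


def shannon_entropy(text):
    """Bits per character; algorithmically generated hostnames score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def url_feature_vector(url):
    """A feature vector: a fixed set of numeric properties describing the URL.

    This is what the paper's phrase refers to; the classifier never sees the
    raw URL, only these numbers (the specific features here are assumptions).
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return {
        "length": len(url),
        "host_labels": len(host.split(".")) if host else 0,
        "host_is_ip": 1 if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else 0,
        "https": 1 if parsed.scheme == "https" else 0,
        "path_depth": parsed.path.count("/"),
        "query_params": len(parse_qs(parsed.query)),
        "hyphens_in_host": host.count("-"),
        "suspicious_words": sum(1 for w in SUSPICIOUS_WORDS if w in url.lower()),
        "host_entropy": round(shannon_entropy(host), 3),
    }


if __name__ == "__main__":
    # Constructed sample URLs (documentation/test address ranges only).
    for sample in ("http://198.51.100.7/secure-login/verify.php?user=alice&token=abc",
                   "https://www.example.com/docs"):
        print(sample, url_parameters(sample), url_feature_vector(sample), sep="\n  ")
```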
Anonymous Coward

Re: "our detector extracts the feature vector for that URL "

Why would you assume, upon encountering a term of art you're not familiar with, that the user of it is mistaken in its use, rather than your ignorance of it being the problem?

0
1
Silver badge

Re: "our detector extracts the feature vector for that URL "

> can you say "pearl script"?

What's that? Is it something like a Perl script?

0
0
Silver badge

200x reduction

The reduction cited still left the number of 'hits' at 1850 for maybe 20 actual attacks. That seems like way too many to investigate.

0
0
Anonymous Coward

Remember folks

The target audience is often senior management and CEOs.

I've had a senior manager insist that we must respond to what was clearly a spammer seeking corp info.

Admirable customer service but foolhardy.

1
0