back to article Berkeley boffins build better spear-phishing black-box bruiser

Security researchers from UC Berkeley and the Lawrence Berkeley National Laboratory in the US have come up with a way to mitigate the risk of spear-phishing in corporate environments. In a paper presented at Usenix 2017, titled "Detecting Credential Spearphishing in Enterprise Settings," Grant Ho, Mobin Javed, Vern Paxson, and …

  1. K

    Realistically

    MITM is the only decent way of doing this. Using agents is very cumbersome and in my experience unreliable, there always some users who will try to subvert it, then there is the issue of deployment, management and users who bring personal devices into the corporate network.

    Just my 2 pence, feel free to disagree, and I'd be interested to hear of other people's experience on this front.

    1. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Realistically

      The entire UC system, not just UC Berkeley, has a Fidelis XPS MITM system doing full packet capture already. Kind of makes one wonder how seriously to take any spear phishing work given everything they do has already been filtered by the Fidelis system.

  2. John Smith 19 Gold badge
    Unhappy

    "our detector extracts the feature vector for that URL "

    You mean the parameters of the URL?

    So in English they set up a lookup table keyed on the URL (can you say "pearl script"?) and every time the NIDS reported a wrong 'un it checked to see if they were going there and if the parameters looked sus enough to suggest the back end of a phishing attack IE the start of malware coming in.

    Obfuscation in academic papers can be down to a)Too long in academia b) English not a first language c) BS detected.

    I'll note (from the abstract) they did detect a spear phishing attack their test enterprise had not even previously noticed and their work load was 1/9 of other systems. And as they note it can be circumvented by going to HTTPS, which in a less trusting internet should be SOP. That said you should have no expectation of privacy on a job PC. It's not yours. It's theirs.

    However since this is not my thing I'll leave the other 19 pages till I have nothing better to do.

    But my first thought was "Doesn't a company this big reconcile the from line with actual email addresses (at least internally) ? Don't they disable outgoing links unless they are whitelisted?

    1. Phil Endecott

      Re: "our detector extracts the feature vector for that URL "

      > You mean the parameters of the URL?

      No, they mean a feature vector. Try Wikipedia.

    2. Anonymous Coward
      Anonymous Coward

      Re: "our detector extracts the feature vector for that URL "

      Why would you assume, upon encountering a term of art you're not familiar with, that the user of it is mistaken in it's use, rather than your ignorance of it being the problem?

    3. Doctor Syntax Silver badge

      Re: "our detector extracts the feature vector for that URL "

      can you say "pearl script"?

      What's that? Is it something like a Perl script?

  3. a_yank_lurker

    200x reduction

    The reduction cited still left the number of 'hits' as 1850 for may be 20 actual attacks. That seems like way too many to investigate.

  4. Anonymous Coward
    Anonymous Coward

    Remember folks

    The target audience is often senior management and CEOs.

    I've had a senior manager insist that we must respond to what was clearly a spammer seeking corp info.

    Admirable customer service but foolhardy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like