Facebook has awarded this year's Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks.
The five-man research team has focused on detecting spear-phishing attacks alone, and not spam or other types of email-based threats.
They did this by creating a system — called DAS (Directed Anomaly Scoring) — that detects uncommon patterns in email communications.
They trained DAS by having it analyze 370 million emails from a single large enterprise with thousands of employees, sent between March 2013 and January 2017.
Researchers configured DAS to use a series of factors for evaluating newly received emails. These included a sender domain reputation score and a sender reputation score, but the system also analyzed SMTP, NIDS, and LDAP logs, looking at logins from new IPs, total logins per employee, inactivity periods, and other signals.
By looking at these factors, DAS was able to detect spoofed addresses and spoofed sender names, but also lateral attacks launched from the compromised accounts of fellow co-workers.
"Out of 19 spearphishing attacks, our detector failed to detect 2 attacks," the research team said.
"Our detector [also] achieved an average false positive rate of 0.004%," researchers added, pointing out that this is almost 200 times better than previous research.
Based on their sample data, the company on whose traffic they trained the DAS system received 263,086 emails per day. This means incident response teams would have had to inspect only around 10.5 emails per day had DAS been deployed on their network, freeing employees for other tasks.
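The ranking idea behind DAS, as an added illustration written for this article and not the research team's code: an email's score is the number of other emails it is at least as suspicious as in every feature (the rule from the published paper), and only a small daily budget of top-scored emails is handed to the incident response team. The three features and the sample emails below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EmailEvent:
    msg_id: str
    sender_days_seen: int  # days this sender was seen before (fewer = more suspicious)
    domain_days_seen: int  # days the sender's domain was seen before (fewer = more suspicious)
    new_ip_logins: int     # recipient logins from never-seen IPs afterwards (more = more suspicious)


def suspicion_vector(e: EmailEvent) -> tuple:
    """Orient every feature so that a larger value means more suspicious."""
    return (-e.sender_days_seen, -e.domain_days_seen, e.new_ip_logins)


def dominates(a: EmailEvent, b: EmailEvent) -> bool:
    """True if a is at least as suspicious as b in every single feature."""
    return all(x >= y for x, y in zip(suspicion_vector(a), suspicion_vector(b)))


def das_scores(events: list) -> dict:
    """Directed anomaly score: how many other events each event dominates."""
    return {
        e.msg_id: sum(1 for other in events if other is not e and dominates(e, other))
        for e in events
    }


def daily_alerts(events: list, budget: int) -> list:
    """Return the msg_ids of the top-scored events, limited to the analyst budget."""
    scores = das_scores(events)
    ranked = sorted(events, key=lambda e: scores[e.msg_id], reverse=True)
    return [e.msg_id for e in ranked[:budget]]


def alert_budget(daily_volume: int, fp_rate_percent: float) -> float:
    """Expected alerts per day for a given volume and false positive rate (in percent)."""
    return round(daily_volume * fp_rate_percent / 100, 1)


# Constructed sample: m2 is a never-seen sender on a never-seen domain followed by new-IP logins.
SAMPLE_EVENTS = [
    EmailEvent("m1", sender_days_seen=300, domain_days_seen=900, new_ip_logins=0),
    EmailEvent("m2", sender_days_seen=0, domain_days_seen=0, new_ip_logins=2),
    EmailEvent("m3", sender_days_seen=0, domain_days_seen=500, new_ip_logins=0),
    EmailEvent("m4", sender_days_seen=5, domain_days_seen=1000, new_ip_logins=1),
]

if __name__ == "__main__":
    print(das_scores(SAMPLE_EVENTS))          # {'m1': 0, 'm2': 3, 'm3': 1, 'm4': 0}
    print(daily_alerts(SAMPLE_EVENTS, 2))    # ['m2', 'm3']
    print(alert_budget(263086, 0.004))       # 10.5
```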
Facebook, which forked over the cash for the award, cited the low false positive rate as one of two reasons it decided to select the Berkeley DAS detector as this year's winner.
The other reason was the impact of spear-phishing attacks, which are often the root cause of today's major cyber-incidents, such as the DNC hack, the OPM hack, and others. Below is Facebook's full rationale for selecting Berkeley's DAS as the winner.
First, in recent history, successful spearphishing attacks have led to a number of prominent information leaks. Every time the community improves the detection or prevention of compromise from a technical standpoint, the human factor becomes an even stronger focal point of adversaries. Helping protect people from social engineering attacks becomes even more important. This research can help reduce the potential of such compromises happening in the future. Secondly, the authors acknowledge and account for the cost of false positives in their detection methodology. This is significant because it factors into the overhead cost and response time for incident response teams.
The Berkeley crew presented their findings at the USENIX Security conference that took place this week in Vancouver, Canada. The research paper — titled "Detecting Credential Spearphishing in Enterprise Settings" — is available here, here, and here. A video of the team's presentation at the USENIX conference is available below.
Facebook also awarded honorable mentions to two other research projects, also presented at USENIX.
The first one is titled "DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers" and details a method that builds on existing static analysis techniques to find a large number of vulnerabilities in Linux kernel drivers.
The second is titled "Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers" and describes an approach for preventing specific classes of vulnerabilities in low-level code.
Last year's winner of the $100,000 Internet Defense Prize was a research project titled "Post-quantum Key Exchange—A New Hope" that focused on improving post-quantum protection in TLS. This project is already embedded in Chrome, and there are plans to support it in the Tor Browser as well.
Image credits: Facebook