undefined

By: Nigel Seddon, VP of EMEA West, Ivanti

Some irritations never seem to die. Elevator music, telemarketing calls, and, of course, phishing, this email-borne toxin has been a problem since the early nineties when it plagued users of AOL and other online services. Today, it’s an international scourge. Its antidote could also come from technology with its roots in the last century: artificial intelligence (AI).

As phishing emails clog up enterprise inboxes, the crooks who send them to appear to be winning. An Ivanti survey of over 1,000 IT professionals found nearly three-quarters of organisations falling victim to an attack in the prior year, with 40% suffering one in the last month. Four in five respondents saw phishing emails rise in volume.

Smarter phish are harder to catch 

Phishing isn’t just increasing in volume; it’s becoming harder to spot. That’s because the criminal gangs that organise phishing campaigns are getting smarter, using new techniques to fly under the radar. The survey found 85% of people worried phishing techniques were getting more sophisticated, which is increasingly worrying as many companies and employees are opting for a hybrid working model, making network and devices protection and visibility more complex.

One such technique is bulk domain registration. Traditionally, email security companies keep lists of malicious domains that have been used in phishing campaigns. They match incoming emails against these blocklists, quarantining any of them containing a known phishing domain on the list. But some phishing gangs now avoid detection by using public cloud services with legitimate domains to host their phishing sites. Others register domains in bulk cheaply using wholesale providers.

Bulk-registered domains are more disposable. Attackers can swap them out quickly before they make their way onto a block list. It also lets them target smaller numbers of victims with separate domains in what’s known as a snowshoe attack. Because each domain reaches a smaller number of people, it’s less likely to surface on a security company’s radar.

Another common technique is “spearphishing”. Plenty of gangs still send unconvincing generic phishing mails en masse in the hope of snagging the occasional clueless victim. For them, it’s a numbers game. But “spearphishers” target more valuable prey, hoping for valuable pay-outs from credential theft, business email compromise, or ransomware infections. They can afford to research those victims, producing more convincing emails that target smaller groups.

All this raises the bar for anti-phishing tools at a time when the stakes couldn’t be higher. Defenders must succeed in blocking all phishing emails, while attackers need only be lucky once. All it takes is a single phishing-spawned ransomware infection to conquer an entire company.

AI to the rescue 

We need something to redress this imbalance, and AI is a good candidate.

Traditional software is procedural, only following specific instructions. That’s why traditional anti-phishing software is reactive. It can only use pre-defined rules to look for phishing emails. It compares emails to exact examples of past attacks, but can’t detect new, unknown phishing emails.

AI doesn’t follow the rules. One of the most common types of AI is called machine learning. It examines large amounts of existing data to create a statistical model. When it encounters new data, it makes decisions for itself by comparing it to this model. The beauty of AI is that it doesn’t need an exact match. It looks for patterns that suggest results.

Armed with this model, a machine learning system excels at probing and classifying mountains of data, far faster than human operators ever could. That data can be anything from cat pictures to credit card transactions – or emails.

From cats to phishing 

AI has big ramifications for phishing protection. It doesn’t need an exact match to detect something “phishy”. A cybercriminal might try to tweak an email’s language or HTML code, making it different to anything a phishing scanner has seen before. A traditional anti-phishing tool might fail to find a match and wave the email through. A machine learning system that has seen enough phishing emails will still find strong enough signals in the new mail to flag it as a problem.

Machine learning goes further than just scanning email content, though. Each email has extra information in the form of metadata. This is information about the email, including which domain it came from when it was sent, who the recipient was, and whether others in the company received it. There are hundreds of these data points and taken collectively they describe that email’s behaviour.

AI can also analyse emails to determine its threat level. It can compare this against its model of known normal email behaviour to determine if it’s unusual or not. Has this employee ever received an email from this domain before? Is it usual to get emails at this time of day from this country? Has this sender ever targeted multiple people in the company at once?

Machine learning’s unique capabilities might help us to catch a few more phish. But let’s not get too complacent. Crooks can use it, too. More powerful machine learning models are already enabling researchers to write convincing spearphishing emails. In the constant cat-and-mouse battle between attackers and defenders, nothing stands still for long.

Data Science is Key to Success

AI and ML are the keys to the success of IT departments in the wake of the pandemic. While many organisations have been making investments in security awareness training initiatives, they should also be prioritizing and applying advanced automation, artificial intelligence, and machine learning technologies to more quickly and consistently identify, verify, and remediate phishing threats. CISOs know they can’t just rely on fallible, distracted humans to thwart cybercriminal activity. A comprehensive and “always-on” security approach that can detect and prevent phishing threats without affecting employee access should be at the top of every CISO’s to-do list in the year ahead.