Plenty of Phish in the Sea: Analyzing Potential Pre-attack Surfaces

Conference paper. In: Computer Security – ESORICS 2020 (ESORICS 2020)

Abstract

Advanced Persistent Threats (APTs) are one of the main challenges in modern computer security. They are planned and performed by well-funded, highly-trained and often state-based actors. The first step of such an attack is the reconnaissance of the target. In this phase, the adversary tries to gather as much intelligence on the victim as possible to prepare further actions. An essential part of this initial data collection phase is the identification of possible gateways to intrude the target.

In this paper, we aim to analyze the data that threat actors can use to plan their attacks. To do so, we first analyze 93 APT reports and find that most of them (80%) begin by sending phishing emails to their victims. Based on this analysis, we measure the extent of openly available data on 30 entities to understand whether, and how much, data they leak that an adversary could potentially use to craft sophisticated spear phishing emails. We then use this data to quantify how many employees are potential targets for such attacks. We show that 83% of the analyzed entities leak several attributes of their users, all of which can be used to craft sophisticated phishing emails.

Acknowledgment

This work was partially supported by the Ministry of Culture and Science of North Rhine-Westphalia (MKW grant 005-1703-0021 “MEwM”), the federal Ministry of Research and Education (BMBF grant 16KIS1016 “AWARE7”), and the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC-2092 CaSa – 390781972. We would like to thank Sweepatic NV—a cybersecurity company which maps, monitors and manages attack surfaces—for their support and access to their technology.

Corresponding author: Tobias Urban.

A Analyzed MITRE PRE-ATT&CK Techniques

Table A lists the groups analyzed in this work. For each group, the techniques and tactics are shown, and we indicate whether we analyzed it (“Meas.”), whether we collected the needed information from third-party websites (“3rd”) or from first-party resources (“1st”), and how we collected it (“How obtained”). If we did not collect data on a technique, the column “How obtained” provides a brief explanation why.

[Table A: analyzed MITRE PRE-ATT&CK techniques; rendered as an image in the original and not reproduced here.]

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Urban, T., Große-Kampmann, M., Tatang, D., Holz, T., Pohlmann, N. (2020). Plenty of Phish in the Sea: Analyzing Potential Pre-attack Surfaces. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science, vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_14

  • DOI: https://doi.org/10.1007/978-3-030-59013-0_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59012-3

  • Online ISBN: 978-3-030-59013-0

  • eBook Packages: Computer Science (R0)
