How much damage happens to a company when hackers phish an executive’s email? An FBI report claims that the total losses from these attacks has grown to $3.7 billion dollars. Can current phishing detection find instances of these attacks? A solution is to first separate the generic phishing attacks from those to executives, also known as whaling attack. Whaling attacks are different as they are more targeted to prominent employees. A wide range of detection currently exists, from security appliances all the way through relying on self-reported emails. Those that slip through are the ones that can cause the most damage.

Target’s Cyber Fusion Center has the objective of determining how to seek out these types of attacks before the high-profile employees even see the email. There is a constant cycle of researching the current trends of phishing with the goal to improve detection and prevention. However, there is an important data set that is overlooked. Depending on the size of the company, the volume of emails sent and received by high-profile employees is insignificant to that of the rest of the employees. Using this information will quickly identify the whaling attacks.

The main idea is to be catching malicious/suspicious emails to high-profile employees as they come in vs waiting for them to be reported.

Technical Details

To grasp this idea, we must establish parts of the sender and recipient email address. Using john.smith@contoso.com email address as an example, contoso.com would be the domain. And if the email was sent from john.smith@contoso.com to ashley.johnson@example.com then we would refer to contoso.com as the sender domain and example.com as the recipient domain.

Whaling Detection works by building a list of the sender domains sent to the high-profile employees and alerting on any emails when the sender domain is not found in these three sections:

  • Emails the high-profile employees composed themselves (recipient domain)
  • Emails sent to non-high-profile employees
  • Emails composed by non-high-profile employees (recipient domain)

Below is a diagram that shows these relationships of finding the outliers and suspicious and malicious emails:

Visual

Examining these three sections in more detail will show why they work as a great resource for finding Whaling Attacks. The emails the high-profile employees composed themselves (recipient domain) works as a source to rule out because those emails will be a strong confidence that are legitimate emails. Similarly, with emails composed by non-high-profile employees (recipient domain) follows the same reasoning. Emails sent to non-high-profile employees is the last key as Whaling Attacks are not targeting the large subset of employees.

Detection

Establishing who the high-profile employees are for the organization will be the first step to alerting on Whaling Detection. Depending on the historic data the organization collects on email ingress/egress will vary if whaling attacks were done in the past, but either way it will have a high percentage to catch new whaling attempts. With all the data stored and easily accessible or queried, the next step will be building the relationship rule to notify of when a true unknown email is sent to a high-profile employee.

The pseudo rule would look similar to:

ALERT: Recipient=HPE & Sender NOT IN (HPE_Composed_Domains OR NonHPE_Composed_Domains OR Sender_Domains_To_NonHPE)

Analysts can compare the email to common trends in phishing and whaling attacks to determine the validity of the email and if it needs to be removed from the inbox.

Conclusion

Performing statistical analysis between high-profile employees and all employees will allow outlier sender domains to be more easily observed. This will not only help organizations focus in on whaling attacks, but also allow for a faster response time. Getting ahead of these attacks can save a company from significant financial loss, as well as damage to the organization’s reputation.

Researchers