The Watch Commander’s Log: Adapting to Meet Phishing Challenges

by Peter Schawacker 0 Comments

If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst. 

Biometrics has a concept called crossover error rate (CER). The CER rate is important because it accounts for both false positives and false negatives in a way that is potentially measurable. Crossover error rate applies to the detection of spam and phishing as well. 

The false acceptance rate (FAR) is the spam that gets through; the false rejection rate (FRR) is the legitimate spam that gets quarantined. The CER appears where the FAR intersects with the FRR. The CER is also known as the equal error rate (EER) because it is the point on a graph where FAR = FRR.

Detection Measures

Our task as defenders is to reduce the CER; the task of the attackers is to raise it. The bad actor tweaks their attacks to increase our error rates. We, in turn, adjust the sensitivity of our detection measures.

What do we mean by detection measures? Broadly speaking, we mean the analysis of:

  • Email text (e.g., structure and format)
  • SMTP headers to find anomalies (e.g., routing and identifying spoofing)
  • URLs
  • Embedded images and other files
  • File attachments
  • Meaning

All of these measures used to be done with simple binary matching techniques. These days, block/allow decisions are made using artificial intelligence, machine learning, natural language processing, and often reputation data.

Sometimes we involve users by asking them to provide feedback through tools like Inky Phish Fence, or we train them how to spot phishing through cybersecurity awareness training. These efforts are all about driving down CER efficiently and cost effectively.

But no matter how low our CER gets (good for us), the adversary is there, finding ways to drive it up (good for them.) We get inside the attacker’s observe-orient-decide-act (OODA) loop, they get inside ours. Basically, we adapt—then they adapt, we adapt, and so on and so on, ad infinitum.

If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.