It Takes a Fish to Catch a Phish

In recent posts we have examined the manner in which different behaviors and characteristics can be associated with distinct threat actors. From the use of high volumes of unique attachments and changing the payload of a malicious macro to the choice of cybercrime infrastructure components, these differences can help identify new campaigns and threat actors, providing valuable insight into not only current attacks but the potential emergence and direction of future threats.

Taking this logic a step further, Proofpoint researchers have been developing a sophisticated big-data modeling engine based on the concept of "flocking", which in CGI enables digital artists to animate the movement of large numbers of individuals. A similar logic can be applied in reverse to discern patterns in attacker behavior.

Beginning with a small program called a "fish", which models the behavior of an individual data point (such as a phishing email), researchers then use a special algorithm known as Basal Online Analytic Trending (BOAT™) to simulate the large-scale movement of these nodes. Today the technique employs millions of virtual "fish" moving together in patterns, or "cyber-schools," driven by their own complex logic: viewed and analyzed as a whole, the artificial intelligence of Proofpoint BOAT makes it possible to identify larger attack patterns, model direction, and predict responses to defensive adaptations. Much like the old saying, "It takes a thief to catch a thief," it takes a fish to catch a phish.

This new technique demonstrated its value recently when cyber-schooling enabled researchers to detect and analyze a new form of email-borne attack that employs complex cryptographic techniques to evade detection by antivirus engines and resist both automated and manual analysis. In the Strongly Hashed Anomalous Recursive Key (SHARK) attack, attackers use hashes of the certificates in the target system's browser keystore as private keys to decrypt an encrypted malware payload, at once protecting their malware from inspection while enabling it to execute stealthily and without end-user interaction.

While these initial results are exciting, considerable work remains to realize the potential of this analytic system. Faced with the inherent logical limitations of the small fish program, Proofpoint researchers are already at work on a new version that employs live fish fitted with nano-implants to load and transmit data directly into each fish's cerebral cortex. Tens of thousands of fish swimming in vast tanks or open-water pens will create a cybernetic “bio-schooling” program that will render all known phishing techniques obsolete. Challenges abound, from deciding which species of fish are best suited to bio-schooling (herring are currently the top candidate) to hungry pelicans and tank sanitation, but the potential rewards of this game-changing “cyborgsecurity” solution ensure that solutions will be found.

Breaudy Poissondavril, CISO at Acme Propellants and a tester of the early versions of virtual schooling, was impressed by BOAT's ability to identify an early generation of the SHARK threat. Looking ahead, however, he underscored the rapidly growing danger of this new threat and emphasized the importance of moving to the bio-schooling phase of this technology. Time is critical, he said, because, "For a SHARK of this magnitude, we're going to need a bigger BOAT."

The next version is planned for beta in late 2015, with general availability exactly one year from today, on April 1, 2016.