Advanced Email Risk Classification and Recipient Decision Assistance.

摘要

Email attacks comprise an overwhelming majority of the daily attacks on modern enterprise. "Phishing" is the leading attack vector for the world's most dangerous threats such as the so-called, Advanced Persistent Threat (APT), and hacktivist groups such as Anonymous and LulzSec. The leading mitigation strategy is a combination of user awareness training and email filtering which does not aid the user in making real-time decisions while sitting in front of their inbox. This praxis outlines a solution that delivers email risk and security awareness information at the inbox level to end-users in order to better equip them to make secure decisions while using email.;As an experienced penetration tester and security engineer, I have sent over 50,000 phishing emails as part of email risk awareness and testing campaigns within large enterprise environments. These efforts have shown that it is possible given enough information about a target to craft a near-perfectly spoofed email able to trick over 75% of targeted users. As a result of this experience, I have developed a novel approach to email attack classification called the Phishing Gradation Framework (PGF) presented herein. I have leveraged this work to create a defensive approach to email security which uses the parameters defined in the PGF to assess risk associated with email attacks and present an actionable risk rating to end-users from within their native email client applications.;So-called "anti-spam" capabilities have been incorporated into email client applications for some time now. These are usually in the form of junk boxes or email filters that attempt to identify spam or other unwanted email. Most anti-spam clients use Bayesian filtering to determine whether an email is spam or not spam, typically using word combinations and statistical analysis to make a determination. The use of security bolt-ons such as Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) show promise but have not caught on at the end user level. Many experts advise wary email users to examine the raw email headers in order to attempt to find evidence of an email attack. While this is at present the best security advice one can give users, it is a cumbersome and highly technical process that one cannot expect the majority of email users to be able to carry out and act upon. Security designers have not equipped users with email risk information in a way that can reliably assist them in making safe decisions when checking email. This is the problem that the proposed Advanced Email Risk Classification and Recipient Decision Assistance solution attempts to solve. We will call this solution Phish Finder.