The security threat:
Mail impersonation is one of the most popular and successful attacks today.
This kind of attack can be split into two main types: phishing and mail impersonation.
Phishing attacks try to steal credentials by impersonating a legitimate login page and capturing the password the victim types into it.
Mail impersonation attacks try to create mail threads that look like a regular exchange, either inside the organization or between the organization and a vendor, so that the organization's workers send the attacker classified information or money.
We use ArcSight, along with our own mechanism, to recognize the different mail attacks and customize the solution for each customer.
For the following examples, this will be the legitimate mail address:
Our detection methods:
1. In a phishing scenario, we look at the sender's mail domain and rate its similarity to the organization's domains. If the rate passes the threshold, the rule in ArcSight is triggered:

| Organization Domains | Incoming Domains | Rate |
|---|---|---|
2. In an impersonation scenario, we look at the mail user's name (the local part of the address) and compare it with the full names of the organization's users. We compare the similarity with the full name or with part of it, so that a person with a middle name is still matched:

| Organization user full name | Incoming mail user's name | Rate |
|---|---|---|
| Wolfgang Amadeus Mozart | mozart.amadeus | 100 |
| Wolfgang Amadeus Mozart | wolfgang_amadeus | 100 |
| Wolfgang Amadeus Mozart | lake.amadeus | 50 |
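The two rules above (domain similarity for phishing, name-part similarity for impersonation) are easy to prototype outside the SIEM. The page does not publish its scoring algorithm, so the following is an added example, not the vendor's code: the domain rate is an edit-distance ratio after folding a few look-alike characters, and the name rate is the share of the mailbox's name tokens that are words of the user's full name, which reproduces the three rates in the table above. The organization domains, user names, sender addresses, threshold of 80 and the confusable-character map are all assumptions constructed for the example.

```python
"""Look-alike domain and mailbox-name impersonation scoring.

Added example, not the vendor's ArcSight content. Scoring scheme, sample
domains, users and sender addresses are all constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumed homoglyph folding: characters attackers swap for look-alikes in a domain.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain: str) -> str:
    """Lower-case, drop a trailing dot, and fold confusable spellings ('1'->'l', 'rn'->'m', 'vv'->'w')."""
    d = domain.strip().lower().rstrip(".").translate(_CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def domain_rate(incoming: str, org_domain: str) -> int:
    """Rule 1 score: 0-100 similarity between the sender's domain and one organization domain."""
    a, b = fold(incoming), fold(org_domain)
    if not a or not b:
        return 0
    return round(100 * (1 - levenshtein(a, b) / max(len(a), len(b))))


def lookalike_domains(sender: str, org_domains: List[str], threshold: int = 80) -> List[Tuple[str, int]]:
    """Organization domains the sender's domain resembles but does not equal.

    An exact match is an internal (or SPF/DMARC-spoofed) sender, which this rule
    does not cover, so it is excluded rather than scored 100.
    """
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain in {d.lower() for d in org_domains}:
        return []
    hits = []
    for org in org_domains:
        rate = domain_rate(sender_domain, org)
        if rate >= threshold:
            hits.append((org, rate))
    return hits


def name_tokens(text: str) -> List[str]:
    """Split a full name or a mailbox local part into lower-case word tokens.

    Assumption: separators are whitespace, '.', '_' and '-'; trailing digits
    (mozart1985) are dropped so they do not hide the name.
    """
    raw = re.split(r"[\s._-]+", text.lower())
    return [t for t in (re.sub(r"\d+$", "", x) for x in raw) if t]


def name_rate(full_name: str, local_part: str) -> int:
    """Rule 2 score: percentage of the mailbox's name tokens that are words of the user's full name.

    Matching on parts of the name is what lets 'mozart.amadeus' score 100 against
    'Wolfgang Amadeus Mozart' while 'lake.amadeus' scores only 50.
    """
    mailbox = name_tokens(local_part)
    if not mailbox:
        return 0
    words = set(name_tokens(full_name))
    return round(100 * sum(t in words for t in mailbox) / len(mailbox))


def impersonated_users(sender: str, org_users: List[str], threshold: int = 80) -> List[Tuple[str, int]]:
    """Organization users whose name the sender's mailbox resembles at or above the threshold."""
    local = sender.rsplit("@", 1)[0]
    hits = []
    for user in org_users:
        rate = name_rate(user, local)
        if rate >= threshold:
            hits.append((user, rate))
    return hits


def score_message(sender: str, org_domains: List[str], org_users: List[str], threshold: int = 80) -> Dict[str, object]:
    """Correlate both rules for one sender address, as the SIEM rule would per incoming mail."""
    return {
        "sender": sender,
        "lookalike_domain": lookalike_domains(sender, org_domains, threshold),
        "impersonated_user": impersonated_users(sender, org_users, threshold),
    }


# Constructed sample data (assumptions, not real organizations or senders).
ORG_DOMAINS = ["example.com"]
ORG_USERS = ["Wolfgang Amadeus Mozart", "Clara Josephine Schumann"]
SAMPLE_SENDERS = [
    "mozart.amadeus@examp1e.com",      # look-alike domain AND name impersonation
    "wolfgang_amadeus@exarnple.com",   # 'rn' for 'm' look-alike
    "lake.amadeus@exampel.com",        # transposed domain, half the name
    "clara.schumann@example.com",      # internal sender: rule 1 does not apply
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(score_message(s, ORG_DOMAINS, ORG_USERS))
```

Two caveats a practitioner should keep in mind when tuning the threshold: an edit-distance rate scores a registered look-alike such as `example-mail.com` low because the extra characters dwarf the shared stem, so a separate rule for "contains the organization name" is usually needed, and a sender whose domain equals the organization's domain is exactly the case this rule skips, since that is the territory of SPF, DKIM and DMARC rather than similarity scoring.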
By correlating these rates, we can give a customer a deep and reliable picture of the mail attacks on the organization.
For security reasons we don't publish our specific technical methods or algorithms, but this is one of the scenarios we do share with our customers.
If you wish to integrate this mechanism, or other custom mechanisms, in your organization, please contact us here.
Ofek Sher[email protected]