T. Urban, M. Große-Kampmann, D. Tatang, T. Holz, and N. Pohlmann:
„Plenty of Phish in the Sea: Analyzing Potential Pre-Attack Surface”.
European Symposium on Research in Computer Security –
Advanced Persistent Threats (APTs) are one of the main challenges in modern computer security. They are planned and performed by well-funded, highly trained and often state-backed actors. The first step of such an attack is the reconnaissance of the target. In this phase, the adversary tries to gather as much intelligence on the victim as possible to prepare further actions. An essential part of this initial data collection phase is the identification of possible entry points into the target.
In this paper, we aim to analyze the data that threat actors can use to plan their attacks. To do so, we first analyze 93 APT reports and find that most of them (80 %) begin by sending phishing emails to their victims. Based on this analysis, we measure the extent of data openly available on 30 entities to understand if and how much data they leak that an adversary can potentially use to craft sophisticated spear phishing emails. We then use this data to quantify how many employees are potential targets for such attacks. We show that 83 % of the analyzed entities leak several attributes of their users, all of which can be used to craft sophisticated phishing emails.
Today, advanced persistent threats (APTs) represent one of the most dangerous types of attacks, as a malicious actor focuses a tremendous amount of resources on an attack against a selected target. Often such attacks utilize social engineering methods—especially spear phishing—to initially infect a system in the target’s network (e. g., via an email attachment). For an attacker, one of the first steps is to collect as much information as possible on the target to plan the further steps (e. g., the technologies in use, or intelligence on employees to craft spear phishing emails). This data collection mostly happens unnoticed, since adversaries often rely on open-source intelligence (OSINT) data, which anyone can access. The collection of such data cannot be measured, or at least the crawling cannot be distinguished from benign traffic.
In this paper, we aim to understand and measure which publicly available data malicious actors can potentially utilize to plan and conduct their attacks, with a strong emphasis on data an adversary can use to design sophisticated phishing campaigns. To the best of our knowledge, all previous work exclusively aims to detect attacks while they happen, to investigate them after the adversaries performed the attack, or to compare different APT campaigns. We aim to illuminate the data publicly available to adversaries during their initial reconnaissance phase by analyzing a diverse set of organizations (n = 30). In a first step, we analyze 93 APT reports with a strong focus on the different approaches by which actors gain access to a company’s network and the techniques they use to do so. We show that an overwhelming majority of 80 % use targeted phishing emails to lure users into unknowingly infecting their system (e. g., by clicking on a malicious email attachment). Based on this finding, we crawled nearly 5 million websites, analyzed more than 250,000 documents, and examined over 18,000 social media profiles for data that can be used to create personalized phishing emails. We then quantify the magnitude of publicly available data companies (unknowingly) leak and show that 90 % of them leak data that adversaries can use for the desired task. Furthermore, we show that, on average, 71 % of the employees we identified leaked several attributes that can be used for phishing attacks, as we found several pieces of work-related information on them that an adversary can use in a targeted phishing campaign (e. g., supervisors, the focus of work, or the software in use).
In summary, we make the following key contributions:
- We analyze real-world APT campaigns and identify the most common tactics adversaries use during an attack and map these tactics and techniques onto the MITRE PRE-ATT&CK framework.
- We measure the magnitude of data that companies (unknowingly) expose that can be used by adversaries to craft spear phishing emails. To this end, we crawl several publicly available data sources (e. g., social networks and openly available information on data leaks) and the company’s infrastructure.
- We analyze how many employees of a company leak enough attributes to write highly sophisticated phishing mails. We find that over 83 % of all analyzed companies provide rich targets for spear phishing attacks.
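The third contribution counts employees whose publicly observable attributes, merged across several sources, are numerous enough to support a targeted pretext. The following Python is an added example written for this page, not code from the paper or its authors: it shows the shape of such a self-assessment tally from a defender's side. The attribute names, the cut-off of three attributes, the source labels and the observation records are all constructed assumptions; the paper's own criteria are not stated here.

```python
"""Toy OSINT exposure tally (added example, not from the paper).

Merge the attributes observed for each employee across several public
sources, then count, per entity, how many employees expose at least a
threshold number of attributes that would feed a phishing pretext, and
what share of entities has at least one such employee.
"""
from collections import defaultdict

# Constructed observations for illustration: (entity, employee, source, attribute).
# In a real assessment these would come from an organisation's own review of
# its website, document metadata, social profiles and known breach dumps.
OBSERVATIONS = [
    ("acme", "alice", "social_profile", "job_title"),
    ("acme", "alice", "document_metadata", "software"),
    ("acme", "alice", "website", "supervisor"),
    ("acme", "bob", "website", "job_title"),
    ("acme", "carol", "social_profile", "job_title"),
    ("acme", "carol", "social_profile", "focus_of_work"),
    ("acme", "carol", "breach_dump", "email"),
    ("globex", "dave", "website", "email"),
]

# Assumed attribute set: the kinds of work-related detail the paper lists
# (supervisor, focus of work, software in use) plus contact details.
PHISHING_ATTRIBUTES = {"email", "job_title", "supervisor", "focus_of_work", "software"}
THRESHOLD = 3  # constructed cut-off for "enough attributes"


def merge_attributes(observations):
    """Map (entity, employee) -> set of distinct relevant attributes seen in any source.

    The same attribute seen in two sources counts once; the merge is what makes
    scattered small leaks add up to a usable profile.
    """
    merged = defaultdict(set)
    for entity, employee, _source, attribute in observations:
        if attribute in PHISHING_ATTRIBUTES:
            merged[(entity, employee)].add(attribute)
    return merged


def exposed_employees(observations, threshold=THRESHOLD):
    """Return {entity: (employees_at_or_above_threshold, employees_seen)}."""
    merged = merge_attributes(observations)
    per_entity = defaultdict(lambda: [0, 0])
    for (entity, _employee), attrs in merged.items():
        per_entity[entity][1] += 1
        if len(attrs) >= threshold:
            per_entity[entity][0] += 1
    return {entity: tuple(counts) for entity, counts in per_entity.items()}


def leaking_entity_share(observations, threshold=THRESHOLD):
    """Fraction of entities with at least one employee at or above the threshold."""
    stats = exposed_employees(observations, threshold)
    leaking = sum(1 for exposed, _seen in stats.values() if exposed > 0)
    return leaking / len(stats) if stats else 0.0


if __name__ == "__main__":
    for entity, (exposed, seen) in sorted(exposed_employees(OBSERVATIONS).items()):
        print(f"{entity}: {exposed}/{seen} employees at or above {THRESHOLD} attributes")
    print(f"share of entities leaking: {leaking_entity_share(OBSERVATIONS):.0%}")
```

The point of the merge step is that no single source needs to leak much: a job title from a profile, a software name from document metadata and a supervisor from a team page are each harmless alone but together form the profile the paper counts. Raising or lowering the threshold, or narrowing the attribute set, is how an organisation would calibrate the tally to its own risk appetite.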