Barracuda Launches AI-based Spear Phishing Detection

Barracuda Networks this week announced its new Sentinel product: an artificial intelligence (AI) powered spear-phishing and business email compromise (BEC) realtime detection and prevention solution. It marks the second company in a week, following GreatHorn, to use AI to combat social engineering.

“The threat has grown exponentially over the last few years,” Asaf Cidon, vice president of content security services at Barracuda, told SecurityWeek. “According to the FBI’s latest figures, more than $5 billion has been lost to BEC fraud between 2013 and 2016 — with a 2,370% growth in spear-phishing between the beginning of 2015 and the end of 2016. BEC has become so pervasive because it is simple to do: anyone with an email account and a little on-line research into the target can produce a compelling fraudulent email.”

Not only is BEC easy to produce, it is also hard to detect. While many other email-based attacks include a payload — from a link in the body to malware in the attachment — BEC fraud has neither. It relies entirely upon social engineering that traditional defenses cannot detect.

“This problem led us to build Sentinel,” said Cidon; “an AI-based platform for real-time spear-phishing and cyber fraud defense. It relies on three individual layers to provide a comprehensive solution: artificial intelligence for fraud detection; DMARC for protection against domain spoofing and brand hijacking; and simulated attack training for identified high-risk staff.”

The AI layer is the most important, he suggested. With access to millions of mailboxes, Barracuda has taught its AI to recognize fraudulent emails. It does this in two ways. Firstly, it fingerprints communication patterns within the customer organization. It learns, for example, how the CEO normally communicates with the finance team. Deviations from this pattern — such as the sudden use of an email address not used before — immediately flag the communication as worrying.

But Sentinel also analyzes the email content for style. In an example given by Cidon, the AI engine detected urgency (use of the word ‘need’, and termination with a question-mark) and sensitivity (use of ‘bank transfer’). ‘Urgency’ is an archetypal element of social engineering. When the content analysis is coupled with the metadata fingerprint, other indicators such as the use of an external email address in either the from or reply-to fields are sufficient for the AI to recognize and quarantine the fraud.

The second layer of Sentinel sets up DMARC (Domain-based Message Authentication Reporting & Conformance) to prevent outbound domain spoofing. One common technique used by criminals is to spoof the organization’s domain in order to send apparently official messages to customers and partners to steal credentials and gain access to accounts. This layer of Sentinel helps prevent spoofing-based spear phishing and brand hijacking.

The final layer is anti-fraud training for high risk staff. The AI part of the product is used to identify high risk personnel. The product then offers a set of tools to periodically and automatically train and test the security awareness of these employees with simulated spear phishing attacks.

Sentinel currently works with Office 365. However, Barracuda also offers a set of APIs designed to make to make the functionality easily extensible beyond email to additional messaging platforms such as G Suite, Slack, social media, and others: “In fact,” said Cidon, “to any platform used by organizations for business communication.”