Levenshtein Distance as a Defence Against Spear Phishing


When an advanced persistent threat (APT) targets an organization they will relentlessly work to find a way into the network . Once inside they can take any number of actions all of which are specific to their goals. These attackers are determined and have unlimited resources and will eventually find a way in.

Infiltration is often achieved by compromising the people within the organization. Why fight your way past state-of-the-art technology when you can just get somebody to click on a link?

By using publicly available open source intelligence (OSINT) tools an APT can construct a list of emails of people that work in the target organization and then build profiles on each. With a name and an email as a starting point very detailed profiles can be constructed with little effort.

Using these detailed personal profiles the APT can then construct a sophisticated email campaign targeting specific employees. Emails can be constructed to appear like they are coming from fellow employees or specific organizations using a homograph attack.

Using this method a fake email or domain can appear to be genuine even to a technically savvy and vigilant user.

To combat this LimaCharlie has added support for 'string distance'  to it's detection and response rules. This feature is based on the Levenshtein distance and can alert analysts to the existing of phishing domains  or executables masquerading as well known ones.

The Levenshtein distance, in layman's terms, is the number of character that must change in a bit of text to become equal to another bit of text. For example, the Levenshtein distance between “hello” and “hallo” is 1.

This simple concept allows you to simply quantify possible phishing domains since those often try to mimic legitimate corporate domains. In these cases, we want to look for a distance that is not 0 (since this is the legitimate domain), but with a distance lower than 2 or 3. This would catch a phishing attack attempting to redirect you to “c0rp.mydomain.com” instead of “corp.mydomain.com” (notice the zero instead of “o”).

Getting alerts while monitoring internal domains using this method can serve as an early indicator of a sophisticated campaign against the organization. Using this information the security team can raise the level of vigilance at every level of the organization and prevent a breach.


Christopher Luft

My name is Christopher Luft and I am an artist turned computer scientist turned something else.