Phishing is one of the most popular and prolific attacks that organizations face today. Security Operations Center (SOC) teams spend a huge chunk of their time investigating suspicious emails to determine if they are legitimate phishing attempts.
In this talk, we will share observations accumulated from building a machine learning (ML) classifier for detecting phishing emails, based on the analysis of over 200K suspicious emails gathered from top-tier SOC teams around the world.
As part of the discussion, we will cover how various SOC teams handle their phishing investigations. We will describe the processes they employ as part of the phishing investigation and what they can, and cannot, automate out of those processes. We will also share real-world metrics for the time spent on various stages of the investigation process.
Next, we will cover an introduction to Supervised Machine Learning and the advances made in the field of text classification, especially around the supporting open source libraries. We will explain how we collected the dataset used in our research and describe what is unique about that dataset. We will touch upon the explainability technique for the model decision and its importance to the security analyst.
Lastly, there will be a deep dive into the ML development process in building a phishing classifier. We will elaborate on each of the following steps, explaining the obstacles encountered and their workarounds:
1. Problem definition
2. Data
3. Evaluation
4. Features
5. Model
6. Experimentation
Attendees will learn how to build their own phishing email classifier based on their email datasets, observe a model in action, and see how the model numbers net out in real-world in SOC deployments.
Session outline:
Introduction to phishing incidents and response processes at SOC teams
Phishing problem definition
Datasets used
Process followed to build the model
Model deployment
Q&A
Attendees Will Learn:- How SOC teams handle phishing investigations internally today.
- How Machine Learning can be applied to accelerate phishing incident response
- How the ML model can be adapted to different security incident environments.
- How ML classifiers are a powerful tool in decision making for security.
