Stamus-Networks-Blog

Weak Attack Signals Your Legacy IDS Will Miss: Homoglyphs

Written by Stamus Networks Team | Oct 14, 2022 4:31:50 PM

Intrusion detection systems (IDS) have proven to be a highly effective and commonly used method of network-based threat detection. Unfortunately, an IDS still faces challenges when detecting more subtle, low-amplitude attack signals. Many modern attacks employ tactics that require more specialized or sophisticated detection methods than IDS can provide.

Organizations wishing to identify subtle attack signals must employ additional detection mechanisms or replace their legacy IDS with a more advanced solution. Homoglyphs, for example, are easily missed by IDS solutions.

What are Homoglyphs?

Homoglyphs (sometimes known as homographs) are a common method of deception used primarily in phishing attempts. In this type of attack, the attacker disguises a malicious domain, URL, or TLS certificate by using characters that appear identical to those used by the spoofed domain, URL, or TLS server name indication (SNI). Sometimes this is done simply by substituting similar-looking letters from the English alphabet, such as a lowercase “g” for a lowercase “q”: an attacker might register “guickbooks.com” in an attempt to trick users into thinking they are being directed to “quickbooks.com.”

In more sophisticated cases, an attacker might substitute a character from another alphabet (represented by a different Unicode code point) which the network will see as different, but which a user would not be able to distinguish. Compare the examples below to see how closely characters from completely different alphabets can resemble each other.

Homoglyphs are commonly used to spoof domain names, URLs, or even TLS certificates. Because of the vast number of Unicode characters and potential substitutions, the number of possible homoglyph combinations is essentially infinite. This makes detecting homoglyphs incredibly difficult without the right technology.

Why Can’t Your IDS Detect Homoglyphs?

To understand why the typical IDS cannot detect homoglyphs, we have to understand how an IDS works. An IDS uses a signature-based detection mechanism to compare a stream of packets against explicit rules. To trigger an alert, the IDS must see a match between network traffic and a pre-defined indicator of compromise: a known malicious IP address, an untrusted domain name, or any other explicitly identifiable characteristic.

While, technically speaking, rules could be written to detect certain commonly known instances of domain-spoofing homoglyphs, it is impractical to assume that a rule could be written for every possible instance of homoglyph usage. Even if it were possible to write that nearly infinite number of rules, the IDS would still be incapable of storing that many rules while also effectively checking traffic against them.

How Can Homoglyphs be Detected?

Homoglyph detection requires advanced functionality that the IDS simply does not possess – algorithms that perform Unicode decoding and anomaly detection. Using this method, traffic can be compared to a database of commonly spoofed domains, including the Alexa top 100 domains and a customizable list of organization-specific known domains. When traffic moves through the network, the homoglyph detection logic checks the domain-related fields against these lists and raises an alert when an observed domain crosses a similarity threshold against a listed domain without matching it exactly. Essentially, known and trusted domains are defined, and then a similarity detection engine performs computations that compare the domains seen on the network against those.

A network security monitoring solution with the ability to capture protocol transactions and generate flow logs, such as Suricata, can gather all the metadata needed to detect homoglyphs. Suricata, for example, generates protocol transaction logs containing a robust set of metadata, but the analysis of this data must be conducted by a post-processing engine.

By dedicating computing resources to the inspection of URL, domain name, and TLS SNI metadata, the algorithm can analyze the Unicode code points in the metadata and trigger security events when appropriate. As such, the system is able to detect homoglyphs at a scale not possible with a signature-based IDS.
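As an added illustration of the post-processing described above (example code, not Stamus or Suricata code): a small Python check that reads constructed Suricata EVE JSON records, decodes punycode in the DNS, TLS SNI and HTTP host fields, folds a handful of Cyrillic confusables to ASCII, and compares each name against a trusted-domain list with a similarity threshold. The confusables table, the sample records and the trusted list are assumptions made for this example.

```python
import json
from difflib import SequenceMatcher
# Constructed Suricata EVE JSON records (not real traffic) to run the check on.
EVE_LINES = [
    '{"event_type":"dns","dns":{"type":"query","rrname":"quickbooks.com"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"guickbooks.com"}}',
    '{"event_type":"tls","tls":{"sni":"xn--pple-43d.com"}}',
    '{"event_type":"http","http":{"hostname":"example.org"}}',
]
# Trusted domains to protect (stand-in for the Alexa list plus the
# organisation-specific list described in the post).
TRUSTED = ["quickbooks.com", "apple.com", "example.org"]
# Hand-picked Cyrillic look-alikes folded to ASCII (assumption: a production
# engine would use the full Unicode confusables data instead of this table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i"}

# EVE event type -> (section, key) holding the domain-like value.
FIELDS = {"dns": ("dns", "rrname"), "tls": ("tls", "sni"), "http": ("http", "hostname")}

def extract_name(record):
    """Pull the domain, SNI or Host value out of one EVE record, or None."""
    section, key = FIELDS.get(record.get("event_type"), (None, None))
    return record.get(section, {}).get(key) if section else None

def normalize(name):
    """Decode punycode labels to Unicode, lowercase, then fold confusables."""
    try:
        decoded = name.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode or malformed punycode
        decoded = name
    return "".join(CONFUSABLES.get(ch, ch) for ch in decoded.lower())

def similarity(a, b):
    """Similarity ratio (0..1) between the normalized forms of two names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def detect(lines, trusted=TRUSTED, threshold=0.85):
    """Return (observed, trusted_match, score) for names near a trusted domain."""
    alerts = []
    for line in lines:
        name = extract_name(json.loads(line))
        if not name or name.lower() in trusted:
            continue              # exact match is the legitimate domain itself
        match = max(trusted, key=lambda t: similarity(name, t))
        score = similarity(name, match)
        if score >= threshold:
            alerts.append((name, match, round(score, 3)))
    return alerts
```

Running `detect(EVE_LINES)` flags the one-letter ASCII swap and the punycode SNI that decodes to a Cyrillic look-alike of a trusted domain, while the two genuine names pass.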

Conclusion

An IDS is designed to detect many different threat types, but it is simply not effective when it comes to more nuanced attack signals like homoglyphs. Because phishing is a widely used attack method, it is important for organizations to take proactive steps to defend against it. Relying on an IDS alone is not enough.

To ensure maximum visibility into network activity, organizations should be employing solutions that provide advanced detection. A modern network detection and response (NDR) platform could be the answer to the challenges and shortcomings faced by legacy IDS solutions.

Stamus Security Platform (SSP) is a broad-spectrum and open NDR system that provides response-ready threat detection from multiple sources — machine learning, behavioral anomalies, stateful logic, and IDS signatures.

To learn more about how SSP detects homoglyphs and other phishing-related attack signals, read our articles “Threats! What Threats? Detecting Phishing with Stamus Security Platform” and “Hunting for Phishing Activity with Stamus Security Platform”.