WHITEPAPER. Protecting Against Account Takeover Based Attacks

Transcription

1 WHITEPAPER Protecting Against Account Takeover Based Attacks

2 Executive Summary The onslaught of targeted attacks such as business compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars lost 1. Cybercriminals know that employees are the weak link in an organization and need only to convince these targets that they are someone who should be trusted to achieve success. In terms of methods used to deceive employees, spoofing and display name deception have been the go-to techniques. However, security leaders charged with reducing this risk need to factor in yet another form of -based identity deception tactic. According to recent Agari research, there has been a 126% increase of targeted attacks that exploit account takeovers (ATO). Prior to 2017, concerns over ATO-based attacks were virtually nonexistent. However, in early 2017, the Google Docs ATO Worm Attack 2 brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, a new Osterman Survey 3 found that 44% of organizations were victims of targeted attacks launched via a compromised account in the past 12 months. As these attacks continue to rise, organizations should be evaluating whether their existing security controls can analyze, detect, and block ATO-based attacks. This report discusses a typical ATObased attack flow, why they are effective, and why organizations should be placing a high priority on stopping these attacks in 2019 and beyond. Finally, the paper will introduce Agari Advanced Threat Protection and explain how its core Agari Identity Graph technology works to stop ATO-based attacks. What Does a Typical Ato-based Attack Look Like? An account takeover (ATO)-based attack is the process of gaining unauthorized access to a trusted account, and using this compromise to launch subsequent attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from accounts of trusted senders, traditional security controls cannot detect such attacks. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a business compromise from such an account increases the likelihood that the attack will succeed. Account takeover-based attacks rely on leveraging a compromised account or endpoint as a launchpad for a targeted attack such as business compromise. To achieve this goal, cybercriminals follow the below process: 2

3 STEP 1: GAIN ACCOUNT ACCESS The attacker attempts to gain access to a user account by launching a spear phishing or malware based attack. Alternatively, with the proliferation of data breaches, he may simply purchase account credentials from the dark web at a reasonable price: STEP 2: ESTABLISH ACCOUNT CONTROL The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following: 1. Create audit rules to delete his own malicious activity. 2. Set up forwarders to silently monitor user communication. STEP 3: CONDUCT INTERNAL RECONNAISSANCE The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following: 3. Augment password change processes to maintain password control. The longer the attacker controls the account, the more information can be gathered, and higher degree of mission success. Does the compromised account or user credentials give direct access to monetizable data, either locally or on other systems? Can the victim s contacts be exploited to achieve the final mission of financial fraud or data exfiltration? Can the victim s contacts be exploited to compromise other high value accounts? Additionally the attacker may lay dormant, observing communication between the original account owner and their contacts with plans to eventually hijack the conversation. STEP 4: ATO-BASED ATTACK If the attacker determines that assets can be retrieved directly from the account he will immediately move to Step 5. Otherwise, the attacker will launch a targeted attack against the contact list of the controlled account. The type of targeted attack will be dependent on the previous reconnaissance and could consist of a business compromise scam to extract funds or a spear phishing campaign to gain a deeper foothold into the organization. STEP 5: COMPLETE MISSION Depending on the targeted attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user accounts credentials were requested. 3

4 Why Are ATO-based Attacks So Effective? Based on internal research, Agari has seen a 126% increase month-over-month in early 2018 alone. The data was observed from Agari Advanced Threat Protection, an advanced threat solution that filters traffic after it has been scanned by the Agari Identity Graph. As part of the analysis Agari analyzed over 1400 messages considered untrusted, over a two month period. The reasons are due to two distinct adversary advantages: 1. Legitimate or established accounts do not need to leverage impersonation techniques such as domain spoofing or display name deception to bypass security controls. 2. Previously established trust relationships between the original user and their contact makes targeting and convincing the contact to give up sensitive data or release funds a significantly easier task. However, not all ATO-based attacks are the same and the effectiveness will depend on the type of compromised account used in the attack. According to the same research, Agari determined that there are four account types used in ATO-based attacks. Stranger - attacks using any legitimate account of individuals unknown to the recipient (strangers) to boost reputation and leverage trusted infrastructure. Employee webmail - attacks using personal employee webmail accounts (e.g. Gmail, Yahoo, Hotmail) accounts of individuals known to the recipient to exploit trust. Trusted third parties - attacks using supply chain vendor accounts of individuals known to the recipient to launch spear phishing campaigns. Insider business accounts - attacks that use employee corporate accounts of individuals known to the recipient to execute BEC or invoice scams. Additionally, based on customer feedback, attacks launched from a known employee webmail or insider business account had the highest chance of success. The good news is that the large majority of today s attacks are still only using stranger to launch attacks. 4

5 Note: No Insider business account-based attacks were observed during the observation timeframe As attackers become more adept at identifying and compromising specific employees to target their own organizations, the effectiveness of ATO-based attacks and real dollars lost associated with these attack will be sure to rise. How Can I Protect My Organization Against These Attacks? ATO-based attack protection should be added to the security layer and integrate machine learning models to detect attacks originating from all four compromised account types. Consider the following example: Fig 2. Describes an example ATO-based attack. 5

6 At first glance, the does not look malicious. In fact, the originates from an account of a real user, the recipient is a known contact, the subject matter in the communication is relevant, and the communication between Todd and Steve is expected. There is no way Steve could know that this is from a cybercriminal using Todd s compromised account. Additionally, traditional security controls predicated on first detecting occurence of bad behavior cannot detect such attacks; after all, this originates from a legitimate user account of trusted senders. To detect this type of attack, a next generation solution that integrates machine learning (ML) models to analyze the three key elements of an communication must be considered. Imagine a solution that can integrate the following: 1. Identity Mapping: This process would help determine a perceived identity of the sender. In the simplest view, the process could use the following identity markers to map the message to a previously-established identity or organization. Fig 3. Based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc. 2. Behavioral Analytics: Given the perceived identity, the message could then be evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior could include but not be limited to the following: Tracking the consistency, timing, and volume of messages sent by this identity Tracking all addresses and third-party services associated with this identity Tracking how long this identity has been in existence and sending Tracking the types of artifacts or subject matter commonly sent 6

7 Referring back to the example, a simple analysis of one factor would be to determine whether the timeframe that the was sent is typical of the normal user behavior. Note that the was sent at 3:00 in the morning. Since Todd Koslowky never sends at that time, this could be an ATO indicator. 3. Trust Modeling: Finally, to further ensure accuracy as the identity of the sender is confirmed and behaviors relative to that identity tracked, the next phase would be to determine whether the communication from the sender is expected by the recipient. This modeling is a critical component to determining whether the recipient would actually open and take the requested action within the message. Sources of this modeling could include: Previous traffic seen between identities Frequencies of interactions and responsiveness Historical organization-specific communications Below is an example of the mapping between Todd s communication relative to Steve and all other organizations. Adding the dimension of Trust, the analysis could be further expanded. For example, based on historical communication, Todd and Steve s communication is expected but the significant delays in Todd s responses are not. Given that Todd sent the at 3:00 AM where the last communication was at 2:00 PM in the previous day, this could indicate that an attacker is attempting to hijack the conversation. Taking these inputs from each dimension, a final score could determine whether the attack is indeed an ATO and allow organizations to enforce policies to block this attack before it makes it into the end-user s inbox. 7

8 A New Approach: Agari Advanced Threat Protection Agari Advanced Threat Protection leverages the Agari Identity Graph, an advanced artificial intelligence and machine learning system that ingests data telemetry from more than two trillion s per year to model senders and recipients identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships. Agari incorporates machine learning algorithms to model ATO-based behavior in the Agari Identity Graph. For example, when a message is received, it is subjected to the following phases of analysis and scoring: 1. Identity Mapping Determines the perceived identity of the sender, mapping the sender to a previouslyestablished sender/organization or a broader classification. 2. Behavioral Analytics Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior such as whether the sender has ever interacted with the recipient, whether the content or structure of the message sent by the sender is expected, or whether the frequency and timing of when the message sent is normal. Any anomalies are obviously perceived to be suspicious. 3. Trust Modeling The final phase determines if communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior because of the greater impact of the attack. Ultimately the system models interaction - how often the sender/recipient interact or if the responsiveness and timing of responsiveness between the two are normal. 4. Identity Graph Scoring The final Identity Graph Score of a message is a combination of the features and indicators of the three phases that determines whether the attack is indeed originating from an account takeover-based compromised account. To support this modeling, Agari has leveraged the elasticity enabled by its cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of behavioral pattern. Agari Advanced Threat Protection is the first to model the four types of account takeover behavior: stranger , employee webmail, trusted third, and insider business accounts. 8

9 How Agari Advanced Threat Protection Works Agari Advanced Threat Protection deploys as a lightweight sensor either on-premises or in the cloud to integrate with the existing Secure Gateway (SEG). Working as the last line of defense, Agari Advanced Threat Protection receives all messages considered clean by the SEG and analyzes the messages for the existence of ATO threat signals. Upon confirmation that the message is a malicious ATO , security operations teams can configure policies to immediately block or quarantine the message. Finally, forensic information can also be extracted via alerts or API for further incident investigations including assisting in recovering or taking down the compromised account. Identity Graph Conclusion The right strategy to protect against account takeover-based attacks is at the gateway. Existing security solutions should be evaluated to meet the following: 1. Ability to enforce policies to prevent targeted and scattershot phishing attempts intending to steal credentials or compromise the endpoint. 2. Ability to enforce policies to prevent targeted attacks launched via a compromised user account, such as spear phishing, BEC, or ransomware. 3. Provide forensic intelligence that exposes the compromised account details to help security teams return these accounts to their rightful owners. Given the effectiveness of account takeover-based attacks and the lack of protections, attackers will be highly motivated to increase their attack rate in the coming year. Organizations must place a higher priority and reevaluate whether their existing controls can protect against this attack category or risk becoming the next victim. About Agari Agari is transforming the legacy Secure Gateway with its next-generation Secure Cloud powered by predictive AI. Leveraging data science and real-time intelligence from trillions of s, the Agari Identity Graph detects, defends and deters costly advanced attacks including business compromise, spear phishing and account takeover. Winner of the 2018 Best Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide. Learn more at 1. Internet Crimes Report 2016: 2. Google Docs Attack: 3. Osterman Research Report - Protecting Against Phishing, Resomeware, & BEC Attacks: Agari Data, Inc. All rights reserved. Agari, Agari Secure Cloud, Agari Identity Graph, Agari Advanced Threat Protection, Agari Brand Protection, Agari Business Fraud Protection, Agari Incident Response, Agari BEC Automated Deception System and the Agari logo are trademarks of Agari Data, Inc. 9