WHITEPAPER
Protecting Against Account Takeover-Based Email Attacks
Executive Summary

The onslaught of targeted email attacks such as business email compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars [1]. Cybercriminals know that employees are the weak link in an organization and need only to convince these targets that they are someone who should be trusted in order to succeed. In terms of methods used to deceive employees, email spoofing and display name deception have been the go-to techniques. However, security leaders charged with reducing this risk need to factor in yet another form of email-based identity deception tactic.

According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit account takeovers (ATO). Prior to 2017, concerns over ATO-based email attacks were virtually nonexistent. However, in early 2017, the Google Docs ATO Worm Attack [2] brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, a new Osterman survey [3] found that 44% of organizations were victims of targeted email attacks launched via a compromised account in the past 12 months.

As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why these attacks are effective, and why organizations should place a high priority on stopping them in 2019 and beyond. Finally, the paper introduces Agari Advanced Threat Protection and explains how its core Agari Identity Graph technology works to stop ATO-based email attacks.

What Does a Typical ATO-based Email Attack Look Like?

An account takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account and using that compromise to launch subsequent email attacks for financial gain or to execute a data breach.
Since ATO-based attacks originate from the email accounts of trusted senders, traditional security controls cannot detect them. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a business email compromise from such an account increases the likelihood that the attack will succeed.

Account takeover-based email attacks rely on leveraging a compromised account or endpoint as a launchpad for a targeted email attack such as business email compromise. To achieve this goal, cybercriminals follow the process below:

2 www.agari.com
STEP 1: GAIN ACCOUNT ACCESS

The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price.

STEP 2: ESTABLISH ACCOUNT CONTROL

The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may:
1. Create audit rules to delete his own malicious email activity.
2. Set up forwarders to silently monitor user communication.
3. Augment password change processes to maintain password control.

The longer the attacker controls the account, the more information can be gathered and the higher the degree of mission success.

STEP 3: CONDUCT INTERNAL RECONNAISSANCE

The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:
- Does the compromised account or user credentials give direct access to monetizable data, either locally or on other systems?
- Can the victim's contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
- Can the victim's contacts be exploited to compromise other high-value accounts?

Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.

STEP 4: ATO-BASED ATTACK

If the attacker determines that assets can be retrieved directly from the account, he will immediately move to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account.
The type of targeted email attack depends on the previous reconnaissance and could consist of a business email compromise scam to extract funds or a spear phishing campaign to gain a deeper foothold in the organization.

STEP 5: COMPLETE MISSION

Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user account credentials were requested.
Why Are ATO-based Email Attacks So Effective?

Based on internal research, Agari has seen a 126% increase month-over-month in early 2018 alone. The data was observed from Agari Advanced Threat Protection, an advanced email threat solution that filters email traffic after it has been scanned by the Agari Identity Graph. As part of the analysis, Agari analyzed over 1400 messages considered untrusted over a two-month period.

The effectiveness of these attacks comes down to two distinct adversary advantages:
1. Legitimate or established email accounts do not need to leverage impersonation techniques such as domain spoofing or display name deception to bypass email security controls.
2. Previously established trust relationships between the original user and their contacts make targeting and convincing a contact to give up sensitive data or release funds a significantly easier task.

However, not all ATO-based email attacks are the same, and their effectiveness depends on the type of compromised account used in the attack. According to the same research, Agari determined that there are four account types used in ATO-based attacks:
- Stranger: attacks using any legitimate email account of individuals unknown to the recipient (strangers) to boost reputation and leverage trusted infrastructure.
- Employee webmail: attacks using personal webmail accounts (e.g. Gmail, Yahoo, Hotmail) of employees known to the recipient to exploit trust.
- Trusted third parties: attacks using supply chain vendor accounts of individuals known to the recipient to launch spear phishing campaigns.
- Insider business accounts: attacks that use employee corporate accounts of individuals known to the recipient to execute BEC or invoice scams.

Additionally, based on customer feedback, attacks launched from a known employee webmail or insider business account had the highest chance of success. The good news is that the large majority of today's attacks still use only stranger email to launch attacks.
Note: No insider business account-based attacks were observed during the observation timeframe.

As attackers become more adept at identifying and compromising specific employees to target their own organizations, the effectiveness of ATO-based email attacks and the real dollars lost to them are sure to rise.

How Can I Protect My Organization Against These Attacks?

ATO-based email attack protection should be added to the email security layer and integrate machine learning models to detect attacks originating from all four compromised account types. Consider the following example:

Fig 2. An example ATO-based email attack.
At first glance, the email does not look malicious. In fact, the email originates from the account of a real user, the recipient is a known contact, the subject matter of the communication is relevant, and communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd's compromised account. Additionally, traditional security controls predicated on first detecting an occurrence of bad behavior cannot detect such attacks; after all, this email originates from the legitimate account of a trusted sender.

To detect this type of attack, a next-generation solution that integrates machine learning (ML) models to analyze the three key elements of an email communication must be considered. Imagine a solution that can integrate the following:

1. Identity Mapping: This process would help determine a perceived identity of the sender. In the simplest view, the process could use the following identity markers to map the message to a previously established identity or organization.

Fig 3. Based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc.

2. Behavioral Analytics: Given the perceived identity, the message could then be evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior could include, but are not limited to, the following:
- Tracking the consistency, timing, and volume of messages sent by this identity
- Tracking all email addresses and third-party services associated with this identity
- Tracking how long this identity has been in existence and sending email
- Tracking the types of email artifacts or subject matter commonly sent
Referring back to the example, a simple analysis of one factor would be to determine whether the timeframe in which the email was sent is typical of the user's normal behavior. Note that the email was sent at 3:00 in the morning. Since Todd Koslowsky never sends email at that time, this could be an ATO indicator.

3. Trust Modeling: Finally, once the identity of the sender is confirmed and behaviors relative to that identity are tracked, the next phase would be to determine whether the communication from the sender is expected by the recipient. This modeling is a critical component in determining whether the recipient would actually open the message and take the requested action. Sources for this modeling could include:
- Previous email traffic seen between identities
- Frequencies of interactions and responsiveness
- Historical organization-specific communications

Below is an example of the mapping of Todd's communication relative to Steve and all other organizations.

Adding the dimension of trust, the analysis could be further expanded. For example, based on historical communication, communication between Todd and Steve is expected, but the significant delays in Todd's responses are not. Given that Todd sent the email at 3:00 AM, while the last communication was at 2:00 PM the previous day, this could indicate that an attacker is attempting to hijack the conversation.

Taking these inputs from each dimension, a final score could determine whether the attack is indeed an ATO and allow organizations to enforce policies to block this attack before it reaches the end user's inbox.
A New Approach: Agari Advanced Threat Protection

Agari Advanced Threat Protection leverages the Agari Identity Graph, an advanced artificial intelligence and machine learning system that ingests telemetry from more than two trillion emails per year to model email senders' and recipients' identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships. Agari incorporates machine learning algorithms to model ATO-based behavior in the Agari Identity Graph. For example, when a message is received, it is subjected to the following phases of analysis and scoring:

1. Identity Mapping: Determines the perceived identity of the sender, mapping the sender to a previously established sender/organization or a broader classification.

2. Behavioral Analytics: Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient, whether the content or structure of the message is what this sender normally sends, or whether the frequency and timing of the message are normal. Any such anomaly is treated as suspicious.

3. Trust Modeling: The final phase determines whether communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior, because of the greater impact of the attack. Ultimately the system models interaction: how often the sender and recipient interact, and whether the responsiveness and timing of responses between the two are normal.

4. Identity Graph Scoring: The final Identity Graph Score of a message is a combination of the features and indicators from the three phases and determines whether the attack is indeed originating from an account takeover-based compromised account.
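The three phases walked through in the Todd/Steve example above (unusual send hour, unusual reply latency, trust weighting) and restated in the scoring flow just listed, as an added Python illustration that is not Agari's code or the Identity Graph's implementation. The addresses, the recipient domain, the message history and the thresholds (a one-hour neighbourhood of known send hours, three times the slowest historical reply) are all constructed assumptions.

```python
"""Toy ATO scoring for the Todd/Steve example (identity mapping, behavioral analytics,
trust modeling). Added illustration, not Agari's code; all data below is constructed."""
from collections import namedtuple
from datetime import datetime as dt
Msg = namedtuple("Msg", "sender recipient sent")
TODD, STEVE = "todd.koslowsky@zyx.example", "steve@partner.example"
KNOWN_IDENTITIES = {TODD: "Todd Koslowsky, CFO of ZYX Inc."}  # identity mapping table
HISTORY = [  # Todd normally mails Steve in business hours and answers within ~1.5 h
    Msg(STEVE, TODD, dt(2018, 3, 5, 10, 0)), Msg(TODD, STEVE, dt(2018, 3, 5, 11, 30)),
    Msg(STEVE, TODD, dt(2018, 3, 6, 9, 0)), Msg(TODD, STEVE, dt(2018, 3, 6, 10, 0)),
    Msg(STEVE, TODD, dt(2018, 3, 6, 14, 30)), Msg(TODD, STEVE, dt(2018, 3, 6, 16, 0)),
    Msg(STEVE, TODD, dt(2018, 3, 7, 14, 0)),  # last exchange: 2:00 PM the day before
]
SUSPECT = Msg(TODD, STEVE, dt(2018, 3, 8, 3, 0))  # the 3:00 AM reply from the paper

def map_identity(addr):
    return KNOWN_IDENTITIES.get(addr.lower(), "unknown sender")

def thread(history, new):
    """All prior traffic between this sender/recipient pair, oldest first."""
    pair = {new.sender, new.recipient}
    return sorted((m for m in history if {m.sender, m.recipient} == pair), key=lambda m: m.sent)

def send_hour_anomalous(history, new):
    """Behavioral analytics: hour is >1 h from every hour this sender used before."""
    hours = {m.sent.hour for m in history if m.sender == new.sender}
    return bool(hours) and all(abs(new.sent.hour - h) > 1 for h in hours)

def reply_latency_anomalous(history, new, factor=3.0):
    """Trust modeling: a reply slower than `factor` x the slowest historical reply
    to this recipient suggests someone else has picked up the thread."""
    latencies, awaiting = [], None
    for m in thread(history, new):
        if m.sender == new.recipient:
            awaiting = m.sent                    # recipient wrote, reply pending
        elif awaiting is not None:
            latencies.append(m.sent - awaiting)  # sender answered
            awaiting = None
    if awaiting is None or not latencies:
        return False
    return new.sent - awaiting > factor * max(latencies)

def ato_score(history, new):
    """Roll-up score: an established relationship doubles the weight, because the
    same anomaly is more dangerous when it comes from a trusted sender."""
    checks = (("unmapped identity", map_identity(new.sender) == "unknown sender"),
              ("unusual send hour", send_hour_anomalous(history, new)),
              ("unusual reply latency", reply_latency_anomalous(history, new)))
    signals = [name for name, hit in checks if hit]
    return (2 if thread(history, new) else 1) * len(signals), signals
```

A benign mid-afternoon reply from Todd scores 0, while a mail from an unknown stranger with no history carries only the single "unmapped identity" signal at weight 1.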
To support this modeling, Agari has leveraged the elasticity enabled by its cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern. Agari Advanced Threat Protection is the first to model the four types of account takeover behavior: stranger email, employee webmail, trusted third-party, and insider business accounts.
How Agari Advanced Threat Protection Works

Agari Advanced Threat Protection deploys as a lightweight sensor either on-premises or in the cloud to integrate with the existing Secure Email Gateway (SEG). Working as the last line of defense, Agari Advanced Threat Protection receives all messages considered clean by the SEG and analyzes them for the existence of ATO threat signals. Upon confirmation that the message is a malicious ATO email, security operations teams can configure policies to immediately block or quarantine the message. Finally, email forensic information can also be extracted via email alerts or API for further incident investigation, including assisting in recovering or taking down the compromised account.

Conclusion

The right place to protect against account takeover-based email attacks is at the email gateway. Existing security solutions should be evaluated against the following:
1. Ability to enforce policies to prevent targeted and scattershot phishing attempts intended to steal credentials or compromise the endpoint.
2. Ability to enforce policies to prevent targeted email attacks launched via a compromised user account, such as spear phishing, BEC, or ransomware.
3. Provision of email forensic intelligence that exposes the compromised email account details to help security teams return these accounts to their rightful owners.

Given the effectiveness of account takeover-based email attacks and the lack of protections, attackers will be highly motivated to increase their attack rate in the coming year. Organizations must make this a higher priority and re-evaluate whether their existing controls can protect against this attack category, or risk becoming the next victim.

About Agari

Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud powered by predictive AI.
Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph detects, defends against and deters costly advanced email attacks including business email compromise, spear phishing and account takeover. Winner of the 2018 Best Email Security Solution award from SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide. Learn more at www.agari.com.

References
1. Internet Crimes Report 2016: https://pdf.ic3.gov/2016_ic3report.pdf
2. Google Docs Attack: https://www.agari.com/google-docs-account-take-over-worm/
3. Osterman Research Report - Protecting Against Phishing, Ransomware, & BEC Attacks: https://www.agari.com/resources/whitepapers/email-threat-trends/

2019 Agari Data, Inc. All rights reserved. Agari, Agari Secure Email Cloud, Agari Identity Graph, Agari Advanced Threat Protection, Agari Brand Protection, Agari Business Fraud Protection, Agari Incident Response, Agari BEC Automated Deception System and the Agari logo are trademarks of Agari Data, Inc.