
WHITEPAPER

Protecting Against Account Takeover Based Email Attacks

Executive Summary

The onslaught of targeted email attacks such as business email compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars lost [1]. Cybercriminals know that employees are the weak link in an organization and need only convince these targets that they are someone who should be trusted in order to succeed. Email spoofing and display name deception have been the go-to techniques for deceiving employees. However, security leaders charged with reducing this risk now need to factor in yet another form of email-based identity deception. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit account takeovers (ATO).

Prior to 2017, concerns over ATO-based email attacks were virtually nonexistent. In early 2017, however, the Google Docs ATO Worm Attack [2] brought the problem into the spotlight when it struck over a million users in only a few hours. Most recently, an Osterman survey [3] found that 44% of organizations were victims of targeted email attacks launched via a compromised account in the past 12 months.

As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why such attacks are effective, and why organizations should place a high priority on stopping them in 2019 and beyond. Finally, the paper introduces Agari Advanced Threat Protection and explains how its core Agari Identity Graph technology works to stop ATO-based email attacks.

What Does a Typical ATO-based Email Attack Look Like?

An account takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account and using that compromise to launch subsequent email attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from the email accounts of trusted senders, traditional security controls cannot detect them. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a business email compromise from such an account increases the likelihood that the attack will succeed.

Account takeover-based email attacks rely on leveraging a compromised account or endpoint as a launchpad for a targeted email attack such as business email compromise. To achieve this goal, cybercriminals follow the process below:

STEP 1: GAIN ACCOUNT ACCESS

The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price.

STEP 2: ESTABLISH ACCOUNT CONTROL

The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:

1. Create rules that delete his own malicious email activity.
2. Set up forwarders to silently monitor user communication.
3. Augment password change processes to maintain password control.

The longer the attacker controls the account, the more information can be gathered and the higher the degree of mission success.

STEP 3: CONDUCT INTERNAL RECONNAISSANCE

The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:

- Does the compromised account or user credentials give direct access to monetizable data, either locally or on other systems?
- Can the victim's contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
- Can the victim's contacts be exploited to compromise other high-value accounts?

Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.

STEP 4: ATO-BASED ATTACK

If the attacker determines that assets can be retrieved directly from the account, he will immediately move to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will depend on the previous reconnaissance and could consist of a business email compromise scam to extract funds or a spear phishing campaign to gain a deeper foothold in the organization.

STEP 5: COMPLETE MISSION

Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user account credentials were requested.
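The persistence tricks in Step 2 (rules that delete the attacker's own traffic and forwarders that silently copy the victim's mail) leave traces in the mailbox's rule set, which defenders can audit. The following is an added example, not part of the whitepaper and not Agari's code: it flags rules that forward outside the organization or that delete or bury messages on fraud- and security-related subjects. The rule records are constructed to resemble a generic mailbox-rule export; the field names, the organisation domain and the keyword list are assumptions, not a real Exchange or Gmail API schema.

```python
"""Mailbox-rule audit for the persistence tricks described in Step 2.

Added example, not from the whitepaper. The rule records are constructed to
resemble a generic mailbox-rule export; the field names are assumptions and
do not correspond to any real mail provider's API.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ORG_DOMAIN = "zyx-example.com"   # assumed: the organisation's own mail domain

# Subjects an attacker typically wants the victim not to see (assumption; tune per org)
SENSITIVE_SUBJECTS = ("invoice", "wire", "payment", "password", "undeliverable", "security alert")

# Folders where a moved message is effectively hidden from the mailbox owner
HIDING_FOLDERS = ("Deleted Items", "RSS Feeds", "Junk Email", "Archive")


@dataclass
class InboxRule:
    owner: str
    name: str
    conditions: Dict[str, str] = field(default_factory=dict)  # e.g. {"subject_contains": "invoice"}
    actions: Dict[str, str] = field(default_factory=dict)     # e.g. {"forward_to": "...", "delete": "yes"}


def forwards_externally(rule: InboxRule) -> bool:
    """Forwarder to an address outside the org: silent monitoring of the victim's mail."""
    target = rule.actions.get("forward_to", "").lower()
    return bool(target) and not target.endswith("@" + ORG_DOMAIN)


def hides_sensitive_mail(rule: InboxRule) -> bool:
    """Deletes or buries messages whose subject suggests fraud or account-security traffic."""
    subject = rule.conditions.get("subject_contains", "").lower()
    about_sensitive = any(keyword in subject for keyword in SENSITIVE_SUBJECTS)
    buried = rule.actions.get("delete") == "yes" or rule.actions.get("move_to") in HIDING_FOLDERS
    return about_sensitive and buried


def audit_rules(rules: List[InboxRule]) -> List[Dict[str, object]]:
    """Return one finding per suspicious rule, listing the reasons it was flagged."""
    findings = []
    for rule in rules:
        reasons = []
        if forwards_externally(rule):
            reasons.append("forwards mail to " + rule.actions["forward_to"])
        if hides_sensitive_mail(rule):
            reasons.append("hides mail matching '" + rule.conditions["subject_contains"] + "'")
        if reasons:
            findings.append({"owner": rule.owner, "rule": rule.name, "reasons": reasons})
    return findings


# Constructed sample: two benign rules and two that match the Step 2 pattern
SAMPLE_RULES = [
    InboxRule("todd@zyx-example.com", "Newsletters", {"from_contains": "news@"}, {"move_to": "Reading"}),
    InboxRule("todd@zyx-example.com", "Cover for Sam", {"subject_contains": "project"},
              {"forward_to": "sam@zyx-example.com"}),
    InboxRule("todd@zyx-example.com", "Backup", {}, {"forward_to": "td.koslowsky@mail-example.net"}),
    InboxRule("todd@zyx-example.com", "Cleanup", {"subject_contains": "invoice"},
              {"delete": "yes", "move_to": "Deleted Items"}),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against a real export, the internal forward to a colleague passes while the external forwarder and the invoice-deleting rule are reported; a newly created rule of either kind on an account that has never had one is the kind of signal worth correlating with the Step 1 phishing or credential-sale activity the paper describes.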

Why Are ATO-based Email Attacks So Effective?

Based on internal research, Agari has seen a 126% increase month-over-month in early 2018 alone. The data was observed from Agari Advanced Threat Protection, an advanced email threat solution that filters email traffic after it has been scanned by the Agari Identity Graph. As part of the analysis, Agari analyzed over 1,400 messages considered untrusted over a two-month period. The effectiveness of these attacks comes down to two distinct adversary advantages:

1. Legitimate or established email accounts do not need to leverage impersonation techniques such as domain spoofing or display name deception to bypass email security controls.
2. Previously established trust relationships between the original user and their contacts make targeting and convincing a contact to give up sensitive data or release funds a significantly easier task.

However, not all ATO-based email attacks are the same, and their effectiveness depends on the type of compromised account used in the attack. According to the same research, Agari determined that there are four account types used in ATO-based attacks:

- Stranger: attacks using any legitimate email account of individuals unknown to the recipient (strangers) to boost reputation and leverage trusted infrastructure.
- Employee webmail: attacks using personal webmail accounts (e.g. Gmail, Yahoo, Hotmail) of employees known to the recipient to exploit trust.
- Trusted third parties: attacks using supply chain vendor accounts of individuals known to the recipient to launch spear phishing campaigns.
- Insider business accounts: attacks that use employee corporate accounts of individuals known to the recipient to execute BEC or invoice scams.

Additionally, based on customer feedback, attacks launched from a known employee webmail or insider business account had the highest chance of success. The good news is that the large majority of today's attacks still use only stranger email accounts.

Note: No insider business account-based attacks were observed during the observation timeframe.

As attackers become more adept at identifying and compromising specific employees in order to target their own organizations, the effectiveness of ATO-based email attacks, and the real dollars lost to them, will be sure to rise.

How Can I Protect My Organization Against These Attacks?

ATO-based email attack protection should be added to the email security layer and should integrate machine learning models to detect attacks originating from all four compromised account types. Consider the following example:

[Fig 2: an example ATO-based email attack (image not reproduced).]

At first glance, the email does not look malicious. In fact, the email originates from the account of a real user, the recipient is a known contact, the subject matter is relevant, and communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd's compromised account. Additionally, traditional security controls predicated on first detecting an occurrence of bad behavior cannot detect such attacks; after all, this email originates from the legitimate account of a trusted sender.

To detect this type of attack, a next-generation solution that integrates machine learning (ML) models to analyze the three key elements of an email communication must be considered. Imagine a solution that can integrate the following:

1. Identity Mapping: This process would help determine a perceived identity of the sender. In the simplest view, the process could use the following identity markers to map the message to a previously established identity or organization.

[Fig 3: based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc. (image not reproduced).]

2. Behavioral Analytics: Given the perceived identity, the message could then be evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior could include, but are not limited to, the following:

- Tracking the consistency, timing, and volume of messages sent by this identity
- Tracking all email addresses and third-party services associated with this identity
- Tracking how long this identity has been in existence and sending email
- Tracking the types of email artifacts or subject matter commonly sent

Referring back to the example, a simple single-factor analysis would be to determine whether the time at which the email was sent is typical of the user's normal behavior. Note that the email was sent at 3:00 in the morning. Since Todd Koslowsky never sends email at that time, this could be an ATO indicator.

3. Trust Modeling: Finally, once the identity of the sender has been confirmed and behaviors relative to that identity tracked, the next phase would be to determine whether the communication from the sender is expected by the recipient. This modeling is a critical component in determining whether the recipient would actually open the message and take the requested action. Sources for this modeling could include:

- Previous email traffic seen between identities
- Frequency of interactions and responsiveness
- Historical organization-specific communications

[Figure: mapping of Todd's communication with Steve relative to all other organizations (image not reproduced).]

Adding the dimension of trust, the analysis could be expanded further. For example, based on historical communication, Todd and Steve's communication is expected, but the significant delay in Todd's response is not. Given that Todd sent the email at 3:00 AM while the last communication was at 2:00 PM the previous day, this could indicate that an attacker is attempting to hijack the conversation.

Taking these inputs from each dimension, a final score could determine whether the attack is indeed an ATO and allow organizations to enforce policies that block the attack before it reaches the end user's inbox.

A New Approach: Agari Advanced Threat Protection

Agari Advanced Threat Protection leverages the Agari Identity Graph, an advanced artificial intelligence and machine learning system that ingests data telemetry from more than two trillion emails per year to model email senders' and recipients' identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships. Agari incorporates machine learning algorithms to model ATO-based behavior in the Agari Identity Graph. For example, when a message is received, it is subjected to the following phases of analysis and scoring:

1. Identity Mapping: Determines the perceived identity of the sender, mapping the sender to a previously established sender/organization or a broader classification.
2. Behavioral Analytics: Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient, whether the content or structure of the message is expected for this sender, or whether the frequency and timing of the message are normal. Any anomaly is treated as suspicious.
3. Trust Modeling: The final phase determines whether communication from the sender is expected by the recipient. The closer the relationship, the less tolerance there is for anomalous behavior, because the impact of an attack is greater. Ultimately the system models interaction: how often the sender and recipient interact, and whether the responsiveness and timing of responses between the two are normal.
4. Identity Graph Scoring: The final Identity Graph Score of a message is a combination of the features and indicators from the three phases and determines whether the message is indeed originating from an account-takeover-compromised account.

To support this modeling, Agari has leveraged the elasticity enabled by its cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern. Agari Advanced Threat Protection is the first to model the four types of account takeover behavior: stranger email, employee webmail, trusted third parties, and insider business accounts.
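The four phases above, and the three-element analysis walked through in the Todd/Steve example earlier (identity mapping, the 3:00 AM send time, and the reply that arrives long after the previous day's 2:00 PM message), can be illustrated with a small scoring pipeline. What follows is an added example and is not Agari's code or a description of the Identity Graph's internals: the identity directory, the conversation history, the active-window and reply-delay heuristics, the weights and the block threshold are all constructed for illustration. A benign next-morning reply is scored alongside the suspicious one so the contrast is visible.

```python
"""Identity-graph-style scoring over a constructed conversation history.

Added example, not Agari's code. The identities, timestamps, thresholds and
weights are constructed to reproduce the paper's Todd/Steve scenario: a
3:00 AM message sent after Steve's last message at 2:00 PM the day before.
"""
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

TODD = "todd.koslowsky@zyx-example.com"   # assumed addresses for the paper's Todd and Steve
STEVE = "steve@zyx-example.com"

# Phase 1: identity markers (from address, DKIM domain) -> established identity (constructed)
KNOWN_IDENTITIES: Dict[Tuple[str, str], str] = {
    (TODD, "zyx-example.com"): "Todd Koslowsky, CFO, ZYX Inc.",
}

# Constructed Todd/Steve history as (timestamp, sender). Todd writes only in
# business hours and answers Steve within about three hours.
HISTORY: List[Tuple[str, str]] = [
    ("2019-02-04 09:12", STEVE), ("2019-02-04 09:50", TODD),
    ("2019-02-05 13:05", STEVE), ("2019-02-05 14:20", TODD),
    ("2019-02-06 10:30", STEVE), ("2019-02-06 12:40", TODD),
    ("2019-02-07 15:00", STEVE), ("2019-02-07 16:10", TODD),
    ("2019-02-08 11:00", STEVE), ("2019-02-08 11:35", TODD),
    ("2019-02-11 14:00", STEVE),   # last message: Steve, 2:00 PM the previous day
]

# The paper's suspicious message, and a benign next-morning reply for contrast
ATO_MESSAGE = {"from": TODD, "dkim_domain": "zyx-example.com", "to": STEVE, "sent": "2019-02-12 03:00"}
NORMAL_MESSAGE = {"from": TODD, "dkim_domain": "zyx-example.com", "to": STEVE, "sent": "2019-02-12 10:30"}

BLOCK_THRESHOLD = 0.5   # assumed policy threshold


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def decimal_hour(t: datetime) -> float:
    return t.hour + t.minute / 60.0


def map_identity(from_addr: str, dkim_domain: str) -> Optional[str]:
    """Phase 1: map the message's identity markers to a known identity, or None."""
    return KNOWN_IDENTITIES.get((from_addr.lower(), dkim_domain.lower()))


def behavior_anomaly(history, sender: str, sent: datetime) -> float:
    """Phase 2: how far the send time falls outside the sender's usual active window (0..1)."""
    hours = [decimal_hour(parse(ts)) for ts, who in history if who == sender]
    low, high = min(hours) - 1.0, max(hours) + 1.0     # usual window, padded by one hour
    outside = max(low - decimal_hour(sent), decimal_hour(sent) - high, 0.0)
    return min(1.0, outside / 3.0)                        # three hours outside saturates the score


def reply_delays_hours(history, sender: str, peer: str) -> List[float]:
    """Hours the sender took to answer each of the peer's messages."""
    delays, pending = [], None
    for ts, who in history:
        if who == peer:
            pending = parse(ts)
        elif who == sender and pending is not None:
            delays.append((parse(ts) - pending).total_seconds() / 3600.0)
            pending = None
    return delays


def delay_anomaly(history, sender: str, peer: str, sent: datetime) -> float:
    """Phase 3 feature: 1.0 if this reply is far slower than the sender's usual responsiveness."""
    typical = median(reply_delays_hours(history, sender, peer))
    last_from_peer = max(parse(ts) for ts, who in history if who == peer)
    delay = (sent - last_from_peer).total_seconds() / 3600.0
    return 1.0 if delay > 3.0 * typical else 0.0


def relationship_strength(history, sender: str, peer: str) -> float:
    """Phase 3 feature: closeness of the pair, from how many exchanges they have completed."""
    exchanges = len(reply_delays_hours(history, sender, peer))
    return min(1.0, exchanges / 5.0)


def score_message(msg: Dict[str, str], history=HISTORY) -> Dict[str, object]:
    """Phase 4: combine the phases into one score and a policy verdict."""
    identity = map_identity(msg["from"], msg["dkim_domain"])
    if identity is None:
        return {"identity": None, "score": None, "verdict": "no established identity: defer to other controls"}
    sent = parse(msg["sent"])
    behavior = behavior_anomaly(history, msg["from"], sent)
    delay = delay_anomaly(history, msg["from"], msg["to"], sent)
    # Closer relationships tolerate less anomaly, so strength scales the anomaly evidence.
    score = relationship_strength(history, msg["from"], msg["to"]) * (0.7 * behavior + 0.3 * delay)
    return {"identity": identity, "behavior": behavior, "delay": delay, "score": score,
            "verdict": "block" if score >= BLOCK_THRESHOLD else "deliver"}


if __name__ == "__main__":
    for label, msg in (("3:00 AM message", ATO_MESSAGE), ("10:30 AM message", NORMAL_MESSAGE)):
        print(label, score_message(msg))
```

The 3:00 AM message maps to the established identity, falls well outside Todd's active window and arrives far later than his usual reply time, so both anomaly features saturate and the message is blocked. The 10:30 AM reply trips only the crude delay feature (it ignores the overnight gap) and is delivered; a production model would measure responsiveness in business hours and add the content and volume features the paper lists rather than relying on send time alone.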

How Agari Advanced Threat Protection Works

Agari Advanced Threat Protection deploys as a lightweight sensor, either on-premises or in the cloud, to integrate with the existing Secure Email Gateway (SEG). Working as the last line of defense, Agari Advanced Threat Protection receives all messages considered clean by the SEG and analyzes them for the presence of ATO threat signals. Upon confirmation that a message is a malicious ATO email, security operations teams can configure policies to immediately block or quarantine it. Finally, email forensic information can also be extracted via email alerts or API for further incident investigation, including assisting in recovering or taking down the compromised account.

Conclusion

The right place to protect against account takeover-based email attacks is at the email gateway. Existing security solutions should be evaluated against the following:

1. Ability to enforce policies to prevent targeted and scattershot phishing attempts intended to steal credentials or compromise the endpoint.
2. Ability to enforce policies to prevent targeted email attacks launched via a compromised user account, such as spear phishing, BEC, or ransomware.
3. Ability to provide email forensic intelligence that exposes the compromised email account details to help security teams return these accounts to their rightful owners.

Given the effectiveness of account takeover-based email attacks and the lack of protections against them, attackers will be highly motivated to increase their attack rate in the coming year. Organizations must place a higher priority on this attack category and reevaluate whether their existing controls can protect against it, or risk becoming the next victim.

About Agari

Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph detects, defends and deters costly advanced email attacks including business email compromise, spear phishing and account takeover. Winner of the 2018 Best Email Security Solution award from SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide. Learn more at www.agari.com.

References

1. Internet Crimes Report 2016: https://pdf.ic3.gov/2016_ic3report.pdf
2. Google Docs Attack: https://www.agari.com/google-docs-account-take-over-worm/
3. Osterman Research Report - Protecting Against Phishing, Ransomware, & BEC Attacks: https://www.agari.com/resources/whitepapers/email-threat-trends/

2019 Agari Data, Inc. All rights reserved. Agari, Agari Secure Email Cloud, Agari Identity Graph, Agari Advanced Threat Protection, Agari Brand Protection, Agari Business Fraud Protection, Agari Incident Response, Agari BEC Automated Deception System and the Agari logo are trademarks of Agari Data, Inc.