Leveraging behavioral data science to detect advanced email threats

By Dan Nickolaisen, Senior Sales Engineer, Abnormal Security

Today’s security landscape is drastically different than it was 5 years ago. The majority of IT services have been, or are being, migrated to the cloud, and an increasing number of positions are remote, even before accounting for the effects of COVID-19 and its variants. With this shift in service delivery, your perimeter has also shifted: from an on-premises network with a defined boundary, protected by a suite of controls, to your people and your ecosystem of suppliers, partners and customers. Your people and the external entities with whom you interact are now your perimeter.

With this new perimeter comes a shift in attacker techniques and threat vectors. Email has long been a primary source of successful data breaches, and this trend has continued to the point where over 90% of successful data breaches begin with email (Verizon DBIR). Shifts in attacker behavior and technique have led to an increasing volume of email-borne threats that leverage compromised internal and external business accounts while simultaneously abusing otherwise-legitimate services such as SharePoint, Adobe and WeTransfer. This compromise and abuse of legitimate entities renders traditional detection techniques that rely on reputation, signatures and threat intelligence decreasingly effective at identifying threats.

This reality requires a shift in defensive techniques: one that relies less on reputation, signatures and threat intelligence and more on behavioral profiling and business context.

When I mention “behavioral profiling and business context”, I am referring to a series of strategies that profile and model normal inbound, outbound and internal email sending behaviors in order to identify anomalies indicative of attack. Anomaly detection from learned patterns is not new and has been successfully used for endpoint detection & response, network detection & response, insider threat management and increasingly in data loss prevention strategies.

Its use, however, has been woefully lacking in the arena of email security, which, as stated above, is the adversary’s threat vector of choice, being the point of initial access for more than 90% of successful data breaches.

So how does behavioral profiling and business context identify threats and ultimately reduce organizational risk?

Let’s take a look at the following anonymized credential phishing example:

Looking at this email through the lens of reputation, signatures and threat intelligence, it becomes apparent why a well-known Secure Email Gateway (SEG) provider allowed this message through to [Recipients] at [Company]:

  • corporate.biz does not have a poor reputation.
  • The sending infrastructure is Office 365
  • This email is passing SPF, DKIM and DMARC for the appropriate sending domain (corporate.biz).
  • There are no language indicators that would align with common spam or phishing signatures.
  • SharePoint is a legitimate service that does not carry a poor reputation.

If we look at this same email through the lens of behavioral profiling and business context, the following threat indicators surface:

  • While corporate.biz is a known external entity, the sender has never interacted with [Recipients] at [Company].
  • This email is BCC’d to some number of recipients, including [Recipients] at [Company], while being addressed to the sender’s own email account.
  • [Recipients] at [Company] are not in Sales nor Accounts Payable roles.
  • The SharePoint site indicates Repton School, which does not align with the sender domain of this email (corporate.biz).
  • No one at [Company] has ever sent an email to or received an email from Repton School, nor a link to Repton School’s SharePoint site.

Through a behavioral and contextual lens, it makes very little sense for a previously-unknown user at a known third party (corporate.biz) to provide payment confirmation, especially when the intended recipients are not in Sales nor Accounts Payable roles. It makes little sense for this message to be addressed to the sender while being BCC’d to some number of recipients, including those at [Company]. Finally, a link pointing to a SharePoint site belonging to Repton School makes little sense given that the sender of the message is at corporate.biz.
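To make the two lenses concrete, here is an added example (not code from the article or from Abnormal Security) that runs one constructed message, modelled on the anonymized case above, through a SEG-style reputation/signature pass and then through a behavioral/context pass. The sender, recipients, link, role table, communication baseline and the quarantine threshold are all assumptions chosen for illustration; the SharePoint tenant parsing is a simplification for `*.sharepoint.com` hostnames only.

```python
# Added illustration (not the article's or Abnormal Security's code): the same
# message scored by a reputation lens and by a behavioral/context lens.
# All message, baseline and role data below is constructed.
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

@dataclass
class Message:
    sender: str
    to: list[str]
    bcc: list[str]
    subject: str
    links: list[str]
    auth: dict[str, str]  # SPF/DKIM/DMARC results as reported by the receiving MTA

@dataclass
class Baseline:
    # Learned from past mail flow (constructed here, not a real model).
    known_external_domains: set[str]
    seen_pairs: set[tuple[str, str]]   # (sender, recipient) pairs with prior contact
    seen_link_tenants: set[str]        # SharePoint tenants seen in prior traffic
    roles: dict[str, str]              # internal address -> job role

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def org_label(domain: str) -> str:
    """'corporate.biz' -> 'corporate'; compared against a SharePoint tenant name."""
    return domain.split(".")[0]

def sharepoint_tenant(url: str) -> Optional[str]:
    """'https://reptonschool-my.sharepoint.com/...' -> 'reptonschool' (assumed layout)."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".sharepoint.com"):
        return None
    return host.split(".")[0].removesuffix("-my")

def reputation_lens(msg: Message, bad_domains: set[str], signatures: list[str]) -> list[str]:
    """SEG-style checks: authentication results, reputation lists, content signatures."""
    findings = []
    for proto in ("spf", "dkim", "dmarc"):
        if msg.auth.get(proto) != "pass":
            findings.append(f"{proto} did not pass")
    if domain_of(msg.sender) in bad_domains:
        findings.append("sender domain on blocklist")
    for link in msg.links:
        if (urlparse(link).hostname or "").lower() in bad_domains:
            findings.append(f"link host on blocklist: {link}")
    for sig in signatures:
        if sig in msg.subject.lower():
            findings.append(f"signature hit: {sig!r}")
    return findings

# Which roles are expected to receive mail on a given topic (assumption).
EXPECTED_ROLES = {"payment": {"Sales", "Accounts Payable"}, "invoice": {"Accounts Payable"}}

def behavioral_lens(msg: Message, base: Baseline) -> list[str]:
    """Context checks: does this message fit the learned communication pattern?"""
    findings = []
    sender = parseaddr(msg.sender)[1].lower()
    sdomain = domain_of(sender)
    internal = [r.lower() for r in msg.to + msg.bcc if r.lower() in base.roles]
    # 1. Known third-party domain, but this sender has never written to these recipients.
    if sdomain in base.known_external_domains and not any((sender, r) in base.seen_pairs for r in internal):
        findings.append("first contact from this sender at a known third party")
    # 2. Addressed to the sender's own account with the real recipients hidden in BCC.
    if [t.lower() for t in msg.to] == [sender] and msg.bcc:
        findings.append("self-addressed message with recipients in BCC")
    # 3. Recipients' roles do not match the business topic of the message.
    for kw, roles in EXPECTED_ROLES.items():
        if kw in msg.subject.lower() and internal and not any(base.roles[r] in roles for r in internal):
            findings.append(f"'{kw}' message sent to recipients outside {sorted(roles)}")
    # 4/5. Link tenant disagrees with the sender domain and has never been seen before.
    for link in msg.links:
        tenant = sharepoint_tenant(link)
        if tenant is None:
            continue
        if tenant != org_label(sdomain):
            findings.append(f"SharePoint tenant {tenant!r} does not match sender domain {sdomain}")
        if tenant not in base.seen_link_tenants:
            findings.append(f"no prior traffic involving SharePoint tenant {tenant!r}")
    return findings

def verdict(msg: Message, base: Baseline, bad_domains=frozenset(), signatures=(), threshold=3) -> dict:
    """Reputation hits block outright; enough behavioral indicators quarantine (threshold assumed)."""
    rep = reputation_lens(msg, set(bad_domains), list(signatures))
    beh = behavioral_lens(msg, base)
    action = "block" if rep else ("quarantine" if len(beh) >= threshold else "deliver")
    return {"reputation": rep, "behavioral": beh, "action": action}

# Constructed message modelled on the anonymized example in the article.
SAMPLE_MESSAGE = Message(
    sender="j.doe@corporate.biz",
    to=["j.doe@corporate.biz"],
    bcc=["alice@company.example", "bob@company.example"],
    subject="Payment confirmation",
    links=["https://reptonschool-my.sharepoint.com/:b:/g/personal/doc"],
    auth={"spf": "pass", "dkim": "pass", "dmarc": "pass"},
)
SAMPLE_BASELINE = Baseline(
    known_external_domains={"corporate.biz"},
    seen_pairs={("m.smith@corporate.biz", "carol@company.example")},
    seen_link_tenants={"corporate"},
    roles={"alice@company.example": "Engineering", "bob@company.example": "HR",
           "carol@company.example": "Accounts Payable"},
)

if __name__ == "__main__":
    for key, value in verdict(SAMPLE_MESSAGE, SAMPLE_BASELINE).items():
        print(key, value)
```

Run as written, the reputation lens returns no findings (authentication passes, nothing is on a list, no signature matches), which is exactly why a SEG delivers the message; the behavioral lens returns all five indicators from the list above and the message is quarantined. A message from a sender who has previously corresponded with an Accounts Payable recipient, addressed directly and without an unfamiliar link, produces no behavioral findings and is delivered, which is the point of the baseline: it is the deviation from learned context, not any single attribute, that carries the signal.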

Ultimately, email analysis through the lens of business context provides a stronger security outcome, not only for the credential phishing example above and others like it, but also for broader social engineering attacks. That includes invoice fraud from compromised or impersonated third parties, which leads to direct financial loss without generating the noise that non-email controls often pick up once credential phishing or malware delivery has succeeded.
