www.agari.com
Executive Summary

The onslaught of targeted email attacks such as Business Email Compromise (BEC), spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars [1]. Cybercriminals know that employees are the weak link in an organization and need only convince these targets that they are someone who should be trusted. Email spoofing and display name deception have been the "go-to" techniques for deceiving employees. However, security leaders charged with reducing this risk now need to factor in yet another form of email-based identity deception. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit Account Takeovers (ATO).

Prior to 2017, concern over ATO-based email attacks was virtually non-existent. In early 2017, however, the Google Docs ATO worm attack [2] brought the problem into the spotlight when it struck over a million users in only a few hours. Most recently, an Osterman Research survey [3] found that 44% of organizations had been victims of targeted email attacks launched via a compromised account in the past 12 months.

As these attacks continue to rise, organizations should evaluate whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why such attacks are effective, and why organizations should place a high priority on stopping them in 2018 and beyond. Finally, the paper introduces the latest Agari Enterprise Protect release and explains how its core Agari Identity Intelligence(TM) technology has been enhanced to stop ATO-based email attacks.
Protecting Against Account Takeover Based Email Attacks
WHAT DOES A TYPICAL ATO-BASED EMAIL ATTACK LOOK LIKE?
An Account Takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account and using that compromise to launch subsequent email attacks for financial gain or to execute a data breach. Because the attacking messages originate from the genuine account of a trusted sender, they pass the checks traditional email security relies on: sender authentication (SPF, DKIM, DMARC) succeeds, the sending domain and infrastructure have good reputation, and nothing is spoofed. Moreover, the pre-existing trust relationship between the account owner and the recipient increases the likelihood that a targeted attack such as a Business Email Compromise launched from the account will succeed. To turn a compromised account or endpoint into such a launchpad, cybercriminals follow the process below:
› Step 1: Gain Account Access
The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price.

› Step 2: Establish Account Control
The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may:
1. Create mailbox rules that delete or hide his own malicious email activity, along with any replies or security alerts it provokes.
2. Set up forwarders to silently monitor the user's communication.
3. Tamper with the password-change and account-recovery settings so that he retains control of the password.
The longer the attacker controls the account, the more information can be gathered, and the higher the degree of mission success.

› Step 3: Conduct Internal Reconnaissance
The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:
• Does the compromised account or the user's credentials give direct access to monetizable data, either locally or on other systems?
• Can the victim's contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
• Can the victim's contacts be exploited to compromise other high-value accounts?
Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.

› Step 4: ATO-based Attack
If the attacker determines that assets can be retrieved directly from the account, he will immediately move to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will depend on the previous reconnaissance and could consist of a Business Email Compromise to extract funds or a spear phishing campaign to gain a deeper foothold in the organization.

› Step 5: Complete Mission
Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if the attack requested user account credentials.
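The Step 2 persistence actions (rules that hide the attacker's traffic, forwarders, tampered recovery settings) all leave traces in mailbox audit logs, and they are the earliest point at which a defender can catch an ATO before Step 4 ever happens. The following is an added example, not Agari's code and not part of the original paper: a small detector that inspects constructed mailbox-rule and forwarding audit events and flags the patterns described above (external forwarding from a rule or from the mailbox itself, rules that delete or bury mail matching security or finance keywords, and rules whose name is only punctuation). The event format and field names, the zyx.example organisation domain, and the keyword and folder lists are assumptions made for the example.

```python
"""Flag mailbox configuration changes typical of Step 2 (establishing control).

Added example, not Agari's code. The audit events below are constructed for
this example and follow no vendor's log schema; the field names are
assumptions. Operation names are borrowed from Exchange cmdlet names only so
the events read naturally.
"""
from __future__ import annotations
from dataclasses import dataclass
import string

ORG_DOMAINS = {"zyx.example"}  # assumed: domains the organisation owns
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "hacked",
                   "phish", "suspicious", "compromised", "security alert"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


@dataclass
class Finding:
    user: str
    operation: str
    reason: str


def is_external(addr: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    addr = addr.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in ORG_DOMAINS


def inspect_event(ev: dict) -> list[Finding]:
    user, op, p = ev["user"], ev["operation"], ev.get("params", {})
    found: list[Finding] = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        name = p.get("Name", "")
        # Attackers often give rules a name that is empty or just punctuation ("." or "..").
        if not name.strip(string.punctuation + string.whitespace):
            found.append(Finding(user, op, f"punctuation-only rule name {name!r}"))
        # A rule "hides" mail if it deletes it or moves it to a folder nobody reads.
        hides = bool(p.get("DeleteMessage")) or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS
        words = {w.lower() for w in p.get("SubjectOrBodyContainsWords", [])}
        hits = words & SENSITIVE_WORDS
        if hides and hits:
            found.append(Finding(user, op, f"rule hides messages matching {sorted(hits)}"))
        elif hides and not words and not p.get("From"):
            found.append(Finding(user, op, "rule hides all incoming mail"))
        # Rule-based forwarding or redirection to an address outside the organisation.
        for key in FORWARD_KEYS:
            for addr in p.get(key, []):
                if is_external(addr):
                    found.append(Finding(user, op, f"{key} to external address {addr}"))
    elif op == "Set-Mailbox":
        # Mailbox-level forwarding needs no rule and survives a rule clean-up.
        addr = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if addr and is_external(addr):
            found.append(Finding(user, op, f"mailbox forwarding to external address {addr}"))
    return found


def inspect(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in inspect_event(ev)]


# Constructed sample events (not real logs): one benign rule, then the attacker's changes.
SAMPLE_EVENTS = [
    {"user": "todd@zyx.example", "operation": "New-InboxRule",
     "params": {"Name": "Newsletters", "From": ["news@vendor.example"],
                "MoveToFolder": "Newsletters"}},
    {"user": "todd@zyx.example", "operation": "New-InboxRule",
     "params": {"Name": ".", "SubjectOrBodyContainsWords": ["password", "hacked", "wire"],
                "DeleteMessage": True, "MarkAsRead": True}},
    {"user": "todd@zyx.example", "operation": "Set-InboxRule",
     "params": {"Name": "Archive", "ForwardTo": ["todd.k.backup@gmail.example"]}},
    {"user": "todd@zyx.example", "operation": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:tk-archive@outlook.example"}},
    {"user": "todd@zyx.example", "operation": "Set-Mailbox",
     "params": {"ForwardingAddress": "assistant@zyx.example"}},
]

if __name__ == "__main__":
    for f in inspect(SAMPLE_EVENTS):
        print(f"{f.user} {f.operation}: {f.reason}")
```

Run against the constructed events, the benign newsletter rule and the internal forwarding produce nothing, while the attacker's four changes produce four findings. In practice the same logic sits on an audit-log feed and pairs each finding with the session that made the change (source IP, client, time of day), which is what lets a responder tell a careless user from a takeover.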
WHY ARE ATO-BASED EMAIL ATTACKS SO EFFECTIVE?
Based on internal research, Agari has seen a 126% month-over-month increase in ATO-based attacks in early 2018 alone. The data was observed from Agari Enterprise Protect, an advanced email threat solution that filters email traffic after it has been scanned by a Secure Email Gateway (SEG). As part of the analysis, Agari examined over 1,400 messages considered untrusted over a two-month period.

The effectiveness of these attacks comes down to two distinct adversary advantages:
1. A legitimate, established email account does not need impersonation techniques such as domain spoofing or display name deception to bypass email security controls; it passes them exactly as the real user would.
2. The trust relationship previously established between the original user and their contacts makes targeting and convincing a contact to give up sensitive data or release funds a significantly easier task.

However, not all ATO-based email attacks are the same; their effectiveness depends on the type of compromised account used. From the same research, Agari determined that four account types are used in ATO-based attacks:
• Stranger - attacks using any legitimate email account of an individual unknown to the recipient, to borrow the account's reputation and trusted sending infrastructure.
• Employee webmail - attacks using the personal webmail accounts (e.g. Gmail, Yahoo, Hotmail) of employees known to the recipient, to exploit trust.
• Trusted third parties - attacks using the accounts of supply-chain vendor staff known to the recipient, typically to launch spear phishing campaigns.
• Insider business accounts - attacks using the corporate accounts of employees known to the recipient, to execute BEC or invoice scams.

Additionally, based on customer feedback, attacks launched from a known employee webmail or insider business account had the highest chance of success. The good news is that the large majority of today's attacks still use only stranger accounts.
As attackers become more adept at identifying and compromising specific employees in order to target those employees' own organizations, the effectiveness of ATO-based email attacks, and the real dollars lost to them, will be sure to rise.

Note: No insider business account-based attacks were observed during the observation timeframe.

HOW CAN I PROTECT MY ORGANIZATION AGAINST THESE ATTACKS?
ATO-based email attack protection should be added to the email security layer and should integrate machine learning models to detect attacks originating from all four compromised account types.

Consider the following example:

Fig 2. Describes an example ATO-based email attack.
At first glance, the email does not look malicious. In fact, the email originates from the account of a real user, the recipient is a known contact, the subject matter of the communication is relevant, and communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd's compromised account. Traditional security controls predicated on first detecting an occurrence of bad behavior cannot detect such attacks either: after all, this email originates from the legitimate account of a trusted sender.

To detect this attack, a next-generation solution that integrates machine learning models to analyze three key elements of an email communication, Identity, Behavior, and Trust, must be considered. Imagine a solution that can integrate the following:

1. Identity Mapping: This process determines the perceived identity of the sender. In the simplest view, the process could use identity markers such as the following to map the message to a previously-established identity or organization, each candidate carrying a likelihood:

   Identity Markers -> Likelihood of Identity
   • Individual: Todd Koslowsky
   • Organization: ZYX Employee
   • Class: Finance Executive

Fig 3. Based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc.

2. Behavioral Analytics: Given the perceived identity, the message can then be evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior could include, but are not limited to, the following:
• Tracking the consistency, timing, and volume of messages sent by this identity
• Tracking all email addresses and third-party services associated with this identity
• Tracking how long this identity has been in existence and sending email
• Tracking the types of email artifacts or subject matter commonly sent

Referring back to the example, a simple analysis of one factor would be to determine whether the time at which the email was sent is typical of the user's normal behavior. The email was sent at 3:00 AM; Todd Koslowsky never sends email at that time, which could be an ATO indicator.

3. Trust Modeling: Finally, with the identity of the sender established and behaviors relative to that identity tracked, the next phase determines whether the communication from the sender is expected by the recipient. This modeling is a critical component in determining whether the recipient would actually open the message and take the requested action. Sources for this modeling could include:
• Previous email traffic seen between identities
• Frequencies of interactions and responsiveness
• Historical organization-specific communications
Below is an example of the mapping of Todd's communication relative to Steve and all other organizations.

Figure (communication graph): on Todd Koslowsky's side the graph shows his contacts (Mary Reingold, Kit Brown, Jane Huckabee, Ed Fish, Emily Barry, Jack Harmon, Mike Sandler, Kristen Testa, Alex Lee, Beth Ames, Randy Holmes); on Steve Bowman's side it shows his contacts (Heather Li, August Prince, Tammy Mills, Jane Song, Shawn Green, Scott Park, Tiffany Waters, Henry Best, Pete Hong, Mary Thomas, Sandra Grey). Both sides link to the same set of external sending domains: agaridata.atlassian.net, google.com, symantec.com, zoom.us, ebay.com, hotmail.com, salesforce.com, gmail.com, docusign.net, microsoft.com, pagerduty.com, oracle-mail.com.
Adding the dimension of Trust, the analysis can be expanded further. For example, based on historical communication, communication between Todd and Steve is expected, but the significant delay in Todd's response is not. Todd sent the email at 3:00 AM, while the previous message in the exchange was at 2:00 PM the day before; that gap could indicate that an attacker is attempting to hijack the conversation.

Taking these inputs from each dimension, a final score could determine whether the message is indeed an ATO attack and allow organizations to enforce policies to block it before it reaches the end-user's inbox.
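To make the three dimensions concrete, here is an added example (not Agari's model or code; the paper describes the phases but publishes no algorithm) that scores a single message the way the Todd/Steve walkthrough describes: a send-hour profile for the behavior dimension, the pair's usual reply latency for the conversation-hijack signal, and the strength of the sender/recipient relationship as the trust weight that lowers the tolerance for anomalies. The same block illustrates the four-phase Identity Intelligence description in the next section. The two-week message history, the addresses, and every weight and threshold are constructed assumptions for the example.

```python
"""Score one message on behaviour (send time, reply latency) and trust (relationship).

Added example, not Agari's code. The message history is constructed for this
example; the feature weights, the 3/24 "uniform share" baseline, the log2/3
latency scale and the tolerance curve are assumptions, not a published model.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
import math

TODD, STEVE = "todd@zyx.example", "steve@zyx.example"   # assumed addresses


@dataclass(frozen=True)
class Msg:
    ts: datetime
    sender: str
    recipient: str


def build_history() -> list[Msg]:
    """Constructed baseline: Steve asks at 09:30 and 14:00, Todd answers within 45-120 min,
    and Todd also mails two other internal contacts every morning and evening."""
    hist: list[Msg] = []
    day0 = datetime(2018, 3, 5)                      # a Monday
    reply_minutes = [60, 90, 75, 120, 45, 80, 70, 100, 55, 85]
    for d in range(9):                               # Mon-Fri, then Mon-Thu
        day = day0 + timedelta(days=d + (2 if d >= 5 else 0))   # skip the weekend
        for h in (9, 14):
            ask = day.replace(hour=h, minute=30 if h == 9 else 0)
            hist.append(Msg(ask, STEVE, TODD))
            hist.append(Msg(ask + timedelta(minutes=reply_minutes[(d + h) % 10]), TODD, STEVE))
        hist.append(Msg(day.replace(hour=8, minute=15), TODD, "cfo-staff@zyx.example"))
        hist.append(Msg(day.replace(hour=17, minute=30), TODD, "board@zyx.example"))
    hist.append(Msg(datetime(2018, 3, 16, 9, 30), STEVE, TODD))   # Friday's question, unanswered
    return hist


def odd_hour_score(history, sender, hour, window=1, uniform_share=3 / 24) -> float:
    """1.0 when the sender has never sent at or near this hour, 0.0 when it is a normal hour."""
    sent = [m for m in history if m.sender == sender]
    if not sent:
        return 0.5                                   # no baseline: uninformative
    near = sum(1 for m in sent if min(abs(m.ts.hour - hour), 24 - abs(m.ts.hour - hour)) <= window)
    share = near / len(sent)
    return max(0.0, min(1.0, (uniform_share - share) / uniform_share))


def reply_latencies(history, a, b) -> list[float]:
    """Hours a took to answer b, for every b->a message that a later answered."""
    out, pending = [], None
    for m in sorted(history, key=lambda m: m.ts):
        if m.sender == b and m.recipient == a:
            pending = m.ts
        elif m.sender == a and m.recipient == b and pending is not None:
            out.append((m.ts - pending).total_seconds() / 3600)
            pending = None
    return out


def slow_reply_score(history, msg: Msg) -> float:
    """0.0 at or below the pair's median reply time, 1.0 at 8x the median or slower."""
    lats = reply_latencies(history, msg.sender, msg.recipient)
    prior = [m.ts for m in history
             if m.sender == msg.recipient and m.recipient == msg.sender and m.ts < msg.ts]
    if not lats or not prior:
        return 0.0                                   # no conversation to hijack
    ratio = ((msg.ts - max(prior)).total_seconds() / 3600) / median(lats)
    return max(0.0, min(1.0, math.log2(ratio) / 3))


def closeness(history, a, b) -> float:
    """Trust dimension: how established the a<->b relationship is, saturating at 20 messages."""
    n = sum(1 for m in history if {m.sender, m.recipient} == {a, b})
    return min(1.0, n / 20)


def score_message(history, msg: Msg) -> dict:
    odd = odd_hour_score(history, msg.sender, msg.ts.hour)
    slow = slow_reply_score(history, msg)
    close = closeness(history, msg.sender, msg.recipient)
    raw = 0.5 * odd + 0.5 * slow
    tolerance = 0.8 - 0.4 * close   # the closer the relationship, the less anomaly is tolerated
    return {"odd_hour": odd, "slow_reply": slow, "closeness": close, "raw": raw,
            "tolerance": tolerance, "verdict": "block" if raw > tolerance else "allow"}


# Constructed candidates for Friday 16 March: the 3 AM message from the example, a normal
# mid-morning reply, and a 3 AM message to a contact Todd has never written to.
CANDIDATES = {
    "3am_to_steve": Msg(datetime(2018, 3, 16, 3, 0), TODD, STEVE),
    "1040_to_steve": Msg(datetime(2018, 3, 16, 10, 40), TODD, STEVE),
    "3am_to_stranger": Msg(datetime(2018, 3, 16, 3, 0), TODD, "newvendor@partner.example"),
}

if __name__ == "__main__":
    hist = build_history()
    for label, m in CANDIDATES.items():
        print(label, score_message(hist, m))
```

The 3 AM reply to Steve scores 1.0 on both behavior features (Todd has never sent near that hour, and 13 hours since Steve's last message is about ten times his median reply time) and, because the relationship is well established, only a small anomaly is tolerated, so it is blocked. The 10:40 reply scores zero on both and is allowed. The third candidate shows the trust weighting working the other way: the same odd hour to a contact with no history gives a raw score of 0.5 against a tolerance of 0.8, so on its own it is not enough to block, which is why a production system would add the identity and content features the paper lists rather than rely on timing alone.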
A NEW APPROACH: AGARI ENTERPRISE PROTECT
Agari Enterprise Protect leverages Agari Identity Intelligence(TM), an advanced artificial intelligence and machine learning system that ingests telemetry from more than two trillion emails per year to model email senders' and recipients' identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships.

› How Agari Enterprise Protect Works
Agari Enterprise Protect deploys as a lightweight sensor, either on-premises or in the cloud, that integrates with the existing Secure Email Gateway (SEG). Working as the last line of defense, Agari EP receives all messages the SEG considers clean and analyzes them for ATO threat signals. Once a message is confirmed as a malicious ATO email, security operations teams can configure policies to immediately block or quarantine it. Finally, email forensic information can be extracted via email alerts or API for further incident investigation, including assisting in recovering or taking down the compromised account.
Agari has updated its core Agari Identity Intelligence machine learning algorithms to model ATO-based behavior. When a message is received, it is subjected to the following phases of analysis and scoring:
1. Identity Mapping – Determines the perceived identity of the sender, mapping the sender to a previously-established sender/organization or to a broader classification.
2. Behavioral Analytics – Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior: whether the sender has ever interacted with the recipient, whether the content or structure of the message is expected from this sender, and whether the frequency and timing of the message are normal. Any anomaly is treated as suspicious.
3. Trust Modeling – The final phase determines whether communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior, because the impact of a successful attack is greater. The system models the interaction itself: how often the sender and recipient interact, and whether the responsiveness and timing of responses between the two are normal.
4. Identity Intelligence Scoring – The final Identity Intelligence Score of a message combines the features and indicators of the three phases to determine whether the message is indeed originating from an account compromised by takeover.

To support this modeling, Agari has leveraged the elasticity of its cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern. Agari Enterprise Protect is the first to model the four types of account takeover behavior: stranger email, employee webmail, trusted third parties, and insider business accounts.
CONCLUSION
The right place to protect against Account Takeover-based email attacks is at the email gateway, and existing security solutions should be evaluated against the following requirements:
1. Ability to enforce policies to prevent targeted and scattershot phishing attempts intending to steal credentials or
compromise the endpoint.
2. Ability to enforce policies to prevent targeted email attacks launched via a compromised user account, e.g., spear
phishing, BEC, or ransomware.
3. Provide email forensic intelligence that exposes the compromised email account details to help security teams return
these accounts to their rightful owners.
Given the effectiveness of Account Takeover-based email attacks and the current lack of protections against them, attackers will be highly motivated to increase their attack rate in the coming year. Organizations must place a higher priority on this attack category and re-evaluate whether their existing controls can protect against it, or risk becoming the next victim.
1. FBI Internet Crime Report 2016: https://pdf.ic3.gov/2016_IC3Report.pdf
2. Agari BEC Attack Report: https://www.agari.com/resources/whitepapers/bec-report/
3. Google Docs Attack: https://www.agari.com/google-docs-account-take-over-worm/
4. Osterman Research Report - Protecting Against Phishing, Ransomware, & BEC Attacks: https://www.agari.com/resources/whitepapers/email-threat-trends/