Challenging Verizon’s CIS Control Recommendations for Socially-Engineered Business Email Compromise Attacks - Abnormal Security

Challenging Verizon’s CIS Control Recommendations for Socially-Engineered Business Email Compromise Attacks

While Verizon’s annual Data Breach Incident Report (DBIR) has always offered recommendations on defense and controls through its findings, this year the report shares formal, standardized security control recommendations to readers. In doing so, Verizon aligned its 2020 findings with the Center for Internet Security (CIS) Critical Security Controls (CSC) so that enterprises can apply and prioritize the findings to their own security efforts and programs. 

For those unfamiliar, the CIS CSC is a community-built, attacker-informed, prioritized set of cybersecurity guidelines that consists of 171 safeguards organized into 20 higher-level controls. Verizon offers its CIS Control Recommendations in the form of a table (figure 134, page 102), where it maps types of data breaches and the security controls best suited to mitigate them. 

The data breach ‘types’ range from crimeware to miscellaneous errors to socially-engineered and business email compromise (BEC) attacks, which are grouped under the category ‘Everything Else.’ According to Verizon, the ‘Everything Else’ category mapped 100% to CSC 17 – Security Awareness Training – and only 11% to CSC7 – Email and Web Browser Protections. In other words, Verizon is suggesting that enterprises looking to thwart socially-engineered BEC attacks should invest heavily in security training for employees, but not as much in actual technology to stop the attacks. 

While this may be what the industry currently believes is the right approach, it communicates the idea that “these types of attacks aren’t stoppable” and that we’re forced to rely on security awareness training only. It goes without saying that we at Abnormal Security know that’s not the case. 

In fact, Verizon’s own report proved that socially-engineered BEC attacks are on the rise as the high level of sophistication makes them nearly impossible for employees to spot. Although phishing click rates are down, showing that awareness training does have a positive impact, socially-engineered BEC attacks are highly-personalized and lack the common threat signals that would trigger detection from both an informed employee or an antiquated security email gateway (SEG). In addition, Verizon found that malware has been on a consistent decline over the last five years, theorizing that with hacking and social breaches leading to credential theft, malware is no longer needed to maintain persistence. 

While all this sounds like doom and gloom, the good news that enterprises need to know is that there are in fact email security platforms that can help identify and prevent those attacks that prey upon implied digital trust and slip past SEGs. 

Learn how Abnormal Security protects inboxes from these sophisticated attacks by downloading our case study of an $700K invoice fraud BEC attack.

Related content