How Abnormal Security combats business email compromise

Reviews
May 22, 2020 | 9 mins
Phishing | Security

Abnormal Security analyzes work relationships, language patterns to spot compromised accounts and stop them from sending mail.


When looking at all the different ways that attackers can threaten networks and enterprises, flashy incidents like ransomware attacks often come to mind. But a relatively new kind of attack called business email compromise (BEC) has taken the lead in overall damage, quickly becoming public enemy number one.

According to the FBI's recently released 2019 Internet Crime Report, the costliest category of cybercrime in 2019 was the dual threat of business email compromise and email account compromise, which the report groups into a single category. When a private individual falls victim, the FBI calls it email account compromise. When a business suffers the same fate, it's called business email compromise.

An email compromise attack succeeds when attackers take over a mailbox, either by cracking or guessing the account password or by using social engineering to trick the user into handing it over. Once compromised, the account is generally used to initiate fraudulent wire transfers from businesses or to steal bank details from private individuals. It is a huge problem, responsible for almost $2 billion in reported losses last year, and the real number is probably higher, because many of these crimes are almost certainly never reported. By comparison, ransomware accounted for only about $9 million in losses in the same FBI report, a figure that counts only what victims reported to the FBI and excludes downtime, lost business and remediation costs.

Defending an enterprise against an attacker who holds a compromised mailbox is extremely difficult. In a phishing attack, an attacker spoofs an internal address from the outside or sets up a website that looks like the real thing, and sender-authentication controls such as SPF, DKIM and DMARC have something to catch. In a business email compromise attack, the attacker has effectively stolen the identity of the person or entity who has been compromised, so every message is sent from the genuine account through the genuine mail server and passes those checks. It's not a matter of someone pretending to write from the CEO's account and asking for a wire transfer. It's the CEO's actual company mailbox making the request.

From a cybersecurity standpoint, that's not easy to stop. The built-in security controls of popular cloud email platforms like Google's G Suite and Microsoft's Office 365 are aimed at filtering inbound mail, not at catching a legitimate, authenticated account that has started sending bad information. Even if a company adds a secure mail gateway, it is not designed to stop a BEC attack once the attacker already has a foothold inside. And because these attacks generally involve no malware and no traditional data exfiltration, a compromised mailbox, once established, can be an ongoing gold mine for the attacker.

The Abnormal Security platform was designed to defend against the growing scourge of BEC attacks. The platform is actually able to defend against most email-based intrusions, but its claim to fame is its ability to spot compromised accounts and stop them from sending mail, even after an attacker has taken over a valid user’s email identity.

The platform is delivered as software as a service. It connects to Office 365 or G Suite through the mail platform's own API rather than sitting inline as a gateway, so it can be connected and ready to go in about ten or fifteen minutes. Once in place, Abnormal Security ingests the previous 90 days of email correspondence and begins analyzing it to determine the relationships between the various people within the protected organization. It also looks at mail from the outside, such as third-party vendors who regularly communicate, send invoices and otherwise interact with internal employees. It even analyzes the kind of language people use when writing to one another, such as whether a relationship is formal or casual. And it can identify external and personal email accounts used by company officials without first being told about them.

[Screenshot: Abnormal Security dashboard]

Although the really impressive science happens behind the scenes, the Abnormal Security dashboard provides a detailed look at what kind of email-based attacks are being levied against a protected network.

Because it is initially analyzing a lot of data, it takes about two days from installation before the platform is ready to start making judgments about suspicious email, let alone identifying BEC attacks. And while it is accurate after that initial analysis, it gets better over time as it continues to analyze more data, a process that never stops.

Pricing is based on the number of employees at the company being protected rather than on the number of email addresses being watched. The reasoning is that much of the platform's heavy lifting goes into creating the user models and analyzing relationships. If an employee has several email addresses, they are just more data points for that employee's existing model. A new employee, however, requires a completely new profile.

[Screenshot: Abnormal Security attack detail view]

The Abnormal Security platform is rarely equivocal when it designates an email as an attack. But for administrators who want more information, it shows the evidence it used to reach that decision.

How it works

Abnormal Security uses three logic pillars to determine whether an email is being sent by the actual user or by someone who has compromised the account. This three-pronged approach also goes a long way toward catching less advanced threats, since those won't be hiding nearly as well as a BEC attack. The three pillars are Identity Modeling, Relationship Profiling and Content Analysis. Observations and suspicions grounded in just one pillar are almost never enough to trigger the platform to take action. There has to be corroborating evidence from at least two pillars, and ideally all three.

For an internal company employee, Identity Modeling includes things like the person’s name, their role in the company, their phone number, normal login times, devices used, their locations, browsers used, their company managers, physical mailing address and other factors. For vendors, their identity might include many of those same factors plus things like the date of their last contact and their communication cadence. The profile of customers would include who they email at the company, what kinds of interactions take place and many other factors.

[Screenshot: Abnormal Security vendor compromise detection]

Abnormal Security can detect business email compromise attacks even when it is an outside vendor that has been breached. In that case, the platform prevents the compromised vendor account from being used as a stepping stone into the protected company.

Once the identity models are completed, Abnormal Security then begins to work on Relationship Profiling. Behind the scenes, the platform creates a model showing the frequency, tone and topics used by everyone who has been modeled.

Finally, the Content Analysis engine performs deep URL analysis, applies relevant threat intelligence, and analyzes both what the messages say and how they say it. It also applies computer vision to things like the layout of vendor invoices. If an invoice arrives with the logo in the wrong place, or the usual form looks different, the computer vision component flags it as suspicious. Of course, a vendor could have changed its form or even its logo, so nothing happens unless other pillars are also detecting anomalies.

Testing Abnormal Security

To put Abnormal Security to the test, several emails were sent through a system protected by the platform. This included instances where the login and password for a user were known to us, which simulated a BEC attack.

In one example, an internal employee sent an email to a company official asking about financial data. It was flagged for several reasons. First, the two employees had never communicated before. Second, the language used was informal, even though one would expect a more formal exchange. The request also contained financial information, which was unusual if not outright suspicious. Finally, Abnormal Security noted that the simulated attacker had tried to extend the BEC attack by creating a mailbox rule that diverted internal company mail to the junk folder, a technique attackers commonly use to keep the victim from seeing odd replies and realizing that someone else is writing on their behalf.
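The mailbox-rule trick above is worth checking for directly, because it survives a password reset. Below is an added example (my own code, not Abnormal Security's) that audits a list of inbox rules for the usual persistence patterns: hiding or deleting mail from internal senders, hiding mail that mentions money or account security, hiding everything, forwarding to an external address, and near-empty rule names. The rule objects are constructed to resemble the shape of a Microsoft Graph messageRule (displayName, conditions, actions); the addresses are invented and folder names are used where Graph would return folder IDs.

```python
"""Audit mailbox rules for attacker persistence after an account takeover.
Added example; rule objects are constructed and loosely modelled on the
Microsoft Graph messageRule resource.  Folder names stand in for folder IDs."""
INTERNAL_DOMAIN = "example.com"
SUSPECT_TERMS = {"invoice", "wire", "payment", "bank", "password", "hacked", "suspicious", "fraud"}
HIDING_FOLDERS = {"junkemail", "deleteditems", "archive", "rssfeeds"}  # assumed names

# Constructed rules: one attacker "cleanup" rule, one benign filter,
# one classic ". " rule that forwards everything out and deletes it.
RULES = [
    {
        "displayName": "Cleanup",
        "isEnabled": True,
        "conditions": {"fromAddresses": [{"emailAddress": {"address": "finance@example.com"}}],
                       "bodyContains": ["invoice", "wire"]},
        "actions": {"moveToFolder": "junkemail", "markAsRead": True},
    },
    {
        "displayName": "Newsletter filter",
        "isEnabled": True,
        "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
        "actions": {"moveToFolder": "newsletters"},
    },
    {
        "displayName": ".",
        "isEnabled": True,
        "conditions": {"sentToMe": True},
        "actions": {"forwardTo": [{"emailAddress": {"address": "backup.mail@gmail.example"}}],
                    "delete": True},
    },
]


def addresses(entries):
    """Flatten Graph-style recipient objects to lower-case addresses."""
    return [e["emailAddress"]["address"].lower() for e in entries or []]


def audit_rule(rule):
    """Return the reasons a rule looks like attacker persistence (empty if clean)."""
    reasons = []
    if not rule.get("isEnabled", True):
        return reasons
    cond = rule.get("conditions") or {}
    act = rule.get("actions") or {}

    hides = bool(act.get("delete") or act.get("permanentDelete")
                 or str(act.get("moveToFolder", "")).lower() in HIDING_FOLDERS)
    keywords = {k.lower() for k in cond.get("bodyContains", []) + cond.get("subjectContains", [])}
    internal_senders = [a for a in addresses(cond.get("fromAddresses"))
                        if a.endswith("@" + INTERNAL_DOMAIN)]
    external_fwd = [a for a in addresses(act.get("forwardTo")) + addresses(act.get("redirectTo"))
                    if not a.endswith("@" + INTERNAL_DOMAIN)]

    if hides and internal_senders:
        reasons.append(f"hides mail from internal senders {internal_senders}")
    if hides and keywords & SUSPECT_TERMS:
        reasons.append(f"hides mail mentioning {sorted(keywords & SUSPECT_TERMS)}")
    if hides and cond.get("sentToMe") and not keywords and not internal_senders:
        reasons.append("hides all mail sent to the mailbox")
    if external_fwd:
        reasons.append(f"forwards to external address {external_fwd}")
    if hides and act.get("markAsRead"):
        reasons.append("marks hidden mail as read so no unread count gives it away")
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("near-empty rule name, often seen in account takeovers")
    return reasons


def audit_rules(rules):
    """Map rule name -> reasons, for every rule that raised at least one."""
    return {r["displayName"]: reasons for r in rules if (reasons := audit_rule(r))}


if __name__ == "__main__":
    for name, reasons in audit_rules(RULES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run this over every mailbox, not just the one involved in the incident: attackers who hold several accounts tend to plant the same rule in each, and a rule created by the attacker is still in place after the password has been changed.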

Technically, Abnormal Security found several thousand signals that were odd about the actions in most of the test emails we sent. It only surfaces the most egregious factors in the platform's interface, though we could drill down and look at all of them if we wanted.

[Screenshot: COVID-19 phishing email blocked by Abnormal Security]

In addition to stopping the most advanced email attacks like business email compromises, the Abnormal Security platform is also adept at catching more typical scams. It was able to stop a phishing email that tried to direct users to a fake COVID-19 website like the one shown here (with identification data removed). Sadly, Abnormal Security says that COVID-19 scams are increasingly common, and they are devoting a lot of effort into stopping them.

Other simulated attack emails were blocked for a variety of reasons. Among them were employees who logged into their email from the office in the United States and then, two hours later, from Hong Kong, a pattern often called impossible travel. Bogus invoices sent from genuine vendor accounts to the right company officials were also flagged if they didn't look right or didn't follow established patterns. And email was stopped when its content didn't match anything that had previously passed between two employees with a longstanding relationship.
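The United States-to-Hong Kong sign-in above is the simplest identity signal to reproduce yourself from the mail platform's sign-in audit log. As an added example (my own code, not Abnormal Security's), the block below sorts constructed sign-in events per user, computes the great-circle distance between consecutive sign-ins with the haversine formula, and flags any pair whose implied speed exceeds an assumed 900 km/h ceiling (roughly airliner cruise speed). The events, coordinates and threshold are all made up; in practice the coordinates come from an IP geolocation lookup, which is itself approximate, so the 50 km floor below avoids flagging two nearby IP ranges as travel.

```python
"""Impossible-travel check over sign-in events.  Added example with
constructed events; MAX_PLAUSIBLE_KMH and the 50 km floor are assumptions."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, about airliner cruise speed
MIN_DISTANCE_KM = 50.0      # ignore geolocation jitter between nearby IP ranges
EARTH_RADIUS_KM = 6371.0

# Constructed sign-in events: (user, UTC timestamp, latitude, longitude, label).
EVENTS = [
    ("cfo@example.com", "2020-05-18T13:00:00Z", 40.7128, -74.0060, "New York"),
    ("cfo@example.com", "2020-05-18T15:00:00Z", 22.3193, 114.1694, "Hong Kong"),
    ("cfo@example.com", "2020-05-19T09:30:00Z", 40.7128, -74.0060, "New York"),
    ("dev1@example.com", "2020-05-18T08:00:00Z", 51.5074, -0.1278, "London"),
    ("dev1@example.com", "2020-05-18T20:00:00Z", 48.8566, 2.3522, "Paris"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per consecutive sign-in pair (per user) whose implied speed
    exceeds max_kmh.  Events may arrive in any order; they are sorted per user."""
    by_user = {}
    for user, ts, lat, lon, label in events:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon, label))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(evs, evs[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            km = haversine_km(la1, lo1, la2, lo2)
            # Two distant sign-ins in the same second would divide by zero;
            # treat any real distance covered in no time as impossible.
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_DISTANCE_KM and speed > max_kmh:
                findings.append({"user": user, "from": l1, "to": l2, "km": round(km),
                                 "hours": round(hours, 2), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(EVENTS):
        print(f)
```

Note the asymmetry in the constructed data: New York to Hong Kong in two hours is flagged, but the return sign-in 18.5 hours later implies about 700 km/h and passes, which is exactly the distinction a velocity check should make.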

Even when we tried to get clever by cutting and pasting archived conversations into a new email to disguise the fact that we were using an account we had taken over, Abnormal Security still stopped us based on other factors. It really proved itself in performance testing. Despite knowing exactly how the product operates, we were unable to trick it into letting an invalid or dangerous email through. It might be possible to fool Abnormal Security somehow, but we couldn't do it.

Abnormal Security can take several actions once an email is deemed malicious. It can block the message at the server level so users never see it. It can flag the message and let it through, in which case it tracks whether the user ignores the flag and engages with the likely attacker. It can quarantine a bad email or force a compromised user to reset their password. And of course it can raise an alert in its own console or send one to an external SIEM or security event platform.

The bottom line

Today, BEC attacks are one of the most dangerous problems that enterprises face, doubly so because there are so few effective defenses. With Abnormal Security being designed specifically to halt those kinds of attacks, it’s a tool that no enterprise that is serious about email security should be without.