Sponsored Cybersecurity company Darktrace understands digital attack techniques better than most. Its unique AI-driven approach evolved out of work between former spies from government intelligence agencies and mathematicians at the University of Cambridge.
With 4,000 organisations that rely on its technology, Darktrace has been able to discern some noticeable patterns in the modern threat landscape. One trend is impossible to ignore: attackers are increasingly targeting companies through their most unpredictable assets: its people. In particular, they turn to email to gain that initial foot in the door. Indeed, 94 per cent of cyber-attacks originate in the inbox. By adopting the mindset of an attacker, we can begin to understand why email offers the simplest route in, and why they will continue to target the inbox as a springboard for their attacks in 2021.
According to Darktrace's experts, attackers will storm your defences for a range of reasons. Hackers are eager to trawl your digital environment for secrets. Industrial espionage is a booming business and talented hackers are always on the lookout for intellectual property. IP is just one form of economic gain. Organised cyber criminals often take a more direct approach, either pilfering assets that they can convert into cash, or just stealing money directly.
Customer credit card data fetches a handsome profit online, as do account credentials. Alternatively, business email compromise (BEC) scammers run a healthy business convincing those in charge of company purse strings to send money to fraudulent accounts.
Some of the rewards are purely egotistical. Hacking companies purely for the lulz is an ongoing digital sport for some, while some take a more ideological route. Hacktivists still ravage networks on a regular basis.
It started with a phish, never thought it would come to this How do many of these people infiltrate their targets? It typically starts with a phishing attack that aims to steal the recipient’s credentials, so that the hacker can then compromise their account.
Gaining access to someone's login credentials offers a foothold into company infrastructure, along with a rich trove of sensitive data buried in the victim's email account. Contracts, business plans, pricing data, and contact lists are all rich resources for thieves.
Those credentials can also unlock shared corporate resources. Employees using the same credentials for multiple systems amplify the damage. With barely a third of all companies enforcing multi-factor authentication, the risks are high.
Attackers will often launch secondary strikes by sending phishing emails from hijacked inboxes. Who wouldn't trust an email that came from a trusted colleague's account? This phase enables attackers to steal still more credentials from other victims, plant ransomware, or launch an especially convincing BEC attack.
For the attacker, everything depends on the first victim opening that email and taking the bait. Most people see themselves as rational actors who would never fall for a phishing scam - until they do.
Reason has nothing to do with it. Good attackers are experts at social engineering techniques honed to circumvent your rational brain altogether. They use common psychological triggers that appeal directly to a victim's emotions.
Criminals are well-versed in social engineering attacks. They have capitalised on disasters in the news for years, exploiting peoples' compassion and concern with fake charity drives.
Fear is another common emotional trigger because it works so well. Cyber criminals use it as the basis for successful campaigns in a concept that Darktrace calls fearware. That's why the COVID-19 pandemic was such a godsend for attackers.
When the pandemic first broke out, misinformation was rife. People were uncertain and afraid of the disease's impact. Criminals offered solace through sites that harvested account credentials in exchange for fake information about the virus. As people began getting a better hand on the pandemic, those sites evolved into offers of fake stimulus funds and information about economic recovery.
Thieves do their homework
Online criminals sharpen their attacks with research, often through social media but also using public records and company web sites. Attackers use this information to learn who victims hang out with, how they talk, what their sense of humour is like and what kinds of information they share. Those insights can be invaluable in targeting a person's friends and colleagues with credible emails that mimic a person's online voice.
This kind of research takes more effort (although ongoing developments in AI reconnaissance techniques may change that). Attackers frequently hedge their bets by going both broad and deep. They complement their investment in high-value targets by phishing people at scale.
In phishing's early days, large-scale attackers were a spray-and-pray affair, but attackers are refining their techniques, using the same tools and techniques that professional email marketers use to increase email open rates. A/B testing isn't just for marketing agencies anymore.
Playing the domain game
Attackers also rely on a technique known as bulk domain registration in order to phish at scale. In this domain game, criminals can register cheap domains by ordering in bulk. That gives them a large array of domains to choose from, making their campaigns more flexible. They register domains relevant to a particular topic, switching them up in response to emerging news. This is in part why we saw the purchasing of new COVID-related domains skyrocket early on in the pandemic. With attackers becoming more sophisticated, it's time to change the way we think about protecting ourselves. Cybersecurity awareness training will always be useful, but it isn't enough on its own to stave off all social engineering attacks.
Companies need extra layers of defence to increase their chance of stopping attacks, but conventional anti-phishing tools are failing. For example, in one recent email attack that Darktrace saw, a phishing email slipped past Mimecast's email security gateway undetected.
The email directed recipients to a fake Microsoft 365 login page. The attacker used the site to gather the victim's credentials and gain access to their account. The attacker then used the hijacked account to make several private resources including password files and credit card information publicly accessible. After slurping that data, they then perpetuated the attack by using the stolen account to send over 1600 phishing emails in 25 minutes.
Darktrace's Antigena Email spots attacks like these by going beyond the traditional digital signatures and domain blacklists that so often fail legacy tools. Instead, it used a mixture of supervised and unsupervised machine learning techniques to analyse the email's broader context. It was able to detect unusual communication patterns, along with a link that had never been accessed by anyone in the company before.
The promise of AI
By scanning hundreds of data points at once, AI builds an ‘anomaly score’ for an email. These data points are nuanced, covering everything from whether the email includes files (and what they look like), to the sender's and recipient's communications history. Antigena even picks up on solicitation attempts, and identifies ‘hidden links’ contained within emails behind buttons or images.
The tool embodies three key principles of AI as a cyber-defence technology:
AI is nuanced
Conventional tools classify emails as either good or bad. This binary approach is too simplistic. AI goes deeper, using its broad contextual understanding to assess different problems with an email and take the appropriate action.
While Antigena might hold back one email containing known malicious links, it might allow another email through while disabling a macro in its file attachment or disallowing a hyperlink. In other cases, it will let the email through but mark it as a potential spoof. This offers precise, measured protection while allowing business to function as usual.
AI constantly refines its understanding
Even if humans could articulate communications norms, those trends change over time as employees come and go. AI maintains an up-to-date picture of how people normally communicate by continually monitoring and learning from new emails.
AI is built for the cloud
Antigena supports this nuanced, self-learning approach with an architecture that monitors emails without changing the existing email infrstructure. Instead of using MX records, it uses journaling to read emails and APIs to take action. This enables it to protect users without changing the flow of email or becoming a single point of failure. This mode of operation also makes Antigena easy to install. It takes five minutes to set up the API journaling rule and between seven and 10 days for the system to learn context from an organisation's email.
Criminals scaled up their operations to take advantage of the pandemic, and it's unlikely that they'll scale back. As their techniques improve, so do their profits. Large-scale attacks and surgical spearphishing yield significant financial rewards. Organisations must adapt to cope with this morphing threat. That means adopting new playbooks, new technologies, and new tools.
Trial Darktrace for free today
Darktrace is offering a 30-day free trial of Antigena Email, its AI-powered email security technology. Sign up here.
Sponsored by Darktrace