Defending Against Email Attacks Means Optimizing Your Team (Not Just Your Tech)

Originally published by CXO REvolutionaries here.

Written by Heng Mok, CISO APJ, Zscaler.

Social Engineering is Still Very Much in Style Among Attackers

Though cybersecurity is a swiftly evolving field, one principle remains constant: it’s often easier to fool people than to circumvent security tech.

Sometimes social engineering leads to an initial breach: a remote employee (who is actually a malicious actor) is granted access by deceived support staff. Once inside, they go on to explore internal networks, compromise key assets, and orchestrate additional attacks such as deploying ransomware.

It’s also possible for attackers to orchestrate serious security breaches that involve no unauthorized access or subsequent technological manipulation at all.

One successful technique is business email compromise (BEC). Using this tactic, a malicious actor simply sends an email posing as a trusted employee to company insiders. Once they gain trust, the attacker manipulates victims into taking actions like transferring money to a remote bank account under the threat actor’s control. These attacks have been part of the internet threat landscape as long as email has been popular and show no sign of slowing down. If anything, they’re escalating.

Consider the recent case of the FBI’s Operation Eagle Sweep of late March 2022, which led to the arrests of multiple Houston residents over BEC schemes. In that instance, attackers requested wire transfers from businesses, recent real estate purchasers, and senior citizens – over 500 in all – leading to losses estimated at $51 million. If that figure sounds incredible, understand it’s just a drop in the bucket. The FBI says that BEC attacks generated almost $2.4 billion in global losses in 2021 alone.

Dissecting a Modern Email Attack: Methods and Goals

The methodology involved in a BEC attack is usually quite simple. The attacker begins with target analysis by determining who within an organization is a trusted authority capable of requesting successful payment transfers.

The attacker then creates a domain name similar to the true domain to fool a casual observer, compromises a trusted employee's email account, or breaches the trusted organization's email infrastructure. The threat actor then generates a (hopefully) convincing email complete with the appropriate visual content. Once this is done, it’s simply a matter of sending it to carefully chosen targets and waiting to see what happens.

Because BEC attacks require little investment or research, they are easy to repeat at scale, which is precisely what attackers often do. These attacks require as little as a spoofed domain name and an example of the target company’s email style, including logos and standard footer text. This, along with browsing LinkedIn to identify the most suitable authority to imitate when making transfer requests, is all it takes to get started.

Building a Security Culture is Your Best Defense

The reason BEC attacks remain popular, decade after decade, is that they work – and the fundamental reason they work is that there is no easy fix.

Blocking BEC attacks is difficult because:

• External emails will always be necessary for business purposes
• No malware is usually included or needed in these attacks
• It’s hard to configure technology to recognize a spoofed domain (as opposed to a legitimate domain that simply isn’t the same as the company’s)

The best way to shield organizations from this threat is to train workforces on how BEC attacks work, how to recognize them, and what to do if in doubt.

Specifically, IT security leaders should build security awareness and train staffers to look for the following key signs:

• Any unexpected communication from someone outside of the normal chain of command, or unexpected contact from highly ranked individuals within the organization. Attackers typically do not invest enough time to determine their target's position on the chain of command. They usually don't know who has sufficient authority to complete the desired request. For this reason, attackers will often adopt a high-level persona such as a CEO, COO, CFO, or board chairman, whose job role empowers them with maximum authority. If an employee does not regularly interact with high-level staff, unexpected communication on their behalf should raise a red flag.
• Any request requiring action that is not typically part of job duties. The most obvious instance would be a money transfer of some kind. Other examples include requests for key information, requests for temporary access to company resources, requests to change or confirm a password, etc. These requests demand that standard authentication protocols be followed, and those protocols must involve rigorous identity verification beyond a simple email.
• Any email domain that is not identical to the company domain. Even tiny changes like a newly-introduced hyphen can give away a BEC attack. But without training, staffers may not be paying attention to the domains their emails originate from. Attackers are counting on their targets only checking the name of the sender, and not scrutinizing other aspects of the email.
• Stylistic choices in emails that deviate from the company norm. For instance, financial sums specified in a wire transfer may involve incorrect currencies. Calendar dates may be rendered in American style when one would expect a European one (or vice versa). Additionally, logos may be out of date, wrong, or .signature files may not match corporate mandates. Any deviation from an expected, established norm should raise suspicions.

Blocking BEC with Zero Trust Fundamentals

Like many cyberattacks, BEC relies heavily on users and systems naively extending their trust to areas that are exploitable. The attackers want targets to trust the validity of a dangerous domain that looks similar to ones legitimately used by their organization. They want targets to trust the authority of the fake identity used to author the email. They want targets to trust the legitimacy of their request, whether it is for more access, information, or money. The entire threat campaign hinges upon acquiring trust throughout multiple stages of the attack chain.

This reliance on trust makes BEC attacks particularly ineffective against organizations implementing a zero trust security framework. Core aspects of zero trust – including rigorous identity authentication, least privilege access, and monitoring encrypted traffic – block BEC attacks on multiple levels. I mentioned earlier that stopping BEC attacks with technology is difficult for several technical reasons. Zero trust principles, however, can mitigate these attacks by changing the business process and conditions by which we communicate.

The changes include implementing verification controls into an invoicing payment process, limiting emails to verifiably known actors, transacting over safe and monitored infrastructure, and adopting an "assume breach" mentality with custom detection rules for these attacks.

Implementing such a holistic approach strips BEC attacks of the resources they need to succeed.