How are our organisations attacked today? The state-sponsored attacks are usually of an APT variety. If they can’t gain access directly through one of your people, then through your supply chain is effective. The second area is the financially motivated actors; this can range from minor malware-based attacks with ransomware, right up to larger ones that are often attacking organisations through their finance teams. Again, using the supply chain to enact that. You are far more likely to enact a request from someone in your supply chain. Lastly, insider threats – both malicious insiders, someone who has been bribed, or within your supply chain, but also that inadvertent data loss through someone doing something they shouldn’t.
We know that the number one way into an organisation in terms of this risk area is email. That is not only through the mechanism of sending an email, but also gaining access to somebody’s account by stealing credentials. We see that actually, in any given month, 99.9% of attacks are human activated. We have seen a big shift away from getting people to run malware. We are seeing people being impersonated, and accounts being compromised. We have been tracking this to understand the risk.
If we look at email compromise, we are seeing around 15,000 attempts a day over about 1,000 users. We have seen around 7,000 executives impersonated over supply chain and internal. 50% of our customers have had an impersonated VIP in 2020. On average in the last 90 days, CEOs were spoofed 102 times. This is an issue that is increasing year over year.
The FBI have been tracking this particular issue. The first example is a bank in Belgium that was hit by a 70-million-euro fraud in 2019. The second is Lazio, losing 1.75 million Euros. The final payment for a player was intercepted. It’s a great example of supply chain fraud and how easy that is to enact.
If we track this over the last few years, there is a trend. We are interested to see what the FBI publish for 2020. US companies have to report their losses, those of us in Europe do not have to. What is the real figure? That’s open to discussion. The key takeaway here is that the trend is increasing rapidly. We are seeing threat actors turn more to this targeted type of financial fraud attack. Historic focus was on accessing PayPal accounts and the like. Now they are taking time to attack organisations. They are using this to get access into the system to take intellectual property as well.
The issue is internal as well. We have the issue of employees being impersonated, and employees’ accounts being compromised. Impersonating or stealing the account details of a supplier is just as prevalent. How do we monitor and get visibility into that risk? How do we understand the level of risk that poses? The issues of fake you and real you. All of the technology is going to fail.
Other areas of key third party risk – we have talked about financial fraud and malware infection, and also data loss. We also have supply chain failure; what is the risk to your organisation? Supply of malicious code or backdoors in hardware. The current discussion around Huawei, for example. There is also the area of concentrator attacks – the supplier is targeted as a gateway and a growing area of concern.
Ransomware is a concern for taking a business offline. Mostly easy to spot as executives tend to live in each other’s pockets. Now you start to think about the compromise of third-party accounts, those relationships are nowhere near as close. Looking at the monetary loss, it is terrifying. This is up there as a risk, and the possibility of a large monetary loss is likely. Facebook and Google have been defrauded of over $100 million. It will happen. The evidence is that it’s a bigger risk than thought.
A lot of organisations believe they can solve this by putting in internal processes. You can’t employ this with the supply chain in the same way, which is why it’s an angle of attack.
In one organisation there was a breach; an invoice which was supposedly outstanding with different bank details was used for fraud. The supplier’s email system had been compromised, and although the invoice was paid, it wasn’t to them. They would log in and send emails and delete them before they were seen. The culpability was mostly on their side, and cost everyone money. Nobody won. It’s a concern to see this scaling up.
A criminal can make a really good living by going for smaller amounts.
More focus on third party suppliers and getting a secure connection with them. Email fraud is happening on a layer above. Third party connections need to be secure and compliant. The potential oversharing of access – not only secure access, but what you are providing access to, and how data is accessed.
Deep fake – using WhatsApp instead of email. On the other hand, we noticed that some of the attackers are phishers, taking up to six months to prepare their phish. It happens all the time, requests to change bank accounts that are phish. At least once a month. There is always a second check using a different channel. For us, we use no phone numbers. It helps us to detect potential fraud. This is with the supply chain. Lots of small suppliers that don’t have much security in place.
One issue was dealt with as financial fraud. It’s important that security people stay in touch with financial people. Unless they know the threat, they won’t adapt their processes and adapt controls. The path of least resistance; they may shortcut it.
Working with a finance team; developing an awareness message. That goes to all financial people. It works very well and is appreciated. One fraud almost got through. Four or five weeks ago there was an unsuccessful attempt at phishing and we have tightened up. It was almost successful. We saw it quite late, but still in time. It’s about amounts that are around 50,000 euros. For us, it’s a relatively small amount. It’s much easier to get a junior person to sign off who is under pressure and more likely to make mistakes.
How do you deal with brand protection and the external face of your organisation?
Using the organisation to defraud others. WhatsApp scam involving the CEO. Fortunately, we detect them. We didn’t detect them immediately, but we caught them. Some are visible, some are more complex. We have a series of things. We operate in 50 countries. We try to have a way to manage this at scale. We find that new domains are being created and they could be pointed to us as potential phishing attacks. There are firewalls as well. We must prevent malicious traffic jumping in. We try not to use WhatsApp as an internal communication method, but that depends on who owns the devices in use. We keep business decisions off WhatsApp.
Communication channels, especially with social distancing, are problematic. Suddenly every phone has WhatsApp on it. It’s difficult from a compliance perspective.
Proofpoint email protection. What is really moving up is phishing. It’s 95% of attacks. It’s everywhere. What we notice is that when a fake email is dropped into Proofpoint, it’s working much better.
We have observed that around 53% of all malicious emails are phishing.
Most of the phishing was coming from Microsoft’s platform.
It’s a big concern with everyone adopting Cloud. Now you can steal credentials and that gives you a way into an organisation. Theft of third-party accounts – do they need controls? How do you apply them?
Establishing a connection with a third party, we have a process to exchange keys and establish this kind of connection. We have a process to regularly check if the connection is still valid and needed. We usually don’t do changes anymore. Next to that, we don’t have other connectivity with external providers. We used to. That can be easily compromised, and we removed that connectivity. All is now through a secure VPN tunnel.
The next step is to authenticate into individual systems. Is the individual who they say they are? Once you have a dedicated environment with virtual machines it’s an isolated zone. Another level of firewalls is protecting that.
Those firewalls still let data through, however. It’s a tough one to be able to segregate your network properly.
Where do you see ransomware as a risk?
Ransomware can be devastating. The damage can be not even comparable with email threats. It is usually targeting systems. It can be in the system for months. We have different layers of defence. We have next generation firewalls – C&C – command and control centres. We will be notified immediately where there are PowerShell scripts on systems where they do not belong. It isn’t 100% waterproof, but it delays a lot of propagation on the network.
Ransomware – email is an attempt, and we can mostly filter those. Ransomware is a bit different. The impact of an attack, so far, we’ve seen companies where it’s been blocked. There are ways to prevent it and reduce the impact.
Ransomware 2.0 – they get into your organisation and steal your data, which gives them leverage over you. It’s interesting to see that the email account compromise is a forward indicator of a bigger threat. If you have a ransomware attack, you have to think what has happened earlier on in the kill chain. It’s important to look. There is a connection between email attacks and ransomware.
Some of the new visibility on supply chain risk – one of the key vectors is not only impersonation, but account compromise. We also have data loss. We want to give organisations visibility of potential risk upfront. What we realised is that we have got a huge amount of data. Through all of the email traffic we see globally – we process about one in eight of the world’s traffic – this has given us great visibility into impersonation across the globe. We also see lookalike domains and brand spoofing.
Because account compromise is so often used to effect attacks, we look at supply traffic for an organisation to see risk. We score risk. How do you encourage business partners to deploy email authentication? We look at trends over time. We give a threat score so that organisations can be pro-active. Is this visibility around high risk something we can see value in?
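A constructed illustration of the lookalike-domain visibility and supplier risk scoring discussed above. This is added example code, not Proofpoint's own scoring logic; the supplier domain list, the character substitutions and the similarity thresholds are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of known supplier domains (assumption, not from the discussion).
KNOWN_SUPPLIER_DOMAINS = {"acme-parts.example", "northwind.example", "contoso.example"}

# Digit-for-letter swaps commonly used in lookalike registrations (assumed set).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold a domain so that homoglyph, digit-swap and punctuation tricks collapse."""
    d = domain.lower().strip().rstrip(".")
    # Strip accents so e.g. 'acmé' folds to 'acme'.
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    d = d.replace("rn", "m").replace("vv", "w")   # 'acrne' -> 'acme', 'vvest' -> 'west'
    d = d.translate(DIGIT_SWAPS)                  # 'n0rthwind' -> 'northwind'
    return d.replace("-", "").replace(".", "")    # hyphen/dot insertion is a common trick


def classify_sender_domain(sender_domain: str, known=KNOWN_SUPPLIER_DOMAINS):
    """Return (verdict, closest_known_domain) for an inbound sender domain."""
    raw = sender_domain.lower().strip().rstrip(".")
    if raw in known:
        return ("known", raw)
    folded = normalise(raw)
    best_domain, best_score = None, 0.0
    for k in known:
        score = SequenceMatcher(None, folded, normalise(k)).ratio()
        if score > best_score:
            best_domain, best_score = k, score
    if best_score >= 0.99:        # identical after folding: a homoglyph or digit-swap lookalike
        return ("lookalike", best_domain)
    if best_score >= 0.85:        # a typo-distance variant
        return ("suspicious", best_domain)
    for k in known:               # supplier brand embedded in a longer, unrelated name
        brand = normalise(k.split(".")[0])
        if len(brand) >= 5 and brand in folded:
            return ("suspicious", k)
    return ("unknown", best_domain)


if __name__ == "__main__":
    for d in ["acme-parts.example", "acrne-parts.example", "n0rthwind.example",
              "contoso-invoices.example", "totally-unrelated.example"]:
        print(d, "->", classify_sender_domain(d))
```

Feeding each inbound sender domain through this check, and counting lookalike or suspicious verdicts per supplier over time, gives a simple per-supplier trend of the kind the discussion describes.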
Does this visibility change how you provide access into a supplier? If there is a suspicious account, does it change how we authenticate? We can take the next step with a supplier on what kind of traffic is going through the tunnel to do some deep dive checks. Once we establish a connection with a third party, we are checking on a yearly basis. We don’t have any kind of alert we are looking at. If a supplier is compromised, we would take the action to look at what kind of traffic is going through the tunnel and if it is normal. We would take a closer look. But today, we don’t have that.
How do you keep a track on third parties?
How do you keep a track on their security postures? BitSight and RiskRecon – score the risk. Not terribly useful, but when it changes, it can alert you to the need to have a conversation and the chance there is fraud coming from them.
Third party security is an art. How do you get assurance when there are thousands to look after in terms of contractual obligations? It’s a whole industry to try to keep on top of.
In terms of audits and testing, there are different controls. It’s also very easy to work with them because they understand the critical nature of the topics. Sometimes a vendor who doesn’t provide a service in the right way might create a problem. This is an interesting focus. On the external side, we have some tools that allow us to give a security score on cloud solutions. What does the outside tell me about this vendor?
How do you protect your company from external spoofers?
We have a team that is improving the email filtering system. We are aware of the risks that are associated. What we try to do regarding email is that we try to scan the deep and dark web using a partner and technologies that allow us to work with the filtering system and increase its success rate.
It’s an ongoing effort. Email spoofing is still one of the most specific ways companies are being attacked.
How do you ensure your users are aware of the threat from third parties?
How is your organisation educating you and your colleagues about how to be suspicious enough without breaking relationships and processes? You don’t want to have to phone to double check every time.
Internal training – all employees need to pass a certain security awareness. From time to time, focusing on email spoofing. There are emails sent around by the security department and if you click on it, then you are automatically directed to an awareness session and you need to follow the training again. This is continuous. It’s hard to spot if you are busy and it’s easy to be fooled.
Information protection – how should you be sharing data with third parties? There is also a data classification policy for email. It is part of the security awareness training. The higher a classification, the greater the training.
What we need to focus on going forward is how you break the established trust. It’s a different problem than just spotting a phishing email. When you see an email that appears to come from your boss, to think twice before you act on it. How do we put the trust back in? It’s a tough dilemma.
How do you start to protect the people and build that trust from identities? Especially if you can’t just walk down the corridor and check? The threat actors know that everyone is remote, and we see a change in the type of lure. They are still focused on people’s vulnerability. The adoption of Cloud has really pushed that forward. The chance of having your identity stolen and used against you has increased.
Training on security is many man-weeks long. It’s the right training for the right people at the right time, and the ability to identify who those people are, who are of special interest to the ‘bad guys’.
This also extends to the monitoring of account access. Are we seeing lots of access attempts from unknown locations? Is there more credential phishing? This all plays into visibility and both third party and internal risk.
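A constructed example of the account-access monitoring mentioned above: sign-ins from a country outside a user's usual baseline, and one source failing against many accounts. This is added example code, not any product's logic; the sign-in log format, the sample events and the per-user baseline are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events (assumption): timestamp, user, source IP, country, result.
SAMPLE_EVENTS = """\
2020-11-02T08:01:12Z alice 203.0.113.5 GB success
2020-11-02T08:03:40Z bob 198.51.100.7 GB success
2020-11-02T09:15:02Z alice 192.0.2.44 NG success
2020-11-02T09:15:30Z carol 192.0.2.44 NG failure
2020-11-02T09:15:31Z dave 192.0.2.44 NG failure
2020-11-02T09:15:33Z erin 192.0.2.44 NG failure
2020-11-02T09:15:35Z frank 192.0.2.44 NG failure
2020-11-02T09:15:36Z grace 192.0.2.44 NG failure
2020-11-02T10:00:00Z bob 198.51.100.7 GB success
"""

# Assumed baseline of countries each user normally signs in from.
BASELINE = {"alice": {"GB"}, "bob": {"GB", "DE"}}


def parse_events(text: str):
    """Parse the whitespace-separated sign-in log into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "country": country, "result": result})
    return events


def find_unknown_location_logins(events, baseline):
    """Successful sign-ins from a country outside the user's baseline (possible account compromise)."""
    return [(e["user"], e["country"], e["ip"]) for e in events
            if e["result"] == "success" and e["country"] not in baseline.get(e["user"], set())]


def find_multi_account_failure_sources(events, min_users=5):
    """Source IPs whose failed sign-ins span many distinct accounts (a credential-attack pattern)."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("unknown-location logins:", find_unknown_location_logins(evs, BASELINE))
    print("multi-account failure sources:", find_multi_account_failure_sources(evs))
```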