In an era of sophisticated and advanced attack vectors, one can wonder why criminals still resort to the more basic approaches like phishing. The answer is: because it works.
Phishing is still one of the most used attack vectors today and is often the first stage of complex campaigns. Given that most security professionals perceive employees as a company’s weakest link, it’s unsurprising that this is where criminals hit first. Some of the biggest and most devastating cyber attacks, like SolarWinds, started with a phishing campaign. Cyber criminals who choose phishing as their preferred attack vector know its success rate: if you phish enough people, someone is bound to get hooked.
All it takes is one unsuspecting employee, and because of this, more organisations are conducting security awareness training (SAT). But even if 90 percent of workers remain diligent after the training, the last 10 percent is enough to undermine the entire security system. It might not seem like a big risk, but in a 5000-person company, that’s still 500 weak links – every day of every week. Would a business be happy to leave 500 out of 5000 servers totally unprotected? Unlikely.
Traditional email security systems are no longer enough to defend against these relentless attempts. Artificial intelligence, or more specifically machine learning (ML), is on hand to make lives a lot easier. But what exactly are companies fighting against?
The never-ending enemy
The modern-day attack can be broken down into several categories. The type that most individuals receive on a regular basis is the generic phishing attempt that spoofs a popular brand, such as Office 365. Quite often the victim will receive an email directing them to a fake Microsoft login page, set up to harvest any credentials typed in. The same basic attack can be made more sophisticated for targeted campaigns, which are far more convincing in their appearance because they use multi-stage processes and credible information within the email. The real danger arises once the attacker breaches the network. Phishing is often considered the first step for criminals to commence a multi-stage attack. Once they’ve gained access to the network, there are any number of directions an adversary could take.
Business email compromise (BEC) is also a major factor in the email threat landscape. From a detection standpoint, these are much harder to identify as they’re usually plaintext emails, with no phishing artefacts such as URLs or logos to suggest they’re false. A common trend within BEC is the use of business press releases, such as announcements of employee promotions, to shape phishing attacks. Exploiting what we would call ‘human nature’ is a popular and effective approach for threat actors.
These advanced email threats still frequently evade detection predominantly because phishers conduct large-scale attacks and are constantly changing their tactics to avoid known behavioural patterns. Businesses therefore need a shield strong enough to keep up with the never-ending shots fired.
Bringing out the big guns
Machine learning in its simplest form is statistical analysis to recognise a known pattern. Understanding the approaches and pathways taken by phishers will greatly strengthen a company’s defence line and ML is well equipped to provide this data.
This is helpful because it can automate the detection of patterns that we know to be malicious or abnormal. In the context of modern phishing, an informed human can detect a Microsoft phishing email by looking at the email sender or the URL that’s included. Even if the company name appears in the link, it’s easy to tell whether the link is actually hosted on a Microsoft server. ML can do the same, and over time learn to detect all similar phishing attempts before any damage is caused.
Even with BEC, which often doesn’t leave evidence like files or URLs, ML can recognise anomalies based on the content of the email. It monitors the patterns of company employees and can therefore detect any unusual behaviour. With the data accumulated, ML systems can also reasonably predict who might be targeted next based on those who have already been hit. Being able to get ahead of the attackers is the first step towards achieving an effective detection and remediation approach – rather than constantly playing catch up.
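The URL check described above, written out as an added example (not code from the original article or from any Cyren product): it extracts the registrable domain of each link and flags URLs that carry a brand name but are not hosted on a domain the brand controls. The allowlist, brand tokens and sample URLs are constructed for illustration, and the registrable-domain helper is a deliberate simplification (assumption: it takes the last two labels and does not handle multi-part public suffixes such as co.uk, where a real system would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed allowlist: domains the spoofed brand legitimately uses
# (assumption: illustrative, not a complete list of Microsoft-owned domains).
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "live.com", "microsoftonline.com"}

# Brand tokens whose presence anywhere in a URL makes it "look like" the brand.
BRAND_TOKENS = ("microsoft", "office365", "outlook", "sharepoint", "onedrive")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two DNS labels of the host (simplifying assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_features(url: str) -> dict:
    """Extract the lookalike indicators an analyst checks by eye: brand name in the
    URL, but the registrable domain is not one the brand controls."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""          # hostname drops userinfo and port
    reg = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": reg,
        "brand_in_url": any(tok in url.lower() for tok in BRAND_TOKENS),
        "hosted_by_brand": reg in MICROSOFT_DOMAINS,
        "has_userinfo": "@" in parsed.netloc,   # user@host tricks the eye
        "many_subdomains": host.count(".") >= 3,
    }


def is_brand_lookalike(url: str) -> bool:
    """True when the URL advertises the brand but is hosted elsewhere."""
    f = url_features(url)
    return f["brand_in_url"] and not f["hosted_by_brand"]


def scan_urls(urls):
    """Return only the URLs that should be escalated for review."""
    return [u for u in urls if is_brand_lookalike(u)]


if __name__ == "__main__":
    # Constructed sample links as they might be extracted from inbound mail.
    sample = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://login.microsoft.com.evil-host.example/office365/login",
        "http://microsoft.com@198.51.100.7/login",
        "https://example.org/about",
    ]
    for u in scan_urls(sample):
        print("lookalike:", u, url_features(u)["registrable_domain"])
```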
Combining ML with threat intelligence
Maintaining machine learning systems is not a straightforward task. Unlike configuring firewalls, which is done and dusted comparatively quickly, ML requires frequent training and plenty of data to operate. Furthermore, it is limited in its threat intelligence output. It is largely a black box: it can identify that a certain pattern is bad, but it cannot explain why. This is where human intelligence is vital.
Machine learning is effective at spotting anomalies and patterns in real time and at a scale that human workers physically cannot achieve. But when paired with human instinct and intelligence, the system is a force to be reckoned with. It’s important for businesses to derive their own threat intelligence and apply it within their enterprise. ML can detect indicators of a malicious pattern, but it cannot provide feedback on why it’s bad. By analysing the reports developed by ML, security teams can effectively determine the primary targets for criminals within their network and increase security around those specific areas.
With ML, organisations can apply real-time detection and automated remediation to their email security strategy to identify and eliminate phishing threats effectively. But this technology should not be deployed in isolation.
When all elements in an email security stack work symbiotically, the outcome is far stronger. The system can continuously scan emails, attachments and URLs whilst automatically remediating any threats from every affected inbox. In the same way that a business wouldn’t rely on employee detection alone, machine learning should be incorporated into a multi-layered security system to provide organisations with resilient security coverage going forward. Investing in solutions that do this can make the difference between a devastating phishing attack and a protected network.
Cyren is a cloud-based, Internet security technology company based in Israel and providing security as a service and threat intelligence services to businesses.