Request a Demo of Tessian Today.

Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

State of Email Security 2022: Every Company’s Riskiest Channel |  Read the Full Report →

Tessian Blog

  • All
  • Customer Stories
  • Compliance
  • Email DLP
  • Integrated Cloud Email Security
  • Data Science
  • NULL
    array(14) { [0]=> object(WP_Term)#10552 (11) { ["term_id"]=> int(5) ["name"]=> string(16) "Customer Stories" ["slug"]=> string(16) "customer-stories" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(5) ["taxonomy"]=> string(8) "category" ["description"]=> string(155) "Read our latest Customer Stories, interviews and news. Learn how Tessian protects organisations in Financial Services, Legal, Technology and other markets." ["parent"]=> int(2) ["count"]=> int(46) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "2" } [1]=> object(WP_Term)#10148 (11) { ["term_id"]=> int(120) ["name"]=> string(10) "Compliance" ["slug"]=> string(10) "compliance" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(120) ["taxonomy"]=> string(8) "category" ["description"]=> string(143) "Read our latest articles, tips and news on Compliance including GDPR, CCPA and other industry-specific regulations and compliance requirements." ["parent"]=> int(0) ["count"]=> int(39) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "3" } [2]=> object(WP_Term)#10149 (11) { ["term_id"]=> int(116) ["name"]=> string(9) "Email DLP" ["slug"]=> string(20) "data-loss-prevention" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(116) ["taxonomy"]=> string(8) "category" ["description"]=> string(144) "Read our latest articles, tips and industry-specific news around Data Loss Prevention (DLP). Learn about the implications of data loss on email." ["parent"]=> int(0) ["count"]=> int(94) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "2" } [3]=> object(WP_Term)#10150 (11) { ["term_id"]=> int(2) ["name"]=> string(31) "Integrated Cloud Email Security" ["slug"]=> string(20) "human-layer-security" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(2) ["taxonomy"]=> string(8) "category" ["description"]=> string(301) "Integrated Cloud Email Security solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.  Learn more about what they are, the benefits of using them, and how you can best evaluate those on offer." ["parent"]=> int(0) ["count"]=> int(130) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "4" } [4]=> object(WP_Term)#9416 (11) { ["term_id"]=> int(486) ["name"]=> string(12) "Data Science" ["slug"]=> string(12) "data-science" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(486) ["taxonomy"]=> string(8) "category" ["description"]=> string(0) "" ["parent"]=> int(0) ["count"]=> int(1) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "1" } [5]=> object(WP_Term)#9415 (11) { ["term_id"]=> int(341) ["name"]=> string(17) "Data Exfiltration" ["slug"]=> string(17) "data-exfiltration" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(341) ["taxonomy"]=> string(8) "category" ["description"]=> string(154) "Access Tessian's library of free data exfiltration posts, guides and trend insights. Acidental data loss, insider threats, and misdirected emails content." ["parent"]=> int(116) ["count"]=> int(34) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "2" } [6]=> object(WP_Term)#9414 (11) { ["term_id"]=> int(433) ["name"]=> string(14) "Remote Working" ["slug"]=> string(14) "remote-working" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(433) ["taxonomy"]=> string(8) "category" ["description"]=> string(163) "Access free tips from security leaders and new research related to remote working and hybrid-remote structures. Level-up your cybersecurity for a remote workforce." ["parent"]=> int(116) ["count"]=> int(15) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "1" } [7]=> object(WP_Term)#9413 (11) { ["term_id"]=> int(384) ["name"]=> string(7) "Podcast" ["slug"]=> string(7) "podcast" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(384) ["taxonomy"]=> string(8) "category" ["description"]=> string(345) "Cybersecurity podcast series on the human factor, discussing why we need to focus on people - not just machines and data - to stop breaches and empower employees. Tim Sadler, CEO of Tessian meets with business, IT and security leaders to flip the strict on cybersecurity and share best practices, cybersecurity challenges, threat intel and more." ["parent"]=> int(2) ["count"]=> int(9) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "1" } [8]=> object(WP_Term)#9412 (11) { ["term_id"]=> int(411) ["name"]=> string(12) "Threat Intel" ["slug"]=> string(19) "threat-intelligence" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(411) ["taxonomy"]=> string(8) "category" ["description"]=> string(155) "Tessian Threat Intelligence and Research team uncovers trends and insights in email security related to phishing, social engineering, and more. Learn more!" ["parent"]=> int(2) ["count"]=> int(20) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "3" } [9]=> object(WP_Term)#9411 (11) { ["term_id"]=> int(3) ["name"]=> string(7) "ATO/BEC" ["slug"]=> string(14) "spear-phishing" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(3) ["taxonomy"]=> string(8) "category" ["description"]=> string(166) "Get up to speed on the latest tips, guides, industry news and technology developments around phishing, spear phishing, Business Email Compromise, and Account Takeover" ["parent"]=> int(0) ["count"]=> int(142) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "5" } [10]=> object(WP_Term)#9410 (11) { ["term_id"]=> int(352) ["name"]=> string(15) "Life at Tessian" ["slug"]=> string(12) "team-culture" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(352) ["taxonomy"]=> string(8) "category" ["description"]=> string(149) "Learn more about Tessian company news, events, and culture directly from different teams. Hear from engineering, product, customer success, and more." ["parent"]=> int(0) ["count"]=> int(42) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "6" } [11]=> object(WP_Term)#10429 (11) { ["term_id"]=> int(435) ["name"]=> string(21) "Interviews With CISOs" ["slug"]=> string(21) "ciso-spotlight-series" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(435) ["taxonomy"]=> string(8) "category" ["description"]=> string(164) "Learn how to navigate the threat landscape, how to get buy-in, and how to break into the industry from these cybersecurity leaders from Shell, Penn State, and more." ["parent"]=> int(0) ["count"]=> int(32) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "7" } [12]=> object(WP_Term)#10421 (11) { ["term_id"]=> int(436) ["name"]=> string(16) "Engineering Team" ["slug"]=> string(16) "engineering-team" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(436) ["taxonomy"]=> string(8) "category" ["description"]=> string(134) "Tessian's engineering team shares tips for solving complex problems. Get advice related to QAs, 502 errors, team management, and more." ["parent"]=> int(352) ["count"]=> int(17) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "1" } [13]=> object(WP_Term)#10554 (11) { ["term_id"]=> int(434) ["name"]=> string(16) "Cyber Skills Gap" ["slug"]=> string(16) "cyber-skills-gap" ["term_group"]=> int(0) ["term_taxonomy_id"]=> int(434) ["taxonomy"]=> string(8) "category" ["description"]=> string(149) "Learn more about the cybersecurity skills gap and cybersecurity gender gap. Research and interviews with industry leaders and champions of diversity." ["parent"]=> int(435) ["count"]=> int(19) ["filter"]=> string(3) "raw" ["term_order"]=> string(1) "1" } }
Threat Intel
“No Pain No Gain” Impersonation Campaign – Sending Stolen Credentials to Telegram Group
by Catalin Giana Thursday, November 10th, 2022
The Tessian Threat Intel team discovered a new Microsoft impersonation campaign in the wild called “No Pain No Gain.” The campaign utilizes a Telegram API call to harvest credentials to a malicious chat group on the messaging platform – a common tactic that was first identified last year. The threat actors also relied on heavily encoding the malicious attachment.  Read further to see how we reviewed the attachment, and the steps we took to de-obfuscate it. We also show what the harvested credentials look like when received by the Telegram BOT API. The victim receives an email with an HTML attachment called Setup Outlook-mail.html. Upon opening it you are redirected to a page that impersonates Microsoft’s login, with the victim’s email address already embedded in the page.                                  Impersonated Microsoft login page
Although this is not impressive at this point. At face value it appears to be a run-of-the-mill impersonation campaign that has been seen before. Where it gets interesting is that upon inspecting the HTML page it is apparent that great effort was taken to obfuscate the code. Decoding the HTML attachment Obfuscated code
Step 1 The HTML page contains multiple layers of obfuscation that needed to be removed manually in order to reveal the original content. After escaping all the javascript-encoded characters we were left with a more readable script. Code snippet before base64 decoding Step 2 In order to reveal the actual HTML script we had to decode the string found in the data variable which we found out was base64 encoded. After another step of decoding and beautifying, we found the readable HTML code. Decoded data variable Outcome All the magic can be found in the code snippet above. What is unique about this campaign is the fact that instead of using a command and control server to store the stolen data, it is using the Telegram app, via the Telegram API to a malicious chat group on the messaging platform. The stolen information contains usernames and passwords that can be used to compromise Microsoft email accounts. The sent message also has the geolocation of the victim and the User-Agent that was used.
Telegram testing with our own channel We created a Telegram chat group for testing purposes to see exactly how the stolen data i.e. the credentials are harvested and sent out via the Telegram API (see graphic below). Using an impersonated Microsoft login-in page, the threat actors prompt the victim for a password, this triggers a pop-up message indicating that the first password entered is incorrect or too short. The victim is then prompted to submit a second password, which then appears to be a successful log-in.  In addition to harvesting the credentials, other collected data includes the victim’s IP address by using the ip-api.com service. All the stolen data is stored in the malicious Telegram chat group in the format below. Example of harvested credentials message  
When we use the getChat endpoint, we received the response below from the malicious Telegram group chat. We were able to identify the group ID, the group name and determine that the channel is private. Group ID   We were also able to determine that the malicious Telegram group chat has two members. Group Members   After further investigation we were unable to access the contents of the Telegram chat group due to privacy and security settings set by the threat actors. We based this determination on the fact that the value of the parameter “can_read_all_group_messages” is set to “False”. Privacy Settings
Indicators Here is a table of indicators that can be filtered or searched on in your logs for any potential past leaks, or signals for any attempts. Object Indicator Telegram Bot ID 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk Telegram Channel ID 5748272550 Email Attachment Filename [T1598.002] Setup Outlook-mail.htm Setup Outlook-mail.html Starting Text <script>var emai\u006c=” Telegram API Exfiltration [T1071.001] https://api[.]telegram[.]org/bot$botid_value/sendMessage?chat_id=$channel&text=$credentials $botid_value = the value that Telegram BotFather provides for the bot 5695672431:AAF0Bzm_wh3g13sO-CDFeWWC-k6kWv7-Emk $channel = the value of the channel at Telegram 5748272550 $credentials = The data that is being sent to Telegram and the fraud channel hosted there  
Conclusions and Recommendations  Don’t open attachments from unknown sources, especially if you weren’t expecting an Invoice/Outlook Setup/Resume etc. If you opened an attachment and you are still unsure please send it to your security team for review. Ensure that your organization utilizes an intelligent email security solution that can prevent and detect advanced impersonation campaigns. If you have security experience, you can open the HTML page in a text editor before running it, if it’s highly obfuscated as in the first screenshot above there is a high possibility that it’s likely to be malicious.  Additionally the US Cybersecurity and Infrastructure Security Agency (CISA) offers useful advice for staying safe as well as a list of free cybersecurity tools: The UK’s National Cyber Security Centre (NCSC) also has offers useful guidance for staying safe:
Read Blog Post
Life at Tessian
A fresh new look for a world in need of Intelligent Cloud Email Security
by Adrian Jozwik Wednesday, November 9th, 2022
When you visit Tessian’s website, download a piece of content or see our social media channels you will notice something different. We have redesigned our brand with one thing in mind, our customers. We have focused our brand to reflect what we do best and that is to protect you and your people. At Tessian, we understand the importance of helping you protect your organization from advanced cyber threats such as business email compromise ransomware while also ensuring we stop insider risks, whether accidental or malicious over email. We place this responsibility in the highest regard. Intelligence at the very core With all of this in mind, we wanted to create a brand that reflects the trust you place in us and is guided by the values we at Tessian represent. A brand that is: At the highest degree of Intelligence, where we focus on high value security technology that solves hard problems Customer centric because we know you and your people need intelligent technology that is focused on protecting, together. On the front line of intelligently protecting organizations and users with the latest in technology. The Tessian Cloud Email Security Platform utilizes unparalleled behavioral intelligence to stop the attacks that could hurt you the most. Tessian prevents attacks from coming into the inbox while protecting against intentional and accidental data loss over email by leveraging behavioral intelligence modeling. Because of this deep behavioral understanding, we can predict the right decisions each person should make when interacting with email and intervene to protect your users and your organization from email-based threats. Because Intelligence comes in all shapes and sizes Tessian’s brand had to represent not only the high levels of intelligence our products offer but also represent the people that interact with our products. The visual language we have created is more serious, more aligned with the industry we’re in, and gives a clear message of how our products work to protect you. We have delivered a new look and feel and a website to reflect our primary focus. We want our customers and partners to be able to find and recognize Tessian when they need to. For Tessian to break through the noise, it was time to come out of our shell and emphasize the capabilities we provide and the values we stand for. Make no mistake, our technology is differentiated and complete – Cloud Email Security which is unmatched at protecting you against cyber attacks, bar none. Taking a deeper look A large part of any brand is the visual identity it encapsulates for the company, and the way its products are perceived by those who experience it. We wanted to achieve a brand that was ‘FWD:Thinking’ (also the name of our recent security summit), reflecting the ever changing attack landscape our customers live in and one that stays front of mind for those that we protect.  
We started with looking at the foundations of our new brand. The most important part was to ensure we could communicate our solutions through our imagery. We decided to utilize hexagons for two reasons: Firstly they convey strength. Secondly, Tessian is built on six values; each side represents one of our values. Placing a person behind a frosted glass demonstrates the true nature to how our solutions work, keeping you safe from cyberattacks and attackers at bay. The same tile allows Tessian to see right through and see the attacks which otherwise would have been hidden from view. Furthermore, we often combine this visual device with an example of a suspect email, demonstrating how our behavioral intelligence sees its true nature. Various triggers are called out as Tessian , identifies and analyzes behaviors and highlights threat signals, coming together to drive an unparalleled level of intelligence.  
You will also see customer iconography across our new website and assets. Each icon represents different areas of the product from behavioral intelligence to preventative capabilities. Each icon holds its own place in telling the Tessian story.  
Darker tones and more harmonious colors are now utilized in our new color palette. We wanted a color palette that you can relate to while feeling assured, yet also colors that appear serious but still approachable. We can distinguish between good and bad by using a straightforward red and blue combination, which we will then emphasize with a simple white and gray background. Finally, the keen eyed among you might even notice a subtle difference in our logo. While we wanted to keep the identity our logo gives us, we also wanted it to reflect the sharpness we have in detecting and preventing cyber-attacks. Our mission to Secure the Human Layer Gartner stated in the 2021 Market Guide for Email Security that customers are now looking for solutions that integrate directly into cloud email via an API, rather than as a gateway and that a behavioral approach is needed for both threat protection and data protection on email. That’s why we’re building intelligent security that works for human beings as they are, not how security policies would like them to be. Using machine learning technology, Tessian automatically predicts and eliminates advanced threats on email caused by human error – like data exfiltration, accidental data loss, business email compromise and phishing attacks – with minimal disruption to employees’ workflow. As a result, employees are empowered by security. Our new brand encompasses our mission and approach to security, however since the company started we never shy away from the hard problems to solve. We put our customers’ problems at the heart of everything we do and intelligently solve them.  
Read Blog Post
Threat Intel, ATO/BEC
Tessian Threat Intel Roundup: Advanced Phishing Attacks
by John Filitz Monday, October 31st, 2022
On the back of Cybersecurity Awareness Month in October 2022 with key recommendations to protect against phishing attacks, we delve deeper into the latest Phishing-as-a-Service offering known as Caffeine, first identified by Mandiant. We also unpack an impersonation campaign we identified in the wild called Logokit. And in other notable news, a misconfigured Microsoft endpoint storage vulnerability dubbed BlueBleed was exposed by researchers at SOCRadar, potentially exposing sensitive data for thousands of customers. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.     • Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web.  • The commercialization of these PhaaS exploit kits and threat actors’ services are removing the barriers to entry for carrying out attacks, at scale.  • The most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against Microsoft 365 targets.  • Tessian Threat Intel recently identified a Business Email Compromise (BEC) campaign in the wild called Logokit. • Logokit uses randomized spoofed pages and brand logos for purposes of harvesting login credentials. In one instance we found that a spoofed version of a Microsoft login page was being used in an attempt to capture credentials. • Researchers from SOCRadar identified six misconfigured Azure buckets which it has dubbed BlueBleed. • The BlueBleed exposure according to SocRadar is among the most significant B2B leaks ever, exposing sensitive data of 65,000 entities across 111 countries.  • Microsoft immediately rectified the privacy settings on the exposed buckets, thanking SOCRadar, however disputing the extent of the exposure.
Phishing remains a persistent threat and security challenge. Threat actors continue having significant success using social engineering attacks to compromise organizations. And there is no silver bullet to protect against social engineering attacks.    Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of a social-engineering-related breach be reduced. Utilizing a best-in-breed solution that has advanced social engineering defense capabilities and that reinforces security culture strengthening like Tessian is increasingly essential to address an ever-evolving threatsc
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Interviews With CISOs
Watch Again: Fwd: Thinking – The Intelligent Security Summit
by Andrew Webb Thursday, October 27th, 2022
If you missed Fwd: Thinking – The Intelligent Security Summit, don’t worry. We have every session available on demand right here. You can also watch past sessions of previous Tessian summits over on our knowledge hub.   Five Email Security Stats You Don’t Already Know (But Wish You Did)   The summit kicked off with Tessian’s John Filitz in conversation with Ram Ganeshanathan — VP of Enterprise Security at Arm, and Anuj Tewari, CISO at  TMF Group. Together they discussed the findings from our latest State of Email Security Report, comprising global research into email security trends for 2022. The panel then revealed where your focus should be as we head toward 2023.   The Growing Threat of Impersonation and Account Takeover Attacks   Impersonation and Account Takeover (ATO) attacks are the leading threat vectors that result in Business Email Compromise (BEC) and represent among the greatest cybersecurity threats to enterprises. In this session, Tessian’s Paul Laudanski is joined by David Kennedy – CEO and Ethical Hacker at TrustedSec, James Fernley –  Head of IT Security, BDO UK, and Jason Thomas — CIO, Cole, Scott and Kissane for a lively discussion on the growing threat of account takeover attacks, and how to mitigate them.    Making the Case for Cybersecurity Spend? What’s the risk really worth?   We need to talk about risk. And you can’t talk about risk without talking about spending. It’s a fact that as companies think about growing efficiently, security is often bumped down the agenda. Nate Tombs, CISO at Man Group, Marco Garcia, Field CTO at Torq and Tessian‘s Josh Yavor explore how to prioritize cyber risk as a business risk and explain how to demonstrate ROI so that all business leaders can speak the same language and avoid that worst case scenario. Isn’t Security Everyone’s Responsibility?    Fact: Your end users don’t really care about cybersecurity. Our recent Security Cultures report found that 1 in 3 workers do not think they play a role in maintaining their company’s cybersecurity posture while only 36% say they’re paying full attention to security awareness training. Ash Hunt – Group Head of Information Security at Sanne Group, Imraan Dawood – Information Security Officer, Investec and Tessian’s Kim Burton take a look at why this is and what a better approach to building a stronger security culture looks like.   Lessons Learned on the journey to a Machine Learning Platform   Tessian is built on machine learning and artificial intelligence. In this session, Daniel Linder — Senior Director of Data Science at Tessian, takes you on the journey of building a Machine Learning system in the InfoSec world. You’ll also get to peek behind the curtain into building and scaling a team of data scientists and engineers, as well as some practical tips on how to apply machine learning  in ways that are most impactful now, and not in 10 years’ time.     How to Survive and Thrive in Cybersecurity Finally, we were delighted to welcome our keynote speaker and guest, Helen Rabe, CISO at the BBC. Large enterprises like the BBC are high-value targets for attackers, in this wide-ranging talk, Helen explains her approach to cybersecurity and details what it takes to be a successful and savvy security leader.   
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
ATO/BEC
Board Members Believe Their Companies Are Unprepared For A Cyberattack
by Andrew Webb Friday, October 21st, 2022
As our recent webinar discussed, cybersecurity has become a C-suite issue. Any successful attack will need input from all its executive members: the CEO for steadying the ship and communicating to investors and the Board, the CISO, CIO, CFO and COO to respond and deal with the actual breach and ensure business continuity. Then there also is the fine balancing act of strategic PR and media communications.   Consequently, cyberattack resilience and response should be on the agenda of every company’s monthly or quarterly Board meeting. Boards can provide the oversight companies need in planning and executing their security strategy. Because and although Board members might not always understand the technical fundamentals of cybersecurity, recent headlines mean they at least understand the financial implications of a cybersecurity breach.   So it’s all roses, right? Well not so much. A recent report from MIT Sloan and Proofpoint reveals that many Board members feel their companies are woefully under-prepared for a cyberattack. What’s more, there is a large disconnect between what the Board wants to prioritize and what Chief Information Security Officers (CISOs) view as important. Here then, are some of the key takeouts.
First the good news: The report found that 77% of Board members agree that cybersecurity is a top priority for their board. Now the not-so-good news. Although most Board members are aware of the risk of cyber attacks, that hasn’t translated into preparedness. Forty-seven percent of all Board members believe that their organization is unprepared for a cyber attack, and about the same amount of CISOs agree.   As discussed, CISOs & Board Members disagree on the most critical consequences of a cybersecurity incident. Internal data becoming public is of the most concern for boards while CISOs are more worried about significant downtime and disruption of operations. In reality, both are a problem for organizations.   The report specifically highlights the Board’s approach to the number one cause of cyber attacks. Two-thirds (67%) believe human error is their biggest cyber vulnerability and notes that ‘… people throughout the organization, including board members, know what to watch for and what to do should they encounter a questionable email, link or website. Board members have both a personal and professional role to play. They, too, can be targets of cyber criminals who want to get into companies.   We’ve seen this across many senior levels in organizations: where the c-suite themselves are at much higher risk of an attack than many ordinary employees because they rely much more on power dynamics.   So what’s the answer to this mismatch between the Board, the C-suite, and the CISO?
Firstly, as the report notes, Board members in most countries had markedly different perceptions of cyber risk than their CISOs. That can be addressed through dialogue and better communication. Crucially though, those conversations must approach the issue from a business angle, rather than purely a technological one.    Secondly, on the human error piece, CISOs must put in place not only technological solutions, but also the cultural framework that makes security an ‘always on’ issue for the company and staff. We addressed exactly this aspect in our recent Security Cultures Report, which offers advice on how to bake better security awareness into your staff’s day-to-day routine.    Thirdly, harness the power of the Board. If leaders and parts of the business see cybersecurity as a top priority for the Board, then they’ll do the same. One easy way to do this is to make cybersecurity an agenda item at every monthly or quarterly Board meeting, and establish good cyber metrics to help track your progress.
Read Blog Post
Email DLP, Data Exfiltration, ATO/BEC
What is email security and why it’s important
by John Filitz Thursday, October 20th, 2022
Fact: email is responsible for up to 90% of breaches, consequently email security is at the core of keeping your organization and its data safe and secure.   As cyber risk continues to increase, having robust email threat prevention in place can mean the difference of preventing threat actors from gaining a foothold and establishing initial access. It can also provide critical visibility and control over data within the organization, significantly reducing insider risk.   Why email security deserves greater attention   It might seem like a basic question, but when you drill into what email security is and what it entails, it is fundamentally about data security. With the typical organization sending and receiving hundreds and thousands of emails on a monthly basis, explains why email is regarded as the lifeblood of organizations.    From a security standpoint, given the critical data transportation role played by email, helps explain why email security is increasingly being regarded as one of the cornerstones of data security.  Another security consideration is the open architecture character of email – making email an accessible attack vector. Anyone can send an email to any individual or organization making the threat vector extremely attractive to exploit. Want to email the CEO of a company? Their name is probably in the public domain and so their email is likely to be firstname.lastname@companyname.com  or some combination thereof.
Email cyber risks are increasing    The open nature of email explains why threat actors are continuously at work in developing email-based social engineering campaigns. These campaigns are developed by using open-source information sources such as social media accounts, company PR statements and news mentions.    Recent research also points to threat actors mining dark web data dumps obtained from previous breaches for personally identifiable information (PII) to be used in impersonation campaigns.    Another attack vector that is gaining prominence is credential related compromises. A credential compromise that leads to an account takeover (ATO) of a vendor in the supply chain or even an internal email account is particularly challenging to detect.    Threat actors typically leverage ATO for purposes of carrying out second stage attacks that can include email requests for invoices to be paid (invoice fraud), or delivering a malicious payload via email.   Insider threats within organizations present another threat vector on email. In fact, until the recent roll-out of behavioral-based data loss prevention (DLP), being able to detect and prevent data loss on email was near impossible.   The challenge with data loss on email is that it can occur in a multitude of seemingly innocuous ways, for example, an employee attaching the incorrect file and sending this out via email, or sending the email to the unintended recipient. More malicious acts of insider threat could include a disgruntled employee that exfiltrates sensitive company data via email, or a threat actor that has gained access via an impersonation or ATO attack.
Rule-based solutions no longer provide adequate protection   Threat actors can bypass rule-based email security controls like Secure Email Gateways (SEGs) that rely on a threat detection engine of already documented indicators of compromise. This results in effectively chancing your email security on threat detection approach of established indicators of compromise – with no protective capability against zero day attacks.   We know that threat actors don’t work this way.    Threat actors are continuously refining their attack campaigns. The result is that attack social engineering campaigns are becoming ever-more sophisticated and are increasingly able to bypass rule-based detection systems.  Some of the tried and tested methods for compromise include creating spoofed domains, leveraging compromised accounts, as well as procuring a wide-array of exploit kits on the dark web.    Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web. The commercialization of these exploit kits and threat actors services are removing the barriers to entry for carrying out attacks.  On the PhaaS front, the most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against targets. The service offering includes pre-built phishing templates, available in multiple languages. 
The time for advanced email protection is now    No organization can afford to neglect increasing email security risk. Only by leveraging behavioral based cybersecurity solutions will advanced email attacks be detected and prevented. This includes insider threats that leads to data loss.    Tessian’s Intelligent Cloud Email Security Platform has behavioral intelligence at its core – using Natural Language Processing (NLP) and Natural Language Understanding (NLU) – to detect advanced external and internal threats, as they manifest and in real-time. This includes threats that have been able to circumvent rule-based security controls such as SEGs.
Read Blog Post
Threat Intel
A day in the life of Tessian’s Threat Hunters
by Andrew Webb Thursday, October 13th, 2022
Our head of Threat Intelligence, Paul Laudanski, takes us through a typical threat hunting exercise and takes up the story… Threat hunting is the act of looking for the unknown; for an attack vector we don’t know anything about, for a new campaign, or changes to tactics, techniques and procedures. And there are always new types of attacks to contend with. When I find one type of threat, oftentimes that can snowball into finding other types of threats, so I keep hunting and pivoting and enriching the information that I find. Here’s a recent example…   At Tessian, we’re interested in attacks delivered via email and so I started off with a query looking for URL duplicates that have been sent in emails at least five times during September. I’m specifically targeting the “low and slow” type of attack, where the offenders do not want to alarm security tools and teams. They might be targeting a certain type of function or role for instance. 
Breaking this SQL query down, I search for URLs and the email subjects they are associated with, and how many times they were seen. I don’t want to see singletons but my gut tells me I don’t want to see anything less than 3 hits. Will I search for those as well? Yes, that is another type of search I run in another stream. But for now, my interest is in 5 or more hits. This approach revealed some interesting recurring URL path and filename values. This match, k7OIMyJhEU/page1.php  after the domain, was seen hundreds of times across many domains and their subdomains. Very much a low type of attack because it was spread across different domains. Tools don’t normally pick up on this type of occurrence, and it takes an intel analyst to find such behavior There were several full URLs with that exact pattern, and as I sampled some, Chrome was telling me they were bad. But I couldn’t get the ones I was sampling to actually load anything. So I updated my query to this:
This query now focuses on giving me all the URLs that match that directory pattern, because I want to see what this actually is. Here is a sample, with a subject containing Visa or Mastercard in it. We know from Chrome that some of these that I sampled are malicious.
The subject is detected by Google Translate as Japanese. Taking a sample subject from the above, I’m advised it translates to: “Visa card information on estimated payment amount”. Now I continue to pivot, and take a domain for further analysis: anl7ya[.]icu.   An open source investigation into said domain showed it is heavily involved in phishing and malware activity. Researching Passive DNS data for that domain, there are 191 records. Many of the subdomains were first seen on the 14th of September. None of this is good based on the threat signals around the domain and its activity.   The IP address associated with the domain, searching spam deny listed services reveals UCEPROTECT and Barracuda have it listed as being involved in spam campaigns.
So I started off with JST with an open mind and a theory, hunting and pivoting, trying to see what I could find. I found something for sure, and then started to enrich and dive deeper and go broader. Doing so gave me a lot more information we can use to build our own threat intel. This is called derivative data, and it helps to spot the attacks on a broader scale, otherwise we might miss additional attack vectors   Ultimately, in my open source queries I found a snapshot reported by a Twitter user:  
As a threat intelligence team, we work hard to ensure customers are protected against this and other types of behavior by leaning in and being engaged with the intelligence. We want to focus on what is called the Pyramid of Pain. Here we have indicators we can use to detect and protect against, and we can also move up the pyramid and look at the patterns, in this case, it doesn’t matter what the domain is, so long as we see “k7OIMyJhEU/page1.php”, we can detect it and look to protect against it. Hence our coverage is broad, and we add another query into our playbook that we can automate and spot any changes or new patterns of threats.   This is fun and exciting work, I enjoy working with the unknown and making actionable sense of intelligence. If you’d like to join me, check out our open roles here. 
Read Blog Post
Integrated Cloud Email Security, ATO/BEC
1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week
by Andrew Webb Tuesday, October 11th, 2022
A career in Infosec can be demanding. And as recent headlines have shown, the stakes have never been higher as Chief Information Security Officers (CISOs) are charged with keeping all facets of their organization protected online. This constant vigilance also results in security pros regularly working extra hours and overtime, and even missing holidays, to keep the company secure.    We recently took an updated look at how overworked and stressed CISOs are in 2022, following our inaugural CISO Lost Hours report last year. This year, we learned that CISOs are working more than ever which is contributing to stress, fatigue and feelings of burnout: 18% of security leaders work 25 extra hours a week, which is double the amount of overtime that they worked in 2021.    Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they’re tired or stressed, which could have serious consequences for security pros. 
Here are the highlights:   CISOs are working overtime and can’t always switch off from work   The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. The study found that on average, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from last year. What’s more, many have adopted an “always on” way of working. Three-quarters of security leaders report being unable to always switch off from work, while 16% say they can rarely or never switch off.    Last year, we learned that CISOs were missing out on important personal and social events outside of work like holidays, family vacations and even workouts and doctor appointments due to the nature of their role. Even if security leaders are able to attend these events, the “always on” mindset takes away from being fully present during these moments.
The size of the company makes a difference   The survey also found that security leaders at larger companies are putting in more overtime. CISOs at smaller companies (10-99 employees) report working an average of 12 extra hours a week, whereas those in the same role at a company with 1,000+ employees report working an extra 19 hours.    On the other hand, security leaders at small companies say they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.
Overworked employees make more security mistakes   Many overworked and burnt-out employees are finding resolve in “quiet-quitting” where employees do the bare minimum of their job requirements. However, CISOs don’t have that luxury. They’re putting in more hours and can’t switch off from work just to keep up with the demands of the job.    Unfortunately, the Great Resignation has impacted the IT industry, with IT employees being the most likely to look for a new job, according to another Tessian data report from earlier this year. We’ve also learned that employees are more likely to make security mistakes when they’re tired or stressed. In fact, 47% of employees cited distraction as the top reason for falling for a phishing scam, and 41% said they accidentally sent an email to the wrong person because they were distracted. While accidentally sending an email to the wrong person might seem small, mistakes like these can lead to serious cybersecurity incidents like data loss or a breach.    While no employee should ever be shamed or punished for making a security mistake at work, it’s mistakes like these that can contribute to the extra time CISOs are putting in at work. According to a separate survey conducted by Forrester and commissioned by Tessian, employee-related security incidents take up a significant amount of CISOs’ time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of nearly four employees’ full-time workloads.
So what can CISOs do to create a better work / life balance?   Lean on your team: While CISOs are the Head Honcho within IT and security teams, that doesn’t mean they have to do everything. It’s okay to ask for help, prioritize, and then divide and conquer. Beyond their immediate team, CISOs can also work closely with other members of the C-Suite – like the CFO – to adopt new tools that automatically prevent threats and give CISOs some time back in their day. Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Similarly, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge. For some it might be a walk or making time to connect with kids during a lull in active work. These mini breaks can also make a big difference in recharging your battery.    Unplug: This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. You also won’t model the kind of the habits that will help up-and-comers in your organization to see a path to balanced work and life if you don’t figure it out for yourself. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.
Read Blog Post
Integrated Cloud Email Security
Product Update: Advanced Malicious URL Protection
by James Alliband Thursday, October 6th, 2022
The threat caused by malicious, embedded URLs will grow as Business Email Compromise (BEC) attacks increase. Only a behavioral-based approach that involves a thorough examination of the URL content contained within the email body and its attachment allows you to reduce the risk of a URL-based email compromise.   Differentiating from the SEG   While URL link rewriting, also known as time-of-click protection, is offered by legacy email security providers, such as Secure Email Gateways (SEGs), it has major restrictions on the level of security it can provide. The problem is that your protection is only as effective as the rules and policies you create and how up-to-date the threat detection engine of known threats is.   Tessian enhances the protection against known and unknown malicious URLs by ensuring they are detected and retrieved from both the email’s body as well as any attachments that may include them. From here the URLs are analyzed against known and unknown indicators of compromise (IOC).
Cyber Criminals break the rules   The static, rule-based approach to malicious URL detection offered by legacy email security presents an open opportunity for threat actors to circumvent them using a range of obfuscation methods. For example, in a well-documented case of APT 39’s malicious URL campaign, the cyber criminals were able to hide malicious links within attached files and bypassed the rule-based SEGs of numerous victims.   
Five Shortcomings of URL Link Rewriting Protection    Here are five additional reasons why URL Link Rewriting falls short in protecting your organization from malicious URLs:   URL link rewriting is an overly manual security control prone to human error   It requires a significant degree of manual security rule and policy orchestration. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, by either failing to set the appropriate degree of URL scanning intensity, or failing to include appropriate user groups.      URL link rewriting is ineffective at protecting against zero-day attacks   It only offers protection against known threats and limited protection against zero-day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular methods of evasion by threat actors.      URL link rewriting lacks the intelligence to detect advanced attacks on email   Threat actors are continuously becoming more sophisticated. Hiding malicious URls in an attachment or having a redirected link tricks the victim into thinking they are clicking on a perfectly safe link when in fact they are actually clicking on a malicious link.     Protection starts and stops at the gateway   When utilizing a perimeter solution, such as a SEG, you can only see what is coming into and out of the organization. Lateral phishing attacks are missed as the email doesn’t pass the gateway.     If all you have is a hammer, everything looks like a nail   URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors will send a benign-looking URL link to a victim, usually from a legitimate but recently compromised website. Here the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
The need for Intelligent Cloud Email Security    Email-based attacks are still by far the most popular attack vector. The efficiency of legacy email security controls has come into sharp focus as a result of the constantly shifting and developing attack landscape.     Threat actors are continuously becoming more sophisticated and circumventing the rules-based approaches of legacy email security tools. Today URL link rewriting is no longer capable of defending organizations from advanced attacks on email. Only by leveraging intelligent email security solutions that understand behavior and have contextually aware scanning capabilities – detecting the most obfuscated of URLs – can you significantly improve your email security posture against URL-based attacks.   To see how the Tessians Intelligent Cloud Email Security platform prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post
Integrated Cloud Email Security
Video: Tips For Cybersecurity Awareness Month
by Andrew Webb Saturday, October 1st, 2022
October is Cyber Security Awareness Month, The US Cybersecurity and Infrastructure Agency (CISA) and National Cyber Alliance (NCA) call for organizations to focus on the fundamentals of cyber security. So we caught up with Tessian’s Head of Risk and Compliance, Kim Burton, to find out what they are and what they mean for your organization. Watch the video below or read the transcript.  
So one of the things that’s really exciting about starting your security journey is that there are things that are actually very, very easy to do. And these are true for everyone. It doesn’t matter if you’re an employee somewhere. It doesn’t matter if this is what you’re doing at home trying to protect your friends and family. The key core components of where security starts are…   Strong passwords That means long, strong, and unique. You can store those in a password manager, and with that password manager you want to pair that two-factor authentication on every account that you have if possible. Not every account allows for two factor authentication, but everywhere that you can. You want to use multi-factor authentication,   Updates Make sure you’re always keeping your machine updated!   Mindful posting   What I mean by that is, make sure that when you’re posting on social media, you’re being careful about the kinds of information you reveal. And note that you’re also protecting your friends and family, your business when you’re posting online. So you want to just be careful about the kind of privacy implications that that could come about.    Report suspicious emails And then, when you see something uh make sure you talk about it with your coworkers. If something seems a little bit off, send it to your security team. Report fishing emails uh, and remember that you’re in a community, protect each other.  
Hosting a security open day There are all kinds of different activities that you can run for Cybersecurity Awareness Month. Having a security party where you all come together and discuss secure solutions that the company specifically requires and  relying on people at the business to present their expertise to other coworkers like doing brown bag lunches that are focused on security components. You can use your employees to actually do a pretend ‘hack the company’ event where you can encourage them throughout the month to name different security concerns that they see. Maybe someone’s left their laptop unlocked, or maybe they noticed people aren’t badging in consistently. Or maybe you’re trying to encourage them to wipe down whiteboards – a security scavenger if you will. Have a prize at the end of it. You can get people to design security posters. Your employees know what secure behavior looks like, and they actually get very excited to talk about the knowledge that they have. What’s hard is if someone’s coming in and top-down, telling them very aggressively like waving a stick and saying “you will do these things”. A lot of these folks have worked  other places. They know what they need to be doing, they just need to be empowered to do it. So let them show what knowledge they have and encourage them to talk about it with you, so that you can maneuver exactly their knowledge to be exactly what the business needs. You can make it so that they have the opportunity to talk about it, teach their peers, and then encourage them to grow from where they’re at.   You can have other security events like an Osint scavenger hunt. So Osint is Open Source Intelligence Gathering. That would be maybe a couple of employees gather a bunch of different photographs around the Internet and you ask your folks to identify where they are. It’s amazing how quickly people can identify locations from photographs, and they think they’re not going to be good at this and they’re like “I’ve never done this before, there’s no way I’ll be able to tell from this corner of a building where this is located in the world”. But then you give them five minutes to think about it, and they start saying “You know that type of tree doesn’t grow anywhere else”, or “you know the angle of the sun there seems like it could be in this region of the world” It’s amazing how fast people like start to to figure out these things. And that teaches them how attackers think, that teaches them how malicious actors are going to react.    And it’s fun. You’ve changed it into a game, but what they come away with is; “Oh, okay, I was able to do this in  half an hour of activity. What could someone do with a month? I’ve got to be careful. I have a duty to protect myself. I have a duty to protect my friends, and I really need to protect the business”. It helps them  really see the practicality of of the events that they’re doing.
Read Blog Post
Threat Intel
New Impersonation Campaign: Logokit
by Catalin Giana Friday, September 30th, 2022
In August Tessian’s Threat Intel team saw a new Business Email Compromise malware campaign in the wild called Logokit. Logokit is an impersonation attack phishing kit used to propagate Business Email Compromise campaigns to harvest credentials.   How Logokit exploit kits work    Threat actors will impersonate domains of trusted brands, commonly seen impersonating healthcare, financial or legal services providers. The phishing email usually contains a malicious URL or attachment.    The unsuspecting victim will click on the malicious URL which in this case redirects to an impersonated website of Microsoft. There, the threat actors attempt to harvest login credentials.    
The attack chain   1: The law firm is impersonated and a spoofed account is used to send a malicious email to the victim. 2: The victim receives the malicious email and downloads the malicious HTML attachment.  3: Upon execution of the HTML page, the final landing page is Microsoft impersonation page, requesting the victim to enter Microsoft login credentials.  4: The compromised credentials that were inserted by the victim are then harvested by the threat actor.   Threat analysis In the case that Tessian Threat Intel analyzed, a victim of this campaign was targeted by threat actors impersonating a law firm. The impersonated email from the law firm contained the company logo, as well as an obfuscated HTML attachment titled: Letter To Buyer’s Solicitor Enclosing Contract Bundle.htm
Tessian Threat Intel started the investigation in a virtual environment, analyzing the attached HTML file. At first inspection the HTML file appeared benign. We, then, analyzed the HTML file in a non-virtual environment. This initial HTML file then redirects to an impersonated Microsoft login webpage.   Conclusion and recommendations for staying safe   At the initial time of analysis, the Logokit redirect campaign stopped at the Microsoft phishing landing page. There is a high probability that this campaign could be altered in the coming days and weeks, landing on a different page.   In order to not fall victim to similar types of phishing emails we recommend:   Being careful of unsolicited emails, especially those containing attachments or URLs. Before interacting with any suspicious email received, check the source and email header to confirm the organization it originated from is legitimate. If anything seems unusual, do not follow or click on links, or download attachments.  If the suspicious email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.  Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated impersonation emails.
Read Blog Post
Threat Intel
Tessian Threat Intel Roundup: Ransomware Dominates
by John Filitz Wednesday, September 28th, 2022
As we wind down Q3, we see no letting up by threat actors with a series of high profile breaches dominating the headlines in September. Of concern is the increasing activity of Ransomware-as-Service (RaaS) offerings and threat actor activity. It’s little surprise that phishing and email remain significant threat vectors for ransomware actors, either to gain initial access, or to execute ransomware payloads.   Sign-up for our Threat Intel update to get this monthly update straight to your inbox.    Key Takeaways Phishing attacks are in uncharted territory with over 1 million attacks reported for Q2 2022. Financial services and SaaS companies are among the most targeted. Phishing and email remain primary threat vectors for gaining initial access to carry out ransomware attacks. The Ransomware-as-a-Service (RaaS) gang activity continues its steady increase up by 63% in Q1 2022, as RaaS actors continue to diversify services and exploit kits, including mining exposed data to carry out second stage Business Email Compromise (BEC) campaigns. There is significant concern that corrupting of files will become a new modus operandi of Noberus aka BlackCat ransomware actors and affiliates over the usual encrypting of files. LockBit ransomware encryption code has been leaked, sparking concern for an increase in LockBit attacks. Ukraine has proven to be cyber resilient against Russian cyber attacks, largely as a result of recovering from previous significant breaches such as NotPetya, as a result of NATO support. Recent reports of an Iranian cyber campaign against Albania has resulted in the severing of diplomatic ties with Iran. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a record number of advisories for the month, with ransomware and nation-state activity from Iran being front-and-center.
Trending Analysis Phishing attacks continue the upward trajectory according to the latest from APWG’s Q2 Phishing Activity Trends Report – with over 1 million phishing attacks recorded for the 2nd quarter of 2022 – the worst quarter on record. The most targeted industries according to APWG include financial services (28%), followed by webmail and Software-as-Service providers (19%) and retail (15%). Some of the key threat vectors identified by APWG are email delivered impersonation and ransomware attacks. New Zealand’s Computer Emergency Response Team (CERT NZ) agency reports that phishing campaigns are the primary method for threat actors to gain initial access to carry out ransomware attacks. Email according to CERT NZ, is the third most commonly used vector for malware delivery.  Trend Micro reports a 63% rise in Ransomware-as-a-Service (RaaS) groups in the first quarter of 2022.  Accenture reports on a growing trend of threat actors leveraging “sensitive corporate data exposed on the dark web” to carry out sophisticated Business Email Compromise (BEC) campaigns. Findings from a Stairwell study indicate that RaaS Affiliates of Noberus also known as BlackCat/ALPHV, the successor to DarkSide and BlackMatter ransomware gangs, is potentially resorting to corrupting files on local systems instead of encrypting them with the release of a new “Exmatter” tool. BleepingComputer citing research from Symantec on the “Exmatter” tool, shows that the new data extraction tool has been reengineered to more stealthy gain a foothold and exfiltrate data from compromised systems – an essential complement for carrying out double-extortion attacks. Symantec researchers also confirm the ability of Exmatter to “corrupt processed files.” The Record reports that leaked LockBit ransomware code has the ability to enable more widespread use of the ransomware file encryptor.  The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory on Vice Society ransomware actors that are targeting the education sector.  The Los Angeles Unified School District, the second largest school district in the country,  was the latest victim to suffer a Vice Society ransomware attack that resulted in the loss of access to 500GB of data. CISA and MS-ISAC also released a ransomware guide, and CISA issued a RFI for new cybersecurity incident reporting for the proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed cyber compliance requirements will compel companies to report significant cybersecurity incidents within 72 hours, and 24 hours after a ransomware payment has been made.  Turning attention to nation-states, Ukraine has proven to be relatively cyber resilient in the ongoing conflict with Russia in a large part due to recovery from previous cyber attacks such as the infamous NotPetay attack in 2017. The significant support received from NATO is also another decisive factor. It is suspected that Ukranian affiliated cyber actors hacked Russia’s Wagner Group, responsible for mercenary recruitment for the Russian armed forces – compromising the personal data of mercenaries. CISA shows that Iranian nation-state actors gained access to the Government of Albania’s network 14 months prior to launching a devastating ransomware and wiper malware attack on that country in July. Albania has since severed diplomatic relations with Iran as it tries to recover data and restore public service operations.
Concluding Thoughts & Recommended Actions   The data point to an increasing threat of ransomware-related breaches in the short-to-medium term. Key industry verticals receive a disproportionate amount of attacks including financial services, technology, and more recently the education sector. The threat of nation-state-sponsored attacks as witnessed recently in Albania is of growing concern. Increasing geopolitical tension and instability are likely to exacerbate the probability of state-sponsored ransomware campaigns disrupting key public services.   As the ransomware threat grows, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ransomware attacks is leveraging a machine learning, behavioral-based cybersecurity solution like Tessian that can detect anomalous behavior on email as it arises.   
To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn
Read Blog Post