On the back of Cybersecurity Awareness Month in October 2022 with key recommendations to protect against phishing attacks, we delve deeper into the latest Phishing-as-a-Service offering known as Caffeine, first identified by Mandiant. We also unpack an impersonation campaign we identified in the wild called Logokit. And in other notable news, a misconfigured Microsoft endpoint storage vulnerability dubbed BlueBleed was exposed by researchers at SOCRadar, potentially exposing sensitive data for thousands of customers. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.     • Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web.  • The commercialization of these PhaaS exploit kits and threat actors’ services are removing the barriers to entry for carrying out attacks, at scale.  • The most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against Microsoft 365 targets.  • Tessian Threat Intel recently identified a Business Email Compromise (BEC) campaign in the wild called Logokit. • Logokit uses randomized spoofed pages and brand logos for purposes of harvesting login credentials. In one instance we found that a spoofed version of a Microsoft login page was being used in an attempt to capture credentials. • Researchers from SOCRadar identified six misconfigured Azure buckets which it has dubbed BlueBleed. • The BlueBleed exposure according to SocRadar is among the most significant B2B leaks ever, exposing sensitive data of 65,000 entities across 111 countries.  • Microsoft immediately rectified the privacy settings on the exposed buckets, thanking SOCRadar, however disputing the extent of the exposure.

Phishing remains a persistent threat and security challenge. Threat actors continue having significant success using social engineering attacks to compromise organizations. And there is no silver bullet to protect against social engineering attacks.    Only by adopting a multi-pronged, defense-in-depth security strategy will the risk of a social-engineering-related breach be reduced. Utilizing a best-in-breed solution that has advanced social engineering defense capabilities and that reinforces security culture strengthening like Tessian is increasingly essential to address an ever-evolving threatsc

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

As our recent webinar discussed, cybersecurity has become a C-suite issue. Any successful attack will need input from all its executive members: the CEO for steadying the ship and communicating to investors and the Board, the CISO, CIO, CFO and COO to respond and deal with the actual breach and ensure business continuity. Then there also is the fine balancing act of strategic PR and media communications. Consequently, cyberattack resilience and response should be on the agenda of every company’s monthly or quarterly Board meeting. Boards can provide the oversight companies need in planning and executing their security strategy. Because and although Board members might not always understand the technical fundamentals of cybersecurity, recent headlines mean they at least understand the financial implications of a cybersecurity breach. So it’s all roses, right? Well not so much. A recent report from MIT Sloan and Proofpoint reveals that many Board members feel their companies are woefully under-prepared for a cyberattack. What’s more, there is a large disconnect between what the Board wants to prioritize and what Chief Information Security Officers (CISOs) view as important. Here then, are some of the key takeouts.

First the good news: The report found that 77% of Board members agree that cybersecurity is a top priority for their board. Now the not-so-good news. Although most Board members are aware of the risk of cyber attacks, that hasn’t translated into preparedness. Forty-seven percent of all Board members believe that their organization is unprepared for a cyber attack, and about the same amount of CISOs agree. As discussed, CISOs & Board Members disagree on the most critical consequences of a cybersecurity incident. Internal data becoming public is of the most concern for boards while CISOs are more worried about significant downtime and disruption of operations. In reality, both are a problem for organizations. The report specifically highlights the Board’s approach to the number one cause of cyber attacks. Two-thirds (67%) believe human error is their biggest cyber vulnerability and notes that ‘… people throughout the organization, including board members, know what to watch for and what to do should they encounter a questionable email, link or website. Board members have both a personal and professional role to play. They, too, can be targets of cyber criminals who want to get into companies. We’ve seen this across many senior levels in organizations: where the c-suite themselves are at much higher risk of an attack than many ordinary employees because they rely much more on power dynamics. So what’s the answer to this mismatch between the Board, the C-suite, and the CISO?

Firstly, as the report notes, Board members in most countries had markedly different perceptions of cyber risk than their CISOs. That can be addressed through dialogue and better communication. Crucially though, those conversations must approach the issue from a business angle, rather than purely a technological one.  Secondly, on the human error piece, CISOs must put in place not only technological solutions, but also the cultural framework that makes security an ‘always on’ issue for the company and staff. We addressed exactly this aspect in our recent Security Cultures Report, which offers advice on how to bake better security awareness into your staff’s day-to-day routine.  Thirdly, harness the power of the Board. If leaders and parts of the business see cybersecurity as a top priority for the Board, then they’ll do the same. One easy way to do this is to make cybersecurity an agenda item at every monthly or quarterly Board meeting, and establish good cyber metrics to help track your progress.

Fact: email is responsible for up to 90% of breaches, consequently email security is at the core of keeping your organization and its data safe and secure.   As cyber risk continues to increase, having robust email threat prevention in place can mean the difference of preventing threat actors from gaining a foothold and establishing initial access. It can also provide critical visibility and control over data within the organization, significantly reducing insider risk.   Why email security deserves greater attention   It might seem like a basic question, but when you drill into what email security is and what it entails, it is fundamentally about data security. With the typical organization sending and receiving hundreds and thousands of emails on a monthly basis, explains why email is regarded as the lifeblood of organizations.    From a security standpoint, given the critical data transportation role played by email, helps explain why email security is increasingly being regarded as one of the cornerstones of data security.  Another security consideration is the open architecture character of email – making email an accessible attack vector. Anyone can send an email to any individual or organization making the threat vector extremely attractive to exploit. Want to email the CEO of a company? Their name is probably in the public domain and so their email is likely to be firstname.lastname@companyname.com  or some combination thereof.

Email cyber risks are increasing    The open nature of email explains why threat actors are continuously at work in developing email-based social engineering campaigns. These campaigns are developed by using open-source information sources such as social media accounts, company PR statements and news mentions.    Recent research also points to threat actors mining dark web data dumps obtained from previous breaches for personally identifiable information (PII) to be used in impersonation campaigns.    Another attack vector that is gaining prominence is credential related compromises. A credential compromise that leads to an account takeover (ATO) of a vendor in the supply chain or even an internal email account is particularly challenging to detect.    Threat actors typically leverage ATO for purposes of carrying out second stage attacks that can include email requests for invoices to be paid (invoice fraud), or delivering a malicious payload via email.   Insider threats within organizations present another threat vector on email. In fact, until the recent roll-out of behavioral-based data loss prevention (DLP), being able to detect and prevent data loss on email was near impossible.   The challenge with data loss on email is that it can occur in a multitude of seemingly innocuous ways, for example, an employee attaching the incorrect file and sending this out via email, or sending the email to the unintended recipient. More malicious acts of insider threat could include a disgruntled employee that exfiltrates sensitive company data via email, or a threat actor that has gained access via an impersonation or ATO attack.

Rule-based solutions no longer provide adequate protection   Threat actors can bypass rule-based email security controls like Secure Email Gateways (SEGs) that rely on a threat detection engine of already documented indicators of compromise. This results in effectively chancing your email security on threat detection approach of established indicators of compromise – with no protective capability against zero day attacks.   We know that threat actors don’t work this way.    Threat actors are continuously refining their attack campaigns. The result is that attack social engineering campaigns are becoming ever-more sophisticated and are increasingly able to bypass rule-based detection systems.  Some of the tried and tested methods for compromise include creating spoofed domains, leveraging compromised accounts, as well as procuring a wide-array of exploit kits on the dark web.    Phishing-as-a-Service (PhaaS) is now sold alongside Ransomware-as-a-Service (RaaS) on the dark web. The commercialization of these exploit kits and threat actors services are removing the barriers to entry for carrying out attacks.  On the PhaaS front, the most recent offering is the so-called Caffeine PhaaS exploit kit that enables anyone to procure the kit and launch phishing attacks against targets. The service offering includes pre-built phishing templates, available in multiple languages. 

The time for advanced email protection is now    No organization can afford to neglect increasing email security risk. Only by leveraging behavioral based cybersecurity solutions will advanced email attacks be detected and prevented. This includes insider threats that leads to data loss.    Tessian’s Intelligent Cloud Email Security Platform has behavioral intelligence at its core – using Natural Language Processing (NLP) and Natural Language Understanding (NLU) – to detect advanced external and internal threats, as they manifest and in real-time. This includes threats that have been able to circumvent rule-based security controls such as SEGs.

A career in Infosec can be demanding. And as recent headlines have shown, the stakes have never been higher as Chief Information Security Officers (CISOs) are charged with keeping all facets of their organization protected online. This constant vigilance also results in security pros regularly working extra hours and overtime, and even missing holidays, to keep the company secure.    We recently took an updated look at how overworked and stressed CISOs are in 2022, following our inaugural CISO Lost Hours report last year. This year, we learned that CISOs are working more than ever which is contributing to stress, fatigue and feelings of burnout: 18% of security leaders work 25 extra hours a week, which is double the amount of overtime that they worked in 2021.    Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they’re tired or stressed, which could have serious consequences for security pros. 

Here are the highlights:   CISOs are working overtime and can’t always switch off from work   The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. The study found that on average, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from last year. What’s more, many have adopted an “always on” way of working. Three-quarters of security leaders report being unable to always switch off from work, while 16% say they can rarely or never switch off.    Last year, we learned that CISOs were missing out on important personal and social events outside of work like holidays, family vacations and even workouts and doctor appointments due to the nature of their role. Even if security leaders are able to attend these events, the “always on” mindset takes away from being fully present during these moments.

The size of the company makes a difference   The survey also found that security leaders at larger companies are putting in more overtime. CISOs at smaller companies (10-99 employees) report working an average of 12 extra hours a week, whereas those in the same role at a company with 1,000+ employees report working an extra 19 hours.    On the other hand, security leaders at small companies say they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.

Overworked employees make more security mistakes   Many overworked and burnt-out employees are finding resolve in “quiet-quitting” where employees do the bare minimum of their job requirements. However, CISOs don’t have that luxury. They’re putting in more hours and can’t switch off from work just to keep up with the demands of the job.    Unfortunately, the Great Resignation has impacted the IT industry, with IT employees being the most likely to look for a new job, according to another Tessian data report from earlier this year. We’ve also learned that employees are more likely to make security mistakes when they’re tired or stressed. In fact, 47% of employees cited distraction as the top reason for falling for a phishing scam, and 41% said they accidentally sent an email to the wrong person because they were distracted. While accidentally sending an email to the wrong person might seem small, mistakes like these can lead to serious cybersecurity incidents like data loss or a breach.    While no employee should ever be shamed or punished for making a security mistake at work, it’s mistakes like these that can contribute to the extra time CISOs are putting in at work. According to a separate survey conducted by Forrester and commissioned by Tessian, employee-related security incidents take up a significant amount of CISOs’ time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of nearly four employees’ full-time workloads.

So what can CISOs do to create a better work / life balance?   Lean on your team: While CISOs are the Head Honcho within IT and security teams, that doesn’t mean they have to do everything. It’s okay to ask for help, prioritize, and then divide and conquer. Beyond their immediate team, CISOs can also work closely with other members of the C-Suite – like the CFO – to adopt new tools that automatically prevent threats and give CISOs some time back in their day. Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Similarly, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge. For some it might be a walk or making time to connect with kids during a lull in active work. These mini breaks can also make a big difference in recharging your battery.    Unplug: This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. You also won’t model the kind of the habits that will help up-and-comers in your organization to see a path to balanced work and life if you don’t figure it out for yourself. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.

October is Cyber Awareness Month, and this year’s theme is “Do your part. #BeCyberSmart.”   Fun fact: Cyber Awareness Month started back in 2004, the same year a former AOL software engineer stole 92 million screen names and email addresses and sold them to spammers. Sadly, that’s peanuts compared to more recent breaches. Incidents involving insider threats are at an all-time high, phishing incidents are doubling and even tripling in frequency year-on-year, and the cost of a breach is now over $4 million. This is all to say that cybersecurity is more important than ever. And at Tessian, we live by the motto that cybersecurity is a team sport. So, to help you educate and empower your employees, we’ve put together a toolkit with over a dozen resources, including:

You can download them all for free, no email address or other information required. But, that’s far from the only content we have to share… CEO’s Guide to Data Protection and Compliance By 2024, CEOs will be personally responsible for data breaches. So it’s essential they (and other execs) understand the importance of privacy, data protection and cybersecurity best practices. To help you out, we’ve published an eBook which breaks down: How different regulations have changed how businesses operate  How cybersecurity and compliance can be leveraged as a business enabler The financial and operational costs of data breaches OOO Templates OOO emails can contain everything a hacker needs to know to craft a targeted spear phishing attack… Where you are How long you’ll be gone Who to get in touch with while you’re away Your personal phone number Use these templates as a guide to make sure you don’t give too much away👇🏼

Human Layer Security Knowledge Hub Cyber Awareness Month is all about raising awareness and sharing best practices, and we know the #1 source of trusted information and advice for CISOs are…other CISOs….  That’s why we’ve created a hub filled with dozens of fireside chats and panel discussions about enterprise security, spear phishing, data loss prevention, leadership, and the human element. Sign-up for free and hear from some of the biggest names in the industry.   You Sent an Email to the Wrong Person. Now What? Did you know at least 800 emails are sent to the wrong person in organizations with 1,000 employees every year. While it’s easy to shrug something like this off as a simple mistake, the consequences can be far-reaching and long-term. Learn more, including how to prevent mistakes like this.   6 Best Cybersecurity Podcasts While we’re partial to our own podcast – RE: Human Layer Security – we’ve learned from the best in the business.  To get our fix of cybersecurity breaking news, threat intel, and inspiring interviews, we regularly tune into these podcasts: The CyberWire Daily The Many Hats Club WIRED Security Get the full breakdown here.   How to Get Buy-In For Security Solutions As a security or IT leader, researching and vetting security solutions is step one. Step two involves convincing key stakeholders like the CEO, CFO, and the board that the product needs to be implemented, that it needs to be implemented now, and that it’s worth the cost.  This is easier said than done… So, how do you communicate risk and make a compelling case to (eventually) get buy-in from executives? We talked to security leaders from some of the world’s most trusted and innovative organizations to find out what they do to get buy-in from CxOs.  Here’s a summary of their tips.    Ultimate Guide to Staying Secure While Working Remotely While most of us have been working remotely or in a hybrid environment for well over a year, we know that more than half of IT leaders believe employees have picked up bad cybersecurity behaviors since working remotely. This eBook offers plenty of helpful reminders, including: The risk involved in sending work emails “home” Why using public Wi-Fi and/or your personal device as a hotspot aren’t good ideas Best practice around using cloud storage to share documents How to physically protect your devices Top tips for businesses setting up remote-working policies What Does a Spear Phishing Email Look Like? We know you’re working hard to train employees to spot advanced impersonation attacks…but every email looks different. A hacker could be impersonating your CEO or a client. They could be asking for a wire transfer or a spreadsheet. And malware can be distributed via a link or an attachment. But it’s not all bad news. While – yes – each email is different, there are four commonalities in virtually all spear phishing emails.  Download the infographic now to help your employees spot the phish.   The Risks of Sending Data to Your Personal Email Accounts  Whether it’s done to work from home (or outside of the office), to print something, or to get a second opinion from a friend or partner, most of us have sent “work stuff” to our personal email accounts.  And, while we might think it’s harmless…it’s not. In this article, we explore the reasons why employees might send emails to personal accounts, why sending these emails can be problematic, and how security leaders can solve the problem.  Looking for more helpful content? Sign-up to our weekly newsletter, or follow us on LinkedIn and Twitter (or do all three!).

Our latest product update for our Advanced Email Threat Prevention module, Tessian Defender, improves the efficiency of security event filtering through new and easy-to-navigate event filters. We have also improved malicious email reporting, resulting in improvements to our detection efficacy.

New and enhanced filters for more efficient event filtering The enhanced event filtering interface will improve confidence and control for security admin using Tessian’s portal. It enables security admins to  efficiently filter and find security events, enabling security teams to respond faster.    

Some of the new and enhanced filters include:   Original filter location: Folder location of the email at the time of delivery to the end-user’s mailbox. Attachment filter: Contains attachments or not. Phishing simulation filtering: To exclude/include phishing simulations. Confidence level filtering: To filter on high/medium/low confidence interval events.  

Improved end-user reporting capability   Improvements to malicious email reporting will further improve the ability to recall malicious emails from inboxes, as well as improving detection efficacy. After a security admin reports a malicious email, future emails that share the same characteristics will automatically be quarantined in the portal – reducing cyber risk.  

Why these updates matter: Quicker response time and improved detection efficacy   In a hypothetical example of attempted Account Takeover (ATO), Tessian will flag suspicious emails as potentially malicious. After receiving an alert, security admins using the Tessian Cloud Email Security Platform, analyze all suspicious emails marked with a high degree of confidence and take appropriate action.    The new event filtering capability further speeds up this process, enabling security admins to filter all the security events by event type, confidence level, user response and quarantine status, while also allowing security admins to exclude events classified for example as phishing simulations – improving response times.     The new labeling feature incentivizes customers to report malicious emails. This, in turn, improves the detection efficacy of the platform’s algorithms with each reported email. 

Every minute counts to reducing cyber risk   Time is of the essence in triaging security events on email. Our engineering teams are working relentlessly to cut response times and give time back to security teams. These latest product updates do just that, enabling our customers to reduce the time spent on event triaging while also improving detection efficacy. To see how the Tessian Cloud Email Security platform intelligently prevents ransomware attacks, and protects against data loss, watch a product overview video or book a demo.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Law firms handle some of the most sensitive and confidential information in any sector. Not only that, there are huge pressures on employees to ensure the right verdict for the firm’s clients. Add to this the large sums of money at stake in any court case and you can see why they represent nice juicy targets for bad actors/ . We spent the summer talking to law firm security leaders and technologists at various conferences. Here’s the problems they detailed and how they mitigate them.    Free as in domains   Law firms are public facing, customers can and do come in all shapes and sizes. Consequently many individual clients will use freemail email addresses. Increasingly many small businesses are also turning to services like Gmail for their email needs. Consequently, blanket banning freemail domains doesn’t work, and having to maintain and update a whitelist of individuals is a drag. What’s more, by banning freemail domains, you could potentially be costing the business money in the form of lost clients. This is where Tessian comes in. It looks beyond the domain to deeper within the content – and context –  of an email to understand the sender’s intent.

Partners going rogue Partners run the firm – it’s literally their names on the wall in reception – consequently they tend to act in a manner that they see fit, emailing case notes to their personal addresses to read later on that commute or vacation. You can’t stop them doing that – they’re the bosses, but with Tessian, you can track high profile users to understand what is being sent where and by who.   It’s not just the partners that can present problems. Lawyers are incredibly busy people juggling lots of information via email and trying to build a case around it. Statistically, that means that someone’s gonna hit the reply all rather than the reply button. Tessian’s in the moment notifications catch these human errors and alert the user to any potential dangers. It happens more times than you think.   The result depending on your jurisdiction could be serious compliance violation fines. Indeed, nearly half (48%) of the top 150 law firms in the UK have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.

Forwarding exhibit A   Many law firms didn’t adopt email until the 1990s. In 1996 the UK’s leading legal technology expert, Richard Susskind, was almost banned from speaking and labelled ‘dangerous’ for predicting that lawyers would use email as their main communication method in the future, and was accused of “…bringing the profession into disrepute!” That was over 30 years ago, but technology is now everywhere. Indeed some of the biggest vendors at ILTACon were offering smart screens and projects that can access digital content from emails and shared company drives. As more case notes and legal content goes digital, the potential for email as a means of mis-distributing and mis-sharing this information grows exponentially.

Of course these three issues sit on top of all the regular ones security leaders in any sector face – rising threats, more advanced attacks and the cost of a breach rising exponentially. Tessian is trusted by over 15o of the world’s leading law firms. They rely on Tessian to protect their organizations from advanced email threats, data exfiltration and accidental data loss. Get in touch today and see how we can help your firm.

Innovations in machine learning have fundamentally changed the email security landscape.    And in order to stay ahead, and to ensure that we are protecting our customers from new and advanced email threats, we need to continually improve our machine learning algorithms. Most recently, Tessian’s data science team updated our platform’s Behavioral Intelligence Modeling algorithms to detect advanced social engineering threats.   The result? A 15% increase in the detection of advanced email threats including impersonation spear phishing and account takeover (ATO) attacks.

The growing threat of advanced social engineering attacks  Social engineering attacks like impersonation and ATO attacks are a growing threat, with ATO attacks witnessing +300% growth over the last three years.    Impersonation and ATO attacks are a notoriously difficult type of advanced email threat to detect and prevent. This is because the threat actors either impersonate a trusted party or, in the case of ATO, the emails originate from a legitimate source, either within the organization from an already compromised account, or from a compromised vendor in the supply chain.    Traditional, rule-based email security solutions, like Secure Email Gateways (SEGs), which enterprises have been reliant on for decades, offer little protection against these types of attack. Why? Because legacy solutions like SEGs and built-in security from cloud providers are unable to detect adaptive and unknown threats with no prior indicators of compromise reported.    This makes the case for why security and risk management teams must move away from a rule-based approach to one that analyzes behavior instead.    This behavioral approach should leverage machine learning, Natural Language Processing (NLP), Behavioral Intelligence and Global Threat Feeds to automatically determine whether an email sent to an end-user at a particular time is an advanced threat.

A machine intelligent approach to email security Encouragingly, an increasing number of security leaders are realizing the need to adopt machine intelligent solutions to tackle the persistent threat of advanced email attacks. In fact, over half of cybersecurity leaders (58%) surveyed in a 2022 Forrester Consulting report said that they are actively looking to displace SEGs for the next generation of email security solutions. These solutions, like Tessian, leverage machine learning to help organizations mitigate risk on email.    The importance of machine learning powered cybersecurity solutions was similarly recognized by IBM’s Cost of Data Breach Report for 2022. IBM reported that the average cost of a data breach was $3.05 million less in organizations that deployed security artificial intelligence (AI) versus those that had not. What’s more, 66% of security leaders from across the world believe that AI and Machine Learning enables faster threat detection on email and 56% say it makes threat detection more accurate.    Continual improvements to our algorithms are important to ensuring we quickly and accurately detect new and unknown threats on email – keeping our customers and their data safe and secure.    Learn more by speaking to our experts and seeing our machine learning algorithms in action. 

Sometimes, what looks like a harmless third party breach notification can lead on to other, more targeted attacks, in this article, Tessian’s Head of Security Engineering & Operations explains how.    There is a deluge of breach notifications for defenders to track, monitor, and respond to. When triaging a breach notification for a third party service, the first instinct is to review the exfiltrated data and evaluate for impact to users.    When that data comes back as non-sensitive, defenders will oftentimes stop analysis there and breathe a sigh of relief. Unfortunately, as some recent breaches make clear, evaluating risk and impact isn’t that simple.

Two confirmed identity points   Take Twitter’s July breach as an example. In the notification, Twitter confirmed the exposure of 5.4 million emails as well as associated phone numbers that had been used as 2 factor authentication (the problem with using phones for 2FA is a topic for another time). No passwords were exposed, so it’s simply a minor irritation for the impacted users, right?   Well, not always. Things get more complicated when we consider what an attacker might be able to pivot to with two confirmed identity traces like email and mobile number.   Smishing attacks   At the low end of the sophistication scale, the phone numbers (which remember have been confirmed as active to the attacker by virtue of use as an auth factor) can be targeted for waves of SMS based phishing attacks. Anecdotally, Tessian has received reports of an increase in these attacks for users who had a number tied to their Twitter accounts.

Moving up in complexity, a SIM swap attack paired with a compromised password can yield access to other accounts using the same email. Credential pair reuse across multiple sites can make a single breach keep yielding dividends to the attacker for months.   Secondary attack vectors   These are well known post breach secondary attack vectors that have had a lot of visibility over the years. Less well known is the gray market for end user data used to enable scams and sales of questionable products and services, popularly known as crapware.    Quite a few people have heard of tech support scams, where an overseas scammer will call an elderly person and pretend to have valuable security services to offer. Less well known is how these scammers get access to phone numbers in the first place.

As we can see here, third party data brokers offer resales of “warm leads” for tech support scams targeting English speaking countries for call centers around the world. It’s easy enough to buy or otherwise acquire breach data for this purpose; though it’s important to note that data brokers don’t always stop with legal means of targeting users.

This particular data broker kindly offers pop-up campaigns, better known as fake blue screens in the browser that force the user to call an 800 number to unlock. So while buying gray market data can be lucrative for brokers, they certainly aren’t limited to it.   How to protect against attacks   So how do we protect against the impact of a secondary attack vector like this? First, end users should be encouraged and enabled to use software authenticators or hard tokens. SMS based attacks are widespread and tough to mitigate.    Secondly, security tooling that identifies a departure from normal email traffic can be more effective than relying on end user reporting. Tessian’s implementation of our product alerts us to unusual trends in email traffic that we in turn use for campaign tracking and prioritizing SecOps team resources. An eye on what’s normal and what isn’t serves as our first line against malicious activity. Stay vigilant and stay secure.   To see how Tessian prevents ATO attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Over half of the top 25 U.S. healthcare insurance providers are at risk of having their domain spoofed by threat actors looking to target individuals via advanced phishing and email impersonation attacks as open enrollment begins on 1 November 2022.    In our analysis, we found that 52% of the top healthcare insurance providers in the U.S. do not have DMARC – Domain-based Message Authentication, Reporting & Conformance – policies set up to the strictest settings or don’t have it set up at all to prevent abuse of the domain on email.    Why is DMARC important in preventing impersonation on email?    Nearly all cyberattacks in enterprises start with a successful spear phishing attack. This often involves a threat actor directly impersonating an email domain of a recognizable, trusted or well-known organization. 

There are a number of policies and protocols that prevent direct impersonation of an organization’s domain on email. In its simplest form, SPF and DKIM are email authentication records that allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how to respond to emails that fail these SPF or DKIM checks – generally reject, quarantine, or take no action.   In the absence of authentication records, bad actors could easily create legitimate-looking emails with the domain extension, while the recipient of the malicious emails wouldn’t be able to validate the sender’s authenticity.    In the case of the insurance providers that do not have DMARC records in place – or do not have the DMARC policies set up to ‘reject’ – there is a very real opportunity for threat actors to impersonate the provider’s domain in spear phishing campaigns, convincing their targets they are opening a legitimate email from their healthcare insurance provider.    What risk does this pose to individuals?    Open enrollment – the yearly period in which people in the U.S. can enroll in a health insurance plan for the next calendar year – begins on 1 November 2022.    As open enrollment becomes available for employees and people seeking healthcare options, threat actors will likely take advantage of this time to target unsuspecting people – using the timely hook as a lure in their scams. We’ve noted in previous blogs how cybercriminals take advantage of timely or trending moments to make their phishing attacks more convincing.    By impersonating a trusted insurance provider, cybercriminals could trick people into sharing personally identifiable information including social security numbers, financial information, or even confidential medical details which – if gotten into the wrong hands – could be used to perpetrate identity fraud. 

Advisory to healthcare insurance companies and the public   As open enrollment begins,  healthcare insurance providers must ensure they are taking every measure to protect their domain from misuse over email.    Conversely, it’s important that employees signing up to new benefits – as well as HR personnel – are made aware of the potential scams that could land in their inbox during this period. Advise people that if they do receive an email from their provider, asking for urgent action or financial information, they must take the time to check it and question the legitimacy of any requests. If they’re ever unsure, they should always contact the insurance company directly to verify or only read correspondence in the insurance provider’s portal.    An more intelligent approach to email impersonation attacks   While DMARC is certainly a necessary first step to prevent domain impersonation over email, it’s not without its shortcomings and cybercriminals can find ways around it.    For example, DMARC won’t stop lookalike domains, and there’s nothing stopping threat actors from registering look-a-like domains, betting on the fact that victims may not notice the slight change. Furthermore, DMARC records are inherently public, and an attacker can use this information to select which domains they can directly impersonate, their targets and their attack methods, simply by identifying providers that do not have DMARC policies configured to the strictest settings.    In addition to ensuring DMARC records are set to the strictest standards, security teams at healthcare insurance providers should also question whether they are equipped to safeguard against email scams. They should consider whether a more intelligent approach to email security is needed to stop staff and customers falling victim to advanced email impersonation attacks.    To see how the Tessian Cloud Email Security platform intelligently prevents advanced email threats and impersonation attacks, watch a product overview video or book a demo with us today.

The cost of a data breach is up 13% from 2020 totalling $4.35 million, according to IBM’s Cost of a Data Breach Report for 2022. IBM’s annual report also revealed that compromised credentials, phishing and cloud misconfiguration are the top three attack vectors. Phishing related breaches is the costliest form of attack, costing businesses $4.91 million in damages per breach.  IBM recommends investing in security tools that leverage artificial intelligence (AI) and machine learning. These next generation security tools represent the biggest breach cost mitigation measure organizations can take, reducing the overall cost of a breach by an average of $3.05 million.  Keep reading for key findings from the report. Key findings The cost of a breach continues to creep up year-over-year. The cost of a breach has increased to $4.35m in 2022 –  representing a nearly 13% increase from 2020. Top 3 attack vectors were identified as: compromised credentials (19%), phishing (16%) and cloud misconfiguration (15%). Phishing is the costliest form of a breach. Although compromised credentials is the leading cause of a breach, phishing is the costliest with the fallout averaging $4.91m per breach.  Business Email Compromise (BEC) is expensive. BEC attacks are the second costliest, totalling on average $4.89m per breach.  

Healthcare remains the most adversely impacted vertical. Costs of healthcare breaches have reached a record high of $10.1m. According to HIPAA, there were over 680,000 healthcare breaches in 2021, resulting in close to 45 million healthcare records being compromised. Million dollar savings. Investing in security AI and machine learning tools is the greatest breach cost mitigation organizations can take, reducing the overall cost of a breach by an average of $3.05m compared to organizations that do not have these tools in place.   The increasing frequency and costs associated with breaches is adding to inflationary pressure for goods and services. Companies that have suffered a breach are typically raising their prices for goods and services. Breaches are still taking an inordinate amount of time to contain. On average breaches are resolved within 277 days from discovery. Paying ransoms does not lead to significant cost savings for victims of a breach. Those that chose to pay ransoms saw on average $610, 000 less in breach costs than those that chose not to pay. Critical infrastructure remains vulnerable and lags in zero trust adoption. 80% of critical infrastructure organizations have not adopted zero trust strategies. The result is +$1m more costly breaches, totalling an average of $5.4m per breach. 

The importance of cloud adoption maturity and cloud security Hybrid cloud represents a hedge against cyber risk. The study found hybrid cloud adopters discovered breaches 15 days sooner than companies that relied solely on a single public or private cloud operating model. Hybrid cloud reduces breach cost. Companies that rely on a  hybrid cloud operating model also experienced the lowest costs associated with a breach. On average breach costs for hybrid cloud adopters were $3.8 million. Cloud security adoption is lagging breaches. Almost half (45%) of all breaches originated in cloud environments, with 43% of organizations stating that they are only in the early stages of implementing security across their cloud environments.  A lack of cloud security adoption increases time to resolve a breach. On average organizations that failed to adopt adequate or any cloud security for their cloud environments required +108 days to resolve a breach.

Phishing and Business Email Compromise (BEC) are the costliest attack vectors BEC and credential compromise breaches are insidious and difficult to discover. Email breaches have the second highest mean time to discovery at 308 days (+16% on the overall mean time), with compromised credentials topping the list with a mean time for discovery 327 days (+19%). Phishing is a lucrative scam. Phishing is the second leading attack vector for breaches (16%), and is also the costliest at $4.91m. BEC attacks come a close second, costing businesses $4.89m. 

Recommendations Some of the key IBM recommendations include: Adopt a zero trust security strategy and security model. Zero trust is particularly well-suited to hybrid cloud environments and hybrid and remote work operating models, protecting data by limiting accessibility and requiring context to grant access. Adopt security tools that can share and centralize data between disparate systems. Implement security tools that can centralize data security operations across multiple environments to enable security teams to detect incidents across complex hybrid multi-cloud environments. Invest in cloud native security automation tools. This includes security orchestration, automation and response (SOAR), security information and event management (SIEM), managed detection and response (MDR) tools and XDR to accelerate incident response through automation. Use best-of-breed security tools that help protect and monitor endpoints and remote employees. Remote work related breaches cost an average of $1 million more than non-remote work breaches. Leveraging endpoint and end-user focussed security solutions including endpoint protection platforms (EPP), identity and access management (IAM) and email security solutions are essential. Create and test incident response plans and playbooks. This includes creating incident response teams that are well rehearsed on testing the IR plan. Additional measures include red teaming and finding solutions that manage attack surface risk.  

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.

Each year it seems we are met with new complex challenges and risks that few could have predicted. In turbulent times, it is prudent to take stock of what business and security leaders can control. Allocating dedicated resources to more effectively manage both known and unknown risk is fast becoming essential to shore-up organizational resiliency.   Turning the focus to the sector that is germane to what we do at Tessian, effectively managing cybersecurity risk is now more critical than ever. In fact, cybersecurity risk is now considered the number 1 risk faced by businesses according to Allianz’s 2022 Global Risk Barometer, followed by business interruption (2) and natural disasters (3).   Read on to learn more about some of the key cyber risks organizations are faced with today, and how best to mitigate it.

Cybersecurity risk is increasing The costs associated with breaches are increasing each year. The global cost and impact of cybercrime damages is expected to reach $10.5 trillion in damages by 2025 – representing a 350%+ increase from 2015.    A sign of the worsening cyber risk can be seen in the cybersecurity insurance industry. Given the high number of recent claims, up by 500% in 2021, has resulted in cyber insurance premiums seeing significant escalations – essentially doubling over the past year. And as a result of recent developments in Ukraine, leading insurers are now excluding suspected nation-state cyber attacks from coverage provisions.  

Persistent and increasing email security risk   Due to its open nature, email remains the preferred method for delivering a malicious payload, including ransomware – responsible for up to 95% of breaches. Email also attracts the greatest investment in the attacker value chain and is the riskiest channel for data loss.    Until recently, detecting and preventing email threats relied on static, rule-based solutions like Secure Email Gateways (SEGs). These solutions are only able to detect known threats because they rely on a threat detection engine of already documented threat campaigns. But threats have become more advanced and are proliferating at an alarming rate, with the net result these threats are going undetected by SEGs and are reaching victims’ mailboxes.   According to Verizon’s DBIR 2022, email-delivered social engineering attacks are growing in complexity, with phishing responsible for 60% of these attacks. In addition, the FBI reported that $43 billion has been lost globally due to Business Email Compromises (BEC) in the past 5 years, with a 65% increase in BEC fraud related losses reported globally in the period 2019 to 2021.  

The growing ransomware challenge   Advanced cyber threats like ransomware are also trending in the wrong direction. Ransomware related damages exceeded $20 billion for 2021 – representing a 57x fold increase from 2015. By 2031 ransomware damages are expected to reach $265 billion. Responsible for 75% of cybersecurity insurance claims, Ransomware-as-a-Service offerings are mainstreaming the ability to carry out devastating ransomware attacks.    Russia-based Conti ransomware gang aka Wizard Spider has been linked to 50 incidents in April 2022 alone, including attacks on the Costa Rican and Peruvian governments. Currently there is a $15million bounty on Conti from the US government – indicative of the scale of the problem. The FBI estimates that over 1,000 Conti ransomware victims have paid in excess of $150 million in ransom in the past year.    Also concerning is the increasing proliferation of wiper-malware seen in 2022 in cyber attacks against the Ukraine in 2022. Disguised as ransomware, wiper-malware essentially wipes all data from infected hosts. In response to the growing ransomware threat, CISA announced the formation of a ransomware taskforce at the end of May 2022.   

Software supply chain vulnerability   Software supply chain cyber risk is another leading concern for CIOs and CISOs. The acceleration of digital transformation and cloud adoption, and increased speed of deployment through DevOps processes, have resulted in dramatically expanding the attack surface area with vulnerable code and applications exposed online.    Software supply chain attacks remain a vulnerable element given the high impact and high reward for the attackers as has been demonstrated in the SolarWinds and Kaseya attacks. 

Final thoughts for staying safe in a volatile cybersecurity environment   Prioritizing cybersecurity program development is now a core aspect of effective organizational risk management. There however remains a collective need in the vendor and the broader business community to elevate and educate executives particularly at the board level, on the importance of proactive cybersecurity risk management.    Assume you will suffer a breach. From this risk-aware position think about the proactive steps you can take to improve your cyber resilience. The escalating email, ransomware, wiper malware and supply chain vulnerability risks underscore the imperative for investing in intelligent and agile cybersecurity defenses.   Continuously seek out innovative solutions that keep your environment safe, while at the same time ensure high degrees of employee engagement on the importance of security awareness.  

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn