Human Layer Security

90% of data breaches are caused by human error. Stay up to date on the latest tips, guides, and industry news on Human Layer Security.

Human Layer Security
15 Virtual Cybersecurity Events To Attend in 2022
12 May 2022
This list of cybersecurity events is updated every month and includes in-person events, virtual summits, and one-off webinars.

Gartner Digital Workplace Summit — May 18-19, 2022
Gartner’s Digital Workplace Summit will be held in London, UK, and will focus on all aspects of digital work—particularly cybersecurity. Expect sessions on employing secure and flexible cloud infrastructure, remote and hybrid workplace security, plus content about collaboration tools and platforms and enhancing remote employees’ experiences. The full speaker list has not yet been confirmed, but we know Michael Woodbridge, a Senior Director Analyst at Gartner, will be making an appearance. Early bird standard tickets are €2625, rising to €2975 on March 18.

RSA Conference San Francisco — June 6-9, 2022
The RSA Conference is held in person at San Francisco’s Moscone Center and is also available online. It’s a great event for security professionals at all levels, with some solid introductory material alongside more detailed and technical sessions. Delegates can attend sessions on implementing the CIS Critical Controls, managing human risk, and understanding zero-trust technology. Expect keynote speeches from Jen Easterly, Director of CISA; Mary O’Brien, General Manager of IBM Security; and American Paralympics champion Jessica Long. There are several registration options, with prices ranging from $395 for a digital pass to $1995 for a full conference pass.

Counter Terror Expo (CTX) 2022 — June 8-9, 2022
The Counter Terror Expo will be held at the ExCel Centre in London, UK, and will bring together professionals from industry, government, and law enforcement to discuss technical approaches to combatting terrorism. This is an exposition, so expect vendors and service providers demonstrating the benefits of their products together with seminars, workshops, and demonstrations. Speakers have yet to be announced, but the agenda features sessions on protective security for crowded and public spaces, threat intelligence, and the public-private security partnership. You can view the event’s admissions policy here.

Infosecurity Europe — June 21-23, 2022
Infosecurity Europe is a large event held at the ExCel Centre, London, with security vendors exhibiting alongside some great conference content. The full agenda is still TBC for this year, but there will be a range of keynotes, tech talks, showcases and workshops. This is a great event for anyone looking to learn what the industry has to offer or hoping to get the best use out of their existing security stack. Registration has yet to open, but you can register your interest by subscribing to the Infosecurity mailing list here.

CRESTCon UK — July 13, 2022
CRESTCon is a research-focused cybersecurity conference taking place in London, UK, suitable for academics or advanced cybersecurity practitioners. Expect sessions on social engineering, data breach response plans, and access controls in Linux. Speakers include Sarka Pekarova, Cybersecurity Consultant at SureCloud; Thomas V. Fischer, Security Advocate & Threat Researcher at FVT SecOps Consulting; and Costas Senekkis, Senior Security Analyst at ICSI. Ticket prices range between £35-£175.

UKsec Cyber Security Summit — September 12-13, 2022
The UKsec Cyber Security Summit will be held in London and will focus on helping businesses to better protect their networks, data, and infrastructure from cyberattacks. The agenda for September has yet to be announced, but last year’s event included sessions on digital supply chain security, best practices in incident response, and building a strong cybersecurity culture in your organization. Registration costs £499, or £1,999 for vendors.

Executive Women’s Forum — October 24-27, 2022
The Executive Women’s Forum describes itself as a “powerful community and caring sisterhood of women professionals in the information security, risk management, privacy, and related fields.” The 2022 agenda hasn’t been announced yet, but attendees are promised access to over 1,000 infosec thought leaders aiming to help executive women improve their professional standing and learn from their peers. The standard rate for registration is $895, with discounts for members and early birds available.

FS-ISAC 2022 Europe Summit – Postponed to November 2022
While the event was originally scheduled for May 10-12, 2022, it has since been postponed to November 2022. This year’s presentations will all be focused on the central theme The New Cyber Era: Hyper Connected & Unbound. Expect to hear from industry leaders about technology, cloud, application, and data security, compliance, and cross-border intelligence. You can even submit your own presentation here. It’s not too late. You must be a member of FS-ISAC to attend. Learn more about eligibility and annual dues here.
ATO/BEC Human Layer Security
Phishing Awareness Training: How Effective is Security Training?
By Maddie Rosenthal
30 April 2022
Phishing awareness training is an essential part of any cybersecurity strategy. But is it enough on its own? This article will look at the pros and cons of phishing awareness training—and consider how you can make your security program more effective.
✅ Pros of phishing awareness training

Employees learn how to spot phishing attacks
While people working in security, IT, or compliance are all too familiar with phishing, spear phishing, and social engineering, the average employee isn’t. The reality is, they might not have even heard of these terms, let alone know how to identify them. But, by showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack.

Looking for resources to help train your employees? Check out this blog with a shareable PDF. It includes examples of phishing attacks and reasons why each email is suspicious.

It’s a good chance to remind employees of existing policies and procedures
Enabling employees to identify phishing attacks is important. But you have to make sure they know what to do if and when they receive one, too. Training is the perfect opportunity to remind employees of existing policies and procedures, for example who to report attacks to within the security or IT team. Training should also reinforce the importance of other policies, specifically around creating strong passwords, storing them safely, and updating them frequently. After all, credentials are the number one “type” of data hackers harvest in phishing attacks.

Security leaders can identify particularly risky and at-risk employees
By getting teams across departments together for training sessions and phishing simulations, security leaders will get a bird’s eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? Are new starters struggling to pass post-training assessments? These observations will help security leaders stay ahead of security incidents, can inform subsequent training sessions, and can help pinpoint gaps in the overall security strategy.

Training satisfies compliance standards
While you can read more about various compliance standards – including GDPR, CCPA, HIPAA, and GLBA – on our compliance hub, they all include a clause that outlines the importance of implementing proper data security practices. What are “proper data security practices”? This criterion has – for the most part – not been formally defined. But phishing awareness training is certainly a step in the right direction and demonstrates a concerted effort to secure data company-wide.

It helps organizations foster a strong security culture
In the last several years (due in part to increased regulation) cybersecurity has become business-critical. But it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective. That’s why creating and maintaining a strong security culture is so important. While this is easier said than done, training sessions can help encourage employees – whether in finance or sales – to become less passive in their roles as they relate to cybersecurity, especially when gamification is used to drive engagement. You can read more about creating a positive security culture on our blog.

❌ Cons of phishing awareness training

Training alone can’t prevent human error
People make mistakes. Even if you hold a three-hour-long cybersecurity training session every day of the week, you’ll never be able to eliminate the possibility of human error. Don’t believe us? Take it from the U.K.’s National Cyber Security Centre (NCSC): “Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle. The advice given in many training packages, based on standard warnings and signs, will help your users spot some phishing emails, but they cannot teach everyone to spot all phishing emails.” That’s right, even the U.K.’s top cybersecurity experts can’t always spot a phishing scam. Social engineering incidents—attacks that play on people’s emotions and undermine their trust—are becoming increasingly sophisticated. For example, using Account Takeover techniques, cybercriminals can hack your vendors’ email accounts and intercept email conversations with your employees. The signs of an account takeover attack, such as minor changes in the sender’s writing style, are imperceptible to humans.

Phishing awareness training is always one step behind
Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means training that was relevant three months ago may not be today. In the last year, we’ve seen bad actors leverage COVID-19, Tax Day, furlough schemes, unemployment checks, and the vaccine roll-out to trick unsuspecting targets. What could be next?

Training is expensive
According to Mark Logsdon, Head of Cyber Assurance and Oversight at Prudential, there are three fundamental flaws in training: it’s boring, often irrelevant, and expensive. We’ll cover the first two below but, for now, let’s focus on the cost. Needless to say, the cost of training and simulation software varies vendor-by-vendor. But the solution itself is far from the only cost to consider. What about lost productivity? Imagine you have a 1,000-person organization and, as a part of an aggressive inbound strategy, you’ve opted to hold training every quarter. Training lasts, on average, three hours. That’s 12,000 lost hours a year. While – yes – a successful attack would cost more, we can’t forget that training alone doesn’t work. (See point 1: Phishing awareness training can’t prevent human error.)

Phishing awareness training isn’t targeted (or engaging) enough
Going back to what Mark Logsdon said: training is boring and often irrelevant. It’s easy to see why. You can’t apply one lesson to an entire organization – whether it’s 20 people or 20,000 – and expect it to stick. It has to be targeted based on age, department, and tech-literacy. Age is especially important. According to Tessian’s latest research, nearly three-quarters of respondents who admitted to clicking a phishing email were aged between 18-40 years old. In comparison, just 8% of people over 51 said they had done the same. However, the older generation was also the least likely to know what a phishing email was. Jeff Hancock, the Harry and Norman Chandler Professor of Communication at Stanford University and expert in trust and deception, explained how tailored training programs could help.

Should I create a phishing awareness training program?
The short answer: “Yes”. These programs can help teach employees what phishing is, how to spot phishing emails, what to do if they’re targeted, and the implications of falling for an attack. But, as we’ve said, training isn’t a silver bullet. It will curb the problem, but it won’t prevent mistakes from happening. That’s why security leaders need to bolster training with technology that detects and prevents inbound threats. That way, employees aren’t the last line of defense. But, given the frequency of attacks year-on-year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Tessian comes in.

How does Tessian detect and prevent targeted phishing attacks?
Tessian fills a critical gap in security strategies that SEGs, spam filters, and training alone can’t. By learning from historical email data, Tessian’s machine learning algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender to detect a wide range of impersonations, spanning more obvious, payload-based attacks to difficult-to-spot social-engineered ones like CEO Fraud and Business Email Compromise. Once detected, real-time warnings are triggered and explain exactly why the email was flagged, including specific information from the email. Best of all? These warnings are written in plain, easy-to-understand language. These in-the-moment warnings reinforce training and policies and help employees improve their security reflexes over time.

To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today. Not ready for a demo? Sign up for our weekly blog digest to get more cybersecurity content, straight to your inbox. Just fill out the form below.
ATO/BEC Human Layer Security
Phishing Campaigns Pick-Up in the Wake of the Ukraine Invasion
By Charles Brook
05 April 2022
Key Takeaways
- We’ve seen an upward trend in the number of suspicious emails being flagged related to Ukraine.
- Spam campaigns started to appear only one day after the initial invasion by Russia.
- The number of new domains containing “Ukraine” registered in 2022 is up 210% from 2021.
- An average of 315 new Ukraine-themed domains have been observed per day since the 24th of February.
- 77% of these domains appear to be suspicious based on early indicators.

Overview
The conflict taking place in Ukraine has quickly become a common theme for threat actors and scammers alike. Tessian has observed an upward trend in Ukraine-themed emails flagged by our platform, including a number of threat campaigns that are exploiting the conflict as a theme for new scams, malspam, and phishing. In line with this, open source intelligence shows a significant increase in the number of Ukraine-themed domains being registered, which can be used for malicious purposes. The scams observed typically request donations in the form of cryptocurrency under the pretense of supporting the Ukrainian humanitarian effort in the wake of the Russian invasion. The spam is similar to common campaigns previously observed, pushing links to suspicious e-commerce sites selling Ukrainian-themed items.

Trend analysis

Domain registrations
There has been a significant upward trend in the number of new domains being registered that contain “Ukraine”. The number of these domains being registered is up more than 210% in 2022, compared to 2021. Researching domain registrations, we can see the upward trend progressing over the past two months. Since early March there has been an average of 340 new domains registered each day, either containing “Ukraine” or closely resembling the word. Our platform observed an initial upward trend in Ukraine-themed emails, which peaked in early March. This included the spam campaigns and donation scams.

Threat campaign explainer

Donation scams
Donations from around the world have been made in support of Ukraine in the wake of the Russian invasion. Unfortunately, leveraging humanitarian efforts such as the one currently underway in Ukraine to perpetrate phishing-related fraud has become a common modus operandi for threat actors and fraudsters. This explains why phishing remains among the top reported cybersecurity incidents according to the FBI’s latest Internet Crime Report, with over 323k reported incidents for 2021. The donation scams vary in sophistication from basic emails containing a short message with a plea for help, to fake websites set up to impersonate certain charitable organizations like the British Red Cross. One of these scam emails claims to be supporting the humanitarian aid effort in Ukraine and requests Bitcoin cryptocurrency donations. Legitimate website text and logos from the likes of UNICEF, Actalliance and the Australian Council for International Affairs (ACFID) are being fraudulently leveraged to enhance the authenticity of the phishing emails. The threat campaign detailed below, purporting to be a legitimate humanitarian aid effort for Ukraine from the ACFID, requests Bitcoin donations and allows victims to make the donation via a direct Bitcoin address or via a malicious QR code.
Phishing email purporting to be from the ACFID  
Scanning the QR code with the iOS camera app will prompt you to open a locally installed payment app that supports Bitcoin, in this case Cash App. According to Blockchain Explorer, the last transaction to take place with the address in this email was on 2022-02-14, with only 6 transactions in total.

Another donation scam was sent from a newly registered domain, redcrossukraine[.]org, impersonating the Red Cross in Ukraine. The email contained a link to a professional-looking website containing details of the Ukraine conflict as well as instructions on how to donate cryptocurrency in aid of Ukraine. The site was based on a Bootstrap template by BootstrapMade, which gave it the look and feel of a legitimate website. Towards the bottom were references to addresses for three different crypto wallets you could send payments to as a ‘donation’: one for Bitcoin, one for Ethereum, and one for Tether cryptocurrency.

Ukraine-themed spam
Spammers have also quickly reacted to the invasion of Ukraine by adjusting the themes of their campaigns. One notable spam campaign, only a day after the initial invasion, began blasting out spam with links to suspicious e-commerce sites pushing the sale of t-shirts and other items to show support for Ukraine. The emails sent out in the campaign have subjects like “I Stand With Ukraine Shirts” and contain images of t-shirts with slogans in support of Ukraine. The emails also contain links pointing to recently created sites like mimoprint[.]info or mabil-store[.]com, where you can browse and purchase some of the products referenced in the email. Searching these sites online reveals some reviews claiming that they are a scam and that if a purchase is made then no product is received. Other reviews claim they steal designs from users on other sites.

Recommended action
Some charities do accept cryptocurrency donations. But be cautious of any emails purporting to aid or receive donations in an effort to support the humanitarian effort in Ukraine. If cryptocurrency is requested in an unsolicited email, then the likelihood is that it is a scam. Before interacting with any Ukraine-themed email received, check the source and email headers to confirm the organization it originated from is legitimate. If you want to make a donation in support of Ukraine, then the best way is to go directly to your preferred charitable organization. CNET has published a list of reputable charities you can donate to in aid of Ukraine.
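The header and domain checks recommended above can be scripted for triage. The following is an added example, not Tessian’s detection logic: it parses a message, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, compares the From domain with Reply-To and Return-Path, flags Ukraine-themed or recently registered sender domains, and looks for a donation plea carrying a cryptocurrency wallet address. The two sample messages, the wallet placeholder, the registration-date table (standing in for a WHOIS/RDAP lookup) and the 30-day and three-finding thresholds are all constructed for the example.

```python
"""Header-and-body triage for Ukraine-themed donation emails (added example)."""
import re
from datetime import date
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed stand-in for a WHOIS/RDAP lookup; the dates are invented.
KNOWN_REGISTRATIONS = {
    "redcrossukraine.example": date(2022, 3, 1),  # fresh lookalike domain
    "redcross.example": date(1999, 1, 1),         # long-established sender
}
TODAY = date(2022, 3, 11)  # constructed analysis date, so results are stable
NEW_DOMAIN_DAYS = 30       # assumed threshold for "recently registered"

UKRAINE_LOOKALIKE = re.compile(r"ukra[il1]n[e3]", re.IGNORECASE)
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}
DONATION_WORDS = re.compile(r"\b(?:donat(?:e|ion)s?|humanitarian|relief)\b", re.IGNORECASE)

# Constructed messages modelled on the campaign described above; the wallet is a placeholder.
SAMPLE_SCAM = """\
Return-Path: <bounce@redcrossukraine.example>
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=redcrossukraine.example; dkim=none; dmarc=fail header.from=redcrossukraine.example
From: "Red Cross Ukraine" <donate@redcrossukraine.example>
Reply-To: <help@ukraine-relief-desk.example>
To: recipient@example.org
Subject: Urgent humanitarian aid for Ukraine
Content-Type: text/plain; charset=utf-8

Please donate Bitcoin to support the humanitarian effort in Ukraine:
bc1qexampleplaceholder0000000000000
"""

SAMPLE_LEGIT = """\
Return-Path: <newsletter@redcross.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=redcross.example; dkim=pass header.d=redcross.example; dmarc=pass header.from=redcross.example
From: "Red Cross" <newsletter@redcross.example>
To: recipient@example.org
Subject: How to support our Ukraine appeal
Content-Type: text/plain; charset=utf-8

Visit our website to donate; we never ask for cryptocurrency by email.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers (RFC 8601)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.IGNORECASE):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw: str, today: date = TODAY) -> dict:
    """Return findings, extracted wallet addresses and a coarse verdict for one message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_domain = domain_of(msg["From"])

    # 1. Authentication: anything short of "pass" on SPF, DKIM and DMARC is noted.
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")

    # 2. Source consistency: reply and bounce paths should belong to the From domain.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 3. Sender domain: a Ukraine-themed name and a recent registration are early indicators.
    if UKRAINE_LOOKALIKE.search(from_domain):
        findings.append("sender domain is Ukraine-themed")
    registered = KNOWN_REGISTRATIONS.get(from_domain)
    if registered is None:
        findings.append("sender domain registration date unknown")
    elif (today - registered).days < NEW_DOMAIN_DAYS:
        findings.append(f"sender domain registered {(today - registered).days} days ago")

    # 4. Body: a donation plea that carries a cryptocurrency wallet address.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    wallets = {name: pat.findall(text) for name, pat in WALLET_PATTERNS.items()}
    wallets = {name: found for name, found in wallets.items() if found}
    if wallets and DONATION_WORDS.search(text):
        findings.append(f"donation request carrying {', '.join(sorted(wallets))} wallet address")

    verdict = "suspicious" if len(findings) >= 3 else ("review" if findings else "clean")
    return {"from_domain": from_domain, "findings": findings, "wallets": wallets, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        result = triage(sample)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as a script to see the findings for both samples: the constructed scam trips every check (seven findings, verdict “suspicious”), while the established sender with passing authentication and no wallet address comes back “clean”. In production the registration table would be replaced by an RDAP query and the thresholds tuned against real mail flow.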
ATO/BEC Human Layer Security Life at Tessian
Book Recommendations for Security Professionals
By Maddie Rosenthal
01 April 2022
Looking for some summer reading? We’ve pulled together a little reading guide for when you get some well-earned downtime. We asked around the Tessian offices for recommendations for good reads in the tech and security space. Here are the team’s recommendations.

Cyber Privacy: Who Has Your Data and Why You Should Care
April Falcon Doss
Amazon, Google, Facebook, governments. No matter who we are or where we go, someone is collecting our data: to profile us, target us, assess us; to predict our behavior and analyze our attitudes; to influence the things we do and buy — even to impact our vote. Read more at Good Reads.

Social Engineering: The Science of Human Hacking
Christopher Hadnagy
Social Engineering: The Science of Human Hacking reveals the craftier side of the hacker’s repertoire—why hack into something when you could just ask for access? Undetectable by firewalls and antivirus software, social engineering relies on human fault to gain access to sensitive spaces; in this book, renowned expert Christopher Hadnagy explains the most commonly-used techniques that fool even the most robust security personnel, and shows you how these techniques have been used in the past. We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock. Read more at Good Reads.

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats
Richard A. Clarke
“Great book on the challenges of cyberwarfare policy” – Paul Sanglé-Ferrière, Product Manager, Tessian. An urgent new warning from two bestselling security experts – and a gripping inside look at how governments, firms, and ordinary citizens can confront and contain the tyrants, hackers, and criminals bent on turning the digital realm into a war zone. Read more at Good Reads.

The Wires of War: Technology and the Global Struggle for Power
Jacob Helberg
From the former news policy lead at Google, an urgent and groundbreaking account of the high-stakes global cyberwar brewing between Western democracies and the autocracies of China and Russia that could potentially crush democracy. Read more at Good Reads.

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Nicole Perlroth
Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, The New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyber arms race to heel. Read more at Good Reads.

The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data
Kevin Mitnick & Robert Vamosi
In The Art of Invisibility Mitnick provides both online and real-life tactics and inexpensive methods to protect you and your family, in easy step-by-step instructions. He even talks about more advanced “elite” techniques, which, if used properly, can maximize your privacy. Read more at Good Reads.

The Cuckoo’s Egg
Clifford Stoll
“Probably the original threat actor report – so good” – Matt Smith, Software Engineer at Tessian. In 1986, Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity. Read more at Good Reads.

CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers
Todd Fitzgerald
While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies. Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series. Read more at Good Reads.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
Andy Greenberg
Politics play a big role in cybercrime. This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries. Read more at Good Reads.

Cult of the Dead Cow
Joseph Menn
Cult of the Dead Cow is the tale of the oldest, most respected, and most famous American hacking group of all time. Though until now it has remained mostly anonymous, its members invented the concept of hacktivism, released the top tool for testing password security, and created what was for years the best technique for controlling computers from afar, forcing giant companies to work harder to protect customers. Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them. Read more at Good Reads.

The Making of a Manager: What to Do When Everyone Looks to You
Julie Zhuo
Congratulations, you’re a manager! After you pop the champagne, accept the shiny new title, and step into this thrilling next chapter of your career, the truth descends like a fog: you don’t really know what you’re doing. Read more at Good Reads.

CISM Certified Information Security Manager All-in-One Exam Guide
Yes, this is an exam guide…and yes, you should add it to your reading list. If nothing else, to have on hand as a reference. Why? It covers everything: security governance, risk management, security program development, and security incident management. Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020. Read more at Good Reads.

The health benefits of reading
Whatever you choose to read these holidays, the health benefits of reading are well documented. As our Lost Hours report revealed, many CISOs aren’t taking time out from their jobs to de-stress and unwind. So make sure you schedule a little you-time with a good book.
ATO/BEC Email DLP Human Layer Security
New Research: One in Four Employees Who Made Cybersecurity Mistakes Lost Their Jobs Last Year
By Laura Brooks
29 March 2022
According to our new research, one in four employees lost their job in the last 12 months after making a mistake that compromised their company’s security. The new report, which explores human error on email at work, also found that:
- Just over one in four respondents (26%) fell for a phishing email at work in the last 12 months.
- Two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error.
- Over one-third (36%) of employees have made a mistake at work that compromised security, and fewer are reporting their mistakes to IT.

Why do people make mistakes at work?
When asked why these mistakes happened, half of employees said they had sent emails to the wrong person because they were under pressure to send the email quickly – up from 34% reported by Tessian in its 2020 study – while over two-fifths of respondents cited distraction and fatigue as reasons for falling for phishing attacks. More employees attributed their mistakes to fatigue and distraction in the past year, versus figures reported in 2020, likely brought on by the shift to hybrid working.

“With the shift to hybrid work, people are contending with more distractions, frequent changes to working environments, and the very real issue of Zoom fatigue – something they didn’t face two years ago,” said Jeff Hancock, a professor at Stanford University who contributed to the report.

People are falling for more advanced phishing attacks
While the number of employees who fell for phishing attacks only increased by 1% in the last 12 months, people were far more likely to fall for more advanced phishing attacks than they were in 2020. Over half of employees (52%) said they fell for a phishing email because the attacker impersonated a senior executive at the company – up from 41% reported in 2020. In comparison, click-through rates on phishing emails in which threat actors impersonated well-known brands dropped. These findings mirror those reported by the FBI, which found that business email compromise (BEC) attacks are eight times more common than ransomware and that the losses from these attacks continue to grow year on year. People were also susceptible to phishing attacks over SMS (smishing), with one-third of respondents being duped by a smishing request in the last 12 months, compared to 26% of those who fell for phishing scams over email. Older employees were more susceptible to smishing attacks; one-third of respondents aged over 55 complied with requests in smishing scams, versus 24% of 18-to-24-year-olds.

The consequences for accidental data loss are more severe
On average, a US employee sends four emails to the wrong person every month – and organizations are taking tougher action in response to these mistakes that compromise data. Nearly a third of employees (29%) said their business lost a client or customer after sending an email to the wrong person – up from 20% in 2020. One in four respondents (21%) also lost their job because of the mistake, versus 12% in July 2020. Over one-third (35%) of respondents had to report the accidental data loss incidents to their customers, breaking the trust they had built. Businesses also had to report the incidents to regulators. In fact, the number of breaches reported to the Information Commissioner’s Office caused by data being sent to the wrong person on email was 32% higher in the first nine months of 2021 than in the same period in 2020.

Employees are fearful of reporting mistakes
With harsher consequences in place, Tessian found that fewer employees are reporting their mistakes to IT. Almost one in four (21%) said they didn’t report security incidents, versus 16% in 2020, resulting in security teams having less visibility of threats in the organization.
Josh Yavor, CISO at Tessian, said, “We know that the majority of security incidents begin with people’s mistakes. For IT and security teams to be successful, they need visibility into the human layer of an organization, so they can understand why mistakes are happening and proactively put measures in place to prevent them from turning into serious security incidents. This requires earning the trust of employees; and bullying employees into compliance won’t work. Security leaders need to create a culture that builds trust and confidence among employees and improves security behaviors, by providing people with the support and information they need to make safe decisions at work.”
Human Layer Security
IT Departments are Looking for New Jobs: Here’s How to Retain Talent
By Andrew Webb
24 March 2022
You can’t stop people from leaving for pastures new; employee turnover is a natural function of any organization. But when that trickle turns into a flood, there’s an issue. Our recent Great Re-evaluation research revealed that 55% of employees are thinking about leaving their jobs this year. What’s more, 39% are currently working their notice period or actively looking for a new role in the next six months. But who’s leaving, and why? According to research by Harvard Business Review, ‘mid-career’ employees between 30 and 45 years old have seen the greatest increase in resignation rates. The research also identified the most at-risk sectors and, alarmingly, tech industry resignations came out on top, with an increase of 4.5% (compared to 3.6% in healthcare, for example). If this sounds like the situation in your security or IT team, here’s why they might be leaving, and what you can do about it.
Why are people quitting?

A recent McKinsey report highlighted that it isn’t always the promise of a higher salary that lures people away. Instead, the things employees were looking for were feeling valued by the organization or by their immediate managers, a sense of belonging, and a flexible work schedule. In essence, employees were far more likely to prioritize relational factors, whereas employers were more likely to focus on transactional ones.

The past two years have certainly taken their toll on security teams, from the CISO down, and people are a little burnt out and stressed. SOC teams are on the front line of a company’s defenses against cyberattacks – alert fatigue is real.

What to do: Work with your people team on an employee support plan, schedule regular check-ins with team members, and explore technological solutions like Spill.chat – full disclosure, it’s what we use here at Tessian.
Highlight team achievements

SOC team members have a thirst for knowledge – they have to respond to an attack quickly in a high-pressure situation. If they feel they haven’t got the support and encouragement they need, both managerially and technologically, they’ll walk. After all, it can be particularly demoralizing to devote eight hours a day to defending an organization when that defense is neither valued and acknowledged nor resourced sufficiently.

What to do: As the company’s security leader, you have to beat the drum for your team’s work and show the value it brings to the company. Remember, IBM’s ‘Cost of a Data Breach’ report tells us the average cost of a breach is $4.24 million. Communicate that, whether at the all-hands or on a poster in the restrooms.
Automate and augment the mundane

The IBM Pollyanna Principle states ‘machines should work; people should think’. That means you should review your security orchestration, automation and response (SOAR) set-up periodically and see what can be automated. Things that automate well are repeatable manual tasks, threat investigations, triage of false positives, and creating reports. This Microsoft blog has some great tips on which security tasks and objectives you should automate, and why. After all, if attackers are automating many of their processes for increased efficiency, so should you.

What to do: Automating everyday tasks, from reporting to rooting out false positives, will help you and your team concentrate on the critical issues. Be realistic about what automation is capable of. With that expectation set, focus on areas where augmentation can help the team make faster and better decisions. That’s the winning formula.
Reward growth

As Mike Privette said in our podcast, security is the one corporate function that should always be growing. As we explored in this article, one of the key factors in building out a security team is that people must have confidence that they can grow and gain value by staying within the organization. So as well as increasing the team’s overall size, prioritize elevating existing team members into more senior roles.

What to do: Have a clear understanding of individuals’ potential career progression within the organization. Work with your People team on highlighting future opportunities and creating growth plans for 6-12 months down the line.
Make time for training, learning and development

As well as promotions and increased responsibilities for some team members, training across the team keeps everyone united and aligned. Training in conjunction with things like automation is most effective when you’re looking to change behaviors, such as decreasing response times or improving triage.

For the fifth straight year, the ISSA and ESG cybersecurity survey reveals that 59% of cybersecurity professionals agree that while they try to keep up with cybersecurity skills development, job requirements often get in the way. As the survey notes, ‘This training gap is quietly increasing cyber risks at your organization’.

What to do: Designate a baseline metric to improve upon, and design a training program that is focused, flexible, and able to meet that metric. If training lacks an objective and feels like a chore, people will treat it as a chore.

Finally, if people are dead set on leaving, the only thing you can do is wish them all the best. Infosec is a small world and chances are your paths will cross again.
ATO/BEC Human Layer Security
Nation-States – License to Hack?
By Andrew Webb
10 March 2022
Traditionally, security leaders’ view of nation-state attacks has been ‘as long as you’re not someone like BAE Systems or a government, you’re fine’. But in the last three years nation-state attacks doubled in number to over 200… and we’ve yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here’s what you need to know.
How a nation-state attack differs from a regular cyber attack

Nation-state attacks are typically defined as APTs, or advanced persistent threats – a term first defined in 2005. They are referred to as advanced because they have access to exploits and techniques that are more professional, more effective, and more expensive than those of the average criminal actor.

Nation-state attackers can have teams of people working around the clock, handing off every 8 hours. There’s also the question of the duration of an attack. APTs play the long game, and it can sometimes take 18 to 24 months before any compromise takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike.
What are the aims of a nation-state APT attack?

With the nearly unlimited money and resources of a nation-state, nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:

- Exfiltrate data containing military secrets or intellectual property
- Conduct propaganda or disinformation campaigns
- Compromise sensitive information for further attacks or identity theft
- Sabotage critical organizational infrastructure

Russia blurs this line in that it uses criminal activity in furtherance of political goals, and has been doing so for years. It also has an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don’t know where to place their defensive resources.
Which businesses are most at risk from a nation-state attack?

A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or performing other supporting activities.

One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks of companies such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK Government departments and companies. What’s more, it’s believed that they were inside the networks for over three years.

Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. And banks – especially national banks – are under continual attack; in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat in retaliation.
Softer secondary targets

Although traditionally targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber-attack used previously unknown exploits to infiltrate Microsoft Exchange Server software, so it’s reasonable to assume that if you have tangential connections to a political target of one of these countries, then you could be at risk.
As KC Busch, Tessian’s Head of Security Engineering & Operations, explains: “APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn’t encrypt outbound comms or has adequate email protection, then they’re going to go for the law firm rather than the million-dollar target.”

This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You’re only as strong as your weakest link.
The phases of an APT attack

APT attacks come in three phases.

First, there’s network infiltration, typically achieved through compromised credentials. If compromised credentials aren’t an option, or defenses are particularly robust, nation-state attackers might use a zero-day attack. Countries can have teams that research and write their own zero-days, but more commonly they will buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought about how they’re used.

This murky world of zero-day exploits and the people that broker them to governments and security agencies was chronicled by former New York Times cybersecurity reporter Nicole Perlroth in her recent book, ‘This Is How They Tell Me The World Ends’. Perlroth’s book highlights how, for decades, US government agents paid thousands, and later millions, of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have the money to purchase them and a need to deploy them, even as they become rarer and more expensive.

The second phase is the expansion of the attack to spread to all parts of the network or system. As we’ve mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it.

Thirdly, there’s the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Several APT attacks have also started with a distributed denial-of-service (DDoS) attack, which acts as a smokescreen while data amassed over what could be months or years is exfiltrated.
Notable nation-state attacks

The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran’s uranium enrichment program. It disrupted the plant’s uranium centrifuges by varying their spin rate, but not enough to cause them to shut down. Furthermore, false data was displayed back to the controller, so employees thought everything was business as usual. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant and connected it to the internet.

The biggest: 2015’s Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack “one of the worst data breaches in history.”

The data wasn’t ransomed back to the company, and the reasons for the attack remain unclear. In 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but any indication of the alleged hackers’ motives or affiliation was noticeably absent. Current thinking is that the data will be used for identity theft or to identify interesting individuals or government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 million to settle the resulting claims and clear up the mess.
What’s the future of nation-state attacks?

The Anthem breach and others led to a very loose set of guidelines on what is, and what is not, acceptable. This was hammered out between former President Obama and President Xi Jinping of China in 2015, but none of it has the force of law like the Geneva Convention. And with an actor like Russia currently in a highly aggressive position, it’s reasonable to expect an escalation until desired political goals are achieved.

Attack types are likely to evolve, too. One example: wipers. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper will display its message as it’s erasing all your data. They’re a class of malware with a narrowly targeted use, but if someone decided to let them loose, the damage could be astronomical. And worryingly, they’ve already been spotted in Ukraine.
How to protect your organization from nation-state attacks

The federal Cybersecurity & Infrastructure Security Agency (CISA) posted a bulletin, titled “Shields Up,” which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from nation-state attacks.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.
Human Layer Security
Fostering a Risk-Aware Culture is Key to Ensuring Your Organization’s Cybersecurity
By John Filitz
08 March 2022
Operational complexity and risk are increasing. As the pandemic and the war unfolding in Ukraine have laid bare, risk can manifest unexpectedly. On the cybersecurity front, the risk faced by organizations is increasing steadily year over year, with threat actors continuously refining their attack methodologies. This in part explains why the cost of cybercrime damages is expected to reach $10.5 trillion by 2025 – a 350%+ increase from 2015.
Cyber threats are increasing

In response to this shifting cyber threatscape, the US government issued an Executive Order on the 12th of May 2021, recognizing the need to strengthen the nation’s cybersecurity posture for public and private sectors alike. The war against Ukraine has increased the threat of nation-state cyber attacks and has underscored the need to improve cyber resiliency for both the public and private sectors. This has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a Shields Up notice for heightened awareness and increased protection for critical assets.

The Shields Up guidance includes the following recommendations:

Reduce the likelihood of a damaging cyber intrusion
- Validate remote access
- Ensure software is up to date
- Disable all non-essential ports and protocols

Take steps to quickly detect a potential intrusion
- Identify and quickly assess unusual network activity
- Ensure the organization’s network is protected by antivirus/anti-malware software

Ensure that the organization is prepared to respond if an intrusion occurs
- Designate a crisis-response team
- Assure availability of key personnel
- Conduct a table-top exercise so that all participants understand their roles during an incident

Maximize the organization’s resilience to a destructive cyber incident
- Test backup procedures to ensure that critical data can be rapidly restored, i.e. a Recovery Time Objective measured in hours rather than days

The Shields Up guidance also calls for empowering CISOs, lowering the barriers to reporting threats, and focusing investments and resilience efforts on critical business functions. It also recommends planning for the worst-case scenario, such as disconnecting high-impact parts of the network in the event of an intrusion.

As CISA rightly pointed out, basic cybersecurity best practice is important, too.
This includes:

- Multi-factor authentication
- Updating and patching software
- Improving email security defenses to prevent phishing attacks
- Having an effective password policy in place and using strong passwords
The importance of a risk-aware culture

Moving beyond the Shields Up guidance, improving cybersecurity for critical and non-critical industries alike starts with ensuring that organizations have adopted a risk-aware mindset and culture. Evidence of this includes having well-developed and routinely exercised business continuity and disaster risk reduction plans – and ensuring that these are regularly updated in line with the business strategy and objectives.

Routinely reviewing the risk and threatscape is important, too. In addition to cyber risk, other key risks to consider in risk mitigation planning include environmental disaster risk, biological risk and man-made risks, such as insider threats, accidents and geopolitical risk.

But the reality for most organizations is that it’s difficult to balance risk mitigation with a slew of other competing priorities.

Part of the challenge facing risk managers and risk mitigation efforts is inadequate resourcing (financial and non-financial). But the greatest impediment is the C-Suite’s failure to prioritize risk mitigation as a business-critical function.

Although the importance of prioritizing cybersecurity is starting to get due attention, the roots of the problem stem from the early days of viewing cybersecurity as a strictly IT function. As businesses digitally transform, data and information systems are now seen as the lifeblood of business.

Successful businesses are increasingly fostering a risk-aware culture that prioritizes cybersecurity alongside key business objectives. These leaders understand that the robustness of the risk and cybersecurity posture can determine whether a business survives a cyber disaster event.

Viewed this way, the cybersecurity resiliency of a business is integral to achieving its desired objectives.
Getting C-Suite buy-in

Getting C-Suite buy-in for cybersecurity initiatives can often be challenging. We have detailed a number of ways to get the necessary buy-in. At a high level, the three steps are:

First, it’s about getting the C-suite to understand the risk and whether the current cybersecurity posture is commensurate with the threatscape.

The second step entails quantification of that risk. It’s important to quantify what the financial fall-out would be from a successful cyber attack. There are also important non-financial aspects that need to be considered, such as reputational damage and a loss of customer trust.

Finally, it’s about understanding the business criticality of being able to successfully recover your data and information systems in the event of an attack, in the shortest possible time frame. The longer a business is without access to its data and information systems, the greater the risk of catastrophic business failure.
Taking a business-critical approach to risk and cybersecurity planning

Given the importance of fostering a risk-aware culture and prioritizing cybersecurity as a business-critical function, it is imperative that businesses routinely review the current and emerging threatscape – and take appropriate action.

As the past 24 months have borne out, risks that might not have been in the purview for decades can manifest within a short time frame.

A key part of taking a business-critical approach to risk and cybersecurity entails regularly testing cyber defenses and ensuring that emerging threats are addressed as they arise, and with the urgency that they deserve.

Additional resources

To help ensure you’re prepared for today’s threats, we’ve included some resources from CISA and the UK’s National Cyber Security Centre (NCSC):

CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure: https://lnkd.in/gg2vRd29
CISA: Shields Up guidance: https://lnkd.in/dceQ9YGJ
CISA: Known Exploited Vulnerabilities (KEV) Catalog: https://lnkd.in/gRGpREQS
CISA: Insights on Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure: https://lnkd.in/dntwU2DK
CISA: Free Public and Private Sector Cybersecurity Tools and Services: https://lnkd.in/dgUvqMwK
NCSC: Actions to take when the cyber threat is heightened: https://lnkd.in/dMem_PaH
ATO/BEC Threat Intel
Analysis of a Microsoft Credential Phishing Attack
By Charles Brook
25 February 2022
Credential harvesting via phishing remains a significant threat to organizations. In early February 2022, we detected a credential harvesting campaign leveraging a fake Microsoft Outlook login page. Although Secure Email Gateways (SEGs) have URL rewriting protection capability, these types of phishing efforts typically go undetected through the use of obfuscation techniques, such as hidden superscript tags that break up the text of the message.
Summary of the attack

An email impersonating Microsoft was sent using Amazon Simple Email Service, targeting multiple individuals at a specific organization. The email informed recipients their password was due to expire and they needed to follow a link to reset it.

The link in the email followed multiple redirects before landing on a credential phishing site impersonating the Microsoft Outlook login page. Analysis of this attack reveals it to be related to a known phishing as a service (PhaaS) site where anyone can purchase tools and services for phishing.

Email Content

Below is a screenshot of the malicious email with a malicious link to reset the password. Note the use of language (albeit with typos) expressing urgency around changing the end user’s password.
The threat actor sent the target recipients a request to change their Microsoft password that included a malicious link redirecting to a credential harvesting website. Tailored to specific targets, the emails also appeared to be sent from an AWS Apps server using the Amazon Simple Email Service, and passed security checks including SPF, DKIM and DMARC, meaning they are unlikely to be flagged as malicious.

Given the email appears to have been sent via Amazon SES, there is a chance the attacker compromised an AWS account. Alternatively, they could have registered an account for the sole purpose of sending these emails and passing security checks, since Amazon will be seen as a reputable sender.
Email body

When viewed in a mail reader these emails are fairly easy for the trained eye to spot. The main indicators are the grammatical errors that are common amongst phishing emails, as well as the suspicious link behind the button.

But underneath the displayed message was further evidence of the attacker going to great lengths, through common phishing obfuscation techniques, to make these emails difficult to detect.

The email body was base64 encoded, which is not uncommon for emails but is still a technique attackers use to obfuscate the content of an email. Decoding this revealed the HTML used to construct the email. When focusing on the email body we find the attacker has added a series of HTML elements distributed randomly between the letters of the message.
Specifically, the attacker has used superscript HTML tags to obfuscate the email body against common email security tools like SEGs:

<sup style="display: none;">YYCZPYYCZP</sup>

The attacker has added "display: none;" styling to each tag, meaning the content of the element won’t appear in the displayed email. The recipient sees only the intended message in their mail reader, while legacy email security tools struggle to pick up on any of the keywords that would indicate this is a phishing email.
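The detection side of this technique, as an added Python illustration (not Tessian's product code and not the attacker's kit): decode the base64 body, parse the HTML, separate text inside hidden elements from text the mail client actually renders, and report the phishing vocabulary that a raw-text keyword scan misses but the recipient reads. The sample body is constructed to reproduce the pattern above; the keyword list and the two-element threshold are assumptions for the example.

```python
"""Detect hidden-element text obfuscation in an HTML email body.

Added example for illustration; not Tessian's detection code. The sample
body is constructed: junk text wrapped in <sup style="display: none;">
tags is inserted between the letters of the visible message, and the
whole body is base64 encoded, as in the email analysed above.
"""
import base64
import re
from html.parser import HTMLParser

# Constructed sample. The recipient sees "Your password is due to expire today."
# plus the button text; a raw-text scanner sees "pass...word" and "exp...ire".
_HIDDEN = '<sup style="display: none;">YYCZPYYCZP</sup>'
SAMPLE_HTML = (
    "<html><body><p>Your pass" + _HIDDEN + "word is due to exp" + _HIDDEN
    + "ire today. <a href='https://example.invalid/reset'>Keep My Password</a>"
    "</p></body></html>"
)
SAMPLE_BODY_B64 = base64.b64encode(SAMPLE_HTML.encode()).decode()
# A benign body with the same visible text and no hidden elements, for comparison.
CLEAN_BODY_B64 = base64.b64encode(
    b"<p>Your password is due to expire today. Keep My Password</p>"
).decode()

# Inline styles that hide an element from the reader without removing its text.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}
# Assumed vocabulary a rule-based scanner would look for (example only).
KEYWORDS = ("password", "expire", "verify", "sign in")


class HiddenTextParser(HTMLParser):
    """Split text the mail client renders from text it hides."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self.hidden_elements = 0
        self._stack = []  # one bool per open element: True when hidden

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return  # void elements never receive an end tag
        style = dict(attrs).get("style") or ""
        inside = bool(self._stack and self._stack[-1])
        hidden = inside or bool(_HIDDEN_STYLE.search(style))
        if hidden and not inside:
            self.hidden_elements += 1  # count outermost hidden elements only
        self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in _VOID and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        target = self.hidden if (self._stack and self._stack[-1]) else self.visible
        target.append(data)


def analyse_body(body_b64: str) -> dict:
    """Decode a base64 HTML body and report what the reader sees vs. what is hidden."""
    raw = base64.b64decode(body_b64).decode("utf-8", errors="replace")
    parser = HiddenTextParser()
    parser.feed(raw)
    parser.close()
    visible = re.sub(r"\s+", " ", "".join(parser.visible)).strip()
    raw_lower, visible_lower = raw.lower(), visible.lower()
    return {
        "visible_text": visible,
        "hidden_text": "".join(parser.hidden),
        "hidden_elements": parser.hidden_elements,
        # Keywords present in the rendered text but broken up in the raw HTML:
        # exactly what the obfuscation is designed to achieve.
        "keywords_masked": [k for k in KEYWORDS if k in visible_lower and k not in raw_lower],
    }


def is_suspicious(report: dict, min_hidden: int = 2) -> bool:
    """Flag bodies with repeated hidden elements that mask phishing vocabulary."""
    return report["hidden_elements"] >= min_hidden and bool(report["keywords_masked"])


if __name__ == "__main__":
    for label, body in (("constructed phish", SAMPLE_BODY_B64), ("clean", CLEAN_BODY_B64)):
        report = analyse_body(body)
        print(label, "->", "suspicious" if is_suspicious(report) else "ok", report)
```

Scanning the rendered text rather than the raw HTML is the general lesson: the same parser catches junk hidden with `visibility: hidden` as well as `display: none`, and the hidden-element count on its own is a useful signal even before any keyword matches.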
By removing the superscript tags from the code we can more clearly see the message left behind that was displayed to the recipient.

Phishing URL

The email contained a phishing URL with the recipient address auto-populated at the end. The URL was added to a button labeled “Keep My Password”.

[Image: phishing link embedded in HTML email body]
The phishing link also contained a second URL nested in the query component of the first. The attacker is abusing an open redirect function in a well-known affiliate marketing network called Awin to redirect victims to the malicious site.

Phishing link from email:
hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#<recipient>@<domain>[.]com

Which redirects to:
hxxps://pcbmwc[.]org/fr#<recipient>@<domain>[.]com

The redirects are incorporated to bypass initial URL security checks common in legacy email security tools. Most security tools scanning URLs are likely to focus on the domain from the initial URL, ‘awin1[.]com’, and recognise it as safe.

The domain in the nested URL, ‘pcbmwc[.]org’, appears to belong to a Buddhist monastery based in Patiya, Bangladesh. The site appears to be fairly basic and low budget; it is likely the attacker compromised this site and is using it to host part of their malicious infrastructure – an increasingly common tactic for phishing attacks.

The initial URL leads you to an apparently blank page. The source code reveals a script checking that there is still an email address present at the end of the URL, after the ‘#’. This is intended to be the target’s email address.
If there isn’t an email address appended to the end of the URL then nothing will happen and you will stay on the blank page. If there is an email address included at the end, then the script redirects the target to the final landing page for the phishing site, with that email address still included in the URL.

Link to the final phishing site:
hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#<recipient>@<domain>[.]com
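How an analyst or a URL scanner can unnest this redirect chain instead of stopping at the first domain, as an added Python illustration (not Tessian's code). It follows every query-string value that decodes to a full URL, propagates the fragment the way browsers do on a redirect (RFC 7231 section 7.1.2: a redirect target without a fragment inherits the original one, which is why the `#<recipient>@<domain>` survives the Awin hop), and checks whether that fragment carries a pre-filled e-mail address. The hosts are the defanged indicators from the post; the recipient address is a constructed placeholder. The JavaScript hop from the blank page to the final landing page is not derivable from the URL itself, so the chain stops at the nested URL.

```python
"""Unnest a redirect-chain phishing URL and surface what legacy URL checks miss.

Added example; not Tessian's or any vendor's detection code. Hosts are the
defanged indicators from the analysis above; the e-mail address is a
constructed placeholder.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit, urlunsplit

SAMPLE_LINK = (
    "hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;"
    "p=hxxps%3a%2f%2fpcbmwc[.]org/fr#victim@example.invalid"
)

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def nested_urls(url: str) -> list:
    """Return the chain [outer, inner, ...] of URLs carried inside query values."""
    chain, seen, current = [url], set(), url
    while current not in seen:  # guard against a URL that nests itself
        seen.add(current)
        parts = urlsplit(current)
        inner = None
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already percent-decodes, so "https%3a%2f%2f..." is a URL here
            if value.lower().startswith(("http://", "https://")):
                inner = value
                break
        if inner is None:
            break
        inner_parts = urlsplit(inner)
        if parts.fragment and not inner_parts.fragment:
            # Browser behaviour on redirect: the original fragment is kept
            # when the redirect target has none (RFC 7231 section 7.1.2).
            inner = urlunsplit(inner_parts._replace(fragment=parts.fragment))
        chain.append(inner)
        current = inner
    return chain


def analyse_link(raw_link: str) -> dict:
    """Report every host a click would touch and any e-mail smuggled in the fragment."""
    url = html.unescape(refang(raw_link.strip()))  # &amp; -> & as in the HTML source
    chain = nested_urls(url)
    hosts = [urlsplit(u).hostname for u in chain]
    fragment = unquote(urlsplit(chain[-1]).fragment)
    return {
        "chain": chain,
        "hosts": hosts,
        "final_host": hosts[-1],
        "email_in_fragment": fragment if _EMAIL.match(fragment) else None,
        # A scanner that only reputation-checks hosts[0] would pass this link.
        "open_redirect_suspected": len(set(hosts)) > 1,
    }


if __name__ == "__main__":
    for key, value in analyse_link(SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

Reputation-checking every host in the chain, not just the first, is what turns the trusted affiliate domain from a pass into a signal; the e-mail address in the fragment is a second strong indicator, since fragments are never sent to the server and have no legitimate reason to carry a recipient address.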
Phishing Site

Clicking the link from the original email will lead to the page below, with the target’s email captured in the URL. The site is designed to resemble the Microsoft Outlook login page, where you are prompted to enter your password. Looking at the source code for this site, it appears to be based on a previously seen template also used for Microsoft credential harvesting, but with a few alterations.
To look as legitimate as possible, the site borrows graphics and styling directly from Microsoft-owned CDNs. Entering a password into the box provided and clicking ‘Sign in’ would result in the email address from the URL and the password being captured and submitted through an AJAX POST request to a PHP file hosted on a separate server.

PHP file:
hxxps://moliere[.]ma/aX3.php

The domain in the link to the PHP script appears to belong to a consulting firm based in Casablanca. If legitimate, then it too has likely been compromised by the attacker to host malicious infrastructure.

This script will most likely be what the attacker uses to harvest the credentials. It will either send the credentials to the attacker directly or store them in a location accessible by the attacker.

The source code of the site includes some jQuery scripts that perform a number of actions with the aim of making the site look and feel legitimate. This includes sections to provide feedback to the victim, such as error messages and progress bars. One section checks that the password entered isn’t blank and is more than one character long. Another displays a fake progress bar after clicking sign in, to give the illusion of a genuine login taking place.

If the credentials are submitted successfully then the victim is redirected to a genuine Microsoft login page and presented with the login screen again. The victim will assume that they entered their credentials incorrectly the first time and just carry on.

Another observation from the source code is that whoever wrote or borrowed the code has replaced most of the variable names and tag IDs with strings of seemingly random characters.

On closer inspection these random strings appear to be composed of various keyboard walk patterns. A keyboard walk is when you type a series of characters in the order they appear on the keyboard, for example ‘qwerty’ or ‘asdfg’, often done by dragging a finger across the keyboard.
This has been done deliberately to make the code more difficult to read and follow without clearly labeled variables.
Phishing as a Service (PhaaS)

The primary features and indicators from this phishing attack point to it being related to the BulletProofLink (aka BulletProftLink) phishing as a service site, which was detected and analyzed by Microsoft in late 2021.

This site offers phishing kits for sale to anyone and also offers infrastructure to host and run malicious campaigns from. Phish kits or services will typically be available for sale for around $200.
Although there were some differences for the specific campaign analyzed here, the attack chain observed is virtually identical to that mapped out by Microsoft.  
This credential harvesting attempt is a good example of what is becoming a particularly common modus operandi to compromise an organization’s credentials and information system. The unfortunate reality is that such attempts have a high success rate of bypassing legacy and native email security controls. Threat actors are able to achieve this success through the use of obfuscation techniques that are tried and tested repeatedly against static, rule-based email security controls, until the desired outcome is achieved.   
With the continuously advancing sophistication of phishing attacks, it becomes a matter of when, not if, an organization’s legacy email security controls will be circumvented. Behavioral cybersecurity solutions like Tessian are increasingly seen as a game changer and a necessity to ward off advanced social engineering-based attacks. Tessian detects and prevents phishing attacks like the one discussed on a daily basis for our clients. It does this by scanning not only the URL links but all of the fields contained in an email, and contrasting this against a historical mapping of the email ecosystem to determine, using machine learning, whether the email is malicious or safe. End users then receive in-the-moment security warnings prompting them towards safer action.
Appendix: Indicators

Email Body (decoded)
<sup style="display: none;">YYCZPYYCZP</sup>

URLs
hxxps://awin1.com/awclick.php?mid=2584&amp;id=201309&amp;p=hxxps%3a%2f%2fpcbmwc[.]org/fr#
hxxps://pcbmwc[.]org/fr#
hxxps://fra1.digitaloceanspaces[.]com/loskmwaksilopa/%23%25%5EE%26UY%23%26W%26%28%40.html#
hxxps://moliere[.]ma/aX3.php

Appendix: MITRE ATT&CK Framework

The tactics and techniques used by the threat actor can be inferred from analysis of the email and the phishing site that was active at the time of receipt.

TA0043: Reconnaissance
- T1589: Gather Victim Identity Information
- T1589.002: Email Addresses
- T1595: Active Scanning

The attacker will have gathered email addresses to target either from data breaches dumped on the Internet or by scanning the target organization’s public-facing website for addresses, which will most likely have been found on their people page.

TA0042: Resource Development
- T1584: Compromise Infrastructure
- T1584.004: Server
- T1588: Obtain Capabilities
- T1608: Stage Capabilities
- T1608.005: Link Target

The attacker will either have developed the scripts and pages used to construct their malicious email or obtained them through a phishing as a service site. It also appears they may have compromised vulnerable web servers to host some of the malicious infrastructure used for harvesting credentials, including the redirection page, the malicious login page and the PHP script that collects the credentials. This could also have been provided as part of a PhaaS package.

TA0001: Initial Access
- T1566: Phishing
- T1566.002: Spear Phishing Link

The attacker sent emails impersonating Microsoft containing a phishing link aimed at harvesting credentials. These emails were sent from an AWS Apps server via Amazon SES, meaning the attacker may have compromised an existing AWS account or set one up for this campaign.

TA0005: Defense Evasion

A number of techniques were employed to evade detection.
The first is the use of Amazon SES to make emails appear reputable and pass security checks. The attacker also obfuscated the message in the email by placing hidden HTML elements at random intervals, making it difficult for security tools to pick up on keywords.   An open redirect was also used in the phishing URL to send the recipient to the malicious site via a trusted one first. Security tools and the recipient will often see the domain for the trusted site and assume the URL is safe.
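The two evasion tricks described above can be neutralised before any keyword or reputation check runs: drop elements styled display:none so the scanner sees the same text as the reader, and unwrap redirector links whose real target is carried in a query parameter. The code below is an added example, not part of the original post or Tessian’s product; the hostnames and the sample HTML are constructed placeholders.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample body: readable words are split by hidden <sup>/<span>
# elements, the same trick as the decoded body shown in the appendix above,
# and the link goes through a redirector that carries the real target in a
# query parameter (all hostnames here are placeholders).
SAMPLE_HTML = (
    'Your pass<sup style="display: none;">YYCZPYYCZP</sup>word expires '
    '<span style="display:none">ZZQQ</span>today. '
    '<a href="https://redirect.example.com/click?mid=1'
    '&amp;p=https%3a%2f%2flogin.example.net%2Ffr">Keep my password</a>'
)

# An element whose inline style hides it, together with its content.
HIDDEN_ELEMENT = re.compile(
    r"<(\w+)\b[^>]*display\s*:\s*none[^>]*>.*?</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)
ANY_TAG = re.compile(r"<[^>]+>")


def visible_text(raw_html: str) -> str:
    """Remove display:none elements, then strip the remaining tags, so the
    text handed to keyword rules is the text the recipient actually sees."""
    shown = HIDDEN_ELEMENT.sub("", raw_html)
    text = html.unescape(ANY_TAG.sub("", shown))
    return re.sub(r"\s+", " ", text).strip()


def links_in(raw_html: str) -> list[str]:
    """Collect href targets with HTML entities (e.g. &amp;) decoded."""
    return re.findall(r'href="([^"]+)"', html.unescape(raw_html))


def final_destination(url: str, max_hops: int = 5) -> str:
    """Unwrap redirector-style URLs: if any query parameter holds a full
    URL, treat that as the next hop. No network request is made, so this
    only resolves redirects that embed their target in the link itself."""
    current = url
    for _ in range(max_hops):
        params = parse_qs(urlparse(current).query)
        embedded = [v for values in params.values() for v in values
                    if re.match(r"https?://", v, re.IGNORECASE)]
        if not embedded:
            break
        current = embedded[0]
    return current


if __name__ == "__main__":
    print(visible_text(SAMPLE_HTML))
    for link in links_in(SAMPLE_HTML):
        print(link, "->", final_destination(link))
```

The resolved destination, not the trusted redirector domain, is what should be fed to the reputation lookup.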
ATO/BEC Human Layer Security
Playing Russian Roulette with Email Security: Why URL Link Rewriting Isn’t Effective
By John Filitz
18 February 2022
Malicious URL link-based attacks are a tried and tested method for threat actors to compromise information systems. Although legacy Secure Email Gateway (SEG) vendors offer URL link rewriting protection, also referred to as time-of-click protection, there are significant limitations in the degree of protection this security control provides.
Unlike behavioral cybersecurity solutions like Tessian, which dynamically and in real time scan all of the content in an email, including URL links and attachments, SEGs rely on a manual, rule-based threat detection approach. With this approach, your protection is only as effective as the rules and policies you have created, combined with the relevance of your threat detection engine.
The static approach to malicious URL link detection by SEGs explains why zero-day threats often get through defenses. The lack of machine learning scanning capability also explains why threat actors are able to hide malicious URLs in attachments or even in plain text. For example, APT39 successfully leveraged malicious URL links that were hidden in or attached to phishing emails to carry out an elaborate espionage and data gathering campaign across multiple jurisdictions. Similar attacks are usually, but not exclusively, motivated by credential harvesting for Account Takeover (ATO) purposes.
How URL link rewriting protection works
SEGs that offer URL link rewriting typically scan and rewrite the URLs contained in every inbound email so that they pass through the vendor’s own infrastructure. This means all links contained in any email received through the gateway are rewritten to point at the email security vendor’s system.
URL link rewriting detects malicious URL links at the time the user clicks on the link, by analyzing the link against key criteria specified in the security rules and policies, as well as against the vendor’s repository of known malicious URLs.
When it comes to the security rules and policies, SEGs require the security admin to set the degree to which URL categories are scanned, and also allow selected email groups in an organization to be included or excluded. The scanning intensity settings typically range from relaxed through moderate to aggressive.
If a URL link is determined to be malicious based on the rules and policies, as well as the reputation of the link, the end-user is notified and warned against accessing the malicious URL.
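A toy model of the two-step mechanism just described, rewriting at delivery and a reputation-plus-policy check at click time, makes the coverage gap visible: a domain with no reputation record is only stopped at the most aggressive setting. This is an added example, not the original post’s or any vendor’s code; the gateway host, the reputation lists, the intensity policy and the sample message are all constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://gw.example/click?u="   # constructed rewrite endpoint

# Constructed reputation data: the repository only knows what has already
# been reported, so a freshly registered domain has no entry at all.
KNOWN_MALICIOUS = {"bad-login.example.net"}
KNOWN_SUSPICIOUS = {"files.share.example"}

# Constructed policy: which reputation classes each intensity setting blocks.
BLOCKED_AT = {
    "relaxed":    {"malicious"},
    "moderate":   {"malicious", "suspicious"},
    "aggressive": {"malicious", "suspicious", "unknown"},
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    target: str


def rewrite_links(body: str) -> str:
    """Delivery time: every href is replaced by a link through the gateway,
    with the original URL carried as a query parameter."""
    return re.sub(
        r'href="([^"]+)"',
        lambda m: f'href="{GATEWAY}{quote(m.group(1), safe="")}"',
        body,
    )


def links_in(body: str) -> list[str]:
    return re.findall(r'href="([^"]+)"', body)


def reputation(domain: str) -> str:
    if domain in KNOWN_MALICIOUS:
        return "malicious"
    if domain in KNOWN_SUSPICIOUS:
        return "suspicious"
    return "unknown"


def time_of_click(rewritten: str, intensity: str) -> Verdict:
    """Click time: unwrap the gateway link, look the domain up, and apply
    the intensity setting. An unknown domain is only stopped at the
    aggressive setting, the one most likely to be tuned down because of
    false positives."""
    target = parse_qs(urlparse(rewritten).query)["u"][0]
    domain = (urlparse(target).hostname or "").lower()
    cls = reputation(domain)
    if cls in BLOCKED_AT[intensity]:
        return Verdict(False, f"{cls} domain blocked at {intensity}", target)
    return Verdict(True, f"{cls} domain allowed at {intensity}", target)


if __name__ == "__main__":
    # Constructed message: one known-bad link, one never-seen domain.
    mail = ('<a href="https://bad-login.example.net/x">Invoice</a> '
            '<a href="https://new-login.example.org/auth">Sign in</a>')
    for link in links_in(rewrite_links(mail)):
        for setting in BLOCKED_AT:
            print(setting, time_of_click(link, setting))
```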
Five shortcomings of URL link rewriting protection
1. URL link rewriting is an overly manual security control prone to human error
URL link rewriting, or time-of-click protection, requires a significant degree of manual security rule and policy orchestration. Because of its post-delivery approach, in which malicious URLs are allowed to be delivered and are only scanned when clicked, the security effectiveness of this static control is significantly compromised without well-configured URL detection rules and policies. The static nature of URL policy and rule orchestration also opens up the probability of human error introducing security risk, either by failing to set the appropriate degree of URL scanning intensity or by failing to include the appropriate user groups.
2. URL link rewriting is ineffective at protecting against zero-day attacks
URL link rewriting offers protection against known threats only, and therefore limited protection against zero-day attacks. For example, registering new domains or hijacking existing “trusted” domains are popular evasion methods for threat actors. Once the threat actor has evaded the security controls (i.e. passed through the gateway), they have unfettered access to end-users who are under the impression that the email and the included URL link have been scanned and are safe. Usually the malicious URL threat detection engine is only updated after a successful compromise.
3. URL link rewriting lacks the intelligence to detect advanced phishing subterfuge
Threat actors find sophisticated ways to obfuscate malicious URLs. They typically do not include malicious URLs in the email itself but hide them behind “safe” URL redirects, or in attachments of uncommon types that fall outside the security policy’s ambit. Upon opening the file or clicking on the URL link, victims are taken to what appears to be a legitimate website, which then redirects to a malicious website posing as a trusted service provider.
4. Protection starts and stops at the gateway
URL link rewriting can be bypassed from within the organization via a lateral phishing attack. Malicious URLs can be sent from trusted sources inside the organization and thereby never pass through the gateway protection.
5. If all you have is a hammer, everything looks like a nail
URL link rewriting offers no protection against cross-site scripting (XSS) attacks. In this type of attack, threat actors send a benign-looking URL link to a victim, usually pointing at a legitimate but recently compromised website. There the threat actor is able to capture credentials from the victim, for example on a log-in page of the compromised website. Legacy email security solutions would have determined that the link is “safe” even if the email was received from an unknown or suspicious party.
The need for intelligent email security
Email remains the overwhelmingly favored attack vector. The ever-evolving and advancing nature of email-based threats has placed the effectiveness of legacy email security controls into sharp focus.
With its static orchestration and binary threat detection approach, URL link rewriting is the embodiment of legacy approaches to addressing email security risk. Simply stated, this security control is no longer fit for purpose in a dynamic threatscape, where threat actors are continuously honing their ability to circumvent rule-based security controls. Only by leveraging email security solutions with machine learning and contextually aware scanning capability can you significantly improve your email security posture. See why CISOs at some of the leading organizations around the world are selecting Tessian as the advanced email security provider of choice. Book a demo now.
ATO/BEC Threat Intel
Spear Phishing Attack Impersonating C-Suite Targets Junior Employees at Law Firm
By Charles Brook
10 February 2022
In late January 2022 a specialist law firm was the target of a spear phishing campaign flagged by Tessian Defender where the threat actor attempted to impersonate the Chairman of the firm. Leveraging common social engineering tactics, the threat actor then targeted the firm’s junior employees. This is known as CEO Fraud.
Impersonation attacks are becoming a mainstay for threat actors. Based on our investigation into the 2021 spear phishing landscape, we determined that 60% of the malicious emails seen in Tessian’s network relied on generic impersonation techniques, including freemail impersonation and Display Name Impersonation. An additional 30% relied on more advanced impersonation techniques, including direct impersonation such as domain spoofing, direct spoofing and account takeover (ATO).
The Attack
The attacker leveraged the name of the chairman and used a freemail domain. Display name and domain name impersonation spoofs accounted for 4.9% of all malicious email detected and prevented by Tessian in 2021.
Email Content:
Sender Address: <Name of Chairman>.<Website Domain>@gmail[.]com
Display Name: <Name of Chairman>
Subject: <Name of Chairman>
Body: Asking if recipients have time available; expressing a sense of urgency
Links & Attachments: None
The threat actor registered an email address using Gmail and chose a username that contained the name of the law firm’s chairman, together with the domain used for its website. They also changed the display name associated with the account to match the name of the chairman as it appeared on the firm’s website.
After that, the attacker drafted an email with a generic message containing a call to action, asking the recipient “are you available?”. It was sent to more than 200 individuals at the firm.
The email did not contain links or attachments when it was sent, just the message added by the threat actor. This indicates intent to engage in social engineering via correspondence with recipients.
This style of phishing usually leads to the threat actor trying to convince the recipient to send money or share information that could be leveraged for a more advanced phishing attack. This low-effort phishing attempt illustrates why social engineering now accounts for 70-90% of all successful breaches.
In other cases it can involve sending a few messages back and forth to establish a baseline of trust, before sending a malicious attachment or URL in subsequent emails. Having established trust, the recipient is more likely to click without feeling much concern or suspicion. This also explains why advanced social engineering threats bypass detection by legacy Secure Email Gateways (SEGs): either the name and domain spoofing is sophisticated enough to pass, or the malicious payload is simply not present in the initial email.
The Approach
The majority of phishing attacks using this approach come from addresses registered by a threat actor, looking something like “partner1234@gmail[.]com” or “manager5678@hotmail[.]com”.
Attackers use freemail accounts because of their utility in carrying out attacks and their zero cost. Freemail accounts that deliver malicious payloads via a proxy server are also notoriously difficult to trace for attribution. Accounts like this will continue to be used to target multiple organizations.
In the case of this attack the address was created as “<Name of Chairman>.<Website Domain>@gmail[.]com”, which indicates deliberate intent to target this firm specifically.
The fact that the threat actor sent the email to more than 200 junior members of the firm indicates a higher level of planning and reconnaissance than these types of attacks typically involve.
Our research confirms that law firms are targeted 31% of the time for impersonation-style phishing attacks. Firms tend to post details of most employees on their websites, including names, email addresses and positions held. Many are also active on networking platforms like LinkedIn. This makes reconnaissance very easy for threat actors.
In the case of this impersonation campaign, the threat actor will have found the firm’s people page, searched for a senior individual to impersonate, then filtered down to the more junior individuals to target.    The C-Suite was impersonated in this attack to amplify the call to action in the messaging and to increase the sense of urgency felt by the targets. Likewise, junior employees were targeted in this attack because they were possibly seen as being more likely to comply with instructions received from senior management.    Another hypothesis could be that the threat actor was seeking to gain more information to wage a secondary spear phishing attack, targeting more strategic positions in the firm such as the finance department.
Real-time, comprehensive email protection
Tessian was able to detect the phishing techniques deployed by the threat actor for this campaign. Tessian recognized the law firm’s domain in the local part of the email address and the name of the chairman in the display name. It also detected suspicious keywords indicative of an urgent call to action, which included “are you available?” and “quick”.
Tessian also detected that the address used by the attacker had not been observed in historical emails sent to anyone at the law firm.
Many of the recipients at the law firm responded to the in-the-moment security warning message from Tessian and confirmed that the email was actually malicious.
All it takes is one click.
This example underscores the relentless pursuit of threat actors, attempting to gain access to an organization’s crown jewels. As attacks become more advanced, a defense-in-depth approach to email security is required. Leveraging email security solutions that have behavioral detection and in-the-moment security awareness training capabilities is now table stakes for securing your email ecosystem.
Appendix: MITRE ATT&CK Framework
The tactics and techniques used by the threat actor can be inferred up to the point the email was received.
TA0043: Reconnaissance – https://attack.mitre.org/tactics/TA0043/
T1591: Gather Victim Org Information – https://attack.mitre.org/techniques/T1591/
T1591.004: Identify Roles – https://attack.mitre.org/techniques/T1591/004/
T1589: Gather Victim Identity Information – https://attack.mitre.org/techniques/T1589
T1589.002: Email Addresses – https://attack.mitre.org/techniques/T1589/002
T1589.003: Employee Names – https://attack.mitre.org/techniques/T1589/003
The threat actor carried out reconnaissance activities against the target’s website. Here they identified the key individuals to impersonate and target. Using the people directory available on the website they were able to identify the chairman of the law firm to impersonate via email and get a list of names and email addresses for associates at the firm to target.
TA0042: Resource Development – https://attack.mitre.org/tactics/TA0042
T1585: Establish Accounts – https://attack.mitre.org/techniques/T1585/
T1585.002: Email Accounts – https://attack.mitre.org/techniques/T1585/002/
After identifying a high-ranking member of the firm, the threat actor registered an email account with Gmail. They created an account with a username containing the name of the chairman of the firm as well as the domain used for the firm’s website. They also changed the display name associated with the account to that of the chairman.
TA0001: Initial Access – https://attack.mitre.org/tactics/TA0001
T1566: Phishing – https://attack.mitre.org/techniques/T1566/
With a free email address registered, a senior staff member to impersonate and a list of victims to target, the threat actor sent an email to more than 200 associates at the firm. The email contained a message explaining they were the chairman of the firm and wanted to know if the recipient was available to help them quickly.
TA0005: Defense Evasion – https://attack.mitre.org/tactics/TA0005/
The threat actor avoided detection through conventional means by registering a new email address and not including a malicious link or attachment in their initial email. SEGs typically rely on known IOCs to be able to detect malicious activity. Since there was no attachment or URL in this case, there was nothing to scan or look up the reputation of.
MITRE D3FEND Framework
Most of the techniques used by the threat actor were reconnaissance-based and occurred at the pre-compromise phase, outside the scope of typical defenses and controls, meaning they could not be easily mitigated without advanced email protection.
Detect – https://d3fend.mitre.org/tactic/d3f:Detect
D3-SRA: Sender Reputation Analysis – https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis
Sender reputation analysis can be used to detect unwanted or malicious emails by analyzing information about the sender. This can include information accumulated over time, such as the number of emails received, the number of recipients, the number of emails replied to, etc.
The problem with this attack is that the email address used by the threat actor will likely have been recently registered with a reputable freemail service and would have been unseen by the law firm before. This means there is limited information available to determine the sender’s reputation. Detection can be done on the basis that the email address has not been seen before; however, with legacy email security controls this type of detection can generate high levels of alerts and false positives.
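The signals listed in the detection section above (firm domain in the local part, display name matching an executive, freemail sender, urgency keywords) together with the never-seen-before sender check from the D3-SRA discussion can be combined into one scorer, so that the weak "unseen sender" signal only alerts in combination with stronger ones. This is an added example, not Tessian’s detection logic; the organisation domain, executive directory, keyword list, sender history and sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Constructed organisation profile standing in for the law firm.
ORG_DOMAIN = "example-law.com"
EXECUTIVES = {"jane doe": "jane.doe@example-law.com"}   # name -> real address
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URGENCY = ("are you available", "quick", "urgent", "asap", "right now")
# Generic role-plus-digits local parts like partner1234, as in the post.
GENERIC_LOCAL = re.compile(r"^(partner|manager|director|ceo|chairman)\d+$")
# Constructed history of senders already seen by the organisation.
HISTORICAL_SENDERS = {"jane.doe@example-law.com", "counsel@client.example"}


def normalise_name(name: str) -> str:
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def assess(from_header: str, subject: str, body: str,
           seen_senders: set[str] = HISTORICAL_SENDERS) -> dict:
    """Score one message on the signals described above and return the
    signals plus a verdict; three or more signals triggers a warning."""
    display, address = parseaddr(from_header)
    address = address.lower()
    local, _, domain = address.partition("@")
    signals = []

    if domain in FREEMAIL:
        signals.append("freemail sender domain")
    # The attacker account in this campaign embedded the firm's own web
    # domain in the local part of a freemail address.
    org_label = ORG_DOMAIN.split(".")[0]
    if ORG_DOMAIN in local or org_label in local.replace(".", ""):
        signals.append("organisation domain embedded in local part")
    if GENERIC_LOCAL.match(local):
        signals.append("generic role-plus-digits local part")
    name = normalise_name(display)
    if name in EXECUTIVES and EXECUTIVES[name] != address:
        signals.append(f"display name matches executive but address "
                       f"is not {EXECUTIVES[name]}")
    text = f"{subject} {body}".lower()
    hits = [k for k in URGENCY if k in text]
    if hits:
        signals.append("urgency keywords: " + ", ".join(hits))
    # Weak on its own (every new contact trips it), useful in combination.
    if address not in seen_senders:
        signals.append("sender address never seen before")

    return {"signals": signals,
            "verdict": "warn" if len(signals) >= 3 else "ok"}


if __name__ == "__main__":
    # Constructed message mirroring the campaign's CEO-fraud email.
    print(assess('"Jane Doe" <jane.doe.example-law.com@gmail.com>',
                 "Jane Doe", "Are you available? I need a quick favour."))
```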
ATO/BEC Email DLP Human Layer Security
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
By John Filitz
09 February 2022
Recent market developments in email security signal that there is a new player in town. What had been considered a solved cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.
The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a welcome new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk
Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.
The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices. Threat actors are exploiting these developments by targeting the most common threat vector for a breach: phishing via email.
Secure Email Gateways (SEGs)
SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is largely because SEGs rely on adversaries exploiting common and well-known attack vectors.
SEG solutions sit in-line and filter all inbound email. SEGs use a threat intelligence engine combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific email security policies, block domains, and triage incidents, many of which are false positives due to the “wide-net” email filtering approach.
Given that the threat engine for SEGs also relies on known threats, threat actors can bypass SEG controls, for example by registering new domains combined with advanced impersonation techniques. That’s why Tessian saw 2 million malicious inbound emails evade SEGs in a 12-month period.
And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods of email-based data exfiltration, for example renaming document files to bypass manually orchestrated SEG DLP policy labels.
The key attributes of SEGs include:
- Designed to protect against commonly seen threats, i.e. mainstream phishing activity, malware and spam
- Redirection of mail via MX records pointing to the SEG, so that all incoming email is scanned
- Use of a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments
- Clawback ability for internal email only
- No ability to detect lateral movement by a threat actor that has breached the gateway
- Supplemental scanning solutions are often required to detect advanced inbound threats
- Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions
The main distinguishing characteristic of ICES solutions like Tessian, compared to SEGs, is that ICES solutions were born in the cloud, for the cloud. They are, however, also able to provide protection for hybrid and on-premise environments.
Using machine learning, and connecting via connectors or an API, an ICES solution’s algorithm develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to dynamically, and in real time, scan for and detect anomalous email behavior on both the inbound and the outbound side.
ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.
The key attributes of ICES solutions include:
- Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO)
- Require no MX record changes and scan incoming emails downstream from the MX record, either pre-delivery via a connector or post-delivery via an API
- Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and fewer false positives, i.e. less business interruption and more SOC optimization
- A banner can be added to an incoming email indicating the risk level of the scanned email
- Lateral attack detection capability
- Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered; post-delivery solutions claw back a suspected email determined to be malicious
- All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments
- Prompts the end-user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real time
- Some have advanced DLP capability
The evolution of the threatscape combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.    Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection. 
Want to learn more? See how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video, download our platform architecture whitepaper, or book a demo.