The number of cybersecurity threats is growing every day, increasing the need for comprehensive security monitoring, analysis, and communication. With the sudden explosion of remote workers, we are encountering even more challenges and reasons for concern. The attackers are taking full advantage in these trying times, and it is critical for the security community to pool our collective intel on the shifting threat landscape.
On April 16, 2020, Ed Bishop, co-founder and Chief Technology Officer of Tessian, joined a SecureWorld panel of industry leaders — Erich Kron, Security Awareness Advocate for KnowBe4, Elvis Chan, Supervisory Special Agent from the FBI, and Mark Lance, Senior Director of Cyber Defense for GuidePoint Security — to discuss emerging threats being experienced in the wild, and strategies for staying ahead of cybercriminals. The panel was hosted by Bruce Sussman, Director of Content and host of the weekly podcast, The SecureWorld Sessions.
Below is a truncated transcript of Ed’s responses to Bruce’s questions.
Bruce Sussman: What do you see as new or growing security vulnerabilities in the rush to work remotely?
Ed Bishop: Yeah, I was just going to chip in and just say with the work from home I think it’s really important to highlight how much of a change this is for the individuals as well. It’s not just about the technology. People’s lives have been turned upside down and everything is super uncertain. And what we’re seeing is people are just trying to take advantage of that with COVID-19-related attacks. They’re specifically targeting that uncertainty and the fact that people’s technology stacks are changing and that they’re expecting to get emails about new video conferencing or VPN software, and I just think it’s important to bring it back to thinking about the people or the end users and not just focusing on the technology and really this is where we’re going to stop getting security vulnerabilities. People just attacking that uncertainty and taking advantage of it.
Bruce Sussman: What do you see as current or emerging human-caused security risks on email?
Ed Bishop: We’re seeing a lot of emerging threats. I actually think it’s interesting because I think maybe a lot of these threats have existed for a long time, and it’s just been considered the cost of doing email. If you want to send email, you need to open yourself up to phishing attacks and you need to open yourself up to data exfiltration etcetera. And it’s only recently in the last five years that we’ve been thinking about this as the real threat and then we’re seeing these threats get more and more advanced. And that’s why I think we’re seeing the emergence of the term emerging. So yeah I think you break it down into how to think about a new threat… it’s about the Human Layer. People make mistakes on email so that means you can basically just accidentally send an email to absolutely anyone with very sensitive information. That’s one of the number one reported data incidents to the Information Commissioner’s Office in the UK.
People break the rules and this is around all kinds of data exfiltration. It’s about doing things on email that they’re not supposed to do. And then finally what we’ve just been discussing is people can get tricked into this and we’re seeing this a lot with COVID-19 attacks. But specifically this is all about Human Layer problems. It’s about understanding how people work, it’s about understanding their behaviors, it’s understanding their historical email data sets. Really it’s the only way that you can actually go about starting to tackle these emerging trends. We believe that kind of rule-based technologies do a good job at tackling standard threats, but for the emerging threats, the advanced threats, that we’re seeing today, you really need to take a different approach and that’s about understanding people, understanding their data points and really using and leveraging technologies like machine learning to be able to tackle these advanced threats.
Bruce Sussman: What role will Artificial Intelligence play in cybersecurity and any ideas on how criminals also use AI?
Ed Bishop: Tessian obviously is a machine learning company on the defense side so we think there’s a huge role to play for AI in detecting some of these emerging threats if we just bring it back to one of the core topics of this panel: email. I would say that there’s just so much work still to be done on the defense side that attackers don’t even need to be thinking about AI on the offense side.
It is quite frankly far, far too easy to send very convincing impersonation emails taking advantage of COVID-19 and just bypass existing technologies and get straight to the end user to take advantage of those human vulnerabilities and social engineering. Although we’re seeing very interesting things, I think DeepFake is a great example of where it’s truly being used on the offensive side. If we take it back to email where 91 percent of all cyberattacks originate, I think we’re going to see a lot of work on the defense side where attackers can just be using really simple phishing kits to bypass existing solutions.
Bruce Sussman: Interesting and so that’s why we have to have the machine learning and AI on defense. Is that what you’re saying?
Ed Bishop: Exactly. I think the legacy approach to tackling things like phishing and business email compromise is really predominately like Blacklist Space, where you have to assume the attack in a number of accounts or using basic respects or rules and quite frankly it seems if you introduce rules people are going to break those rules. Rules are made to be broken and attackers are constantly playing this game of cat and mouse. So yeah it’s all about defense, it’s understanding people, it’s understanding how they operate, what normal looks like for those end users and training machine learning models then that can detect people sending advanced impersonation emails.
Bruce Sussman: Are insider threats becoming more of a danger with the pandemic?
Ed Bishop: Yeah, I think that’s a great point that’s been mentioned. Obviously data exfiltration has been painted with quite a negative kind of brush and rightly so. But data exfiltration also covers people who aren’t necessarily being malicious, but they’re just trying to do their job and accidentally essentially breaking that IT policy. So to give you an example you’re working from home, how are you going to print something? Are you going to go through the headache of trying to set up your home printer with your work computer even though USB is disabled, Bluetooth disabled? You know what you’re probably going to do is you’re just going to forward that email to your freemail account, go onto your personal device and print it. You just exfiltrated data. Your data maybe traveled to another jurisdiction just due to that event. We are seeing a trend of not necessarily malicious data exfiltration but definitely an increase in data exfiltration because people are trying to do their job effectively. And their workforce hasn’t provided them with the technology to do that so they’re always going to just go to the path of least resistance, which is often to exfiltrate data to their personal email accounts.
Bruce Sussman: There are plenty of examples where the traditional cybersecurity methods prove ineffective. Why is this and will attackers always be a step ahead?
Ed Bishop: I think it’s a great point like why does it always feel like that they’re a step ahead. Remember that I think we always try and think of it at Tessian as a numbers game for the attacker: they can send 1000 emails and they only need one email for you to click that link, or for you to wire that money. Don’t forget that they probably sent 9999 other emails that were unsuccessful. But the point is all they need is one email to be successful and that’s why you will always hear about data breaches in the news and in the press. I think bringing it back to why traditional data security methods are ineffective, it really just comes down to this game of cat and mouse.
Putting myself in the shoes of the attacker, if I can go onto a security vendor’s website and go on to that wiki and see how to set up policies that are rule-based, what are the attackers going to do? They’re going to send an attack that just flies past those rules because they just got an expose what that technology is looking for and how they can prevent it.
I just also highlighted another kind of, I guess, traditional cybersecurity method, which is effective to some degree: Training and Awareness. But I think far too many companies rely on that as a silver bullet and again attackers know this. They know what people are trained against, they know the types of threats that people are trained against but there are just such sophisticated attacks out there that we cannot rely on people to detect. We need technology to do a better job and really understand kind of what normal looks like and be able to spot those anomalies.