Tessian Blog

Security teams are deploying an increasing number of security tools to defend against the rapidly evolving threat landscape and protect against data loss. Each security tool generates granular insights into a business’s cyber risks, events and incidents. Security teams at large enterprises typically manage 64 security tools on average, which leads to high overhead and little room for active investigation. Even with a comprehensive security stack, teams face increased need to gain consolidated visibility and improve their business’s cyber security posture. It is no surprise that a third of security teams (33%) feel as though they are being drained of time because of administrative tasks and 70% of SOC teams feel emotionally overwhelmed.  Cybersecurity has become a boardroom issue and needs to be communicated effectively to stakeholders throughout the business. Security teams find themselves spending over half their time producing reports across a number of different security tools in an effort to paint an accurate picture of their cyber security controls and their contribution to risk reduction.  Drowning in data?  The true value of a well curated security stack is amplified through consolidation of data from separate applications focused on specific security problems to form a holistic picture of an organization’s investment in the protection of their core assets and customers’ data.  Today Tessian has released an native application for Splunk® Enterprise and Splunk Cloud customers which allows security teams to ingest data from the Tessian Cloud Email Security Platform into their Splunk instance, enabling them to gain further visibility of security events across multiple tools in one place. As a well-established leader in Security Information and Event Management (SIEM) Splunk empowers organizations to collect, analyze, and visualize data at scale.  When customers consolidate Tessian’s email security data with other solutions within Splunk Enterprise and Splunk Cloud, it enables the streamlining of processes and workflows and provides a more contextualized and complete risk profile of their environment, down to the employee level.  The Tessian Splunk integration allows security events and more to be ingested into Splunk Enterprise and Splunk Cloud, and facilitate the following crucial use cases: Advanced threat analysis for email based attacks  Email continues to be one of the most significant risks in any organization. In 2022 phishing and business email compromise cost an organization, on average, $4.9 million per year—ten times the cost of DDOS and ransomware attacks combined.  Customers can leverage Tessian event data within Splunk Enterprise and Splunk Cloud to correlate email-based threats with other security events across an organization. Splunk collects and analyzes data from any source set up by the security teams, including network traffic, system logs, and endpoint security solutions, to create a comprehensive view of security threats. This holistic approach enables security teams to identify patterns and trends in cyber-attacks and potential risks for data loss, which can help to prevent future incidents and will accelerate diagnostics of the extent of any attack. Unified and Customizable Reporting  The ability to efficiently monitor, analyze and correlate every data point associated with a security event in one place is instrumental to enabling security teams to take a more proactive approach to tackling the issue of advanced threats and data loss on email. A unified view of cyber risk driven by clear reporting not only saves a security teams’ time but also improves cyber risk management.  The customizable dashboard building experience of the Splunk platform provides visibility into email security events, enabling security teams to quickly identify and analyze threats, whilst factoring in insights from other security tools. The dashboards and data views can be customized to meet specific business needs such as team, business or compliance KPIs, drive boardroom conversations and tactical decision making. Tessian customers have used the Splunk platform to triage email security events, prioritizing key actions for team members to efficiently and effectively manage their operations.  Ultimately, the Tessian Splunk Integration allows security teams to:  Gain a unified view of email security data within the context of data from many different security tools to provide holistic picture of threats to the business Save security teams hours on manual reporting, giving them time to focus on actions and investigations  Mature the reporting process with customized dashboards for risk committees, insider threat programs and executive teams  Build Tessian data into security operations workflows, automating threat team notifications, incident reviews and user follow ups By combining the Tessian Cloud Email Security Platform which protects against advanced threats and data loss on email, with Splunk software’s analysis and automation capabilities, security teams can significantly raise the efficiency of their threat and risk management processes.

Recently Tessian’s Threat Engineering Group identified an emerging threat detected by Tessian Defender targeting around 45 of our customers. The campaign was an email credential harvesting attack and was not detected by Microsoft Exchange Online Protection (EOP) when the attack began.  Anatomy of the attack The attack email was able to bypass legacy security solutions, like secure email gateways, as well as Microsoft 365. Let’s explore some of the reasons why it was able to do that: Firstly, the email was ‘sent’ by Amazon Simple Email Service (SES), which is a common tool leveraged by attackers to send automated attacks. However, the display name impersonated the company being targeted, no doubt attempting to add legitimacy, • The display name was actually dynamically generated, taking the first three letters of the recipient address and pretending to be the company name. • This is done to avoid basic aggregation and detection methods by secure email gateways and native security controls of email providers. • Looking at the subject of the email, it’s fairly innocuous, and again a rule in a SEG to flag the word ‘payment’ would trigger hundreds of false positives. • Finally, the body of the email itself is benign, simply stating “Please consider the environment before printing this email”. If anything, the attack attempt is a little too spartan in content, which might have raised suspicions in the user that received it. Let’s now look at the HTM attachment, which contains JavaScript, which is encoded (below) And when decoded twice it looks like this. Note that some of the content is still encoded. All this encoding and obfuscation is attempting to hide the fact that the script redirects the user to a credential harvesting form. The form is hosted on a domain registered one day before the first phishing email was seen on the Tessian network. What’s more, to add legitimacy, the customer’s logo is hosted at the top of the form. Remember, this attack went to several organizations, so the logo must be dynamic. It’s therefore likely that it was scraped by the attacker using automated tooling. The user the “username” field is already pre-populated with the recipient’s email address. Again, adding legitimacy and lower the amount of effort for the recipient to share their password. Finally, when the password is entered, it is posted to a PHP script hosted on the same domain. How did Tessian Defender detect this threat? So how did Tessian Defender stop this threat when SEGs and Microsoft 365 didn’t? Well, as well as detecting unusual file characteristics, Tessian’s Behavioural Intelligence models detected additional anomalies increasing our confidence score to 100/100. They are as follows:   The recipient company name was used in the display name.  The recipient has no historical relationship with the sender. Multiple emails were sent to each customer in a short period of time, to unconnected employees, this is known as a bust attack.  Tessian’s Natural Language Processing (NLP) models classified the email as being payments-related Depending on the specific customer configuration, Tessian Defender either hard-quarantined this email or displayed the following warning message to end users, coaching them and raising their security awareness Indicators of Compromise (IOCs) Tessian Threat Engineering Group reacted to add the below IOCs to the Tessian Unified Threat Interface. We recommend readers do the same Sender Address: jorgezamora@powderiverdev[.]com Credential Harvesting Site Domain: https://emdghouseltd4[.]pro Contributors: Ed Bishop and Catalin Giana.

As we explored 48 hours ago, the recent turbulence in the banking sector provided a potential opportunity for threat actors to launch attacks. So it comes as no surprise that we’re starting to see domains spun up for just such purposes. Tessian’s Threat Intel Team have been monitoring the situation as it unfolds, and found that multiple domains featuring both SVB and HSBC were registered. Malicious domains are being added to Tessian’s Unified Threat Feed to proactively protect our customers from future phishing attacks. What is interesting about this is that some are for legitimate, if a little unorthodox, activities like driving traffic, marketing and selling merchandise. It’s in this ‘fog of war’ that bad actors like to hide, and clearly some have been registered with attacks in mind. So let’s look at those first.  Siiiconvalleybank[.]com and siliconvalleybonk[.]com have clearly been set up to launch impersonation attacks, hoping people don’t notice those typos in the URLS. Other examples include myaccount-hsbc[.]com and thesiliconvalleybank[.]com. Meanwhile Svb-usdc[.]com and svb-usdc[.]net are both already set up to launch phishing attacks. Google is already blocking these and alerts any visitors to that effect. Exploring beyond that warning reveals a ‘lookalike’ site offering a reward program and clicking ‘claim’ opens a QR code. Fake URLs to drive traffic Some of the newly registered URLs are also being used to drive traffic. hsbcinvestdirect.co[.]in uses HSBC brand in order to gain more traffic for an Indian-based website with adult content. Meanwhile SVBlogin[.]com loads up All Day Capital Partners website offering to ‘help’ SVB customers. Many of the others are cybersquatting, no doubt hoping to sell on, while others registered but don’t contain any content or redirect, as if waiting to see how things pan out. Perhaps one of the oddest is svbbankrun2023[.]com, which hosts a merchandise shop selling SVB-themed items.   Tessian Recommends: The following list should be used as a blocklist at your own risk, but we advise adding the newly registered domains on a watchlist for monitoring purposes. Here’s a full list of SVB and HSBC URLs we’ve documented so far.    Hsbcsvb[.]com Siiiconvalleybank[.]com Login-svb[.]com Svbankcollapseclaimants[.]com Svbankcollapselawsuit[.]com Svblawsuits[.]com Hsbcinvestdirect.co[.]in Svbanklegal[.]com Svbankcollapse[.]com Svbankcollapseclaims[.]com siliconvalleybankfilm[.]com siliconvalleybankcrash[.]com siliconvalleybankcollaps[.]com siliconvalleybankcolapse[.]com siliconvalleyfederalbank[.]us silliconvalley[.]ink siliconvalleyfederalbank[.]net siliconvalleybank-usdc[.]com siliconvalleybonk[.]com ziliconvalley[.]sk siliconvalleybankcustomerservice[.]com siliconvalleybankhelp[.]com siliconvalleyentrepreneursbank[.]com siliconvalleybankcreditors[.]com siliconvalleyentrepreneurbank[.]com siliconvalleybankclasaction[.]com wwwsiliconvalleybankclassaction[.]com siliconvalleybankfailures[.]com siliconvalleybanksettlement[.]com siliconvalleybank[.]xyz siliconvalleybank[.]lol siliconvalleyfederalbank[.]biz siliconvalleyfederalbank[.]lol siliconvalleybankmovie[.]com siliconvalleybank[.]biz siliconvalleybn[.]com siliconvalleybanklawsuit[.]com siliconvalleybankclassaction[.]com siliconvalleybankreceivershipcertificate[.]com siliconvalleybankcollapse[.]com siliconvalleybust[.]com svbbankrun2023[.]com svbalternative[.]com svbankclassaction[.]com svbanklawsuit[.]com svb-cash[.]com svbfdic[.]com svbwiki[.]com svbcollapseexplained[.]com banksvb[.]com svbdeposit.fyi svbcollapse[.]net svbbailout[.]org fucksvb[.]com svbcoin[.]xyz svbchain[.]xyz svb-usdc[.]com svb-usdc[.]net svbfailure[.]com svbopenletter[.]com svbplaintiffs[.]com svbinfo[.]com svbbankrun[.]com svbrecovery[.]com svbmeltdown[.]fyi wefundsvbclients[.]com svbreceivership[.]com svblogin[.]com svbcollapse[.]com svbclaim[.]com svbdebt[.]com svbclaims[.]net svbbailout[.]com svbi[.]io svbank[.]com hsbcbdubai[.]com hsbc079[.]com hsbc757[.]com Hsbc736[.]com hsbc119[.]com hsbc719[.]com hsbc938[.]com Hsbc891[.]com Hsbc-premium[.]com Hsbckyc[.]com Hsbclogin[.]co Myaccount-hsbc[.]com Thesiliconvalleybank[.]com 1svb[.]com Circle-svb[.]com Svb2023[.]com Svbgate[.]com Svbtoken[.]com Svbnfts[.]com whatissvb[.]com

The recent banking turmoil involving Silicon Valley Bank and Signature Bank sent shockwaves through technology firms globally as they scrambled to transfer their capital, secure payroll, and pay their bills. However, this mass changeover in banking details is exactly the situation that breeds targeted cyberattacks. Although the swift intervention of The Federal Reserve, The Bank of England, HSBC and others helped calm the liquidity crisis, a cyber threat crisis is likely now brewing as threat actors spin up a host of impersonation attacks and campaigns. The Tessian Threat Intel Team has already seen dozens of SVB and HSBC-themed URLs registered, some of which are used to launch phishing campaigns.  Money, distraction, urgency Bad actors are driven by money. And there is a lot of money at play with this crisis. The streaming firm Roku indicated it has about $487 million in deposits at SVB. They are likely making changes now to diversify where they deposit this money and, accordingly, updating wiring instructions to reflect these new banking relationships. In their Q4 Risk Insights index, Corvus Insurance indicated 28% of all claims in Q4 2022 were due to fraudulent funds transfers. Threat actors relish the confusion and rapid changes that come with a crisis like this. The sheer number of updates to wiring instructions increases the chances that standard operating procedures around changing wiring instructions are ignored. Common operating procedures around changing wiring instructions might include (a) verifying the authenticity of each request by calling the person (using a known, existing phone number, not one provided in a new email) (b) implementing a call-back verification system for each vendor when any wiring instructions are changed, and (c) implementing dual control and multiple “eyes” on every wire change request. Tessian is already seeing genuine email traffic related to changing wiring instructions and expects to see advanced attacks leveraging this crisis soon. Finally, the scale of this crisis is huge and information about it is widespread. There are a large number of affected entities – Reuters published a list detailing not only the firms affected but their financial exposure – ensuring a target rich environment for the bad guys. Fraudulent (and genuine) wire transfers The top 2 common attack vectors with fraudulent funds transfers are (1) impersonation attacks and (2) targeted phishing attacks. In an impersonation attack, the bad actor impersonates someone or some company that is known to the organization. They will typically do this by registering a new domain name that is largely similar to the targeted company’s domain. In this example, the attacker registered a new domain name (salesciricle-receivables.com) which looks similar to salescircle.com. They are reaching out to the finance department at Acme to request a change in bank accounts for future payments. Sophisticated attackers will conduct research using publicly available information (10-K annual reports, LinkedIn blog posts, LinkedIn connections to the CFO or Accounts payable personnel, and any website mentions) to build a convincing approach.  A targeted phishing attack would use similar impersonation methods while attempting to gain access – either electronically with a username and password or via socially engineered approach – to implement a fraudulent funds transfer. In the below example, the attacker is impersonating a known, trusted domain and attempting to gain access to an accounts payable employee.  Recommended next steps Tessian’s Threat Engineering teams are monitoring our datasets closely for emergent threat signals and updating Tessian’s Global Threat Library and Behavioral Intelligence Model in response. Our existing Defender customers will automatically benefit from this protection. In addition, we are recommending the following steps to further protect our existing customers: Deployment hygiene: review your deployment coverage to ensure Defender’s protection is configured to apply to all mailboxes on all devices. Schedule a deployment health-check.  Enable warnings for money requests: for additional protection, Defender Customers can leverage Defender’s Custom Protection to detect and warn users when an email “requests money”.  Reinforce approval processes: work with your finance teams to revise and review your payment approval workflows, and consider adding an additional internal verification layer to account for the increased risk  How Tessian stops wire fraud attacks Built ready: The SVB crisis and other events like this are exactly the sort of thing Tessian was built to handle. Tessian covers fraudulent fund transfer attacks and other scenarios that are difficult to detect and that are often missed by legacy email security tools. Tessian is built to detect and prevent any variations of wire fraud attacks. Spotting imposters: Tessian catches thread hijacking attempts by looking for subtle indications of domain spoofing and small changes in behavior that suggest the sender isn’t who they say they are.  Custom protection: All Tessian customers have access to an additional layer of protection that allows them to educate users at the point of receiving a suspicious email including those involving fraudulent funds transfers. Defender’s Custom Protection gives organizations an additional layer of security by alerting users when an email triggers specified conditions. This provides further fine tuning around threats specific to your organization or specific groups within your organization. Proactive defense: As this situation evolves, Tessian’s Threat Engineering Team are closely monitoring incoming emails for new phishing tactics and upward trends in existing ones, continuously improving the breadth and accuracy of the protection we provide to our customers. Our threat intelligence team can also respond to new phishing campaigns in a matter of minutes by updating our global threat library, ensuring that all of our customers are protected against malicious sender domains and URLs. Guidance: While we may see more basic attacks leveraging the SVB crisis initially, threat actors will quickly evolve in sophistication to take advantage of the sheer volume of wire changes occurring to better target organizations. Legacy email security tools that use rules and policies are more likely to miss these attacks or report large numbers of false positives. Tessian’s guidance to our customers and anyone else is to expect a significant uptick in volume and in quality (more convincing) attacks on your employees over the coming weeks and months. See Defender in action (video) or request a free trial of Tessian to start detecting wire fraud attacks today.

With Business Email Compromise (BEC) attacks remaining the number one cybercrime in 2022, and 82% of data breaches involving humans – email continues to be the largest threat vector for any organization. The effectiveness of legacy gateway solutions like Proofpoint, Ironport, and Mimecast has come under scrutiny as organizations look to solve new security concerns in a cloud-first world. Organizations that have already begun adopting cloud-hosted productivity suites, like Microsoft 365, are finding an overlap in their native-security capabilities, which legacy email security solutions have traditionally addressed.  Microsoft has made significant strides in improving the native-security features built into their different licensing models. This allows security leaders to reduce cost and complexity within their security stack, as the email security capabilities offered by Microsoft 365 mirror that of a Secure Email Gateway (SEG):  Traditional Email Security URL & Attachment Protection Manual Investigation & Response Rule-Based DLP Policies  These overlapping capabilities have given security leaders a good enough option to move beyond legacy SEGs, but understanding what is included within each Microsoft licensing model is key to effectively securing an organization’s email environment. Microsoft offers various packaging bundles and add-ons, allowing flexibility for security leaders to maintain the same level of protection offered by their legacy gateway solutions. Is good enough really good enough?  The global shift to a remote workforce has also opened up new threat vectors and emerging attack types that security leaders are still struggling to prevent. Round-the-clock access to sensitive data has increased the human risk of malicious, negligent, and accidental data loss. Attackers are leveraging social engineering to trick end-users by abusing trusted relationships. Relying solely on traditional detection methods to defend against advanced attacks and rule-based policies to protect against insider risk, is leaving organizations more vulnerable than ever before.  A more intelligent approach is needed. Organizations can continue to rely on traditional detection methods to filter out bulk phishing and spam, but simply put, scanning for malicious signatures based on known threat intelligence doesn’t stop the advanced threats that security leaders face today. There is, however, a solution. The advanced detection capabilities of an Integrated Cloud Email Security (ICES) solution close the gaps where legacy, rule-based detection or current Microsoft tools fall short. ICES solutions employ advanced machine learning to map an organization’s typical email behavior and detect unusual communication patterns, providing a more accurate defence against BEC attacks. In addition, ICES solutions can warn end-users of potential misdirected emails or instances of sensitive data loss. In this Solution Guide, we discuss the decline of legacy gateway solutions, how to reduce cost & complexity by migrating to Microsoft 365, and what email security capabilities are available in each Microsoft licensing package. In the end, readers will understand how Tessian + Microsoft 365 enables the most complete Integrated Cloud Email Security platform.

The Tessian Threat Intel team continues its focus on business email compromise (BEC) campaigns. We issued a Threat Advisory for a PayPal themed campaign we have been tracking since January.   The threat actors in this campaign are seeking to illicit payment fraud and potentially compromise credentials. Other key threats that we are focussing on include increasingly advanced methods for Account Takeover (ATO) and the persistent threat of email-delivered ransomware, including a spike of wiper-malware. Sign-up for our Threat Intel update to get this monthly update straight to your inbox.   Tessian Threat Intelligence has recently tracked and observed scammers, on numerous occasions sending emails with fake invoice payment requests from payment service providers such as PayPal. From early evidence we are seeing, online fraud campaigns are on the rise, with the potential to evolve to ATO based attacks. Although the primary targets are private consumers, we are likely to see similar attacks targeting vendors and suppliers in the enterprise. The increasing sophistication and targeted nature of attacks observed across the cybercrime landscape represent the maturation of cyber crime, with threat actors targeting specific entities rather than random targets. A number of these phishing attacks are leveraging open source information, as well as relying on information gathered from previous data breaches to identify high yield targets.   Tessian Threat Intel continues to track BEC and payment fraud campaigns with executive impersonation observed as a consistent theme.  Cryptocurrency payment fraud has already resulted in over $1billion in losses according to the FTC and is up 60x in 2021 compared to 2018. Ransomware-as-a-Service gang activity emanating from Russia is on the rise once again, with REvil re-emerging after an initial law enforcement crackdown. Wiper-malware is surging in 2022, first seen in Russian cyber attacks against Ukraine. Russian APT groups have been observed exploiting the Follina vulnerability.  Microsoft released a patch for Follina in June but we may see a spike in attachment-themed phishing abusing the vulnerability before the fix is widely implemented. Chinese APT groups have been using ransomware as a decoy to carry out espionage campaigns. Other attack campaigns that have captured our attention include the increasing phenomenon of voicemail themed phishing campaigns observed by Zscaler. We expect email delivered ransomware, including the growing prominence of wiper-malware to remain leading threats in 2022. A recently launched carding site ‘BidenCash’ gave away a list of stolen card details for free across darkweb forums to promote their store.   Having intelligent and layered cybersecurity defenses in place, particularly securing email and the endpoint, are critical for staying safe. Leveraging behavioral cybersecurity solutions that can detect sophisticated social engineering attempts is essential, as threat actors continually develop intelligent methods to bypass rule-based security controls. Practicing good cybersecurity hygiene and regularly testing your security controls, including business continuity and disaster resilience capabilities, are of fundamental importance to cyber resilience. Conducting in-the-moment and contextual cybersecurity awareness training on advanced email threats for your employees should be prioritized  – end-users are your first line of defense. To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Cybercrime is big business. But just how big? Well, big. A recent report from Cybercrime Magazine predicted cybercrime would cost the world $10.5 trillion annually by 2025. Bear in mind that estimates in 2020 were just over half that, at $6 trillion, and up from $2.9 trillion in 2015. So ,why is there a cybercriminal gold rush? And why are attacks getting increasingly more sophisticated, more numerous, and more successful? Legacy solutions are no match for today’s attacks   As we noted in our recent Spear Phishing Threat Landscape Report, attacks are getting more sophisticated and are bypassing traditional defense systems like rule-based Secure Email Gateways (SEGs). We know this because we examined platform data and found that between July 2020 and July 2021, Tessian scanned nearly 4 billion emails and flagged nearly 2 million as malicious. These emails sailed right past our customers’ Secure Email Gateways (SEGs) and native tools and would have left employees as the last line of defense if it wasn’t for Tessian. Not only that, attacks are getting more frequent. Cybersecurity Magazine estimated a new ransomware attack hits every 11 seconds.    Oftentimes, big problems (like paying out millions for a ransom) can be traced back to small oversights. Like not using Multi-Factor Authentication (MFA). This is particularly common in mid-market SMEs, despite the fact that Microsoft Research found that MFA blocks 99.9% of all automated attacks. As Dave Kennedy, Founder of TrustedSec said at our Spring 2022 Human Layer Security Summit, just 22% of O365 users have MFA enabled. And so attackers can target these firms much more easily. SMEs also have smaller budgets and headcount allocated to cyber compared to the enterprise. The result: 60% of SMEs file for bankruptcy within six months of a breach.  https://www.tessian.com/wp-content/uploads/2022/04/MFA-quote-Dave-Kennedy-Trusted-Sec.m4v Email is inherently flawed   If someone broke into your office, chances are you’d know about it quickly and do something about it. Unfortunately, the same doesn’t apply to many organizations’ networks and inboxes. From a simple way of sending asynchronous ASCII messages between user accounts on an academic network in the 1970s, email has grown into a world-devouring beast that is the very backbone of commerce and information exchange. Over 7 billion users globally send and receive 333.2 billion emails a day. Such a vast user base means email is the number one threat vector.  After all, for many, moving data via email IS their job. What’s more, email is on all our devices: desktops, tablets, and phones. But as Will Patterson, Enterprise Customer Success Lead, notes in this webinar, email has some inherent problems when it comes to security. Firstly, it’s open (in that you can email anyone) and secondly, email attacks are cheap to deploy; they’re effective and can be launched from anywhere. A big audience and low entry bar make it the ideal medium in which to conduct attacks.   It’s no wonder 90% of phishing occurs via email. Cybercrime pays out – big time   Cybercriminals continue to attack because those attacks continue to be successful, netting potentially hundreds of thousands of dollars from companies for little effort and risk (compared with other types of crime).    The international nature of cybercrime adds another layer of complexity and helps shield attackers from law enforcement. According to the FBI, in 2021, BEC scammers made over $2.4 billion – far more than via any other type of cybercrime. Of course, the cost to the company isn’t just these initial losses, it’s the further costs of containing, reporting, and remediating the breach. IBM currently puts the cost to businesses at $4.24 million per breach.  It’s faster, easier, and cheaper than ever to execute attacks   With such a big potential target group, attackers are using automation and off-the-shelf tools to not only launch attacks but process the data they exfiltrate in the process. And as James McQuiggan, Security Awareness Advocate at KnowBe4, said at our Fall Human Layer Security Summit, “the bad guys are buying the same hardware and software configurations we’re using – they’re then testing their attacks and then see what gets through”. So if criminals are automating many of their repetitive processes, you should too.   Not only that, but it’s also easier and cheaper than ever to execute attacks, and technical skills are no longer required. There are numerous tools, platforms, and services that make executing attacks as easy as building a webpage. The following open-source intelligence (OSINT) apps and tools can be used to gather precise information about a person’s social media details, location, and their work email address, making it impossibly easy to identify and manipulate a target.   Security teams are burned out   Against this cybercrime tsunami stands the CISO and the company’s security team, and the daily battle to keep employees and the organization safe. That’s taking its toll on security teams, who are often stressed and burned out. Our Lost Hours Report found CISOs regularly working extra hours and overtime to keep the company secure from threats.    The CISOs we surveyed worked, on average, 11 hours more than they’re contracted to each week. Nearly 1 in 10 work 20-24 hours more a week. What’s eating up that time is dealing with potential breaches. A quarter of respondents say they spend 9-12 hours investigating and remediating each threat caused by human error, while more than 1 in 10 spend more than a day.    A global study by The Ponemon Institute found that the average amount of time required to identify a data breach is 197 days. that’s over six months. It then takes another 69 days on average to contain and deal with the fallout of that breach. Better alerts and warning systems, as well as swift procedures in place to respond to them, are a must. Over six months is more than enough time to wreak havoc in a network. In medicine, there’s the concept of ‘the golden hour’, security needs to aim for a golden 24 hours because the faster an organization can respond the better and faster its recovery will be.  Employees are busy, stressed, and distracted   The modern workplace is a fuzzy blend of devices (laptop/phone) and locations (home/office/coffee shop etc) with people constantly switching between them trying to juggle, on average, around 100 emails a day. You can see why our Psychology of Human Error report found that 26% of people fell for a phishing email at work in the last 12 months alone. People are maxed out trying to do their jobs, and it’s exactly this pressure that attackers are looking to exploit and manipulate, which underscores the important of building a positive security culture alongside HR.   So, as cybercrime is becoming more and more profitable, here’s what you need to do to strengthen your security stack and keep your people and organization safe:   Layer up your security stack with Integrated Cloud Email Security (ICES) to augment your SEG Implement better email monitoring Automate repetitive security tasks Improve your response time and processes Work with the people team on fostering a positive security culture and engaging security awareness training programs And don’t forget to switch on MFA ASAP!

It’s a fact that C-suite executives are high-profile targets. According to Verizon’s Data Breach Investigations Report, a C-level executive is 12 times more likely to get phished than a junior employee.    Why? Because when you control the head you can control the body. Hack a CxO, and you have the power to command subordinates with requests such as wire transfers, account access resets, network access, corporate credit card details, and company financial functions.    So how can you help better protect your C-suite from attacks?    In former roles, a current Tessian employee used this training technique to test the c-suite’s resilience to an attack and improve their security awareness. Here’s how you can run this experiment on your c-suite; we’ve anonymized and edited some of the details for security and clarity. The technique   The target for the attack is a CxO or another highly senior person in your company. Your first step is to send a ‘spoof’ email from one of the senior VPs on the team to the target. For real attackers, finding the targets is easy enough as most companies list out their senior team on their websites, sometimes even complete with links to their LinkedIn profiles. And even if the information isn’t available there, it’s easy enough to find with a quick Google search or browse around social media.  The message you design from the spoof account has to say something along the lines of “Hey Tom (CxO), Dick here, Harry (another real VP on the team) is being a blocker and I need this out ASAP, can you just take a look at this work he sent me.”    The ‘work’ is of course a document containing the malware. Phrased in this way there is an extremely high probability that Tom, the CxO, will open that attachment. As our anonymous employee explains, “you don’t even need to hack a VP account, you can simply spoof it. I’ve had clicks on this with email metadata that clearly does not match.” The psychology of why this is so effective   Why this works so well, despite not being a particularly technologically sophisticated technique, is all to do with human nature and the power dynamics found in the top tier of organizations. The message is ‘validated’ because it is supported in the target’s mind by using a bond of trust the CxO has in Harry, the innocent VP. But the attacker is borrowing that trust bond to psychologically ‘authenticate’ the email with the target.  This is textbook social engineering, which is the technique of manipulating the victim’s natural emotional responses and reactions. Which is why we see other classic ingredients common in phishing attacks like a sense of urgency (I need this ASAP) and a cry for help or a perceived problem that only the target can rectify. After all, there’s some evidence that humans are born with an urge to help.  Why do senior leaders fall for this?   This exercise manipulates the tendency for senior leaders to overvalue trust bonds from people closest to them and undervalue potentially conflicting information coming from those far below in the org chart. The fact that the message appears to have come from two people that the CXO talks to all the time means they will tend to overvalue communication with them. Furthermore, the message is contextualized around potential turbulence in the relationship dynamic within that inner circle, rather than an external generic ‘your accounts been suspended’ phishing attempt. This only adds to its legitimacy.    As for that relationship turbulence, our recent psychology of Human Error 2022 report found that people make mistakes when they are in highly emotional states. Catch the CxO when they’re distracted, stressed or working quickly and the odds of them clicking only increase.  Finally, traditional SAT training for the C-suite often means they’re aware of it’s deployment across the organization, making it even harder for them to experience a genuine attack moment. Advice for running this experiment in your organization   If you’re looking to run this phishing test on your team, there are two important principles to consider. The first: don’t cause chaos on your own network. The second: this is about building relationships with the security team, not about adversarial content. “The most important thing is consent,” advises our employee. All too often companies run phishing programs that don’t involve other people and teams before they start their campaigns.    To do this successfully, you’ll need to define parameters such as:   Who is this test targeted at? What will the message describe? What am I allowed to include in the payload? Between what dates will I run the test and at what time? What happens after the click?   That last one is perhaps the most important. What program will you have in place for those who fall for the phish? Remember, these are high-profile people with limited time, so your response has to be concise yet impactful.    Consider scheduling a face-to-face 15-minute discussion where you can explain how the attack worked and what the employee should do in the future. Be sure to  back this up by evidence and statistics on what happens when a C-suite member gets hacked, and what the impact is on the organization. The aim is to connect their click event, with specific actionable risks being brought into the business.  Technology can help, too. Tessian Defender would have detected this social engineering attack as the metadata in the email address wouldn’t have matched the legitimate address. Defender could have quarantined it for SOC analysis or alerted Tom, the CxO, in real-time with an ‘in the moment’ notification.    Learn more about how Tessian detects and prevents BEC attacks, ATO attacks, CEO Fraud, and other advanced email threats by watching our product tour, or book a demo to learn more. 

The Cyberseek heatmap shows there are over 500,000 cyber job openings in the US alone, and globally over 3.5 million.. With so many unfilled vacancies there must be a skills shortage, right? I’m not so sure. I think our perceived talent and skills shortage is largely self-inflicted because as an industry we’re sadly terrible at hiring, growing, and retaining people.  Too many organizations are chasing a finite number of senior-level people which results in two critical problems. The first is self-inflicted: over the past decade as an industry, we have failed to grow enough people from entry and mid-level positions into senior level roles. The second thing is that many organizations believe they can only hire senior talent rather than grow and retain the talent they already have. If we don’t invest in people earlier in their career, we will never have the talent pool our collective job postings demand. The problem with hiring only senior talent   We tend to spend a lot of time and energy looking for “unicorn hires”. These hires can take months of our energy and attention for each role. In aggregate, we risk incurring opportunity costs that prevent us from  growing a person – or several people – into these capabilities. Of course, the security industry is not the only offender. Many technical roles outside of security are subject to the same type of bad behavior. We allow ourselves to create job postings with requirements that are sometimes impossible – like requesting 10+ years experience in a technology that has literally only existed for five.    So why are situations like this happening? Despite good intentions, a recruitment team supporting a security team without enough investment of time and partnership from the engineering managers is going to get these things wrong. It’s not their fault, but a clear indication that we need to be better together. https://www.tessian.com/wp-content/uploads/2022/03/josh-audiogram.mp4 I challenge hiring managers to answer this important question: Describe the specific skills and experiences that 5-10 years of experience mean to you?    When I ask this, one of two things happens: they either can’t answer it – which is a good indicator that it shouldn’t go in the job description – or they can, and this becomes the start of better job requirements. Chronological time doesn’t tell us all that much about someone’s capabilities, how they grew (or didn’t), or what they’re good at.   Instead, we should be focussing on things like core experiences, history of growth, skill sets, and capabilities. That’s what we should switch our requirements and expectation language to. So we should seek people who have specific experiences or capabilities, such as leading specific team sizes, adapting to rapid change in a high growth organization, or have navigated significant technology migrations. These are more equitable, measurable, and useful capability assessments that don’t rule out qualified candidates by setting minimums for years of work experience. Reminder: if a team runs itself for six months while you hire a manager, you shouldn't be hiring, you should be promoting. — Matt Wallaert (@mattwallaert) November 18, 2020   The great resignation   We’ve covered the great resignation/re-evaluation/migration previously on this blog. But even before this movement, we were already seeing an average ‘in role’ time of just 18 to 36 months for many security individuals. That’s a high turnover, and The Great Migration has only increased it. Senior decision-makers across the US report an average security staff turnover rate of 20% according to research from ThreatConnect. Compare that to another study by Michael Booz that found that the global average for all roles was around 11%. Organizations should be focused on what it takes to keep people longer. To retain people, there are two key factors. First, people must have confidence that they can grow and gain value by staying within the organization. Second, they need to be able to experience recognition, and crucially – rewards, for their increasing value both in the market and in their organization. Too often we prioritize budget for new hires when the best option is to invest in the people we already have on staff and reward them before someone else does.    In my experience, not enough is done during the first two years of employment to give employees confidence that there is an ongoing trajectory for them in terms of growth, recognition, and rewards. And by the time we get to that two-year point, the first time that the organization hears about it is when they’re getting the resignation letter.    Sadly that is THE WORST time to attempt a growth and rewards conversation. Creating a better pipeline   Of course as people levelup and grow into new roles, you need new recruits. But many security leaders are reluctant to have their teams be the first stop in someone’s security career. However, there are plenty of security roles that are great places to get a start in security while applying relevant and overlapping skills from previous non-security roles.    There are very few cases where significant skill transfer from non-security to security roles is not possible. Some of the more obvious examples are IT system administrators becoming enterprise security engineers, software developers being successful in product security roles, etc. We need to look beyond these examples and expand our mapping of critical skills and capabilities to additional roles and backgrounds. Some of the most talented security professionals in our industry today come from much more diverse backgrounds. Some went to university to study linguistics, art, or math, and many never pursued higher education. Your next security hire could come from customer success, marketing, or human resources   One of the things we need to be more conscious of is that security roles don’t just need technical skill sets. In fact training people up in specific technical skills is relatively easy to do. Instead, we should be optimizing security roles for people who are making a job transition. Security teams can benefit hugely from the things that are NOT easy to train people up on, like emotional intelligence, personal relationship management, and communication skills.   I’ve done this myself. I supported hiring someone with a background in customer service for a security operations role. 90% of the job is still based on providing effective customer service and rapidly triaging problems to identify the most appropriate solutions; it’s just a different set of customers and problems. We can train people on how to use our technology and how to think about security. What’s much harder is training people to be effective communicators with empathy and the high emotional intelligence to provide exceptional outcomes while supporting people.    I’ll finish how I started, by saying again that, there isn’t necessarily a skills shortage in many cybersecurity roles. We’re just setting the requirements poorly, largely ignoring retention, failing to take advantage of skill transference opportunities from non-security roles, and not giving people the opportunity to grow. Want to Join us at Tessian and start or develop your security career? Check out our open roles. What’s it like to work here? Here’s 200 reasons why you’ll love it. Want to find out more about diversity and the cyber skills gap? Register for our up-coming LinkedIn Live.

The advancing sophistication of cybersecurity threat campaigns have brought legacy cybersecurity tools into sharp focus. Built for an on-premise world, these manual, rule-based approaches to cybersecurity are unable to ward off adaptive and increasingly intelligent attack methods.   On the other side of the coin are security leaders who are overwhelmed and overworked. This is largely due to the proliferation of threats, juxtaposed against managing their IT environments from a tooling and staff resource perspective.    Tool sprawl is reaching excessive levels that are simply impossible to manage. The average enterprise now has in excess of 45 cybersecurity tools deployed. Research shows excessive tools deployed leads to a decline of security effectiveness.    The bottom line: Increasing complexity warrants tool rationalization.    Keep reading to learn:   Why Secure Email Gateways (SEGs) have become redundant The powerful capabilities (and shortcomings) of Microsoft  The benefits of replacing your SEG with Tessian + Microsoft SEG redundancy   The effectiveness of legacy Secure Email Gateway (SEG) solutions is starting to receive due attention as email related breaches continue to snowball. Depending on the statistic cited, the email threat vector accounts for anywhere between 80-96% of cybersecurity attacks.   Replacing SEGs represents a high return, low risk optimization opportunity, due to declining security effectiveness and the high degree of redundancy in the enterprise.     SEG security effectiveness is declining for two reasons:    The majority of enterprises have adopted cloud hosted productivity suites such as Microsoft 365, which natively provide SEG capabilities including malware, phishing and URL protection. SEGs rely on static, rule-based approaches that are ineffective in safeguarding  email users and data from advanced threats.    Once a threat actor is able to bypass the SEG, they effectively have unmitigated access to carry out their threat campaign. This can (and often does) include Account Takeover (ATO), deploying exploit kits or more damagingly, delivering ransomware. And little protection is offered against insider threats – a growing concern.   The powerful capabilities (and shortcomings) of Microsoft    Microsoft 365, which includes Exchange Online Protection (EOP) and Microsoft 365 Defender, provides a reasonable degree of email security that effectively makes the legacy SEG redundant.   M365 on E5 licensing provides the following capabilities:   Anti-malware protection Anti-phishing protection Anti-spam protection Insider risk management  Protection from malicious URLs and files in email and Office documents (Safe Links and Safe Attachments) Message encryption via issued PKI Audit logging Quarantine Exchange archiving Microsoft alone, however, does not guarantee against advanced email threats. Significant gaps remain in Microsoft’s ability to protect against advanced social engineering campaigns that can result in business email  compromise (BEC), ATO, or zero day exploitation. And this is why these shortcomings are also reflected in Microsoft’s Service Level Agreement (SLA) exclusions, for example excluding guarantees against zero day exploits and phishing in non-English languages.    Microsoft + Tessian = Comprehensive security   This is where a next-gen behavioral cybersecurity solution like Tessian comes into play, providing advanced automated email threat detection and prevention capability.   With Tessian, no mail exchange (MX) records need to be changed. Tessian is able to construct a historical user email pattern map of all email behavior in the organization. The best-in-class algorithm is then able to detect and prevent threats that Microsoft or SEGs have failed to detect within 5 days of deployment.    This dynamic protection improves with each threat that is prevented, and unlike the in-line static nature of SEGs, it ensures 24/7 real time protection against all attack vectors, including insider threats. That is why the leading enterprises are opting for displacing their legacy SEG and augmenting Microsoft’s native security capabilities with Tessian.    Tessian Defender’s capabilities include:   Advanced Spear Phishing Protection Advanced Attachment and URL Protection   Internal Impersonation & CEO Fraud Advanced Spoof Detection Counterparty & Vendor Impersonation  Brand Impersonation External Account Takeover Invoice FraudBulk Remediation Automated Quarantine  Threat Intelligence No black box threat visibility and intelligent risk mitigation   Beyond the cost and resource optimization realized by removing SEGs, Tessian clients see significant efficiency gains in the SOC due to the high degree of automating triage and the enablement of a distilled view on the threats that matter  –  finding that needle in the haystack, in real time and in context.    For example, with one-click, SOC analysts can bulk remediate high volume phishing campaigns (aka burst attacks) that are targeting the organization as they happen. Suspicious emails are also automatically quarantined, with threat remediation context provided.    The platform provides a single pane of glass, giving security and risk leaders visibility of how cybersecurity risk is trending in their organization and the types of threats thwarted, down to individual employee-level risk scoring. Context aware security awareness training  The context-aware security capability of Tessian extends to providing in-the-moment security awareness training to employees. The real-time security notifications flag suspicious and malicious emails received, offer a clear explanation, and provide education to employees in real time. Most enterprises experience a 30% click through rate (CTR) on simulated phishing exercises – including our clients prior to deployment. Tessian clients see simulated phishing exercises returning a less than 5% CTR after deployment – illustrating the effectiveness of Tessian’s security awareness training. Stopping threats, reducing complexity    Tessian enables security teams to focus on mission critical tasks rather than manually and retroactively triaging already occurred security events. Legacy email security approaches relying on SEGs simply no longer have a place in an increasingly crowded cybersecurity stack. By leveraging Microsoft 365’s native capability together with Tessian, presents an opportunity for security leaders to improve security while reducing complexity. This is why according to a Tessian commissioned Forrester study, 58% of cybersecurity leaders are reevaluating legacy email security tools and approaches, and why 56% will be investing in behavioral email security solutions with automated detection capabilities.

Traditionally, security leaders view of  nation-state attacks has been ‘as long as you’re not someone like BAE systems or a Government, you’re fine’ But in the last three years nation-state attacks doubled in number to over 200… and we’ve yet to see the full cyber impact of the war in Ukraine. Consequently, nation-state attacks are something all security leaders should be aware of and understand. Here’s what you need to know. How a nation-state attack differs from a regular cyber attack    Nation-state attacks are typically defined as APTs, or advanced persistent threats – a term first defined in 2005. They are referred to as advanced because they have access to exploits and techniques that are more professional, more effective, and more expensive than the average criminal actors.   Nation-state attackers can have teams full of people that can work a 24-hour shift and handoff every 8 hours. There’s also the question of the duration of an attack. APTs play the long-game, and can sometimes take 18 to 24 months before any compromise takes place. The bottom line: nation-state hackers have the resources to wait for the perfect moment to strike. What are the aims of a nation-state APT attack? With the nearly unlimited money and resources of a nation-state , nation-state attackers can try every technique and tactic available until they eventually accomplish their goal. And those goals are nearly always political rather than purely criminal. APT attacks generally aim to do one of the following:    Exfiltrate data containing military secrets or intellectual property Conduct propaganda or disinformation campaigns Compromised sensitive information for further attacks or identity theft sabotage of critical organizational infrastructures  Russia blurs this line in that they use criminal activity in furtherance of political goals, and have been for years. They also have an APT set whose objective is essentially disruption and discord, so that security teams and government agencies don’t know where to place the defense resources. Which businesses are most at risk from a nation-state attack?  A sector all threat actor groups are interested in is Cleared Defense Contractors (CDCs). CDCs are businesses granted clearance by the US Department of Defense to access, receive, or store classified information when bidding for a contract or other supporting activities.   One of the first APT attacks against CDCs was Titan Rain in 2003. Suspected Chinese hackers gained access to the computer networks companies such as Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA, as well as UK Government departments and companies. What’s more, it’s believed that they were inside the network for over three years.  Infrastructure companies are also popular targets. US infrastructure companies such as Colonial Pipeline have been getting hit more and more frequently, and Ukraine suffered a power grid outage in 2015. And banks – especially national banks – are under continual attack, and in light of the recent removal of Russia from the SWIFT payment system, western banks are presumed to be under increased threat in retaliation. Softer secondary targets   Although traditionally, targets with connections to the military bore the brunt of APTs, there are signs that this is spreading to other industries. In 2021 Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber-attack used previously unknown exploits to infiltrate Microsoft Exchange Server software, so it’s reasonable to assume that if you have tangential connections to a political target of one of these countries, then you could be at risk. As KC Busch, Tessian’s Head of Security Engineering & Operations explains “APTs might need to spend a million dollars to compromise their direct target. But if they can find a law firm connected with that target that doesn’t encrypt outbound comms or has adequate email protection, then they’re going to go for the law firm rather than the million-dollar target”   This underscores the importance of not just your own cybersecurity posture, but that of every organization in your network or supply chain. You’re only as strong as your weakest link..  The phases of an APT attack   APT attacks come in three phases.    First, there’s network infiltration, typically achieved through compromised credentials. If compromised credentials aren’t an option, or defenses are particularly robust, nation-state attackers might use a zero-day attack. Countries can have teams that will research and write their own zero-days, but more commonly, they will buy them from a gray market of third-party companies that aggregate exploits and sell them without much ethical thought of how they’re used.    This murky world of zero-day exploits and the people that broker them to Governments and security agencies was chronicled by Former New York Times cybersecurity reporter Nicole Perlroth in her recent book, ‘This Is How They Tell Me The World Ends’. Perlorth’s book highlights how for decades, US government agents paid thousands, and later millions of dollars to hackers willing to sell zero-days, and how they lost control of the market. The result is that zero-days are in the hands of hostile nations, who have money to purchase them and a need to deploy them as they’re becoming rarer and more expensive.    The second phase is the expansion of the attack to spread to all parts of the network or system. As we’ve mentioned, APT attacks are not hit-and-run. With time on their side, hackers can wait patiently in the network before gaining full access and control of it.   Thirdly, there’s the attack itself. This could involve collecting data and exfiltrating it, or disrupting critical infrastructure systems. Furthermore, several APT attacks have started with a distributed denial-of-service (DDoS) attack which acts as a smokescreen as data that’s been amassed over what could be months or years is exfiltrated.  Notable nation-state attacks The most sophisticated: Stuxnet is widely believed to have been developed by the USA and Israel for use against Iran’s uranium enrichment program. It disrupted the plant’s uranium centrifuges by varying their spin rate, but not enough to cause them to shut down. Furthermore, false data was displayed back to the controller, so employees thought everything was business as usual.. Designed to be delivered by an infected USB stick, it could cross the air gap that protected the plant. However, it got out into the wild when an engineer took his infected laptop home from the plant, and connected it to the internet.   The biggest: 2015’s Anthem breach (China was reported to be behind it) saw the sensitive personal data of approximately 78.8 million Americans fall into the wrong hands. Brian Benczkowski, the assistant attorney general in charge of the Department of Justice Criminal Division, called the Anthem hack “one of the worst data breaches in history.”    The data wasn’t ransomed back to the company, and the reasons for the attack remain unclear. By 2019 the DOJ unsealed an indictment charging two Chinese nationals for the attack, but an indication of the alleged hackers’ motives or affiliation was noticeably absent. Current thinking is that it will be used for identity theft or to identify interesting individuals or Government employees for further exploitation and attack. Only nation-states have the resources to process that much intel and find the 100 or so people whose credentials can be further targeted. As for Anthem, the breach cost them over $40 millionto settle the resulting claims, and clear up the mess.  What’s the future of nation-state attacks?    The Anthem breach and others led to a very loose set of guidelines on what is, and what is not, acceptable. This was hammered out between former President Obama and President Xi Jinpingof China in 2015, but none of this has the force of law like the Geneva Convention. And with an actor like Russia currently in a highly aggressive position, it’s reasonable to expect an escalation until desired political goals are achieved.  Attack types are likely to evolve, too. One example: wipers.. Unlike ransomware, where you pay the money and (hopefully) get your data back, a wiper will display the message as it’s erasing all your data. They’re a class of malware that have a narrowly targeted use, but if someone decided to let those loose, the damage could be astronomical. And worryingly, they’ve already been spotted in Ukraine. How to protect your organization from nation-state attacks The federal Cybersecurity & Infrastructure Security Agency (CISA) posted a bulletin, titled “Shields Up,” which includes an evolving overview of the current cyber threat environment and specific steps that organizations, corporate leaders, and CEOs can take to bolster their cyber defenses. We have more on those recommendations, as well as how to foster a risk-aware culture, in this blog post. Enacting these defenses and upskilling your team is the best way to protect your organization from Nation-state attacks.   For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Phishing, spear phishing, smishing, vishing, and several other *ishing techniques all aim to do one thing: convince targets to reveal information which is either valuable in itself and can be ransomed or sold, or can be used to access financial systems to transfer money.   That information could be account logins, bank details, customer information, or personal identifiable information (PII).  Types of phishing attacks Phishing is a numbers game; hackers send hundreds or thousands of messages in the hope that even just oneeee person is distracted enough to click.    That’s why a lot of attacks leverage popular culture. For example, when the smash hit series Squid Games ended, bad actors wasted no time in sending out ‘exclusive look at season 2’ scams.  TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware https://t.co/iTTPjTSwWi @proofpoint #SquidGame #Dridex pic.twitter.com/ShwKRnoimi — David Bisson (@DMBisson) November 1, 2021 Scammers are like wasps at a picnic, they’ll try and attack anything to provoke you… even your daily cup of Joe. As one InfoSec attendee at our Human Layer Security Summit in November said, “If a hacker created a fake offer for free pumpkin spiced latte from Starbucks, trust me, this time a year, people will click on it”.   But there’s a much more targeted sub-category of phishing: spear phishing. Spear phishing attacks center on one or a few individuals. Hackers generally use information like a person’s whereabouts, nickname, or details about their work to craft customized, believable messages.   And getting that information is surprisingly easy. We live our lives online, and every action we take leaves a trail of data and information. Social media status updates, geo-located photographs, travel tickets, venue check-ins, all these can be used to build a picture about an individual’s movements and preferences. In fact, our How to Hack a Human report revealed that 90% of people post information related to their personal and professional lives online. One-third of people share business travel updates and photos online, and 93% of people update their social profiles when they get a new job. Out of Office replies also contain plenty of data that can be harnessed for an attack. Our research also revealed that 88% of people have received a suspicious message this year. Can you guess the most popular channel? Email.    Verizon’s 2021 Data Breach Investigations Report found that a staggering 96% of phishing or spear phishing attacks arrive via email (the other means are smishing, which uses SMS, and vishing, which uses faked voicemail or phone calls). Here then, is our ultimate guide to spear phishing attacks: how to spot them, how to stop them, and how to ensure your organization is alert, trained and protected. How big of an issue are we talking about here? It’s a big problem. 2021’s Spear Phishing Threat Landscape Report revealed that 75% of organizations experienced some kind of phishing attack in 2020. Another 65% faced Business Email Compromise (BEC) attacks, and 35% experienced spear phishing attacks. Graph from the FBI’s Internet Crime Report 2020   And according to the FBI, phishing incidents nearly doubled in frequency, from 114,702 in 2019, to 241,324 incidents in 2020. In all, there were more than 11 times as many phishing complaints to the FBI in 2020 compared to 2016. The numbers for 2021 will no doubt be even higher. Our report also found that the average employee receives 14 malicious emails a year. For a 500-person company, that’s 7,000 a year. However, this number rose dramatically in the retail sector to 49 on average. Manufacturing employees received 31, R&D 16, and tech employees 14. The problem is, you just can’t stop people from using email. For many of us, it’s a critical part of our jobs. In fact, according to data from Tessian’s own platform, employees send around 4800 emails a year. Our inboxes are a revolving door of links, documents, and information – a door bad actors are quietly trying to slip through. How a phishing attack starts… Just like real fishing, the cyber version needs bait – something to entice, scare, or shock the target to act. For this, bad actors like to tap into the zeitgeist. Whatever trend, fashion, must-see TV show, or social concern is currently top of mind for their victims, they’ll try to exploit it.   What bad actors like most is something big that affects a large number of people at the same time, and things don’t get much bigger than a global pandemic. At the end of 2020, Britain’s National Cyber Security Centre (NCSC) revealed that it removed more online scams that year than in 2016 to 2019 combined.    In total they found 120 separate phishing campaigns in which the UK’s National Health Service was impersonated – up from just 36 in 2019. The lure commonly used in these scams? The vaccine roll-out. Indeed, the pandemic provided – and is still providing – a once in a lifetime global opportunity for scammers. Our own survey from 2021 found that 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year. On top of these were Zoom link scams as we all went remote, logistic firm scams as we ordered everything online, romance scams as we got lonely, and ‘back to school’ scams as young people went back into in-person education. Scammers even went for tax day scams as everyone prepared to file their tax returns. The hook: impersonation Again, just like real fishing, you need a mechanism to get the bait into the water – the hook. An email has to come from someone, right? And getting someone to click a link that appears to have come from Zoom, Netflix, or their boss means convincing them that it’s really from that organization or person.    Business email compromise (BEC) One way scammers do this is with business email compromise (BEC). BEC is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address to convince a target that the email is from a legitimate business. Here attackers are looking to spoof big global organizations that everyone will have heard of and therefore trust and potentially use – so think Microsoft, Apple, Google, as well as Amazon, DHL, and UPS. We all receive perfectly legitimate emails from these companies all the time, so our defenses are lower. You can find out more about spoof emails here   As well as global brands and companies, BEC attacks can also impersonate a person, typically a senior executive or leader. The target is often a junior employee who’s instructed to urgently help close a deal by transferring funds. This is called CEO Fraud. CEO fraud   CEO fraud is a particular type of spear phishing in which a fraudster impersonates a senior company executive via email. This could be a CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments or send sensitive information. In these types of attacks, there is again normally a sense of urgency, a perceived external threat, and crucially, often the promise of some sort of incentive for the employee to carry out the action.  Urgency is not always the case however, there’s also the ‘reasonable request’. As Glyn Wintle, CTO and co-founder of Tradecraft, told us, “If you say the request must be actioned in one day, you will get a large number of replies from employees complaining it’s not enough time. If you say it must be actioned in a week, a lot of people will forget about it. If you say it must be actioned in two working days, people think it’s a reasonable period of time and will do it immediately to avoid forgetting about it”. It even happens to Tessian staffers, a hacker impersonated our CEO and co-founder, Tim Sadler, and tried to get an employee to get them some iTunes vouchers. Needless to say, they didn’t fall for it.   Account Takeover (ATO) Attacks launched from Account Takeovers (ATOs) are some of the hardest to stop because the attacker will start the phishing process from a genuine, compromised account belonging to a real person, rather than a spoofed or fake one.  That’s why ATOs are able to slip past traditional phishing solutions like Secure Email Gateways (SEGs).During the pandemic, ATO attacks increased 307% between 2019 and 2021, and for sectors like Fintech the figure was 850% Why we click phishing links Hackers like to take advantage of psychological factors like stress, social relationships, and uncertainty that affect people’s decision-making, as this is often when they make mistakes.    In our Psychology of Human Error report we asked 2,000 professionals about mistakes they’ve made at work. The results made for interesting reading.    Worryingly, nearly half of employees (43%) say they’ve made a mistake at work that had security repercussions for themselves or their company.   One in four employees (25%) said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email versus just 17% of women. Distraction means bad action Nearly half of respondents (45%) surveyed in our report cited distraction as the top reason for falling for a phishing scam. Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Impersonating a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns. In our spring 2020 Human Layer Summit, Glyn Wintle gave us several examples of how to set up your people and security to mitigate the risks from spear phishing.   So what does a phishing email look like? As we know, 75% of organizations experienced some kind of phishing attack in 2020 and almost all (96%) arrived via email. But what does an actual phishing attack look like? We’re rounded up five REAL examples of typical spear phishing attacks you can read here. All these attacks were detected (and prevented) by Tessian Defender, so no employees were harmed in the making of this blog post. Most employees don’t really understand what a spear phishing email looks like until it’s too late. And while attacks can take lots of different forms and approaches, there are four commonalities in virtually all spear phishing emails: impersonation, motivation, urgency, and payload. When are you most likely to be targeted by a phishing attack? Unsurprisingly, scammers have access to a huge amount of data and, like a regular business sending a newsletter or social media post, they’ve studied when is the best time to launch an attack.    A big event in every scammer’s calendar is Black Friday, and with lots of email, money, and pressure to grab a bargain flying around, it’s easy to see why.  Black Friday came out as the worst time of the year in Our Spear Phishing Threat Landscape report, which details how Tessian detected nearly 2 million malicious emails that slipped past legacy phishing solutions over a 12-month period.   As for the most popular time of day to launch an attack, research shows that after lunch was the most popular time, followed by just before the end of the day. You can see why. People have just eaten, they’ve come back to a newly full inbox, and they’re trying to get on with the rest of their day.   At the end of the day people have one eye on the door, they might be thinking about the commute home, or dinner, or going somewhere…anything except phishing attacks.    You’re secure, but what about your suppliers? Even if you’ve done the best you can to mitigate external risks to your organization’s staff, dangers can still come from your suppliers and other partners you work with. Businesses are porous institutions and rely on other businesses for everything from raw materials to stocking the stationary cupboard. Big businesses rarely publish data on their supply chains, but according to this article from Forbes, Proctor and Gamble list over 75,000 suppliers, while the retailer Walmart uses over 100,000.    Hackers exploit these relationships in software supply chain attacks. These  involve inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software. Like all other forms of attack, supply chain attacks are increasing, up 4 fold in 2021 from 2020. The UK’s National Cyber Security Center has detailed examples of typical supply chain attacks, as well as advice on how to defend against them. The impact of an attack Phishing of all types is the threat most security leaders are concerned about for the following reasons: attacks are becoming more frequent, they’re performed at scale, they’re hard-to-spot, they’re time-consuming to investigate, and can be very expensive to recover from.    IBM’s annual Cost of a Data Breach found that the average cost in 2021 was $4.24 million, but can be as high as $7million depending on the sector involved and size of the breach.  Why so much?. There’s the potential ransom from the hacker, but also reputation damage, regulatory fines, and time and resources diverted from other things to deal with the attack. It adds up. The problems with legacy phishing prevention solutions As the attacks have gotten smarter, faster, and more varied, existing solutions are struggling to stop them. Here’s why.    Secure Email Gateways (SEGs) Problem: SEGs lack the intelligence to learn user behavior or rapidly adapt. The backbone of a SEG is traditional email security approaches – static rules, signature based detection, library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective.   SEGs can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud. Karl Knowles, Global Head of Cyber for law firm HFW, told us how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW gets. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope. And as James McQuiggan, Security Awareness Advocate at KnowBe4, explained in our Fall Summit, bad actors have upped their game and started to find ways to bypass these systems by buying and configuring the same off- the- shelf hardware and software firms use, and seeing what gets through. Sandboxes Problem: Easily bypassed yet potential bottlenecks to genuine business needs   Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection. Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence.   There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create. DMARC Problem: Only one-third of businesses employ DMARC and the info is publicly accessible.   Domain-Based Message Authentication Reporting and Conformance (DMARC), is an added authentication method that uses both Sender Policy Framework (SPF)  and DomainKeys Identified Mail (DKIM) to verify whether or not an email was actually sent by the owner of the domain that the user sees. However, DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack. Ok so what about more security training? You might think that your legacy solutions in conjunction with more security awareness training (SAT), will help mitigate some of these attacks. Training is important, but the trouble with most security training is no matter how fun and engaging you try to make it, pretty much everyone in the room has somewhere else they’d rather be. It’s also expensive, time consuming, and will always be one step behind actual threats.     For most non-IT staff, trying to explain things like how potentially spoofed domain URLs are constructed is just far too technical, and something they’re hardly likely to remember in the heat of their inboxes weeks or months later. After all, as we learned at our Human Layer Security Spring Summit, the average human makes 35,000 decisions a day – analysing a suspect domain URL in detail probably isn’t going to be one of them. Regardless of how frequent, tailored, and engaging it is – security awareness training can’t be your only defense against social engineering. Why? many of the more sophisticated attacks just aren’t detectable by humans. How Tessian can help So the only question left to answer is this. When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox? Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.   Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats. Here’s how: Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization. Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns. Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification. If you’re in InfoSec, you’ll know only too well that your organization is one click away from an ‘Oh Sh*t’ moment. Tessian automatically stops those moments from happening. Questions? We’d be happy to help. Book a demo today.

Data is the lifeblood of a successful business, and email systems are the veins through which it travels. But new Forrester Consulting research commissioned by Tessian shows legacy solutions aren’t enough to protect this vital business organ…   Key insights from the study include:   Nearly 40% of organizations report 10+ employee-related email security incidents per month 61% of our survey respondents think an employee will cause their next data breach Over 75% of  firms report that 20% or more email security incidents get past their existing security controls One-third say they lack visibility into threats and risky behaviors Organizations spend up to 600 hours per month resolving employee-related email security incidents 42% of security and risk leaders are looking to improve their email security postures   To err is human…   While security and risk leaders have a lot to worry about, human error tops the list.    That’s because, on average, organizations experience between one and fifty employee-related email security incidents per month, depending on the company size. Nearly 40% report 10+ incidents a month.   Accidental data loss and business email compromise are most common, with nearly half of respondents saying they’ve experienced an incident in the past 12 months.   It’s no wonder 61% of our survey respondents think an employee will cause their next data breach.    So, how are they trying to solve the problem?   Trying to solve the “people problem”   One thing is for sure: security leaders are trying to bolster their defenses, and they know email is every bit as crucial an environment to protect as network and databases. The problem is, built-in security controls and legacy technology alone aren’t enough to prevent human error. In fact, these solutions are actually creating more work for thinly-stretched security teams.   Over a third of firms say they’re wasting a precious amount of time, money, and effort combating email security challenges.    How much time? According to Forrester’s research, organizations spend up to 600 hours per month resolving employee-related email security incidents.   Alas, despite so much time and effort, over 75% of firms report that 20% or more email security incidents get past their existing security controls and, despite phishing simulations and ongoing security awareness training, roughly one-quarter report that 21% or more of employees have failed a phishing test in the past year.    Accidental data loss is a big problem, too with 24% saying they simply don’t have controls in place to prevent misdirected emails.    That’s a lot of risk, but it could be just the tip of the iceberg…One-third say they lack visibility into threats and risky behaviors, proving traditional security solutions have inherent limitations when it comes to solving for risks posed by people.    In fact, according to Tessian’s State of Data Loss Prevention report, IT leaders working at organizations with 1,000+ people in the US estimate 480 emails are sent to the wrong person every year. In reality, Tessian found that an average of 800 emails are misdirected in organizations with 1,000 employees during a single year.   That’s a big difference… The solution?   Based on all of the above, it’s no wonder 42% of security and risk leaders are looking to improve their email security postures, and are specifically seeking solutions that allow them to gain visibility into risky human behaviors and build unique security identity and risk scores for each employee.    They then want to use this information to feed automated, ML-based threat detection systems to help them predict and protect against unknown threats.  Download the full study.   You can also book a demo to see Tessian’s  platform in action.