Tessian Blog

Email DLP, Data Exfiltration
Why Taking Your Work With You When You Leave a Company Isn’t a Smart Idea
By Andrew Webb
Tuesday, February 15th, 2022
Our latest research into The Great Resignation contains some startling statistics from IT security leaders. 71% told us the Great Resignation has increased security risks in their company. What’s more, 45% say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs. But we also got the employees’ perspective. It was clear that many staff thought that at least some of the work they did while at their employer belonged to them, and that it was okay to take that work with them when they moved on from the organization. In fact, one in three (29%) employees surveyed admitted to having taken data with them when they quit. When you isolate employees in the US, this jumps to two-fifths (40%). So here’s the question: does your work belong to you?
Who’s taking data?

We saw noticeable differences in behaviors across typical departments found in most organizations. And the number one team to exfiltrate data? Marketing. A whopping 63% of respondents in this department admitted to taking data when they move on.

After marketing, employees in HR (37%) and IT (37%) had the next highest levels of exfiltration. Incidentally, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal, as these functions have to comply with strict data regulations on a daily basis. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.
Why are people taking data on their way out?

According to Infosecurity magazine, 70% of intellectual property (IP) theft occurs within the 90 days before an employee’s resignation announcement. But why are people taking data when they leave? Here are some of the most common reasons.

Competitive advantage

Maliciously-minded insiders can steal company data to get a competitive edge in their new role. 58% of workers we surveyed told us the information would help them in their new job. Think customer lists, software, project documents, frameworks and methodologies, and ultimately, IP. This is more common than you might think. For example, a General Electric employee was imprisoned in 2020 for stealing the company’s trade secrets for his own business in China.

A belief they own it

Many employees have a mentality that if they worked on that presentation, source code, or project, it’s theirs. In fact, 53% of respondents to our survey felt this way, saying that because they worked on the document, they believed the information belonged to them.

Financial gain

The right sort of data in the wrong hands can be extremely valuable. Former staff can sell customers’ information on the dark web. There’s a huge market for personal information: research suggests you can steal a person’s identity for around $1,100. 40% of the people we surveyed said they intended to make money from the information.
So who does own your work?

But back to our original question. Does your work belong to you? Well, chances are, no. In nearly all sectors and jurisdictions, if you’re fully employed by the company, they own the output of your endeavors. The situation might be slightly different if you’re a freelance contractor. In the end it all comes down to the contract.

But there are exceptions. Obviously personal items that belonged to you prior to starting employment remain yours. Secondly, you can leave with items that you have permission to take. There’s also knowledge that you obtained during the role, such as the names of the firm’s five biggest customers. This is why many senior roles in firms have non-compete clauses built into their employment contracts.
What does The Great Resignation mean for security teams?

With 55% of respondents revealing that they’re thinking about leaving their jobs in 2022, and two in five (39%) currently working their notice or actively looking for a new job in the next 6 months, it’s clear IT and security teams are under pressure to keep company data safe during the Great Resignation.

But this research shouldn’t be used to berate employees. As a security leader, that’s not your job. Rather, it should be used to refresh the dialogue about security culture, and weave it into the broader discussion about data loss prevention.

Josh Yavor, Chief Information Security Officer at Tessian, comments: “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The Great Resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats, and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is

How does Tessian prevent data exfiltration attempts?

Prevent unauthorized emails

Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email.
Deeply understand your risk

Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.

In-the-moment educational warnings

Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time.
ATO/BEC, Threat Intel
Spear Phishing Attack Impersonating C-Suite Targets Junior Employees at Law Firm
By Charles Brook
Thursday, February 10th, 2022
In late January 2022 a specialist law firm was the target of a spear phishing campaign flagged by Tessian Defender where the threat actor attempted to impersonate the Chairman of the firm. Leveraging common social engineering tactics, the threat actor then targeted the firm’s junior employees. This is known as CEO Fraud.
Impersonation attacks are becoming a mainstay for threat actors. Based on our investigation into the 2021 spear phishing landscape, we determined that 60% of the malicious emails seen in Tessian’s network relied on generic impersonation techniques, including freemail impersonation and Display Name Impersonation. An additional 30% relied on more advanced impersonation techniques, including direct impersonation like domain spoofing, direct spoofing and account takeover (ATO).
The Attack

The attacker leveraged the name of the chairman and used a freemail domain. Display name and domain name impersonation spoofs accounted for 4.9% of all malicious email detected and prevented by Tessian in 2021.
Email Content:
Sender Address: <Name of Chairman>.<Website Domain>@gmail[.]com
Display Name: <Name of Chairman>
Subject: <Name of Chairman>
Body: Asking if recipients have time available; expressing a sense of urgency
Links & Attachments: None

The threat actor registered an email address using Gmail and chose a username that contained the name of the law firm’s chairman, together with the domain used for its website. They also changed the display name associated with the account to match the name of the chairman as it appeared on the firm’s website.

After that, the attacker drafted an email with a generic message containing a call to action, asking the recipient “are you available?”. It was sent to more than 200 individuals at the firm.

The email did not contain links or attachments when it was sent, just the message added by the threat actor. This indicates intent to engage in social engineering via correspondence with recipients.
This style of phishing usually leads to the threat actor trying to convince the recipient to send money or share information that could be leveraged for a more advanced phishing attack. The low cost and low effort of this kind of phishing attempt explain why social engineering now accounts for 70-90% of all successful breaches.

In other cases it can involve sending a few messages back and forth to establish a baseline of trust, before sending a malicious attachment or URL in subsequent emails. Having established trust, the recipient is more likely to click without feeling much concern or suspicion. This also explains why advanced social engineering threats bypass detection by legacy Secure Email Gateways (SEGs), either due to the sophisticated degree of subterfuge in name and domain name spoofing, or because the malicious payload is not present in the initial email.
The Approach

The majority of phishing attacks using this approach will typically come from addresses registered by a threat actor, looking something like “partner1234@gmail[.]com” or “manager5678@hotmail[.]com”.

Attackers use freemail accounts because of their utility in carrying out attacks and zero cost. Freemail accounts that deliver malicious payloads via a proxy server are also notoriously difficult to trace for attribution. Accounts like this will continue to be used to target multiple organizations.

In the case of this attack the address was created as “<Name of Chairman>.<Website Domain>@gmail[.]com”, which indicates deliberate intent to target this firm specifically.

The fact that the threat actor sent the email to more than 200 junior members of the firm indicates a higher level of planning and reconnaissance than most attacks of this type typically have.

Our research confirms that law firms are targeted 31% of the time for impersonation-style phishing attacks. And firms tend to post details of most employees on their websites, including names, email addresses and positions held. Many are also active on networking platforms like LinkedIn. This makes reconnaissance very easy for threat actors.
In the case of this impersonation campaign, the threat actor will have found the firm’s people page, searched for a senior individual to impersonate, then filtered down to the more junior individuals to target.    The C-Suite was impersonated in this attack to amplify the call to action in the messaging and to increase the sense of urgency felt by the targets. Likewise, junior employees were targeted in this attack because they were possibly seen as being more likely to comply with instructions received from senior management.    Another hypothesis could be that the threat actor was seeking to gain more information to wage a secondary spear phishing attack, targeting more strategic positions in the firm such as the finance department.
Real-time, comprehensive email protection

Tessian was able to detect the phishing techniques deployed by the threat actor for this campaign. Tessian recognized the law firm’s domain in the local part of the email address and the name of the chairman in the display name. It also detected suspicious keywords indicative of an urgent call to action, which included “are you available?” and “quick”.

Tessian also detected that the address used by the attacker had not been observed in historical emails sent to anyone at the law firm.

Many of the recipients at the law firm responded to the in-the-moment security warning message from Tessian and confirmed that the email was actually malicious.

All it takes is one click.

This example underscores the relentless pursuit of threat actors attempting to gain access to an organization’s crown jewels. As attacks become more advanced, they require a defense-in-depth approach to email security. Leveraging email security solutions that have behavioral detection and in-the-moment security awareness training capabilities is now table stakes for securing your email ecosystem.
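The detection signals described above, written out as an added example (this is not Tessian’s code): it parses the From header, checks a freemail local part for the firm’s web domain and an executive’s name, compares the display name against the firm’s people page, checks whether the exact address has any mail history with the organisation, and looks for urgency wording, then scores the message. The firm domain, executive names, known-sender list, freemail list, weights and threshold are all constructed placeholders.

```python
import re
from email.utils import parseaddr

# Consumer mailbox providers an attacker can register at no cost (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "icloud.com"}
# Call-to-action wording the post cites ("are you available?", "quick") plus assumed variants.
URGENCY_PHRASES = ("are you available", "quick", "urgent", "asap", "right away")
# Assumed weights: freemail + firm domain in local part + executive display name clears the bar alone.
WEIGHTS = {
    "freemail_sender": 1,
    "firm_domain_in_local_part": 3,
    "display_name_matches_executive": 3,
    "executive_name_in_local_part": 2,
    "sender_never_seen": 2,
    "urgency_language": 1,
}
THRESHOLD = 6


def _squash(text):
    """Lower-case and keep letters only, so 'Jane Doe', 'jane.doe' and 'janedoe' compare alike."""
    return re.sub(r"[^a-z]", "", text.lower())


def analyze_message(msg, firm_domain, executives, known_senders):
    """Score one inbound message for executive impersonation from a freemail address.

    msg: dict with 'from', 'subject', 'body'. firm_domain: the organisation's own web
    domain. executives: display names from its public people page. known_senders:
    addresses seen in historical mail. Returns fired indicators, a score and a flag.
    """
    display, addr = parseaddr(msg["from"])
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    external = domain != firm_domain.lower()
    exec_keys = {_squash(name) for name in executives}
    fired = []

    if domain in FREEMAIL_DOMAINS:
        fired.append("freemail_sender")
    # Impersonation indicators only matter when the mail did not come from the firm itself.
    if external and _squash(firm_domain) in _squash(local):
        fired.append("firm_domain_in_local_part")
    if external and _squash(display) in exec_keys:
        fired.append("display_name_matches_executive")
    if external and any(key and key in _squash(local) for key in exec_keys):
        fired.append("executive_name_in_local_part")
    # Behavioural signal: this exact address has no history with the organisation.
    if addr not in known_senders:
        fired.append("sender_never_seen")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        fired.append("urgency_language")

    score = sum(WEIGHTS[name] for name in fired)
    return {"indicators": fired, "score": score, "flag": score >= THRESHOLD}


# Constructed placeholders for the firm, its people page and its mail history.
FIRM_DOMAIN = "examplelaw.com"
EXECUTIVES = ["Jane Doe", "John Smith"]
KNOWN_SENDERS = {"jane.doe@examplelaw.com", "counsel@partner-firm.example"}

# Constructed message in the shape the post describes (not the real campaign email).
ATTACK = {
    "from": "Jane Doe <jane.doe.examplelaw.com@gmail.com>",
    "subject": "Jane Doe",
    "body": "Are you available? I need a quick favour handled today.",
}
# Constructed benign message from a correspondent already in the mail history.
BENIGN = {
    "from": "Outside Counsel <counsel@partner-firm.example>",
    "subject": "Draft agreement",
    "body": "Attached is the redline we discussed on Tuesday.",
}
# Constructed first-contact freemail message with no impersonation: stays under the threshold.
UNKNOWN_FREEMAIL = {
    "from": "Bob Jones <bob.jones88@gmail.com>",
    "subject": "Opening hours",
    "body": "Quick question about your office hours this week.",
}

if __name__ == "__main__":
    for label, msg in (("attack", ATTACK), ("benign", BENIGN), ("unknown", UNKNOWN_FREEMAIL)):
        print(label, analyze_message(msg, FIRM_DOMAIN, EXECUTIVES, KNOWN_SENDERS))
```

The third sample shows why the never-seen-before signal is weighted rather than decisive: on its own it is the high-false-positive rule the appendix warns about.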
Appendix: MITRE ATT&CK Framework

The tactics and techniques used by the threat actor can be inferred up to the point the email was received.

TA0043: Reconnaissance – https://attack.mitre.org/tactics/TA0043/
T1591: Gather Victim Org Information – https://attack.mitre.org/techniques/T1591/
T1591.004: Identify Roles – https://attack.mitre.org/techniques/T1591/004/
T1589: Gather Victim Identity Information – https://attack.mitre.org/techniques/T1589
T1589.002: Email Addresses – https://attack.mitre.org/techniques/T1589/002
T1589.003: Employee Names – https://attack.mitre.org/techniques/T1589/003

The threat actor carried out reconnaissance activities against the target’s website. Here they identified the key individuals to impersonate and target. Using the people directory available on the website they were able to identify the chairman of the law firm to impersonate via email and get a list of names and email addresses for associates at the firm to target.

TA0042: Resource Development – https://attack.mitre.org/tactics/TA0042
T1585: Establish Accounts – https://attack.mitre.org/techniques/T1585/
T1585.002: Email Accounts – https://attack.mitre.org/techniques/T1585/002/

After identifying a high-ranking member of the firm, the threat actor registered an email account with Gmail. They created an account with a username containing the name of the chairman of the firm as well as the domain used for the firm’s website. They also changed the display name associated with the account to that of the chairman.

TA0001: Initial Access – https://attack.mitre.org/tactics/TA0001
T1566: Phishing – https://attack.mitre.org/techniques/T1566/

With a free email address registered, a senior staff member to impersonate and a list of victims to target, the threat actor sent an email to more than 200 associates at the firm. The email contained a message explaining they were the chairman of the firm and wanted to know if the recipients were available to help them quickly.
TA0005: Defense Evasion – https://attack.mitre.org/tactics/TA0005/

The threat actor avoided detection through conventional means by registering a new email address and not including a malicious link or attachment in their initial email. SEGs typically rely on known IOCs to detect malicious activity. Since there was no attachment or URL in this case, there was nothing to scan or look up the reputation of.

MITRE D3FEND Framework

Most of the techniques used by the threat actor were reconnaissance-based and occurred at the pre-compromise phase, outside the scope of typical defenses and controls, meaning they could not be easily mitigated without advanced email protection.

Detect – https://d3fend.mitre.org/tactic/d3f:Detect
D3-SRA: Sender Reputation Analysis – https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis

Sender reputation analysis can be used to detect unwanted or malicious emails by analyzing information about the sender. This can include information over time such as the number of emails received, number of recipients, number of emails replied to, etc.

The problem with this attack is that the email address used by the threat actor will likely have been recently registered with a reputable freemail service and would not have been seen by the law firm before. This means there is limited information available to determine the sender reputation. Detection can be done based on the email address not having been seen before; however, with legacy email security controls this type of detection can generate high levels of alerts and false positives.
ATO/BEC
It Started With a Click… Huge Rise in Romance Scams for Second Year Running
By Andrew Webb
Thursday, February 10th, 2022
If you thought the end of lockdowns might mean a drop in romance fraud scams, well, prepare to be heartbroken. Lonely hearts looking for love are highly attractive… to scammers, that is. The number of people targeted by romance fraud scams has nearly doubled in 2021, according to our latest research.
By adopting a fake identity or even impersonating a celebrity online, cybercriminals will spin a story to trick and manipulate their victims into sharing money or information that could later be used to commit identity fraud. Oftentimes, they won’t ask for the money outright. They’ll build trust over time, building a relationship. These are tried and tested social engineering tactics designed to manipulate human emotions, and sadly they can work on anyone.

32% of respondents have received a romance fraud scam in the last 12 months, a significant increase from the 18% of people surveyed previously. Isolating the US, 43% said they had received a romance fraud scam (up from 29% in 2021), and in the UK, 14% said they had been targeted by romance scammers (up from 8% in 2021).

Why are scammers investing in this particular type of attack? Because vulnerable people make easy targets. Loneliness was already a public health issue back in 2018, and COVID just made everything a lot worse, which is why incidents of romance fraud have surged during the pandemic. What’s more, we’re now much more used to conducting all aspects of our lives online, often asynchronously, rather than face to face in real life.
How are romance scams delivered?

Email remains, just, the most popular attack vector for romance scams. When we asked which platforms they had received ‘romance’ messages on, personal email ranked top, with 51% of respondents saying they had received fraudulent phishing emails from ‘love interests’ via this channel. This was closely followed by Facebook, with 50% of respondents saying they had received messages there. 45% had been targeted over text messages. Of course this may be the ‘tip of the iceberg’, as many victims are too embarrassed to come forward.
The rise of the celebrity love interest

Worryingly, a number of stories of cybercriminals impersonating celebrities have been reported in the media in the last 12 months. One woman was duped by a scammer pretending to be Nicolas Cage, conning her out of nearly $14,000. The continuing rise in romance fraud shows just how cybercriminals continue to exploit people’s vulnerabilities as they did during the pandemic.
Tessian’s top tips for spotting a romance scam

Here’s our advice to avoid falling for a romance scam:

• Question any requests for personal or financial information from individuals you do not know or have not met in person, and verify the identity of anyone you’re speaking to via a video call.
• Never send money or a gift online to someone who you haven’t met in person.
• Keep social media profiles and posts private. Scammers will trawl social media to discover their victims and find information that they can use to build a relationship with you.
• Don’t accept friend requests or DMs from people you don’t know personally.
• Be suspicious of requests from someone you’ve met on the internet. Scammers will often ask for money via wire transfers or reload cards because they’re difficult to reverse.
• Be wary of any email you receive from someone you don’t know.
• Never click on a link or download an attachment from an unusual email address.
• Remember, if it sounds too good to be true, it probably is.

The FBI and Action Fraud have also provided citizens with useful advice on how to avoid falling for a romance scam and guidance for anyone who thinks they may have already been targeted by a scammer.
ATO/BEC, Email DLP, Human Layer Security
Secure Email Gateways (SEGs) vs. Integrated Cloud Email Security (ICES) Solutions
By John Filitz
Wednesday, February 9th, 2022
Recent market developments in email security signal there is a new player in town. And what has been considered a solved-for cybersecurity challenge is receiving renewed attention, both in the enterprise and in the analyst community.

The next generation of email security, referred to by Gartner as Integrated Cloud Email Security (ICES) solutions, brings a welcome new approach to solving for increasingly sophisticated and elusive email security threats.
Advanced threats require a new approach to addressing email security risk

Threat actors are using more sophisticated techniques, and attacks are achieving greater success. This is largely due to the commercialization of cybercrime, with Phishing-as-a-Service and Ransomware-as-a-Service offerings becoming more prevalent on the dark web.

The pace of digital transformation underway and key shifts in the way we work help explain it, too. In the wake of the pandemic, the accelerated adoption of public cloud has significantly expanded attack surface risk, with employees working from home, and often on personal devices. Threat actors are exploiting these developments by targeting the most common threat vector for a breach: phishing via email.
Secure Email Gateways (SEGs)

SEGs were, until recently, considered a staple in the cybersecurity stack. But SEGs that run on static, rule-based detection engines are finding it increasingly challenging to protect in today’s threatscape. This is largely because SEGs rely on adversaries exploiting common and well-known attack vectors.

SEG solutions sit in-line and filter all inbound emails. SEGs use a threat intelligence engine combined with manual policy orchestration, creating “allow” or “deny” lists. In the world of SEGs, security administrators have to configure MX records, develop specific email security policies, block domains, and triage incidents, with many of these incidents being false positives due to the “wide-net” email filtering approach.

Given that the threat engine for SEGs also relies on known threats, threat actors can bypass SEG controls, for example by registering new domains and combining them with advanced impersonation techniques. That’s why Tessian saw 2 million malicious inbound emails evade SEGs in a 12-month period.

And once an adversary has compromised an organization’s email (i.e. passed through the gateway) there is little stopping them. SEGs also offer very limited protection against insider threats or advanced methods for email-based data exfiltration, for example renaming document files to bypass manually orchestrated SEG DLP policy labels.
The key attributes of SEGs include:

• Designed to protect against commonly seen threats, i.e. mainstream phishing activity, malware and spam
• Redirection of mail via MX records pointing to the SEG, so that all incoming email is scanned
• Use of a sandbox for detecting, isolating, and detonating suspected malicious emails or attachments
• Clawback ability for internal email only
• No ability to detect lateral movement by a threat actor that has breached the gateway
• Supplemental scanning solutions are often required to detect advanced inbound threats
• Manual orchestration of basic DLP policies
Integrated Cloud Email Security (ICES) Solutions

The main distinguishing characteristic of ICES solutions like Tessian compared to SEGs is that ICES solutions were born in the cloud, for the cloud. But they’re also able to provide protection for hybrid and on-premise environments.

Using machine learning and connecting via connectors or an API, the algorithm of an ICES solution develops a historical behavioral map of an organization’s email ecosystem. This historical behavioral map is leveraged along with Natural Language Processing (NLP) and Natural Language Understanding (NLU) capabilities to dynamically, and in real time, scan and detect any anomalous email behavior on both the inbound and the outbound side.

ICES solutions also offer a high degree of email security automation, including triaging of security incidents, which significantly reduces the SOC burden and ultimately improves security effectiveness.
The key attributes of ICES solutions include:

• Designed to detect advanced social engineering attacks including phishing, impersonation attacks, business email compromise (BEC), and account takeover (ATO)
• Require no MX record changes; scan incoming emails downstream from the MX record, either pre-delivery via a connector, or post-delivery via an API
• Behavioral detection engine for advanced inbound and outbound threats, resulting in greater detection efficacy and lower false positives, i.e. less business interruption and more SOC optimization
• A banner can be added to an incoming email indicating the level of risk of the scanned email
• Lateral attack detection capability
• Malicious emails are hidden from users’ inboxes. With the pre-delivery option, only email that is determined to be safe is delivered. Post-delivery solutions will claw back a suspected email determined to be malicious
• All of the email fields are analyzed and compared against a historical mapping of email correspondence. Fields scanned include the sender, recipient, subject line, body, URLs and attachments
• Prompts the end user with in-the-moment contextual warnings on suspected malicious emails to take safe action, in real time
• Some have advanced DLP capability
The evolution of the threatscape, combined with the mainstream adoption of public cloud offerings and associated productivity suites, helps contextualize the emergence of the ICES vendor category.

Many of the productivity suites such as Microsoft 365 and Google Workspace include SEG-like features as part of their standard offerings. And Gartner predicts that by 2023, 40% of enterprises will be leveraging an ICES solution like Tessian with a public cloud’s productivity suite for comprehensive email protection.
Want to learn more? See how Tessian prevents ransomware attacks and data loss, watch a product overview video, download our platform architecture whitepaper, or book a demo.
ATO/BEC
15 Examples of Real Social Engineering Attacks
Monday, February 7th, 2022
Social engineering attacks are one of the main ways bad actors can scam companies. Here are 15 of the biggest attacks, and how they happened.
1. $100 Million Google and Facebook Spear Phishing Scam

The biggest social engineering attack of all time (as far as we know) was perpetrated by Lithuanian national Evaldas Rimasauskas against two of the world’s biggest companies: Google and Facebook. Rimasauskas and his team set up a fake company, pretending to be a computer manufacturer that worked with Google and Facebook. Rimasauskas also set up bank accounts in the company’s name.

The scammers then sent phishing emails to specific Google and Facebook employees, invoicing them for goods and services that the manufacturer had genuinely provided, but directing them to deposit money into their fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates cheated the two tech giants out of over $100 million.

2. Persuasive email phishing attack imitates US Department of Labor

In January 2022, Bleeping Computer described a sophisticated phishing attack designed to steal Office 365 credentials in which the attackers imitated the US Department of Labor (DoL). The scam is a noteworthy example of how convincing phishing attempts are becoming.

The attack used two methods to impersonate the DoL’s email address: spoofing the actual DoL email domain (reply@dol[.]gov) and buying up look-alike domains, including “dol-gov[.]com” and “dol-gov[.]us”. Using these domains, the phishing emails sailed through the target organizations’ security gateways.

The emails used official DoL branding, were professionally written, and invited recipients to bid on a government project. The supposed bidding instructions were included in a three-page PDF with a “Bid Now” button embedded.

On clicking the link, targets were redirected to a phishing site that looked identical to the actual DoL site, hosted at a URL such as bid-dolgov[.]us. The fake bidding site instructed users to enter their Office 365 credentials.
The site even displayed an “error” message after the first input, ensuring the target would enter their credentials twice and thus reducing the possibility of mistyped credentials.

It’s easy to see how even a relatively scrupulous employee could fall for an attack like this, but the problem would not have arisen if the target organization had better email security measures in place.

3. Russian hacking group targets Ukraine with spear phishing

As world leaders debate the best response to the increasingly tense situation between Russia and Ukraine, Microsoft warned in February 2022 of a new spear phishing campaign by a Russian hacking group targeting Ukrainian government agencies and NGOs. The group, known as Gamaredon and tracked by Microsoft as ACTINIUM, has allegedly been targeting “organizations critical to emergency response and ensuring the security of Ukrainian territory” since 2021. The initial phase of Gamaredon’s attack relies on spear phishing emails containing malware. The emails also contain a tracking pixel that informs the cybercriminals whether it has been opened. The case is an important reminder of how cybersecurity plays an increasingly central role in international conflicts, and how all organizations should be taking steps to improve their security posture and protect against social engineering attacks.
4. Deepfake Attack on UK Energy Company In March 2019, the CEO of a UK energy provider received a phone call from someone who sounded exactly like his boss. The call was so convincing that the CEO ended up transferring $243,000 to a “Hungarian supplier” — a bank account that actually belonged to a scammer.   This “cyber-assisted” attack might sound like something from a sci-fi movie, but, according to Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, “This is not an emerging threat. This threat is here. Now.”   To learn more about how hackers use AI to mimic speech patterns, watch Nina’s discussion about deepfakes with Elvis Chan, Supervisory Special Agent at the FBI.  
5. $60 Million CEO Fraud Lands CEO In Court   Chinese plane parts manufacturer FACC lost nearly $60 million in a so-called “CEO fraud scam” where scammers impersonated high-level executives and tricked employees into transferring funds. After the incident, FACC then spent more money trying to sue its CEO and finance chief, alleging that they had failed to implement adequate internal security controls.   While the case failed, it’s an important reminder: cybersecurity is business-critical and everyone’s responsibility. In fact, Gartner predicts that by 2024, CEOs could be personally liable for breaches.  
6. Microsoft 365 phishing scam steals user credentials

In April 2021, security researchers discovered a Business Email Compromise (BEC) scam that tricks the recipient into opening a malicious attachment. Here’s how the attack works, and it’s actually pretty clever.

The target receives a blank email with a subject line about a “price revision.” The email contains an attachment that looks like an Excel spreadsheet file (.xlsx). However, the “spreadsheet” is actually a .html file in disguise.

Upon opening the (disguised) .html file, the target is directed to a website containing malicious code. The code triggers a pop-up notification, telling the user they’ve been logged out of Microsoft 365, and inviting them to re-enter their login credentials.

You can guess what happens next—the fraudulent web form sends the user’s credentials off to the cybercriminals running the scam.

This type of phishing—which relies on human error combined with weak defenses—has thrived during the pandemic. Phishing rates doubled in 2020, according to the latest FBI data.

7. Singapore bank phishing saga like ‘fighting a war’

Customers of the Oversea-Chinese Banking Corporation (OCBC) were hit by a string of phishing attacks and fraudulent transactions in December 2021, leading to around S$8.5 million of losses across approximately 470 customers.

The bank’s CEO, Helen Wong, described her company’s battle against the phishing attacks and subsequent fraudulent transfers as like “fighting a war.”

OCBC customers were duped into giving up their account details after receiving phishing SMS messages impersonating the bank. The situation escalated quickly despite the bank shutting down fraudulent domains and alerting customers to the scam.

Wong described how, once the phishing campaign had taken hold, the fraudsters had set up “mule” accounts to receive stolen funds.
No matter how quickly the bank’s security team managed to shut down a mule account, the scammers would soon find another to take its place.   The CEO described her dilemma after getting the phishing campaign under control: reimbursing customers felt like the right thing to do, but Wong feared it could incentivize further attacks. So far over 200 customers have been compensated.   8. Ransomware gang hijacks victim’s email account   In April 2021, several employees of U.K. rail operator Merseyrail received an unusual email from their boss’s email account with the subject line “Lockbit Ransomware Attack and Data Theft.” Journalists from several newspapers and tech sites were also copied in.   The email—sent by a fraudster impersonating Merseyrail’s director—revealed that the company had been hacked and had tried to downplay the incident. The email also included an image of a Merseyrail employee’s personal data.   It’s not clear how Merseyrail’s email system got compromised (although security experts suspect a spear phishing attack)—but the “double extortion” involved makes this attack particularly brutal.   The “Lockbit” gang not only exfiltrated Merseyrail’s personal data and demanded a ransom to release it—the scammers used their access to the company’s systems to launch an embarrassing publicity campaign on behalf of its director.
9. Phishing scam uses HTML tables to evade traditional email security Criminals are always looking for new ways to evade email security software. One BEC attack, discovered in April 2021, involves a particularly devious way of sneaking through traditional email security software like Secure Email Gateways (SEGs) and rule-based Data Loss Prevention (DLP).   BEC attacks often rely on impersonating official emails from respected companies. This means embedding the company’s logos and branding into the email as image files.   Some “rule-based” email security software automatically treats image files as suspicious. If a phishing email contains a .png file of the Microsoft Windows logo, the email is more likely to be detected—but without that distinctive branding, the email won’t look like it came from Microsoft.   But once again, cyber criminals have found a way to exploit the rule-based security approach.   To imitate Microsoft’s branding, this attack uses a table instead of an image file—simply a four-square grid, colored to look like the Windows logo. The average employee is unlikely to closely inspect the logo and will automatically trust the contents of the email.   This isn’t the first time fraudsters have used tables to evade rule-based DLP software. For example, some email security filters are set up to detect certain words, like “bitcoin.” One way around this is to create a borderless table and split the word across the columns: “bi | tc | oin.”     10. Sacramento phishing attack exposes health information  Five employees at Sacramento County revealed their login credentials to cybercriminals after receiving phishing emails on June 22, 2021. The attack was discovered five months later, after an internal audit of workers’ email inboxes. The breach occurred after employees received phishing emails containing a link to a malicious website. The targets entered their usernames and passwords into a fake login page which were then harvested by cybercriminals. 
The attack resulted in a data breach exposing 2,096 records of health information and 816 records of “personal identification information.” The county notified the victims by email and offered free credit monitoring and identity theft services. It remains to be seen whether this proposed resolution by the county will be enough. Protection of health information is particularly tightly regulated in the US, under the Health Insurance Portability and Accountability Act (HIPAA), and data breaches involving health data have led to some hefty lawsuits in the past.
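The two table tricks described under item 9 above (a logo drawn from colored cells, and a watchlist word split across columns) defeat filters that only look at rendered text. The following is an added example, not code from the original post or from any vendor’s product: it parses the HTML structure, reassembles words that were split across the cells of a single row, and counts tables built only from empty colored cells. The keyword watchlist and the sample message body are constructed for illustration.

```python
"""Detect two HTML-table evasions: a keyword split across table cells
("bi | tc | oin") and a logo faked from empty, colored cells.
Added example; the sample body and watchlist below are constructed."""
import re
from html.parser import HTMLParser

# Assumed watchlist a rule-based filter might use.
KEYWORDS = ("bitcoin", "wire transfer", "gift card")

# Constructed sample: a four-cell colored table standing in for a logo,
# and the word "bitcoin" split across three cells of a borderless table.
SAMPLE_HTML = """<html><body>
<table cellspacing="0">
<tr><td bgcolor="#f25022"></td><td bgcolor="#7fba00"></td></tr>
<tr><td bgcolor="#00a4ef"></td><td bgcolor="#ffb900"></td></tr>
</table>
<p>Please settle the attached invoice today.</p>
<table border="0"><tr><td>Payment in </td><td>bi</td><td>tc</td><td>oin</td><td> only.</td></tr></table>
</body></html>"""


class TableTextExtractor(HTMLParser):
    """Collect text per table row, text outside tables, and per-table cell stats."""

    def __init__(self):
        super().__init__()
        self.rows = []      # list of [cell text, ...] per <tr>
        self.loose = []     # text that is not inside a cell
        self.tables = []    # per <table>: {"cells": n, "colored_empty": n}
        self._cells = None
        self._cell = None
        self._cell_colored = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self.tables.append({"cells": 0, "colored_empty": 0})
        elif tag == "tr":
            self._cells = []
        elif tag in ("td", "th"):
            self._cell = []
            style = (a.get("style") or "").lower()
            self._cell_colored = "bgcolor" in a or "background" in style

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            text = "".join(self._cell).strip()
            if self._cells is not None:
                self._cells.append(text)
            if self.tables:  # nested tables are attributed to the last one opened
                self.tables[-1]["cells"] += 1
                if self._cell_colored and not text:
                    self.tables[-1]["colored_empty"] += 1
            self._cell = None
        elif tag == "tr" and self._cells is not None:
            self.rows.append(self._cells)
            self._cells = None

    def handle_data(self, data):
        (self._cell if self._cell is not None else self.loose).append(data)


def normalize(text):
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(html, keywords=KEYWORDS):
    """Return keyword hits (and how they were found) plus logo-like tables."""
    p = TableTextExtractor()
    p.feed(html)
    hits = {}
    # 1. Plain visible text, the way a naive keyword rule sees it.
    plain = normalize(" ".join(p.loose + [c for row in p.rows for c in row]))
    for kw in keywords:
        if kw in plain:
            hits.setdefault(kw, []).append("plain")
    # 2. Cells of one row glued together with no separator, which reassembles
    #    a word that was deliberately split across columns.
    for row in p.rows:
        glued = normalize("".join(row)).replace(" ", "")
        for kw in keywords:
            if kw.replace(" ", "") in glued and "glued-cells" not in hits.get(kw, []):
                hits.setdefault(kw, []).append("glued-cells")
    # 3. A table made only of colored, empty cells is a drawn "logo".
    logo_tables = sum(1 for t in p.tables
                      if t["cells"] >= 4 and t["colored_empty"] == t["cells"])
    return {"keywords": hits, "logo_tables": logo_tables}


if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

The "plain" pass shows what a conventional keyword rule sees (no hit on the split word); the "glued-cells" pass is what catches it. Gluing is done per row only, so ordinary prose in separate rows does not produce false joins.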
11. Google Drive collaboration scam

In late 2020, a novel but simple social engineering scam emerged that exploited Google Drive’s notification system. The fraud begins with the creation of a document containing malicious links to a phishing site. The scammer then tags their target in a comment on the document, asking the person to collaborate. Once tagged, the target receives a legitimate email notification from Google containing the comment’s text and a link to the relevant document.

If the scam works, the victim will view the document, read the comments, and feel flattered that they’re being asked to collaborate. Then, the victim will click one of the malicious links, visit the phishing site, and enter their login credentials or other personal data.

This scam is particularly clever because it exploits Google’s email notification system for added legitimacy. Such notifications come straight from Google and are unlikely to trigger a spam filter. But like all social engineering attacks, the Google Drive collaboration scam plays on the victim’s emotions: in this case, the pride and generosity we might feel when called upon for help.

Want to see a screenshot of a similar attack? We break down a spear phishing attack in which the attacker impersonates Microsoft Teams. Check it out here.

12. SharePoint phishing fraud targets home workers

April 2021 saw yet another phishing attack emerge that appears specifically designed to target remote workers using cloud-based software. The attack begins when the target receives an email—written in the urgent tone favored by phishing scammers—requesting their signature on a document hosted in Microsoft SharePoint. The email looks legitimate. It includes the SharePoint logo and branding familiar to many office workers. But the link leads to a phishing site designed to siphon off users’ credentials.
Phishing attacks increasingly aim to exploit remote collaboration software—Microsoft research suggests nearly half of IT professionals cited the need for new collaboration tools as a major security vulnerability during the shift to working from home.
13. $75 Million Belgian Bank Whaling Attack

Perhaps the most successful social engineering attack of all time was conducted against the Belgian bank Crelan. Crelan discovered its CEO had been “whaled” only after a routine internal audit; the perpetrators got away with $75 million and have never been brought to justice. Crelan fell victim to “whaling”, a type of spear phishing in which the scammers target high-level executives. Cybercriminals frequently try to harpoon these big targets because they have easy access to funds.

14. High-Profile Twitter Users’ Accounts Compromised After Vishing Scam

In July 2020, attackers took control of 130 Twitter accounts, including those of some of the world’s most famous people: Barack Obama, Joe Biden, and Kanye West.

The hackers downloaded some users’ Twitter data, accessed DMs, and made Tweets requesting donations to a Bitcoin wallet. Within minutes, before Twitter could remove the tweets, the perpetrators had collected around $110,000 in Bitcoin across more than 320 transactions.

Twitter has described the incident as a “phone spear phishing” attack (also known as a “vishing” attack). The calls’ details remain unclear, but Twitter employees were tricked into revealing credentials that gave the attackers access to internal account-support tools, and through them to the compromised accounts.

Following the hack, the FBI launched an investigation into Twitter’s security procedures. The scandal saw Twitter’s share price fall by 7% in pre-market trading the following day.

15. Texas Attorney-General Warns of Delivery Company Smishing Scam

Nearly everyone gets the occasional text message that looks like it could be a scam. But in September 2020, one smishing (SMS phishing) attack became so widespread that the Texas Attorney-General put out a press release warning residents about it.

Victims of this scam received a fraudulent text message purporting to be from a delivery company such as DHL, UPS, or FedEx.
The SMS invited the target to click a link and “claim ownership” of an undelivered package. After following the link, the target was asked to provide personal information and credit card details.

The Texas Attorney-General warned all Texans not to follow the link. He stated that delivery companies do not communicate with customers in this way, and urged anyone receiving the text message to report it to the Office of the Attorney General or the Federal Trade Commission.

Top tip: Never respond to a suspicious message, click links within SMS messages, or reveal personal or company information via SMS.

Prevent social engineering attacks in your organization

There’s one common thread through all of these attacks: they’re really, really hard to spot. That’s where Tessian comes in. Tessian is intelligent cloud email security that stops threats and builds smart security cultures in the modern enterprise.

Powered by machine learning, Tessian analyzes and learns from an organization’s current and historical email data and protects employees against inbound email security threats, including whaling, CEO fraud, BEC, spear phishing, and other targeted social engineering attacks.

To learn more about how Tessian can protect your people and data against social engineering attacks on email, book a demo today. Or, if you’d rather just stay up-to-date with the latest social engineering attacks, subscribe to our weekly blog digest. You’ll get news, threat intel, and insights from security leaders for security leaders straight to your inbox.
Read Blog Post
ATO/BEC, Threat Intel
Cyber Criminals Leverage Temporary Block on PayPal Account in Phishing Attack
By Charles Brook
Friday, February 4th, 2022
This week, Tessian’s threat intelligence researchers detected a relatively sophisticated phishing attempt impersonating PayPal, the global payment services provider. The threat actor sent an email requesting action from the victim, prompting them to click on a login button that led to a malicious website.

[Screenshot: the email as received]
Social engineering-based cyber attacks like this, usually delivered through some form of phishing via email, have become a common phenomenon both at work and in our personal lives. Threat actors carry out these attacks using a range of techniques, drawing on information gathered opportunistically or through open source intelligence (OSINT).

In fact, 70-90% of all successful breaches are attributed to social engineering, and 96% of phishing attacks are delivered via email. This is why advanced phishing attacks are seen as a growing cybersecurity challenge.
All it takes is one click   Phishing attempts are used for a range of cybercriminal objectives, for example delivering malware including ransomware onto unsuspecting victims’ computers. Often phishing campaigns are also waged for the harvesting of credentials to execute an account takeover (ATO) attack.    They’re difficult to spot, too. Phishing attempts can appear to be very legitimate, even to the trained eye.
The phishing attempt targeted PayPal customers and used common phishing tactics, including corporate logos hosted by a third-party service and a sense of urgency created by stating that “Your PayPal Account Has Been Temporarily Restricted”.

But when you actually click “Login to PayPal” as instructed, you’re directed to

hxxps://me2[.]do/xZD4rPKB

which redirects to

hxxps://docs[.]05fmxoujyghzb[.]club/tmp/index/wildtt.php?97giuywdae

Despite the unusual URL, the landing page looks legitimate and prompts users to enter their login details. This information is then captured by the cybercriminals in a scheme known as credential harvesting.

Just as every effort was taken to make the webpage look legitimate, every effort was also taken to mimic the authenticity of a legitimate PayPal customer email, including:
Email images

The images in the email are loaded from the linkpicture[.]com domain, a free image hosting service. The primary reason for using a free service like this? It avoids any tie-back to the threat actor’s own infrastructure, giving a relatively high degree of anonymity and separation when carrying out the attack.
Quoted-printable encoding

The threat actor also used quoted-printable encoding in key header fields (as RFC 2047 encoded-words) and in sections of the HTML body of the email, a common tactic for hiding keywords from rule-based spam filters. Mail clients decode this text automatically before displaying it, so the recipient sees readable text while a filter that does not decode first sees only the encoded form.

[Screenshot: sender display name as received, and decoded]

When adding the display name, the attacker attempted to double-encode part of it, but this didn’t work, which is why the first string does not fully decode.

[Screenshot: email headline in the HTML body as received, and decoded]
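The decode-then-inspect step that a filter needs here can be done entirely with the Python standard library. The following is an added example, not code from the original post or from Tessian: it decodes the RFC 2047 encoded-words in the From and Subject headers and the quoted-printable HTML body, then applies the checks this post describes (a brand name in the display name that does not match the sending domain, footer links with empty hrefs, and a login link pointing off-brand). The sample message, its domains and the brand-domain allowlist are constructed for illustration and are not the campaign’s real indicators.

```python
"""Decode RFC 2047 encoded-words in headers and a quoted-printable body,
then run the checks a filter should apply to the decoded text.
Added example; the message and domains below are constructed."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the lure above. The display name and the
# headline are Q-encoded ("=50" is "P", "_" is a space); the body is
# quoted-printable ("=3D" is "="). Domains are placeholders, not indicators.
RAW_EMAIL = b"""From: =?UTF-8?Q?Pay=50al_=43ustomer_=53ervice?= <alerts@notice-center.example>
To: victim@example.org
Subject: =?UTF-8?Q?Your_PayPal_Account_Has_Been_=54emporarily_=52estricted?=
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body>
<h1>Your PayPal Account Has Been =54emporarily =52estricted</h1>
<p><a href=3D"https://me2.example/xZD4rPKB">Login to PayPal</a></p>
<p><a href=3D"">Help</a> | <a href=3D"">Contact Us</a> | <a href=3D"">Privacy</a></p>
</body></html>
"""

# Assumed: domains the brand legitimately sends from and links to.
BRAND_DOMAINS = {"paypal": {"paypal.com", "paypal.co.uk"}}


class LinkCollector(HTMLParser):
    """Collect every href in the body, including empty ones."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href":
                    self.hrefs.append(value or "")


def decode_message(raw):
    """Parse with policy.default, which decodes encoded-words and QP bodies."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    html_part = msg.get_body(preferencelist=("html",))
    return {
        "display_name": sender.display_name,
        "sender_domain": sender.domain.lower(),
        "subject": str(msg["Subject"]),
        "body": html_part.get_content() if html_part is not None else "",
    }


def analyze(raw):
    """Flag brand impersonation, empty footer links and off-brand link hosts."""
    m = decode_message(raw)
    links = LinkCollector()
    links.feed(m["body"])
    findings = {"impersonated_brand": None, "empty_links": 0, "external_links": []}
    for brand, domains in BRAND_DOMAINS.items():
        if brand in m["display_name"].lower() and m["sender_domain"] not in domains:
            findings["impersonated_brand"] = brand
    legit = BRAND_DOMAINS.get(findings["impersonated_brand"], set())
    for href in links.hrefs:
        if not href.strip():
            findings["empty_links"] += 1
            continue
        host = (urlsplit(href).hostname or "").lower()
        if host and not any(host == d or host.endswith("." + d) for d in legit):
            findings["external_links"].append(host)
    return findings


if __name__ == "__main__":
    print(decode_message(RAW_EMAIL)["display_name"])
    print(analyze(RAW_EMAIL))
```

The point of decoding before matching is that a rule such as “display name contains PayPal but sender domain is not PayPal’s” never fires on the raw header, where the name reads `Pay=50al`. Run as a script it prints the decoded display name and the findings dictionary.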
Enhancing “authenticity”

Impersonating well-known and trusted brands like PayPal is a common modus operandi for phishing attacks. According to Tessian research and the analysis of 2 million malicious emails, Microsoft, Amazon, and Zoom all ranked among the most impersonated brands. Likewise, the financial services sector tends to be heavily targeted in phishing attacks.

The threat actor also reproduced what look like legitimate PayPal footer links to enhance the apparent authenticity of the phishing email, another common tactic observed in phishing attempts. The footer links, however, are empty anchors with no URL behind them.
Additional observations of interest, and avenues for further research

The HTML body contains the name of a UK-based retailer, “Sainsbury’s”, indicating that this template was likely reused from an earlier phishing campaign targeting a different company’s customers; the threat actor simply forgot to update it. There might be utility in purchasing similar phishing templates from dark web markets to identify phishing attack trends and indicators.

It also pays dividends for organizations to stay aware of how email security threats are evolving, with threat actors continuously adapting social engineering methods to bypass legacy, rule-based email security controls. Educating employees about threats and how to spot them is important, too.

What to do if you think an email is suspicious

Now that we’ve examined this particular example, we need to address what you should do if you suspect you’re being targeted by a phishing attack.

If anything seems unusual, do not follow or click links or download attachments.
If the email appears to be from a government organization or another trusted institution, visit their website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid.
If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative.
Contact your line manager and/or IT team immediately and report the email.
Read Blog Post
Human Layer Security
Everything You Need to Know About CIS Controls
Tuesday, February 1st, 2022
Every organization should constantly be striving to improve its cybersecurity posture. One of the best ways to achieve this is to implement a cybersecurity framework.

While there are several cybersecurity frameworks to choose from, following the Center for Internet Security Critical Security Controls (CIS Controls) is an excellent way for an organization of any size to reduce the risk of a cyberattack.

The framework provides a comprehensive set of security controls to help you identify your assets, protect against and detect threats, respond to cyberattacks, and recover from any attacks that slip through your defenses.

This article will look at the latest version of the CIS Controls and provide an overview of how you can meet the framework’s requirements.

Want to explore other frameworks? Check out this guide, which broadly covers the NIST Framework, ISO 27000 Series, and PCI-DSS, in addition to CIS Controls.
CIS Controls: The basics

The CIS Controls are a framework of 18 high-level security controls you can put in place to improve your company’s information security and cybersecurity. The framework is well-respected and considered a good security baseline for most organizations.

Note: before the latest CIS Controls update (version 8, released May 2021), there were 20 Controls.

It’s worth noting that the 2016 California Data Breach Report, published by Kamala Harris (yes, that Kamala Harris, who was California Attorney-General at the time), described the 20 Controls as a minimum level of information security and stated that failing to implement the Controls that apply to an organization’s environment “constitutes a lack of reasonable security.”
Safeguards

Each Control is a broad class of security control and comes with several Safeguards (previously called “Sub-Controls”) that provide specific means of implementing the Control. There are 153 Safeguards in total, between 5 and 14 within each Control.

Each Safeguard is also mapped to one of five security functions, the same five used by the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.

It is advisable to work through the Safeguards in order of priority, starting with those that help you identify what you have (the asset and software inventories in Controls 1 and 2) before those that protect it.
Implementation Groups   Because the CIS Control framework is designed for businesses of all sizes, the framework also distinguishes three “Implementation Groups” (IGs)—types of organizations distinguished by company size and level of resources.   Here’s a good way to think of how the IGs differ:   IG1 companies are typically smaller businesses without much cybersecurity expertise. IG2 companies have employees specifically dedicated to looking after cybersecurity IG3 companies have employees specializing in different aspects of cybersecurity However, even if your organization is very large and well-resourced, the Center for Internet Security recommends that “every enterprise should start with IG1.” Get the basics in place (if you haven’t done so already) before moving on to the more complex controls.
The CIS Controls   Now let’s dive in—we’re going to look at the basic requirements of each CIS Control and list three representative Safeguards for each. Control 1: Inventory and Control of Enterprise Assets   Control 1 requires that you actively manage all enterprise assets (such as workstations, mobile devices, and servers) that are either connected to your infrastructure—physically, virtually, or remotely—or within the cloud.   Having total knowledge and control over your assets might be challenging—particularly in the age of remote-working—but it’s a vital foundation for your security program.   Control 1 Safeguards include:   Establishing and maintaining an asset inventory (all IGs) Using an active discovery tool to detect assets (IGs 2 and 3) Using a passive asset discovery tool (IG3 only)
CIS Control 2: Inventory and Control of Software Assets   Control 2 focuses on control of software assets—the operating systems and apps that your company uses—to ensure that only authorized software can operate on your systems.   As with Control 1, Control 2 reinforces the principle that a detailed knowledge of your assets is crucial to protecting your systems. Using reputable software and keeping it patched is an essential part of keeping threat actors at bay.   Control 2 Safeguards include:   Establishing and maintaining a software inventory (all IGs) Using automated software inventory tools (IGs 2 and 3) Running an allowlist of authorized scripts (IG 3 only)
CIS Control 3: Data Protection   Control 3 requires organizations to maintain good data protection practices: properly identifying, classifying, securing, storing and deleting data.   Data might be your company’s most important asset—and you have a legal and ethical responsibility to protect the data in your control.    Control 3 Safeguards include:   Establishing and maintaining a data management process (all IGs) Establishing and maintaining a data classification scheme (IGs 2 and 3) Deploying a Data Loss Prevention solution (IG 3 only)   The CIS Control framework notes: “While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error.”   Employing an email security solution is a simple and effective way to prevent data loss through social engineering attacks like phishing, 96% of which are conducted via email.   Read more about why Tessian is a key way of meeting your organization’s data protection requirements.
CIS Control 4: Secure Configuration of Enterprise Assets and Software   Control 4 involves the secure configuration of enterprise assets (such as your company’s devices and servers) and software (the operating systems and applications your company uses).   Your devices and apps might not come fully configured for optimal security. Software developers and hardware manufacturers want their products to be easy to use—but the most convenient settings are rarely the most secure.   It’s important to ensure your assets are appropriately configured to offer the best protection against threats.   Control 4 Safeguards include:   Establishing and maintaining a secure configuration process (all IGs) Enforcing automatic device lockout on mobile devices (IGs 2 and 3) Separate enterprise workspaces (i.e. work profiles) on mobile devices (IG 3 only)
CIS Control 5: Account Management   Control 5 is all about managing your user accounts, such as by controlling access and ensuring good password hygiene.   Admin accounts are a particularly significant target for cyberattacks. If a malicious actor gains access to an admin account, they could get control over large portions of your systems and assets.   Control 5 Safeguards include:   Establishing and maintaining an inventory of accounts (all IGs) Using unique passwords (all IGs) Centralizing account management (IGs 2 and 3)
CIS Control 6: Access Control Management

Control 6 is closely linked to Control 5 (Account Management), but it focuses on your ability to create, assign, manage, and revoke access to different types of accounts.

Managing access to accounts is crucial, but so is assigning specific roles to each type of account. You also need to be able to easily provision and de-provision access in the event of a cyber incident.

Control 6 Safeguards include:

Establishing an access-granting process (all IGs)
Establishing and maintaining an inventory of authentication and authorization systems (IGs 2 and 3)
Defining and maintaining role-based access control (IG 3 only)
CIS Control 7: Continuous Vulnerability Management   Control 7 helps you develop a plan to monitor and address security vulnerabilities, minimizing the opportunities for attackers. Attackers are often one step ahead of security teams and can utilize “zero-day vulnerabilities” to take organizations by surprise. However, a diligent approach to monitoring, assessing and tracking vulnerabilities makes life a lot harder for threat actors.   Control 7 Safeguards include:   Establishing and maintaining a vulnerability management process (all IGs) Performing automated vulnerability scans of internal enterprise assets (IGs 2 and 3) Remediating detected vulnerabilities (IGs 2 and 3)  
CIS Control 8: Audit Log Management   Control 8 is about logging events to help you better understand your security posture.   Logging and analyzing events allows you to better anticipate threats. Proper log management will help ensure attackers can’t access or erase your logs to hide their tracks.   Control 8 Safeguards include:   Establishing and maintaining an audit log management program (all IGs) Standardizing log time synchronization (IGs 2 and 3) Collecting service provider logs (IG 3 only)
CIS Control 9: Email and Web Browser Protections

Email clients and web browsers are extremely common points of entry for attackers. Social engineering attacks remain among the most common causes of data breaches, and 96% of social engineering occurs via email. Of increasing concern is the growing sophistication of email-based threats, which makes static, rule-based approaches to detecting them increasingly ineffective.

According to Tessian platform data, nearly 2 million malicious emails slipped past customers’ Secure Email Gateways (SEGs) and other existing controls.

That’s why locking down your users’ email clients and web browsers is one of the most fundamental steps you can take toward better cybersecurity.

Control 9 Safeguards include:

Using DNS filtering services (all IGs)
Implementing DMARC (IGs 2 and 3)
Deploying and maintaining email server anti-malware protections (IG 3 only)

Many of the protections outlined in CIS Control 9 can be realized, and taken further, through behavioral, adaptive email security solutions such as Tessian. Unlike the static, rule-based approaches of legacy email security providers such as SEGs, which rely on DNS filtering and DMARC, Tessian maps your users’ normal communication patterns to detect and prevent email-based attacks in real time.
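“Implementing DMARC” is only effective if the published record actually instructs receivers to act. A record with p=none meets the letter of the Safeguard while leaving spoofed mail deliverable. The following is an added example, not part of the CIS Controls or of any vendor product: it parses a DMARC TXT record and reports the settings that weaken it, with a monitoring-only record placed beside a hardened one. Both records are constructed; nothing is looked up in DNS, so it runs offline.

```python
"""Parse a DMARC TXT record and flag weak settings.
Added example; the records below are constructed, nothing is queried."""

# Constructed records: a monitoring-only record beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; the version tag must come first."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        raise ValueError("not a DMARC record")
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the effective policy and a list of weaknesses a receiver would honour."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never blocked")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp defaults to p; an explicit sp=none re-opens every subdomain.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so failures go unseen")
    return {"policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "issues": issues}


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec))
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string to assess_dmarc; the pct and sp checks matter most during a staged rollout, where a record is often left at pct=25 or sp=none long after the rollout has finished.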
CIS Control 10: Malware Defenses

Malware (malicious software) includes threats such as viruses, ransomware, and spyware.

In addition to securing your organization’s entry points (such as email and web browsers), you should be scanning your networks and devices for evidence of malware infection.

Control 10 Safeguards include:

Deploying and maintaining anti-malware software (all IGs)
Configuring automatic scanning of removable media (IGs 2 and 3)
Using behavior-based anti-malware software (IGs 2 and 3)

CIS Control 11: Data Recovery

Effective security means maintaining access to critical data. If your organization is attacked, you must be able to recover your IT systems and data quickly.

Control 11 Safeguards include:

Establishing and maintaining a data recovery process (all IGs)
Protecting recovery data (all IGs)
Testing data recovery (IGs 2 and 3)
CIS Control 12: Network Infrastructure Management

Network infrastructure includes gateways, firewalls, wireless access points (WAPs), and routers.

Because network infrastructure is an essential element of your defense against cyberattacks, it’s crucial that you ensure the network devices themselves are secure and properly configured.

Control 12 Safeguards include:

Ensuring network infrastructure is up-to-date (all IGs)
Centralizing network Authentication, Authorization, and Auditing (AAA) (IGs 2 and 3)
Establishing and maintaining dedicated computing resources for all administrative work (IG 3 only)

CIS Control 13: Network Monitoring and Defense

Despite your best efforts, network security controls can fail. You must be able to detect and defend against any attacks that break through your network defenses.

Network monitoring and defense is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.

Control 13 Safeguards include:

Centralizing security event alerting (IGs 2 and 3)
Deploying a host-based intrusion detection solution (IGs 2 and 3)
Deploying a network intrusion detection solution (IGs 2 and 3)
CIS Control 14: Security Awareness and Skills Training   Everyone in your organization is responsible—to some extent—for security. Getting your whole team on the same page through security awareness training is a necessary (but insufficient) step toward better security.   Control 14 Safeguards include:   Establishing and maintaining a security awareness program (all IGs) Training workforce members to recognize social engineering attacks (all IGs) Conducting role-specific security awareness and skills training (IGs 2 and 3)   Note that, while vital, security awareness training is not enough to protect your organization from cyberattacks. Increasingly organizations are understanding that context aware and in-the-moment security awareness training is essential to improving cybersecurity culture.
CIS Control 15: Service Provider Management

Most organizations rely on third parties to hold sensitive data or to run critical IT platforms and processes. Control 15 asks you to know who those providers are and to make sure they protect your data and systems appropriately.

Control 15 Safeguards include:

Establishing and maintaining an inventory of service providers (all IGs)
Ensuring service provider contracts include security requirements (IGs 2 and 3)
Assessing service providers (IG 3 only)

CIS Control 16: Application Software Security

If your organization develops software applications—either for commercial distribution or in-house use—you must ensure these apps are secure.

Application software security is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.

Control 16 Safeguards include:

Establishing and maintaining a secure application development process (IGs 2 and 3)
Performing root cause analysis on security vulnerabilities (IGs 2 and 3)
Conducting threat modeling (IG 3 only)

CIS Control 17: Incident Response Management

Your security program must cover all bases—protection and detection of threats is crucial, but so is responding to and recovering from successful attacks.

Control 17 Safeguards include:

Designating personnel to manage incident handling (all IGs)
Establishing and maintaining an incident response process (IGs 2 and 3)
Establishing and maintaining security incident thresholds (IG 3 only)

CIS Control 18: Penetration Testing

Penetration testing (or “pen-testing”) puts your defenses to the test.

Conducting independent assessments of your security posture is an important way to identify gaps and weak points that could let real-world attackers through.

Penetration testing is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.

Control 18 Safeguards include:

Establishing and maintaining a penetration testing program (IGs 2 and 3)
Performing periodic external penetration tests (IGs 2 and 3)
Performing periodic internal penetration tests (IG 3 only)
Email and CIS Controls

While organizations have dozens of threats and entry points to consider, and must have a well-rounded security stack to prevent attacks and breaches, email is mentioned in at least three Controls. Control 9 specifically calls for hardening email and web browser protections, and underscores how susceptible organizations are to successful social engineering attacks.

Email remains a significant threat vector. In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidents are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further threat vector that has until recently gone largely unaddressed is unauthorized data exfiltration over email, whether accidental or malicious, which is now among the most frequently reported incident types. Given the increasing sophistication of email-based attacks, the importance of having industry-leading email security protection in place must be reemphasized.
How can Tessian help you lock down email?    This is why enterprises are replacing legacy email security solutions with the next generation of intelligent email security protection from Tessian. By using industry leading machine learning, the dynamic real time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.

Key features include:
- Advanced Spear Phishing Protection
- Advanced Attachment and URL Protection
- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Bulk Remediation
- Automated Quarantine
- Threat Intelligence
- Insider Threat Management
- Accidental & Malicious DLP
Read Blog Post
Email DLP, Remote Working, Data Exfiltration
How the Great Resignation is Creating More Security Challenges
By Laura Brooks
Tuesday, February 1st, 2022
New research from Tessian reveals just how deep The Great Resignation is, and how it’s continuing to increase work for security teams.   The Great Resignation of 2021 continues well into 2022, with record high numbers of people quitting their jobs and seeking opportunities for better positions, better pay, better work/life balance and even exploring a career in a completely new industry.   According to our latest survey of 2,000 employees in UK and US businesses, 55% are considering leaving their current employer this year, with two in five (39%) workers currently working their notice or actively looking for a new job in the next six months.    HR departments are under pressure to retain employees and replace the talent they lost. But they’re not the only team feeling the strain.    Our survey also revealed that 71% of IT decision makers in US and UK organizations told us the Great Resignation has increased security risks in their company. What’s more, 45% of IT leaders say incidents of data exfiltration have increased in the last year, as people took data when they left their jobs.    They’re not wrong. One in three (29%) UK and US employees admitted to having taken data with them when they quit. The figures were much higher in the US, with two fifths of US employees (40%) saying they’d taken data with them when they left their job.
Which employees are taking the data?   We see noticeable differences in behaviors across various departments. Employees in marketing were the most likely to take data with them when they leave, with a staggering 63% of respondents in this department admitting to doing so. Employees in HR (37%) and IT (37%) followed.    Interestingly, rates of data exfiltration are much lower in highly regulated functions like accounting and finance, operations and legal. With employees in these departments having to comply with strict data regulations on a daily basis, the findings suggest that this shapes their data sharing behaviors and the security cultures in these departments. Just 16% of workers in operations and 22% in accounting and finance say they have taken data with them when they’ve left a job.
Why do employees take data with them?  The majority of employees are not taking data for malicious purposes. The most common reason for taking data, cited by 58% of respondents, was because the information would help them in their new job. In addition, 53% believe that because they worked on the document, it belongs to them.    A significant percentage of employees (44%) said they took the information to share with their new employer, while 40% said they intended to make money from the information.
The consequences of doing nothing   With 70% of US employees and 40% of UK employees thinking about leaving their employer this year, the pressure is on to protect the organization from insider risk.    Even if a company experiences one data exfiltration attack, the consequences can be huge. There’s a lot at stake when it comes to the data in your company’s control, particularly when you consider that the average cost of a data breach now stands at $4.24 million.    What are the causes of these phenomenal costs? Here are three factors:   Containment: Hiring cybersecurity and identity fraud companies to contain a data breach is expensive —not to mention the thousands of hours that can be lost trying to determine the cause.  Lawsuits: Many companies face enormous lawsuits for losing customer data.  Penalties: Laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) enable regulators to impose significant fines for personal data breaches.
What can IT and security leaders do to minimize the risk of data exfiltration during the Great Resignation period?   Taking data when leaving an organization has become one of those culturally-accepted things that people feel they can get away with. Let’s be clear, though, this is not a reason to blame and shame employees for their actions.    Rather this is an opportunity to see how we got to this point, assess where there are gaps in our data protection policies, and determine whether policies and guidelines are being communicated effectively to employees – both company-wide and in specific departments.    By defining and communicating the company’s expectations around data sharing and data handling in the organization, and training employees on safe cybersecurity practices, security leaders can start to build stronger security cultures that reduce insider risk.   As well as greater education and training, IT and security teams also need to ensure they have visibility of the risk across all channels, particularly email. A quarter of IT leaders we surveyed said they do not have visibility into incidents of data exfiltration, and this is an important first step.    The Great Resignation shows no sign of slowing down, and people will continue to move around looking for new opportunities throughout 2022. But this is also an opportunity for IT and security teams to build a more robust data loss prevention strategy, streamline defenses against insider risk, and put a safety net in place to stop the company’s most valuable and sensitive data from falling into the wrong hands.    How does Tessian prevent data exfiltration attempts?   Prevent unauthorized emails  Whether it’s an employee sending sensitive information to less secure, personal accounts or a bad leaver maliciously exfiltrating data, Tessian automatically prevents data exfiltration over email. 
Learn more   Deeply understand your risk Whether careless, negligent, or malicious, insider threats are difficult to combat and even harder to detect. But with Tessian, you can quickly find and report the key areas of insider risk, use insights to predict future behavior, and take remedial action to prevent exfiltration attempts.  Learn more   In-the-moment educational warnings Tessian warnings act as in-the-moment training for employees, continuously educating them about threats, reinforcing your policies, and nudging them toward safe email behavior. Automatically build individualized policies at scale to reduce high-risk email use and track trends in unsafe activity over time. Learn more
Read Blog Post
Remote Working
The Ultimate Guide to Security for Remote Working
By Andrew Webb
Friday, January 28th, 2022
The future and nature of work is changing. So here’s all you need to know about how to keep your people secure in the ‘new normal’.
Remote working, hybrid working, anywhere-working, flexible-working, 4-day-week working, and everything in between – if the pandemic has done one thing, it seems to have destroyed nine-to-five in the office.   Saying so long to the stationery cupboard and “auf wiedersehen” to the water cooler might have been great for staff, but presented a serious challenge for security leaders back in 2020. And while, way back then, many thought the situation was temporary – a few months at most – and would be mitigated by vaccines, that clearly hasn’t been the case.   Indeed Forrester’s Predictions 2022 anticipates the following set-up:
- 10% of firms will shift to a fully remote model 🏡
- 30% will go back to a fully in-office model 🏢
- The remaining 60% of firms will shift to a hybrid model 🏡 + 🏢

Those that insist on a fully in-office model will find that employees simply won’t have it. Attrition at these firms will rise above their industry averages — monthly quit rates will rise to as high as 2.5% for as much of 2022 as needed until executives feel the pain and finally commit to making hybrid work … work.   Our own research bore this out too.    According to our Securing the Future of Hybrid Working report, just 11% of employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future. That represents a lot of employee churn and HR headaches for you and your security team, which we’ll explore shortly. But first, given we are in security, let’s recap the current risks.
What are the security risks with remote working? The majority of IT leaders we surveyed believe permanent remote or hybrid work will put more pressure on their teams, while over a third (34%) were worried about their team becoming stretched too far in terms of time and resources.     While hybrid or flexi-working is great for employees, it’s the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work from anywhere. So if that’s the environment you’re having to work in, what are the risks?
Unsurprisingly, topping the charts is the classic phishing attack. 82% of IT leaders we surveyed believed employees are at greater risk of phishing attacks when working remotely. The pandemic saw a surge in these, with CISA specifically warning of attacks targeting remote workers back in Jan 2021.   Those threats haven’t gone anywhere in the meantime. Indeed, they’ve only increased with our reliance on delivery companies for shopping. But brand impersonations have expanded beyond the usual logistics and utility companies to software providers like Microsoft, Adobe and Zoom.
There’s a strong probability that, as we move forward in this new hybrid environment, remote work blindspots will be exploited.    This begs the question: how do you ensure people’s home networks are secure? There are also concerns around liability. If Company A faces a ransomware attack, it spreads to an employee, their home network, and then their partner’s company device to infect Company B… is Company A now liable for the losses Company B suffers?
This scenario is only exacerbated by having a Bring Your Own Device policy. Of course the benefits of BYOD are lower costs, increased flexibility for staff and a more productive workforce. But there are downsides around physical and network security.    An August 2021 survey conducted by Palo Alto Networks found that 83% of companies with relaxed bring-your-own-device (BYOD) policies reported increased security issues as a result. We explore those for both security teams and workers themselves in this post.
How new habits become bad habits  That same Palo Alto survey also found that 35% of companies reported that their employees either circumvented or disabled remote security measures.  Our State of Data Loss Prevention report backs this up with the following alarming stats:
- 48% of employees say they’re less likely to follow safe data practices when working from home.
- 84% of IT leaders report DLP is more challenging when their workforce is working remotely.
- 52% of employees feel they can get away with riskier behavior when working outside of the office.

When asked why they were less likely to follow safe data practices when working from home, employees cited not working on their usual devices (50%) and being distracted (47%) as two of the top three reasons.    We’ve listed the 13 worst cybersecurity sins below. So take a moment to see if people in your organization are making these security errors.
Evaluate and evolve your current process So, we’ve understood the risks, and are aware of some less-than-perfect security habits. Now we need to examine our processes. You’ve probably implemented some form of remote security processes since the start of the pandemic. But you should always be looking to evolve it to stay on top of your game and in light of new threats and changing circumstances.   Education in security has a huge part to play in making people aware of the risks associated with working remotely, and dispelling some of those new, bad habits. Our views on security awareness training are well-known. An hour-long ‘test quiz’ once a year just isn’t going to cut it. Instead you need to bake security into your organization’s daily operations.
As Bobby Ford, Global Chief Security Officer at Hewlett Packard Enterprise says in this video, how can you get a little bit of cyber into other programs in your organization? And don’t just stop at events, town halls, intranets, or staff newsletters. These are all places to continually beat the drum for good security. So work with your people and comms teams to help enable that. We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it.
What’s perhaps most remarkable about the switch to remote working is that it happened almost overnight. The efforts and tools IT and security teams put in place quickly ensured that many companies stayed operating – jobs and lives were no doubt saved.
Now, however, those tools and processes are a permanent part of your business, and reviewing your security stack to ensure it’s fit for purpose in a remote world is critical. So what to look for? Ask yourself questions like:
👩‍💻 Does the application process personal data? If so, why and in what volume?
🌏 Where is the data processed?
📚 Does the application take back-ups of data? If so, how often?
🚫 Who has access to the data in the platform?
📱 Is access conditional upon Multi-Factor Authentication (2FA, for example)?

We’ve fully explored how to onboard remote collaboration and productivity tools here.
The Great Re-Evaluation and the future of remote work Finally, there’s one other aspect of remote working to address, and that’s people themselves. The pandemic caused a lot of soul searching in many employees about their future and the sort of companies they wanted to work for.    The past 18 months have seen unprecedented demand for highly skilled roles, and many people are using this to turbo charge their careers. The person in this BBC article increased her salary by £10,000 in six months, and she surely can’t be the only one.  So as well as protecting your people from external threats, there are also potential dangers from within. If people are leaving, what better way to make a great impression on the first day at their new gig than by bringing a juicy file of customer data, source code, or other highly valuable IP?    Again, our State of Data Loss Prevention Report found that 45% of employees admit to downloading, saving, or sending work-related documents to their personal accounts before leaving or after being dismissed from a job. Assuming your USB ports are disabled, staff will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.    We’ve explored in detail how to keep your data safe in The Great Re-Evaluation below
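The leaver pattern described above (an employee on notice mailing work files to a personal webmail address) is something an outbound-mail log can surface on its own. The following is an added example, not Tessian’s code or a description of how its product works: it reads a constructed message-trace log, joins it against a hypothetical HR leaver feed, and raises an alert whenever attachments leave for a personal account, escalating to high severity when the sender is on notice. Every name, domain, date and log line is made up for the example.

```python
"""Added example (not Tessian's code): flag outbound mail matching the leaver
exfiltration pattern above, namely an employee on notice mailing attachments to
a personal webmail account, often one that carries their own name.
The HR leaver list, log lines, names and domains are all constructed."""
import json
import re
from datetime import date

PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com", "proton.me"}

# Hypothetical HR feed: sender address -> date notice was given or employment ended.
LEAVERS = {"j.doe@example.com": date(2022, 2, 1)}

# Constructed outbound events, in the shape a gateway or message trace would emit.
LOG = """\
{"ts": "2022-02-03T18:05:00Z", "from": "j.doe@example.com", "to": ["john.doe88@gmail.com"], "subject": "stuff", "attachments": ["customer_list_2021.xlsx"], "bytes": 4200000}
{"ts": "2022-02-03T18:20:00Z", "from": "l.brooks@example.com", "to": ["laura.b@outlook.com"], "subject": "expenses", "attachments": ["expenses_jan.xlsx"], "bytes": 90000}
{"ts": "2022-02-03T10:00:00Z", "from": "l.brooks@example.com", "to": ["vendor@supplier.example"], "subject": "PO 4411", "attachments": ["po4411.pdf"], "bytes": 120000}
{"ts": "2022-02-03T18:07:00Z", "from": "j.doe@example.com", "to": ["john.doe88@gmail.com"], "subject": "more", "attachments": ["pipeline.pptx"], "bytes": 9100000}
{"ts": "2022-02-04T09:00:00Z", "from": "j.doe@example.com", "to": ["team@example.com"], "subject": "handover notes", "attachments": [], "bytes": 3000}
"""


def name_tokens(addr: str) -> set:
    """Name-like pieces of a local part: 'john.doe88' -> {'john', 'doe'}."""
    local = addr.split("@", 1)[0].lower()
    return {t for t in re.split(r"[._\-+\d]+", local) if len(t) >= 3}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def analyze(log_text: str, leavers: dict = LEAVERS) -> list:
    """One alert per event that moves data to a personal account; severity is
    raised to high when the sender is on the leaver list and sends attachments."""
    alerts = []
    bytes_to_personal = {}  # running total per sender across the log window
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        sender = ev["from"].lower()
        sent_on = date.fromisoformat(ev["ts"][:10])
        on_notice = sender in leavers and leavers[sender] <= sent_on
        personal = [r for r in ev["to"] if domain_of(r) in PERSONAL_WEBMAIL]
        if not personal:
            continue  # business recipients are out of scope for this rule
        reasons = [f"recipient(s) on personal webmail: {personal}"]
        if any(name_tokens(sender) & name_tokens(r) for r in personal):
            reasons.append("recipient carries the sender's own name")
        if ev["attachments"]:
            bytes_to_personal[sender] = bytes_to_personal.get(sender, 0) + ev["bytes"]
            reasons.append(f"attachments {ev['attachments']}")
        if on_notice:
            reasons.append(f"sender on notice since {leavers[sender]}")
        severity = "high" if on_notice and ev["attachments"] else "medium"
        alerts.append({"ts": ev["ts"], "from": sender, "severity": severity,
                       "reasons": reasons,
                       "bytes_to_personal_so_far": bytes_to_personal.get(sender, 0)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(alert["severity"], alert["from"], alert["reasons"])
```

The running byte total per sender is the part worth keeping: a single 4 MB spreadsheet is easy to argue away, but 13 MB to the same Gmail address in two minutes on the evening after notice was handed in is the shape of the incidents the survey respondents are describing.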
At Tessian, we know being an InfoSec leader is hard. The threats are relentless and the landscape is constantly changing. The halcyon days of rows of desktop PCs in an office block protected by on-prem Secure Email Gateway (SEG) are confined to the history books. Remote work, an infinite perimeter, and sophisticated attacks by email are here to stay.    The only question is, how are you going to deal with them?   To find out how Tessian can help secure your remote teams, get in touch for a demo
Read Blog Post
ATO/BEC
14 Real-World Examples of Business Email Compromise (Updated 2022)
Thursday, January 27th, 2022
With an average cost to businesses of $5.01 million per breach, it’s no surprise that the FBI has named Business Email Compromise (BEC) a “$26 billion scam”, and the threat is only increasing. Business Email Compromise (BEC) attacks use real or impersonated business email accounts to defraud employees. In 2020, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime.    You can find more information on what exactly BEC is and how it works in this article: What is Business Email Compromise and How Does it Work?, and understand how Tessian prevents BEC across industries here.    But what does a BEC attack look like in real life? This article details 14 examples of BEC attacks that have cost victims money, time, and reputation, to help you avoid making the same mistakes.
1. Facebook and Google: $121m BEC scam    First, let’s look at the biggest known BEC scam of all time: a VEC attack against tech giants Facebook and Google that resulted in around $121 million in collective losses.   The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019.   So how did some of the world’s most tech-savvy employees fall for this elaborate hoax?   Rimasauskas and associates set up a fake company named “Quanta Computer” — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which they duly paid to bank accounts controlled by Rimasauskas.   As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers.   The Rimasauskas scam stands as a lesson to all organizations. If two of the world’s biggest tech companies lost millions to BEC over a two-year period — it could happen to any business.     2. Ubiquiti: $46.7m vendor fraud In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.”   This attack was an example of a type of BEC sometimes called Vendor Email Compromise (VEC). The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department.   We still don’t know precisely how the cybercriminals pulled off this massive scam. VEC attacks previously relied on domain impersonation and email spoofing techniques, but these days scammers are increasingly turning to the more sophisticated account takeover method.     3. Toyota 2019: $37 million BEC attack Next, a name you may recognize – in 2019 Japan’s Toyota Boshoku Corporation was hit with a $37 million BEC attack.
Though $37 million may appear alarming to you or me, the huge size of the company meant that the attackers were able to persuade an employee to transfer the sum out of the European subsidiary before being detected.    With BEC on the rise, and this attack being the third that Toyota had experienced that year so far, critics say that Toyota should have been on the lookout for the scam.   As Toyota learnt the hard way, BEC attacks often come in multiples – with one attack opening the door to many more as money, IP, data or identities are stolen.
4. Obinwanne Okeke: $11 million in losses In February 2021, celebrated entrepreneur Obinwanne Okeke was sentenced to 10 years in prison for his involvement in a BEC scheme that resulted in at least $11 million in losses to his victims. Using phishing emails to secure the login credentials of business executives (including the CFO of British company Unatrac Holding), these initial phishing scams then acted as a platform for BEC.  As is often the case, BEC was just one part of a tapestry of fraud and cybercrime, with Okeke also creating fraudulent webpages to further manipulate his victims. The money transfers also went directly into overseas accounts, meaning that local law enforcement couldn’t aid in recovering them.   5. Scoular Co.: $17.2m acquisition scam   This example demonstrates how fraudsters can play on a target’s trust and exploit interpersonal relationships. In June 2014, Keith McMurtry, an employee at Scoular Co., a company in Omaha, Nebraska, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurtry that Scoular was set to acquire a Chinese company.   Elsea instructed McMurtry to contact a lawyer at accounting firm KPMG. The lawyer would help facilitate a transfer of funds and close the deal.  McMurtry obeyed, and he soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co.”   The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer.   Aside from the gargantuan $17.2m loss, what’s special about the Scoular scam? Take a look at this excerpt from the email, provided by FT.com, from “Elsea” to McMurtry:   “We need the company to be funded properly and to show sufficient strength toward the Chinese.
Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.” Given the emotive language, the praise, and the promise of future rewards — it’s easy to see why an employee would go along with a scam like this.     6. Homeless Charity, Treasure Island: $625,000 BEC loss BEC rates have been rising for several years, as demonstrated by 2021 data from the FBI’s Internet Crime Complaint Center (IC3). So perhaps it’s unsurprising—if somewhat disheartening—that law enforcement agencies are struggling to cope with all the BEC incidents that companies are reporting to them.   In June 2021, we learned that San Francisco-based homelessness charity Treasure Island fell victim to a devastating, month-long $625,000 BEC attack after hackers infiltrated the organization’s bookkeeper’s email system.   The hackers found and manipulated a legitimate invoice used by one of Treasure Island’s partner organizations. Staff at Treasure Island transferred a loan intended for the partner organization straight into the cybercriminals’ bank account.    The nonprofit sadly lacked cybercrime insurance. But even worse—the U.S. Attorney’s Office in San Francisco, which would have been responsible for leading an investigation into the BEC attack, reportedly declined to investigate the incident.   This case serves as a reminder that, when it comes to cybercrime, prevention is always better than cure. Building security into your systems is the only viable way to avoid the losses associated with BEC attacks.     7. Government of Puerto Rico: $2.6 million transfer   In early 2020, while dealing with the aftermath of a 6.4-magnitude earthquake, the Puerto Rican government discovered they had fallen victim to a BEC scam. The direct victim of the scam was Rubén Rivera, finance director of Puerto Rico’s Industrial Development Company, who mistakenly transferred over $2.6 million to a fraudulent bank account.
Rivera had received an email explaining that there had been a change to the bank account tied to remittance payments. The email had come from a hacked email account of an employee of the Puerto Rico Employment Retirement System.  Three employees were suspended after the attack and, fortunately, the money, which included public pension funds, was frozen by the FBI. Manuel Laboy, executive director of the Industrial Development Company, insisted that the incident “did not affect and will not affect pension payments to retirees”.
8. St. Ambrose Catholic Parish: $1.75 million   While enjoying the recent restoration and repair of the church roof, St. Ambrose Catholic Parish in Ohio was given a nasty surprise when it fell victim to a BEC attack.   Hackers pretended to be the construction firm that had repaired the roof, and emailed parish officials claiming that they had not been paid in two months. The parish swiftly wired $1.75 million into a fraudulent account, and the perpetrators swept it out before anyone knew what had happened.   On top of hiring a third-party cybersecurity firm to assess their system and policies, the parish resolved to start sending manual checks again instead of wire transfers to stop any future fraudsters in their tracks.   9. Guillermo Perez: $2.2 million From (at least) October 2018 to October 2019, Guillermo Perez and his co-conspirators led a BEC scam that made them $2.2 million richer (allegedly – he’s awaiting trial). As part of the scheme, Perez and co-conspirators provided banks with false and misleading information regarding their affiliations.   Lured into a false sense of security, the banks then opened business accounts for them that were fraudulent. Perez and his fellow attackers then used BEC to manipulate victims into transferring over $2.2 million into the fraudulent accounts – money that was moved swiftly into the attackers’ pockets.   10. Save the Children: $1 million There is seemingly no limit to who BEC attackers will target – as demonstrated in 2018 with an attack on Save the Children that cost the charity $1 million. The attacker gained access to an employee’s email account and from there sent fake invoices and other documents pretending that the money was needed to pay for health centre solar panels in Pakistan.   The charity has had a base there for decades, so the attack was well-researched and effective, and before the scam was exposed the money had already been deposited in a Japanese bank account.
11. Noel Chimezuru Agoha, Sessieu Ange Oulai and Kelechi Arthur Ntibunka: $1.1 million   In March 2021, Noel Chimezuru Agoha, Sessieu Ange Oulai, and Kelechi Arthur Ntibunka were charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft. This was all (allegedly) part of a series of BEC scams that saw the attackers pose as clients of victims to intercept payments totaling over $1.1 million.   The BEC scam was accompanied by a dating scam, which involved manipulating victims on dating websites into believing they were in a romantic relationship with the scammers, and coaxing them into sending money. These scams exemplify the sophisticated social engineering techniques that are often found in BEC and other forms of cyberattacks.
12. Atlanta BEC scammer: Sentenced after making $250,000+ In June 2021, an Atlanta court sentenced Anthony Dwayne King to two and a half years in prison for his role in a BEC scam—but only after he’d earned nearly $250,000 ripping off businesses and individuals across four U.S. states.   Between October 2018 and February 2019, King and his accomplices conducted BEC and vishing (phone phishing) operations, setting up fake companies and opening fraudulent bank accounts to redirect wire transfers.   The cybercriminals targeted law firms and home movers but were thwarted by Georgia’s Cyber Fraud Task Force. As well as serving federal prison time, King will have to repay the money he stole from his victims.   13. Gift card scams Gift card BEC scams have always been popular amongst the cybercrime community – and according to the FBI, the prevalence of this type of scam is only increasing. Victims receive an email from attackers masquerading as an authority figure asking victims to purchase gift cards for personal or business reasons. Sometimes the attacker will also request a wire transfer payment, much like the classic BEC scam.   An example of this type of attack was seen in 2019 when attackers impersonated Rabbis in Virginia and convinced their synagogue congregants to purchase gift cards for a fundraiser and told them to send back pictures of the serial numbers.   As you might imagine, this type of attack is particularly common during the holiday season and Black Friday. According to a report from the Anti-Phishing Working Group, 66% of BEC attacks included a request for gift card payment in the second quarter of 2020.     14. Snapchat payroll information breach Many high-profile BEC attacks target a company’s finance department and request payment of an invoice to a new account. But not all BEC scams involve wire transfer fraud. Here’s an example of how BEC scams can target data, as well as money.   
In February 2016, cybercriminals launched a BEC attack against social media firm Snapchat. Impersonating Snapchat’s CEO, the attackers obtained “payroll information about some current and former employees.”   The scam resulted in a breach of some highly sensitive data, including employees’ Social Security Numbers, tax information, salaries, and healthcare plans. Snapchat offered each affected employee two years of free credit monitoring and up to $1 million in reimbursement.
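Most of the cases above share a handful of header-level tells: a sender domain that imitates a real supplier (Ubiquiti, St. Ambrose), an executive’s display name on an address that is not the executive’s (Scoular, Snapchat), and a request to move money or change bank details. The block below is an added example written for this page, not Tessian’s code and not a description of its product. It runs those checks over three constructed messages; the trusted domains, the executive directory, the message contents and the scoring thresholds are all assumptions for the example.

```python
"""Added example (not Tessian's code): header and content checks for the
impersonation patterns behind the BEC cases above. Domains, names, messages
and thresholds are constructed for the example."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: your own domain plus the vendors you pay, and the executives
# most often impersonated in CEO-fraud mail, keyed by display name.
TRUSTED_DOMAINS = {"example.com", "quanta-supplier.example"}
EXECUTIVES = {"chuck elsea": "chuck.elsea@example.com"}
PAYMENT_WORDS = re.compile(
    r"\b(wire|bank (account|details)|remittance|invoice|urgent|gift cards?)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold common lookalike tricks so 'examp1e.com', 'exarnple.com' and a
    domain spelled with a Cyrillic 'a' all compare against 'example.com'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()  # drops non-Latin homoglyphs
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        nt = normalize_domain(trusted)
        # Distance 2 catches typo-squats and dropped homoglyphs; tune to domain length.
        if nd == nt or edit_distance(nd, nt) <= 2:
            return trusted
    return None


def body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Score one message; two or more independent signals hold it for review."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike domain {from_domain} imitates {imitated}")
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' spoofs executive {expected}")
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} diverts replies off {from_domain}")
    # Authentication-Results is stamped by your own MX after SPF/DKIM/DMARC checks.
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I):
        findings.append("DMARC failed for the From domain")
    if PAYMENT_WORDS.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        findings.append("payment or bank-change language")

    verdict = "hold" if len(findings) >= 2 else "review" if findings else "deliver"
    return {"from": from_addr, "verdict": verdict, "findings": findings}


# Constructed samples: a vendor-impersonation invoice, a CEO display-name spoof
# sent from webmail, and a benign internal mail.
SAMPLE_VENDOR = """From: Accounts <billing@quanta-supp1ier.example>
To: ap@example.com
Subject: Updated remittance details
Authentication-Results: mx.example.com; dmarc=pass header.from=quanta-supp1ier.example

Please update the bank account on file before paying the attached invoice.
"""

SAMPLE_CEO = """From: Chuck Elsea <chuck.elsea.ceo@webmail.example>
To: keith@example.com
Subject: Confidential

Keith, I need an urgent wire sent today for the acquisition. I will not forget your professionalism.
"""

SAMPLE_LEGIT = """From: Keith McMurtry <keith.mcmurtry@example.com>
To: team@example.com
Subject: Lunch on Thursday

Lunch is at noon on Thursday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VENDOR, SAMPLE_CEO, SAMPLE_LEGIT):
        print(triage(sample))
```

Note that the vendor sample passes DMARC: the attackers own the lookalike domain, so authentication alone clears it, and it is the domain comparison plus the bank-change wording that holds the message. That is the gap an account-takeover or registered-lookalike BEC slips through when a gateway only checks SPF, DKIM and DMARC.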
Read Blog Post
Email DLP
Why Email Security is a Top Cybersecurity Control
By John Filitz
Wednesday, January 26th, 2022
Cybersecurity frameworks play an integral role in ensuring organizations have adopted the latest best practice standards and strategies to safeguard their information systems and data. The most commonly adopted industry standard frameworks include the NIST Cybersecurity Framework, the CIS Controls, and ISO/IEC 27001/2. But, of these industry frameworks, only ISO/IEC 27001 can be certified against.    For organizations with well-developed cybersecurity strategies, often led by industry-leading CISOs, email security controls form a core control in preventing unauthorized information system access.    But the relationship between industry standard cybersecurity frameworks and the importance of email security can often appear to be subsumed by higher order security controls. For example, only the CIS Controls explicitly mention email security (Control 09).    Read on to see why email security deserves higher priority in your security controls environment.
The market is once again signaling email security as a priority security control    Email security has, until recently, been seen as a low-priority “solved-for” cybersecurity challenge. Many of the analyst firms even stopped providing market coverage on the email security vendorscape, with market maturity cited as the leading reason. This world view saw a handful of legacy email security monoliths, built for an on-premise world, dominating the market on what appeared to be a rather straightforward cybersecurity challenge – filtering unsophisticated phishing attempts and spam.   The threat landscape however did not stop evolving. In fact, over the past 12-24 months there has been a marked shift in the sophistication of social engineering based attacks, which is placing renewed emphasis on email security as a high priority security control.    In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidence are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further threat vector that has until recently gone unaddressed is unauthorized data exfiltration over email, whether accidental or malicious, which is now among the most commonly reported incidents.   The growing threat reality of poorly secured email has called into question legacy email security vendors and approaches, with increasing displacement taking place by a new breed of advanced email security solutions.
Cybersecurity Frameworks

Given this evolving threat landscape, it is worth revisiting the mainstream cybersecurity frameworks and the centrality of email security as a core element of cybersecurity resilience.

CIS Controls

Dating back to 2008, the CIS Controls are seen by many in the industry as the gold standard of cybersecurity controls. In fact, the NIST Cybersecurity Framework references the CIS Controls as an "informative resource," and most practitioners use the CIS Controls in conjunction with the NIST Cybersecurity Framework.

The CIS Controls undergo periodic review; currently there are 18 controls:

CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing

Control 9 is of specific relevance to this discussion: it calls for the hardening of email and web browser protections, and underscores how susceptible organizations are to falling victim to successful social engineering attacks.
NIST Cybersecurity Framework

First introduced in 2014 and revised in 2018, the NIST Cybersecurity Framework version 1.1 is premised on five core functions:

Identify: developing an organizational understanding of cybersecurity risk to systems, people, assets, data and capabilities. Activities include Asset Management, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.
Protect: developing and implementing safeguards to ensure the safe delivery of critical services. Activities include Identity and Access Management, Security Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
Detect: developing and implementing capabilities that enable early detection of cybersecurity events. Activities include detecting Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
Respond: developing and implementing capabilities that enable a well-managed response after an incident has occurred. Activities include Incident Response Planning, Communications, Analysis, Mitigation, and Improvements.
Recover: developing and implementing capabilities that enable recovery after a cybersecurity incident has occurred. Activities include Recovery Planning, Improvements, and Communications.

The hardening of email security controls relates directly to:

Security control 2 (Protect): providing advanced Data Security and Information Protection Technology
Security control 3 (Detect): providing Anomalies and Events, Continuous Monitoring and Detection Processes capabilities
ISO/IEC 27001 and ISO/IEC 27002

ISO 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements, commonly referred to as ISO 27001, is used in conjunction with ISO 27002:2013 Code of Practice for Information Security Management, commonly referred to as ISO 27002.

ISO 27001/2 is the only cybersecurity framework that can be certified internationally by the ISO standards body. Achieving ISO 27001/2 certification requires that organizations build an Information Security Management System that, among other requirements, entails adopting all 14 of the security control categories listed under Annex A.

In total there are 114 security controls across the 14 categories. The CIS Controls and NIST Cybersecurity Framework can also be mapped to the ISO 27001 controls.

The 14 security control categories are:

Annex A.5 Information Security Policies
Annex A.6 Organization of Information Security
Annex A.7 Human Resource Security
Annex A.8 Asset Management
Annex A.9 Access Control
Annex A.10 Cryptography
Annex A.11 Physical and Environmental Security
Annex A.12 Operations Security
Annex A.13 Communications Security
Annex A.14 System Acquisition, Development and Maintenance
Annex A.15 Supplier Relationships
Annex A.16 Information Security Incident Management
Annex A.17 Information Security Aspects of Business Continuity Management
Annex A.18 Compliance

Of the 14 security control categories, A.12 Operations Security and A.13 Communications Security underscore the importance of having robust email security in place. The two sub-controls under A.12 and A.13 with direct relevance to email security are:

A.12.2.1 Controls Against Malware: detection, prevention and recovery controls that protect against malware, which also entail appropriate user security awareness.
A.13.2.3 Electronic Messaging: any information involved in any form of electronic messaging needs to be appropriately protected to prevent unauthorized access.
General Data Protection Regulation (GDPR)

Although not a cybersecurity control framework, GDPR does set out legal processes and procedures to protect the data of European Union member countries' citizens. Similar data privacy and security legislation is being enacted around the world, calling for similar controls to be put in place. GDPR, however, is notorious for imposing the most stringent interpretations of its data privacy and data security regulations, along with handing out record-setting financial penalties for infringements.

Chapter 4, Articles 25-43, sets out the legal stipulations for data controllers and processors, essentially calling for data protection by design and by default.

Key information security principles listed in Chapter 4 (Article 32) include:

Pseudonymisation and encryption of personal data.
The ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services.
The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of data processing.

Data loss, phishing, unauthorized access and ransomware are among the top incidents reported to the UK's Information Commissioner's Office (ICO), the UK's enforcing body for GDPR. Inadequate and ineffective email security controls are the leading cause of these incidents.
MITRE ATT&CK Framework

Popular with threat intelligence teams, security operations centers and the cybersecurity vendor community, the MITRE ATT&CK Framework is starting to gain mainstream recognition in the enterprise. Developed in 2013 and also referred to simply as ATT&CK, its utility for benchmarking the effectiveness of security controls is becoming increasingly apparent as attacks grow in sophistication and scope.

ATT&CK consists of three matrices (Enterprise, Mobile and ICS), of which the Enterprise matrix is the most commonly used. By offering an adversarial perspective on threat and attack vectors, also known as the attack chain, starting with reconnaissance, resource development and initial access and ending with impact, it enables security and risk leaders to gauge the robustness and breadth of the controls in place.

According to ATT&CK, social engineering based attacks, including phishing, remain one of the most common vectors enabling unauthorized access to information systems. The full matrix is available on the MITRE ATT&CK website.
Email security as a core control

Email remains a significant threat vector and features as a core cybersecurity control in all of the most widely adopted cybersecurity frameworks. Given the increasing sophistication of email-based attacks, the importance of having industry-leading email security protection in place must be re-emphasized. Only by prioritizing email security will the risk of an email-related breach be significantly mitigated.
How can Tessian help you lock down email?

This is why enterprises are replacing legacy email security solutions with the next generation of intelligent email security protection from Tessian. Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

By using industry-leading machine learning, the dynamic real-time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.

Key features include:

Advanced Spear Phishing Protection
Advanced Attachment and URL Protection
Internal Impersonation & CEO Fraud
Advanced Spoof Detection
Counterparty & Vendor Impersonation
Brand Impersonation
External Account Takeover
Invoice Fraud
Bulk Remediation
Automated Quarantine
Threat Intelligence
Insider Threat Management
Accidental & Malicious DLP
ATO/BEC, Email DLP
What is an Integrated Cloud Email Security (ICES) Solution?
Friday, January 21st, 2022
In recent years, the shift away from on-prem email platforms to cloud-based platforms has been dramatic, with Gartner estimating that 70% of organizations now use cloud productivity suites like Microsoft 365 and Google Workspace. But as email migrates from legacy on-prem approaches to the cloud, securing these cloud-based services becomes the next big challenge.

Cloud productivity suites have traditional SEG security capabilities natively included. Do stand-alone SEGs have a place in this rapidly evolving new reality?

This article takes a look at the "Who? What? And Why?" of Integrated Cloud Email Security (ICES) solutions: what they are, the benefits of using them, and how you can best evaluate those on offer.
What is an Integrated Cloud Email Security (ICES) Solution?

The term "Integrated Cloud Email Security (ICES)" was coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defense against advanced phishing threats that evade traditional email security controls.

ICES solutions are cloud-based, and use APIs to detect anomalies in emails with advanced techniques such as natural language understanding (NLU), natural language processing (NLP) and image recognition. Using API access to the cloud email provider, these solutions have much faster deployment and time to value, analyzing email content without the need to change the Mail Exchange (MX) record.

Taking it one step further, ICES solutions can also provide in-the-moment prompts that help reinforce security awareness training (SAT), and are able to detect compromised internal accounts. In the report, Gartner reflected on the future of ICES solutions, suggesting that they would eventually render SEGs redundant:

"Initially, these solutions are deployed as a supplement to existing gateway solutions, but increasingly the combination of the cloud email providers' native capabilities and an ICES is replacing the traditional SEG."
Gartner predicts that by 2023, at least 40% of all organizations will use built-in protection capabilities from cloud email providers rather than a secure email gateway (SEG). But why? In short, legacy SEGs are no match for the cyber threats of tomorrow. Email is responsible for 96% of cybersecurity breaches, making it the greatest threat vector. In fact, in the 12 months between July 2020 and July 2021, Tessian detected 2 million malicious emails that had bypassed SEGs. So why are traditional SEGs not fit for today's cybersecurity landscape?
Rule-based approaches don't cut it

SEGs were developed in 2004 with on-premises email servers in mind and use a rule-based approach to threat detection. They use deny lists, allow lists and signatures for message authentication to help stop attacks, with these lists created from threat intelligence. They are reactive by design, and protect email data against threats that are already known. This means that SEGs offer no protection against zero-day attacks (a significant and growing threat vector), and are easily evaded by attackers using advanced social engineering campaigns. SEGs also fail to detect business email compromise (BEC), account takeover (ATO) and advanced spear phishing attacks.
The migration to the cloud

More and more, organizations are adopting SaaS offerings like Microsoft 365, which have SEG capabilities natively included. This shift was well underway before the pandemic, but has since accelerated, with data suggesting that ICES solutions are here to stay and will displace SEGs from the cybersecurity stack. The rise of offerings like Microsoft 365 and Google Workspace and the move away from SEGs comes as no surprise, given enhanced functionality at the platform level that can include:

Blocking emails from known bad senders
Scanning attachments with AV
Blocking emails with known bad URLs
Content analysis to identify spam

Given these native SEG-like capabilities in cloud productivity suites, ICES solutions are the perfect supplement for ensuring comprehensive email protection. ICES solutions are so effective because, when used in combination with SaaS offerings like Microsoft 365, they provide protection against many of the threats SEGs fail to detect.
What are the benefits of ICES solutions?

ICES solutions offer more than just threat detection. Key features of ICES solutions can include:

BEC and ATO attack detection using NLU, NLP, social graph analysis and image recognition
Context-aware banners to warn users
Phish reporting
Mail Security Orchestration, Automation and Response (MSOAR) capabilities to assist in automatic reclassification of emails and removal from inboxes
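To make the contrast between the rule-based SEG approach described above and the history-driven anomaly detection attributed to ICES solutions concrete, here is an added illustration. It is not Tessian's code or the article's; the deny list, the known-sender map standing in for a "social graph", the sample emails and the simple heuristics (display-name mismatch, difflib-based lookalike-domain similarity, first-time sender plus urgency wording) are all constructed simplifications of the NLU and social graph techniques the article names.

```python
from difflib import SequenceMatcher

# Constructed sample data (not from the article). DENY_LIST stands in for a
# SEG's threat-intelligence feed; KNOWN_SENDERS stands in for the per-user
# correspondence history that an API-integrated ICES can build over time.
DENY_LIST = {"spam-sender.example"}
KNOWN_SENDERS = {            # display name -> domain seen in prior correspondence
    "Alice Lee": "partner.example",
    "Finance Team": "corp.example",
}
URGENCY_TERMS = ("urgent", "immediately", "wire", "invoice", "bank details")
LOOKALIKE_RATIO = 0.85       # similarity at which a domain counts as a lookalike


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def seg_verdict(msg: dict) -> str:
    """Rule-based, SEG-style check: only senders already on the deny list are stopped."""
    if sender_domain(msg["from"]) in DENY_LIST:
        return "block"
    return "deliver"         # anything not previously seen passes straight through


def ices_flags(msg: dict, known=KNOWN_SENDERS) -> list:
    """Anomaly-based, ICES-style check built on sender history rather than static lists."""
    flags = []
    domain = sender_domain(msg["from"])
    trusted_domains = set(known.values())
    # A display name the user knows, arriving from a domain never seen for that contact
    if msg["display_name"] in known and known[msg["display_name"]] != domain:
        flags.append("display-name impersonation")
    # A domain that is nearly, but not exactly, a trusted counterparty's domain
    for trusted in sorted(trusted_domains):
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= LOOKALIKE_RATIO:
            flags.append(f"lookalike of {trusted}")
    # A first-time sender combined with payment or urgency language in the body
    body = msg["body"].lower()
    if domain not in trusted_domains and any(t in body for t in URGENCY_TERMS):
        flags.append("first-time sender with urgency/payment cues")
    return flags


SAMPLE_EMAILS = [            # constructed messages
    {"display_name": "Alice Lee", "from": "alice@partner.example",
     "body": "Attached are the notes from today's meeting."},
    {"display_name": "Lottery Desk", "from": "win@spam-sender.example",
     "body": "You have won! Claim immediately."},
    {"display_name": "Alice Lee", "from": "alice@partmer.example",   # lookalike domain
     "body": "Urgent: updated bank details for this month's invoice."},
]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(m["from"], "| SEG:", seg_verdict(m), "| ICES:", ices_flags(m) or ["clean"])
```

The third message is the case the article argues about: it is not on any list, so the SEG-style check delivers it, while the history-based check raises three independent flags.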
How to evaluate ICES vendors

The number of ICES solutions available on the market is continually growing. There are a few key things you should consider when evaluating which ICES solution to use. Taking a look at your current email security framework and comparing it to your end goal, the following elements should be analyzed:

Time-to-value and return-on-investment time horizon
Cost of effort to install and manage
False positive rate
ML- and AI-based technology to detect advanced social engineering attacks, including BEC and ATO attacks
Ability to analyze and map conversation history
Computer vision to analyze suspicious data and links in emails
User education controls to reinforce training, including context-aware banners and/or in-line prompts
Ability to analyze emails prior to delivery to the end user
API integration of email events into Extended Detection and Response (XDR) or Security Information and Event Management/Security Orchestration, Automation and Response (SIEM/SOAR) solutions

Still struggling to decide? Have a look at the 2021 Gartner Market Guide for Email Security, which contains further information on ICES vendors, including Tessian.
Why choose Tessian?

Tessian was recognized as a Representative Vendor for Integrated Cloud Email Security (ICES) in the recently released 2021 Gartner Market Guide for Email Security.

What sets Tessian apart from other ICES solutions is its advanced email security and email data loss prevention (DLP) capability, including:

Advanced Spear Phishing Protection
Advanced Attachment and URL Protection
Internal Impersonation & CEO Fraud
Advanced Spoof Detection
Counterparty & Vendor Impersonation
Brand Impersonation
External Account Takeover
Invoice Fraud
Bulk Remediation
Automated Quarantine
Threat Intelligence

Tessian also offers protection against both malicious and accidental data loss, in-the-moment security awareness training for suspected phishing emails, and in-the-moment security awareness notifications.
To summarize, there are four key Tessian differentiators:

Threat prevention: Tessian protects against both known and unknown email attacks, including business email compromise, account takeover, spear phishing, and all impersonation attacks that bypass SEGs, M365 and G Suite. Protection also includes class-leading email DLP.
Education and awareness: With Tessian's in-the-moment training, organizations can educate and empower users to build continuous email security awareness.
Reduced admin overhead: Tessian removes the burden on SOC teams and admins by automating repetitive tasks such as triage and review. This eliminates the need for human verification of email threats, reducing FTE requirements.
Data-rich dashboards: With Tessian, security teams have clear visibility and the ability to demonstrate clear ROI.

To find out more about Tessian as an ICES solution, and the key findings listed in the 2021 Gartner® Market Guide for Email Security, click here.