Why the Rule-based approach to Spear Phishing is failing

Introducing Defender

Business Email Compromise scams were responsible for over $5.3 billion in global losses from 2013 to 2017. According to the FBI, these types of attacks are also becoming more prolific, jumping 2,370% from 2015 to 2016 alone.

Most enterprises have anti-spam and anti-phishing filters in place to protect their emails. Unfortunately, bad actors are outpacing these safeguards and are finding more intelligent ways to break through to their targets.

This is where Tessian comes in.

Since 2013, we have been developing machine intelligent technology to prevent threats that rule-based legacy gateways and platforms cannot. Tessian Defender is our latest advancement.

Defender protects from threats executed by humans rather than just code, using the Tessian's Parallax Engine and natural language processing technology to keep the most sensitive data and systems private and secure.

The Problem

Spear phishing is effective because of its highly targeted approach. When it successfully dupes individuals into sending money, sharing data, or downloading malware, it brings significant reputational and monetary risk. Defender protects against these threats through comprehensive safeguards against weak and strong-form impersonation alike.

Weak-form impersonation can generally be detected and prevented through the rule-based controls that many enterprises already use. Often this is done by authenticating SPF, DKIM, and DMARC records to estimate the legitimacy of the sender. This entails cross-referencing IP addresses, scouring for invisible signatures, and linking senders to their domain names and broader email protocols. Rule-based defences also perform checks to find matches with known display names, modifications to “reply-to” addresses, and newly registered domains.

Unfortunately, this is not enough. These systems are limited in scope and not always implemented. DMARC authentication, for example, only protects a domain against direct impersonation, where a bad actor is trying to spoof someone’s actual email address. It fails to address domain or display name lookalike impersonation. Furthermore, global DMARC adoption rates are low.

Legacy technology stacks find it difficult to query large datasets in real-time, which means it is often a challenge for systems to quickly recognise and filter phishing emails. Even where these systems are sufficient, weak-form spear phishing is now evolving into a more advanced threat: strong-form spear phishing. This type of spear phishing subverts legacy email security systems by turning to tactics that are difficult for humans and rule-based email security processes to detect. Traditional, pre-defined rule sets cannot fend off strong-form spear phishing because of the almost infinite number of domain and sub-domain, display name and address, and freemail permutations impersonation allows for.

Even where they do detect certain impersonations, legacy systems cannot capture the evolving dynamics of email networks, with enterprises developing new relationships every day over email. A rule set would need to constantly be updated in order to remain effective. This is time consuming and resource intensive and inefficient.

The Solution

Tessian Defender is specifically designed to tackle strong-form impersonation spear phishing. Due to the complexity of strong-form impersonation techniques, having an understanding of email relationships based on historical data and user behavior is critical.

Using stateful machine intelligence, Tessian has developed a new approach to thwart spear phishing. Tessian’s Parallax Engine can predict for this user, at this point in time, does this email look like a security threat? Tessian Defender also uses natural language processing (NLP) to understand content within an email and will automatically classify its intent, so it can provide more context to the end user within a warning message, and also highlight the specific risk to security teams.

Book a demo to learn more about our email security platform.