Anatomy of an Account Compromise
Email attacks have threatened businesses for as long as email has existed, but over the last decade they have grown sharply in both sophistication and frequency. Rather than relying on malware, malicious links and attachments that filters can detect, attackers now use social engineering to impersonate trusted sources. These highly believable impersonations have driven a surge in account takeovers, and the takeover happens quickly: half of compromised accounts are accessed within 12 hours of the initial attack. The ongoing COVID-19 pandemic has added fuel to the fire. The rise in remote working, combined with fear and uncertainty, has supplied both the ideal content for realistic phishing emails and a workforce more likely to fall for them.
Against these evolving threats, traditional tools that look for malicious emails based on past campaigns fall far short, because these intrusions are frequently unique, never-before-seen attacks with no known signature to match. A threat actor needs to compromise only one person's email account to gain a foothold in the business. From there they can harvest further employee credentials, sensitive information and financial details, all of which give them the means to cause serious damage.
What an Attack Looks Like
Account compromise attacks are among the hardest to detect and the most damaging to businesses. Because they are difficult to uncover, attackers can sit inside an account for a long time, and they do: cybercriminals are stealthy and keep finding new ways to remain undetected so they can maximise their impact. In fact, in more than one-third of hijacked accounts the attacker dwells for over a week before launching their attack.
Understanding attacker behaviour and what an attack looks like is the first step towards proper protection. Here is the typical attack chain cybercriminals employ to breach your business:
- Obtain credentials – attackers collect email account details through phishing or buy them on dark-web markets.
- Gain control – with valid credentials they log in, may change the password or recovery details, and create forwarding rules so they receive a copy of the victim's mail and keep access even if the password is later reset.
- Monitor activity – this stage is reconnaissance. Attackers lie low, read the mailbox and its existing threads, and wait for the optimal moment to join a conversation.
- Launch attack – the real attack: a highly realistic email, sent from the genuine account, designed to fool the recipient into believing it comes from a trusted source.
- Trick recipient – the attacker may harvest more credentials, obtain sensitive or valuable information, or spread ransomware, all while continuing to look like a legitimate user.
Mitigation Strategies Against Account Compromise
To defend against account compromise you must be able to detect an unauthorised user operating inside a legitimate email account. That is no mean feat: the usual indicators of compromise are absent, and a secure email gateway has little to go on when the message comes from a genuine, authenticated account inside your own environment. Emails of this kind fool both humans and traditional security tools every day. To stand a chance you need a defence in depth approach that pairs advanced threat protection with artificial intelligence (AI) and machine-learning-based technology:
- Defence in depth – a single layer of protection is not enough against today's sophisticated attacks. Defence in depth layers protection across the organisation: traditional defences such as secure email gateways, antivirus, authentication and encryption, plus threat intelligence and behavioural analysis. It is the latter that can pick up zero-day attacks lacking traditional indicators of compromise, provided the sign-in and mailbox audit logs it depends on are actually being collected.
- AI and machine learning – with cybercriminals deploying their best tactics, you need to deploy best-in-field technology. AI and machine learning spot unusual activity by analysing behaviour and building a contextual understanding of it. Once a baseline of normal email behaviour is learned (who writes to whom, from where, and when), anomalies against that baseline stand out. Every email from every user and device is scrutinised so that an established account is verified as behaving normally before a message reaches the inbox.
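To make the "Gain control" stage of the attack chain and the behavioural-analysis idea above concrete, here is an added example (not code from the original article or from InfoTrust) that runs simple detection logic over a constructed mailbox audit log. The operation names (UserLoggedIn, New-InboxRule, Set-Mailbox) and parameter names (ForwardTo, RedirectTo, DeleteMessage, ForwardingSmtpAddress) echo those Microsoft 365 auditing records, but the JSON layout, the sample events, the internal domain corp.example and every address and IP are constructed for this example. It flags three things: forwarding to an external address, an inbox rule that deletes the message so the real user never sees it, and a sign-in from a country the user has never signed in from before (a per-user baseline learned from earlier events).

```python
import json

# Assumptions for this example: the organisation's own mail domains, and the
# rule/mailbox parameters that send mail elsewhere. The parameter names follow
# Exchange cmdlets; the JSON layout around them is constructed, not a real export.
INTERNAL_DOMAINS = {"corp.example"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

# Constructed sample audit log: one JSON event per line, already in time order.
SAMPLE_LOG = """\
{"ts": "2021-05-03T08:01:00Z", "user": "alice@corp.example", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "AU"}
{"ts": "2021-05-03T08:05:00Z", "user": "alice@corp.example", "op": "MailItemsAccessed", "ip": "203.0.113.10", "country": "AU"}
{"ts": "2021-05-04T09:12:00Z", "user": "alice@corp.example", "op": "UserLoggedIn", "ip": "203.0.113.10", "country": "AU"}
{"ts": "2021-05-04T23:40:00Z", "user": "alice@corp.example", "op": "UserLoggedIn", "ip": "198.51.100.77", "country": "NG"}
{"ts": "2021-05-04T23:42:00Z", "user": "alice@corp.example", "op": "New-InboxRule", "ip": "198.51.100.77", "country": "NG", "params": {"Name": ".", "ForwardTo": "collector@mail.example.net", "DeleteMessage": true}}
{"ts": "2021-05-04T23:45:00Z", "user": "alice@corp.example", "op": "Set-Mailbox", "ip": "198.51.100.77", "country": "NG", "params": {"ForwardingSmtpAddress": "collector@mail.example.net"}}
{"ts": "2021-05-05T10:00:00Z", "user": "bob@corp.example", "op": "New-InboxRule", "ip": "203.0.113.22", "country": "AU", "params": {"Name": "Invoices", "MoveToFolder": "Finance"}}
"""


def is_external(address):
    """True when a recipient address is outside the organisation's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def forwarding_targets(params):
    """Collect every forwarding/redirect address set by a rule or mailbox change."""
    targets = []
    for key in FORWARD_KEYS:
        value = params.get(key)
        if isinstance(value, str):
            targets.append(value)
        elif isinstance(value, list):
            targets.extend(value)
    return targets


def _alert(event, rule, detail):
    return {"ts": event["ts"], "user": event["user"], "rule": rule,
            "ip": event["ip"], "detail": detail}


def detect(lines):
    """Walk audit events in order and return a list of alerts.

    Two kinds of finding map onto the 'Gain control' step of the attack chain:
      - persistence: forwarding to an external address, or an inbox rule that
        deletes the message so the legitimate user never sees it;
      - behavioural anomaly: a sign-in from a country this user has never
        signed in from, judged against a baseline learned from earlier events.
    """
    seen_countries = {}  # user -> set of countries seen at sign-in so far
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        user, op, params = ev["user"], ev["op"], ev.get("params", {})

        if op == "UserLoggedIn":
            history = seen_countries.setdefault(user, set())
            # No alert on a user's very first sign-in: there is no baseline yet.
            if history and ev["country"] not in history:
                alerts.append(_alert(ev, "login_new_country",
                                     f"{ev['country']} not in {sorted(history)}"))
            history.add(ev["country"])

        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            external = [t for t in forwarding_targets(params) if is_external(t)]
            if external:
                alerts.append(_alert(ev, "external_forwarding", ", ".join(external)))
            # DeleteMessage is an inbox-rule parameter, not a mailbox setting.
            if op != "Set-Mailbox" and params.get("DeleteMessage"):
                alerts.append(_alert(ev, "rule_deletes_mail",
                                     f"rule {params.get('Name')!r}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["user"], a["rule"], a["detail"])
```

Run against the sample, the detector produces four alerts, all for alice: the sign-in from a country she has never used, the inbox rule that both forwards externally and deletes the original, and the mailbox-level forwarding address. Bob's rule that merely files invoices into a folder is left alone. In production the baseline would be built from weeks of history rather than two events, and the forwarding check would also cover transport rules and delegate permissions, but the shape of the logic is the same.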
How to Protect Your Business
Email is cybercriminals' primary attack vector. In fact, 78% of attackers never access any application outside of email. It therefore pays to make sure you are fully protected against the most advanced and sophisticated attacks. To find out how well your business is defended, get in touch with InfoTrust today for an email security assessment.
If you'd like to find out about the anatomy of a vendor email compromise, click here.