A new report by email and data security company Mimecast has revealed a staggering increase in the number of Business Email Compromise (BEC) cyber-attacks.
The quarterly Email Security Risk Assessment (ESRA) report, released today, found a 269% increase in the number of BEC attacks in quarter two of 2019, compared to the first quarter of the year.
BEC attacks are sophisticated scams that typically target businesses working with foreign suppliers and businesses that regularly perform wire-transfer payments. Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorized funds transfers.
According to the FBI, there are five main types of BEC scams, all of which allow threat actors to commit email-based impersonation fraud using methods that evade many traditional email security systems.
The Bogus Invoice Scheme involves an attacker impersonating a company's supplier and requesting funds transfers to the attacker's bank account in payment of services rendered. An attacker committing CEO Fraud will pose as one of the company's most senior executives and send an email to the finance department requesting that money be transferred to an account they control.
If the attack is an Account Compromise, an executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
A Data Theft BEC attack targets employees in the HR and finance departments to fraudulently obtain personally identifiable information (PII) or tax statements of employees and executives, which can be sold on the dark web or used for future attacks.
Finally, threat actors can launch an Attorney Impersonation BEC attack, in which they pretend to be a lawyer or someone from a law firm in order to access confidential information.
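The five scam types above all rest on the same handful of header-level tricks: a trusted display name on the wrong address, a lookalike sender domain, or a Reply-To that quietly diverts the conversation. The following is an added triage example, not code from Mimecast, the FBI, or this article; the company domain (example.com), executive list, vendor domain, risk keywords and the four sample messages are all constructed for illustration.

```python
"""
Added example: header and keyword heuristics for the impersonation patterns
behind the five BEC scam types. Reference data and sample messages below are
constructed for illustration (hypothetical company example.com).
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"
# Executives and outside counsel whose display names are the usual targets of
# CEO fraud and attorney impersonation, mapped to their only legitimate address.
PROTECTED_SENDERS = {
    "jane doe": "jane.doe@example.com",
    "sam counsel": "sam.counsel@lawfirm-example.com",
}
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}
# Words that turn an odd header into a likely fraud attempt: money movement or PII.
RISK_WORDS = re.compile(
    r"\b(wire|invoice|bank details|account number|payment|w-2|payroll|urgent|confidential)\b",
    re.I,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (edit distance 1-2), else None."""
    for trusted in {INTERNAL_DOMAIN, *KNOWN_VENDOR_DOMAINS}:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def analyze(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    risky = bool(RISK_WORDS.search(f"{msg.get('Subject', '')}\n{body}"))
    trusted_sender = from_domain == INTERNAL_DOMAIN or from_domain in KNOWN_VENDOR_DOMAINS
    findings = []

    # CEO fraud / attorney impersonation: a protected display name on the wrong address.
    expected = PROTECTED_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected} but mail came from {addr}")

    # Bogus invoice: sender domain is a near-miss of our own or a known supplier's domain.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} looks like {target}")

    # Replies diverted away from the visible sender (typical of spoofed or hijacked accounts).
    diverted = bool(reply_to) and domain_of(reply_to) != from_domain
    if diverted:
        findings.append(f"Reply-To {reply_to} leaves the From domain {from_domain}")

    # Account compromise: the headers are genuine, so require the diverted reply
    # address and a payment or PII request together before raising it.
    if risky and trusted_sender and diverted:
        findings.append("possible account compromise: legitimate sender, diverted reply address, payment or PII request")

    # Data theft or invoice fraud from an unknown external party with no other tell.
    if risky and not findings and not trusted_sender:
        findings.append(f"external sender {addr} requests payment or PII")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_fraud": (
        'From: "Jane Doe" <jane.doe@ceo-mail-example.net>\n'
        "To: finance@example.com\nSubject: Urgent wire\n\n"
        "I am in a meeting, please wire 48,000 USD to the account below today.\n"
    ),
    "bogus_invoice": (
        'From: "Acme Supplies Billing" <billing@acme-suppl1es.com>\n'
        "To: ap@example.com\nSubject: Invoice 4471 - updated bank details\n\n"
        "Please note our new bank details for all future payments.\n"
    ),
    "account_compromise": (
        'From: "Bob Smith" <bob.smith@example.com>\n'
        "Reply-To: bob.smith.finance@freemail-example.org\n"
        "To: vendor@acme-supplies.com\nSubject: Invoice payment\n\n"
        "Send the payment for last month's invoice to the new account number.\n"
    ),
    "benign": (
        'From: "Alice Example" <alice@example.com>\n'
        "To: team@example.com\nSubject: Lunch on Friday\n\n"
        "Anyone up for the taco place?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw) or ["clean"])
```

These rules are deliberately cheap because BEC mail usually carries no malware or link for a gateway to detonate; they are meant to route a message to a human reviewer, not to block it. The account-compromise rule is the one to watch: when the attacker owns the real mailbox, every header is legitimate, and the only tells left are the diverted Reply-To and the request itself.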
A further finding of the ESRA report is that 28,783,892 spam emails, 28,808 malware attachments, and 28,726 dangerous file types were all missed by incumbent email security providers and delivered to users' inboxes.
The sharp rise in BEC attacks identified by the report echoes the findings of the State of Email Security 2019 report, which revealed that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact, like financial, data, or customer loss.
An industry initiative to allow data sharing and interoperability in the cybersecurity sector has won the support of 18 vendors.
The Open Cybersecurity Alliance (OCA), created by international consortium OASIS, will unite end users and organizations in an open cybersecurity ecosystem where products can share information, insights, orchestrated responses, and analytics.
The OCA will strive to increase the cybersecurity value of existing products and discover new security insights by supporting commonly developed code and tooling and encouraging practices for interoperability and sharing data among cybersecurity tools.
A key aim of the OCA will be to make it easier for different cybersecurity technologies to work together across the entire lifecycle of a threat.
In a statement issued earlier today, the OCA wrote: "According to industry analyst firm, Enterprise Strategy Group, organizations use 25 to 49 different security tools from up to 10 vendors on average, each of which generates siloed data.
"Connecting these tools and data requires complex integrations, taking away from time that could be spent hunting and responding to threats. To accelerate and optimize security for enterprise users, the OCA will develop protocols and standards which enable tools to work together and share information across vendors."
The alliance was spearheaded by IBM Security and McAfee and quickly attracted the support of Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.
At the OCA's heart will be two technologies developed by its founding members. The first is McAfee's OpenDXL Standard Ontology, a cybersecurity messaging format. The second is STIX-Shifter, an IBM open source library that lets a single search, expressed as a STIX pattern, run against many types of security products. It locates information in data repositories that relates to potential threats, converts it into a usable format, and shares it with any enabled security tool.
"Attackers maximize damage by sharing data with one another. Our best defense strategy is to share data too," said D.J. Long, vice president of business development at McAfee.
"Organizations will be able to seamlessly exchange data between products and tools from any provider that adopts the OCA project deliverables. We’re looking at the potential for unprecedented real-time security intelligence."
Researchers at the University of Arizona are developing a fresh approach to cybersecurity modeled on the human central nervous system.
The new method, which is being created as part of the Partnership for Proactive Cybersecurity Training project, will aim to detect and neutralize cyber-threats in their earliest stages before they have a chance to do any serious damage.
Inspiration for the project came from human biological responses; for example, how the body's immune system fights a virus and how a person will instinctively pull their fingers away from a burning hot surface before their brain has even received the message that the body is at risk of harm.
"I felt we could learn about how the body protects us by reacting to threats and maybe apply it to cyber by building a 'cyber immune system,'" said Salim Hariri, UA electrical and computer engineering professor and the project's principal investigator.
"We're trying to build these abilities where, when somebody attacks your computer, these measures can detect the attack and act on it before you're even aware something is compromised."
In contrast with security methods that deal with cyber-threats in a reactive way, the new system being constructed is being designed to function proactively. The plan is to use artificial intelligence and machine learning to train machines to recognize cyber-threats on their own, as a doctor might recognize diseases from their symptoms.
To stop the threats before they infect a network or device, researchers will also teach the machines how to recognize threats as they evolve and how to execute a wide range of cures. With an encyclopedia of remedies at their disposal, the machines will be able to search for the one that is most appropriate and automatically apply it to the threat.
"An attacker can reach hundreds of thousands of devices in a fraction of a second, so we need our ability to detect threats and protect a system to work just as quickly," said Hariri.
The National Nuclear Security Administration's Minority Serving Institution Partnership Program has awarded the project a $3 million grant to be paid over a three-year period. Under the terms of the grant, researchers will train students, especially underrepresented minorities, from the University of Arizona, Howard University, and Navajo Technical University as they work to develop new cybersecurity techniques.
Cyber-risk should be treated no differently from any other risk to the business, but engagement with senior management continues to be a challenge.
Speaking at the ATM & Cybersecurity 2019 conference in London, Nina Paine, global head of cyber partnerships and government strategy, Standard Chartered (UK), discussed the need to keep senior management engaged when creating and maintaining a cybersecurity culture internally.
Paine said that with growing teams there is a “race to keep pace against cyber-criminals and cyber-threat actors” and this means that security teams “cannot do it alone and it is incredibly important that we share knowledge and insights and key learnings with partners across the world.”
Paine said that people ask if a cybersecurity culture can be driven from the “top down or bottom up” and she said that it is probably both as “the tone from the top and senior executive engagement is the key differentiator.” She also said that cyber-leaders are clear on the strategic implications that cyber-risks represent, and this may be about metrics that the business has put in place.
One message to put to senior executives is that “cybersecurity is tremendously important to our customers.” Therefore, cybersecurity has to be treated as a business risk, “as we know the consequences of not doing so are stark.”
Paine also said that cyber-risk should be “normalized as part of enterprise risk management as a whole.”
So how can cybersecurity be part of the wider business discussion? This needs to be done by trickling it down through the business, not just by having a technical team in a separate room, Paine advised. She said that at Standard Chartered, cybersecurity is treated as a principal risk type, which means it is subject to enterprise-wide risk management rules.
She added: “Whether you have got that or not, you have got some principles to think about within each function around challenges and assurance that are absolutely vital to all firms.”
Paine recommended setting up a layered effort to enable better adoption of culture, and one thing firms have done is to set up a senior executives’ safe space “where there are not stupid questions and everybody is a human.” She said that this forum can allow increased understanding of risks, as we “cannot simply rely on small groups of technical experts to keep our organization safe.”
She acknowledged that employee awareness can “sound pink and fluffy,” but you can make it a hard skill set and discipline through automated platforms. She said that as Standard Chartered automates its awareness programme, training, results and learning can be collected more effectively, with an added element of gamification.
To conclude, she pointed out that “what gets measured gets done” and recommended introducing security measurement tools, as well as publishing test scores to divisional heads, as that can drive cultural change in a business.
“I’d like to reiterate that cybersecurity risk and its management is very much a shared responsibility, and everyone from the board to the front line has a critical role to play,” she said. “Whilst an organization’s risk culture does have formal risk policies in it, there is also a really important people side.”
Speaking at the ATM & Cybersecurity 2019 conference in London, detective superintendent Andrew Gould, National Cybercrime Programme Lead, National Police Chiefs’ Council, detailed the common attackers, their tactics and the most common ways to prevent attacks from happening.
Saying that the main attack groups were “no great surprise,” he highlighted hostile states as having different motives but having “really invested in their capabilities,” which he said was the main challenge: “if a hostile state comes after you as an organization they are probably going to get you” unless you have significantly invested in your protection. “For most people though, that is probably not going to be a significant concern.”
However, a rising threat is from organized crime, which he said has involved a blurring between a hostile state and organized crime, whether it is being franchised or “tasked out,” while there are organized crime groups who do this as a way to make money.
What has also been a major concern over the last couple of years is “more and more high-level sovereign state tools leaked out.” He explained that these may have been the preserve of American intelligence agencies, but are now in the wild and “available for anyone to download and use as part of criminal enterprise.”
As well as attacks such as DDoS and Business Email Compromise, Gould said that “the most common type of cyber-dependent crime, where computers are attacking computers” and affecting organizations, is ransomware. While he admitted that detections and infections are down, the trend is towards more targeted ransomware, and he recommended that businesses protect and test their backups.
In terms of sophistication, Gould said that attackers are getting better at targeting organizations, as one in five “are successful with spray and pray” techniques. “Actually a lot of criminals are investing time and effort in their targets, and we make it easy for them by putting our personal information online,” he added.
Moving on to the role of the police, he acknowledged that the attitude of the police toward cybercrime has changed over time; “we know there are millions of offences committed in the country each year, but only 25-26,000 of those get reported to Action Fraud.”
However, that has improved, Gould said, “and now we've got teams dealing with cyber-dependent crime like ransomware in every force in England and Wales, when 18 months ago nothing existed.” He continued that every incident is investigated and every victim is advised “to stop them being a victim again.”
He concluded by highlighting the most common mistakes that businesses make in dealing with cyber-incidents, which were:
- No plan, nothing exercised
- Unmapped and poorly understood networks and endpoints
- Business negotiates with blackmailers
- Slow to ask for police help (if at all)
- Only communicate with police through lawyers
- Media messaging does not consider secondary fraud
- Ineffective backups
Thales and the Ponemon Institute surveyed more than 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the UK and the US, discovering that whilst nearly half (48%) of all corporate data is stored in the cloud, only 32% of organizations believe protecting data in the cloud is their own responsibility.
What’s more, the study found that organizations consider cloud service providers to be the ones to bear the most responsibility for securing sensitive data in the cloud (35%), although just 23% of respondents said security was a factor to them when selecting a cloud service provider.
Furthermore, the research found that more than half (51%) of businesses and other organizations still do not use encryption or tokenization to protect sensitive data in the cloud, whilst 54% of respondents stated that cloud storage makes it more difficult to protect sensitive data.
“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Not knowing this information makes it essentially impossible to protect the most sensitive data – ultimately leaving these organizations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”
Tina Stewart, vice-president of market strategy for cloud protection and licensing activity at Thales, added: “This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security. Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process. It does not matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organization’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”