In this episode of Infosec’s Cyber Work podcast series, host Chris Sienko chats with Evan Reiser, CEO of Abnormal Security. They discuss where email attacks are headed in 2020, as well as how machine learning and AI can help detect email attacks such as business email compromise.
Evan uses machine learning and AI to prevent email-based attacks, such as business email compromise and social engineering, and as you will see, the human mental game is still the strongest game in town. Before this, Evan led teams for Twitter’s advertising business and was working with startups for ten years before co-founding Abnormal Security.
How did you first get involved with computers and security?
Like many growing up in the late nineties, Evan’s passion was driven by his love for video games. He began by building computers for better gaming capabilities and decided on majoring in computer engineering in college. He got into computer science and building software and ended up working a job in web development after college. He worked on Wall Street for 18 months before quitting and going to work for startups in product development.
Evan got into email security by sitting down with CIOs and asking them what product they would ideally buy in the next six months. The number one answer he kept getting was a solution to better handle email attacks such as social engineering, executive impersonation and account take over. It was at this point that Evan realized his background in machine learning placed him in a great position to address this business need.
What were the steps along the way that brought you to email security?
Evan’s early career was focused on working with consumer startups that had quick product development turnaround. He then moved into enterprise software, selling multiple products to large enterprises.
He enjoyed sitting down with people to understand their problems, their environments, and their hopes and dreams about what they wished people would do. Evan would then take this human experience and combine it with technology to apply to new areas. On the technology side, Evan spent time with advertising tech that was really about trying to understand people’s behavior and how to influence it.
This intersection between a high-speed, customer-focused product development with a background in machine learning technology fits well with the cybersecurity needs that businesses have.
When you say email attacks, what do you mean?
When Evan was more of a novice in cybersecurity, he was surprised to see how many terms there are and the amount of overlap between them. For example, business email compromise can mean phishing or account takeover.
With this said, there are a couple of different frameworks used to describe email attacks — link-based attacks (such as phishing), file attachment-based attacks (such as ransomware or malware) and payload-less attacks where there is no link or attachment where traditional methods of fighting these kinds of attacks does not work. This third type of attack includes social engineering and technically they are not really payload-less, because the payload lies in the words they use and your emotional response to them.
What have been some of the major shifts or changes of attacks in 2018/2019?
Email has come a long way from its early days, where the biggest problem was spam. Over the last ten years or so, anti-spam has gotten a lot better, but this was overshadowed by the rise of phishing, malware and business email compromise.
Attackers discovered the best way to get money from businesses was asking them to send money via social engineering. Instead of hoping that one in a million emails work with spam, they would instead invest the time necessary for social engineering, where maybe one in ten would work.
Can you give an example of an email attack?
These attacks vary in complexity, but a common example is where an executive is impersonated. In this case, an email is sent to an employee saying that the executive is working on a project and requests the employee to pay an invoice for a million dollars. This works maybe once in a hundred attempts, and there are a lot of different flavors of this, such as requesting that it be paid in gift cards.
This author can tell you that he was once the target of such a campaign. In this case, the only thing stopping the attack was well-founded critical thinking skills.
Do you have examples of more complex or unusual email attacks?
Evan says he sees a new type of attack every week, which can be mind-boggling!
In one example, the target was the treasurer of a company and the attackers found information about the treasurer on LinkedIn. With this information in mind, the attackers created a Microsoft OneDrive account which looked very legitimate.
This targeted campaign ended up tricking the treasurer into using their Microsoft login credentials on the login page with two-factor authentication, which led to a deprecated link. The treasurer was then told they would receive a new file. With these login credentials, attackers found out how the company processes legitimate wire transfers and tricked the treasurer into sending money to a bank in China. It was not discovered for a long time.
Can you think of an unlikely tactic that works more than it should?
There are a lot of examples to choose from, but Evan says he often hears about a campaign where users are targeted by Microsoft impersonators saying the user missed a voicemail. Another example is where users are targeted by emails saying their bank cards have been broken into, which had a 20% open rate.
Has awareness changed or are we reinventing the wheel?
He says there have been significant improvements involving training, awareness and education. Evan feels that people have given up solving this problem with technology and moved on to non-technology solutions. This has proven to be successful, but businesses do not want to spend ten minutes every day training staff how to detect email attacks.
What should security awareness training be focused on?
Currently, a lot of training is focused on the mechanics of these attacks, such as spotting misspellings and malicious links. This will work on the average phishing campaign, but we are seeing more and more sophisticated impersonation attacks that are carefully crafted to come from someone you know and go to some place that is not suspicious, such as a Google Drive account that contains a phishing link.
Evan thinks that awareness training will shift from specific tactics to the psychology of attacks where attackers try to get users to bypass their normal critical thinking skills. He adds this may not be the best for businesses, as they do not want employees playing mental calculus all day long. There is a lot to be said for 30 seconds on the phone — which still may be the best defensive strategy.
Is there any indication that C-suite executives are receiving better training in this regard these days?
He thinks so, but most companies have ruled out training awareness programs. Most executives are aware of email attacks, but people may be unaware about just how sophisticated real attacks can get. It can be challenging to convince people about the danger of email attacks because of the embarrassment that comes from being a victim.
I recently saw statistics saying that the number of internet users will exceed three billion users in the next few years. With most of these users being new, how do we quickly onramp them to being conscious about email attacks?
The general pattern we as humans have is to treat digital communications like a face-to-face conversation, and we place a lot of trust in it. People tend to think that if an email says it is from someone, we believe it. If people understand the danger in placing this trust in an email, it would help a lot in getting people up to speed with email attack security consciousness.
Do you have any recommendations for education of executive-level users about email attacks?
While not sure if he has seen great examples of educating executives specifically in real life, Evan says that companies that have the intellectual honesty to talk about this subject will be better prepared. Companies should realize that email attacks are moving more toward supply chain compromise attacks.
Do you have any tips regarding third party vendors?
Users need to realize that just because an email is coming from a third-party vendor email account does not mean it is legitimate. Recently, researchers at Abnormal Security have been seeing more vendor account compromise than previously.
One thing that organizations can do is to stick to their business practices regarding third-party vendors. An example of how business practices can be used would be if you see a vendor check with a different routing and/or account number – nobody does this in the normal course of business.
Going beyond 2020, where do you see email attacks going in the next 5 years? Do you think there will be a point when AI will make email attacks less of a threat?
Evan says that he thinks so. 20 years ago, spam held this threat position and today it is not effective at all — just think of how few spam emails actually make it into your inbox. Email attacks have shifted more towards phishing, social engineering and executive impersonation.
He thinks that advances in technology (particularly machine learning and AI) will help with email attacks in the future, but at the end of the day if you can successfully attack human judgement, you can bypass all of these security measures.
Tell me about Abnormal Security and some of the strategies and services you provide to your clients
Abnormal are an email security company that does what you think email security companies do, but also have a focus on social engineering, business email compromise and executive impersonation. Instead of relying only on threat intelligence, they use machine learning to understand connected enterprises through APIs to predict normal business behavior and where we see deviance is where we focus our efforts. Examples being secure emails not coming through secure gateways, accounts being compromised and next-generation attacks.
Curious about Evan Reiser and Abnormal Security? You can check them out at abnormalsecurity.com, and you can find Evan on Twitter @evanreiser. If you want to check out this podcast yourself, you can find it on Infosec’s YouTube page.
- Email attack trend predictions for 2020, Infosec (YouTube)