How ML can protect you from phishing attacks

Tarek Kuzbari, Regional Director, Middle East and Turkey, Cybereason.

Most breaches start with an email. These ubiquitous messages are the most dangerous cyber threat even in the technologically advanced and industrialised Middle East. Whether they hide malware or impersonate an executive ordering money transfers, email-borne attacks are constantly honed to bypass perimeter defences.

Defending an organisation against today’s advanced cyber-threats is a herculean feat. According to a survey, the strain is so acute that 53% of security professionals are considering resigning if they cannot increase their budgets or hire more staff. However, forward-looking decision makers have found an efficient way to alleviate this pain point.

Instead of taking the placebo path and piling countless layers of disparate security solutions on top of one another, in the hope of filling every cyber-security gap, IT leaders today are turning to a simpler and smarter approach: actionable cyber threat intelligence.

According to the 2019 Gartner Market Guide for Security Threat Intelligence Products and Services, 20% of large enterprises will use commercial cyber threat intelligence services by 2022 to bolster security, an increase from fewer than 10% today. But why is threat intelligence suddenly such an appealing approach to combating advanced cyber-threats?

Today’s high-performing companies are embracing threat intelligence for an array of uses, such as security data augmentation, phishing investigations, incident response, vulnerability management and detailed malware analysis. Cyber threat intelligence lets security teams improve defences by triaging and prioritising alerts while increasing efficiency and productivity. Often integrated with Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) solutions, cyber threat intelligence correlates data gathered from inside the enterprise with indicators about external threats.


By narrowing the range of threats marked for investigation, threat intelligence can more quickly and accurately identify a likely breach, or one that is already penetrating your infrastructure. But in one area, threat intelligence makes all the difference: email.

Data collected by researchers in the past 12 months indicates that the global volume of spam has increased 48% year-over-year. Spam remains a key delivery mechanism for malware such as banking Trojans and ransomware, and for scams ranging from Nigerian-prince advance-fee fraud to impersonation and business email compromise (BEC).

Spam is the go-to weapon for cybercriminals. It can help in social engineering by gaining victims’ trust and compelling them to quickly open an attachment, click a link, type in a password, or even wire funds directly to the attacker’s account.

Spam takes many elusive forms, some of which can sneak past perimeter-level defences like next-gen firewalls and intrusion prevention and detection systems (IPS/IDS). Spear-phishing and whaling, also members of the spam family, are even bigger threats to an organisation. Whaling and its close relative business email compromise (BEC) forge a senior executive’s email address, or compromise the executive’s email account outright, in order to send fraudulent messages inside the organisation.

Typically, BEC operators ask a victim to transfer funds into a bank account they control. BEC scams have so far accounted for over $12.5 billion in losses, according to the FBI’s Internet Crime Complaint Center (IC3). Emails sent in the name of the CEO can easily get past your perimeter unless your filters use proper threat intelligence to spot the scam.

So, how can security teams leverage threat intelligence to combat hackers’ most successful attack avenue? It all boils down to the quality of the filters employed to parse the data. This is the key selling point for threat intelligence vendors and the key to success for prospective buyers alike.


Applied to spam, phishing, spear-phishing and whaling, threat intelligence can catch malicious emails targeting certain industries, sniff out emails laced with elusive malware, and spot campaigns using sophisticated methods to evade detection. For example, machine learning models analyse the text in the email for even the smallest clues that something is amiss.


IP, domain and URL reputation is measured constantly, and the volume of spam seen from each source feeds blacklists and whitelists. Tags such as employment, lottery, stock, pharma and dating help categorise emails as suspicious before other filters kick in to confirm or reject the email’s legitimacy. And the list goes on.

Current threat intelligence vendors overestimate the customer’s capabilities. All of the above can be served up directly to your security team, or, if you lack the manpower and skill in-house, you can outsource it to your vendor’s army of security experts, trained to tweak those knobs for you based on your business model, industry type and technical requirements.


In the context of spam, threat intelligence correlates data points from multiple levels and angles to determine whether the email you are looking at is malicious or legitimate.
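To make the correlation concrete, here is an added example (written for this article, not a vendor’s engine) that folds the signals discussed above into one verdict: sender-domain and URL reputation, the forged-boss pattern behind BEC, a diverted Reply-To, and keyword tags standing in for the text models. The indicator feeds, the executive directory, the weights and the three sample messages are all constructed.

```python
"""Score an email by correlating reputation, impersonation and content signals.

Added example for this article; not a vendor's engine. The indicator feeds,
the executive directory, the weights and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed "threat intelligence" feeds (assumptions, not real indicators).
BAD_SENDER_DOMAINS = {"win-lottery-now.example", "secure-payroll-update.example"}
BAD_URL_HOSTS = {"login-verify.example"}
# Constructed directory of executives worth impersonating: display name -> real address.
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}
# Content tags, in the spirit of the article's employment/lottery/pharma/dating tags.
TAG_KEYWORDS = {
    "lottery": ("lottery", "winner", "prize"),
    "payment": ("wire transfer", "urgent payment", "invoice"),
}
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

# How much each signal counts; a tag on its own never reaches the "suspicious" line.
WEIGHTS = {
    "sender-domain-blocklisted": 60,
    "url-host-blocklisted": 60,
    "executive-display-name-spoof": 50,
    "reply-to-mismatch": 30,
    "tag:lottery": 20,
    "tag:payment": 15,
}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def extract_signals(raw_message):
    """Return the list of signals that fired for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    signals = []

    # Layer 1: reputation of the sending domain and of every linked host.
    if domain_of(from_addr) in BAD_SENDER_DOMAINS:
        signals.append("sender-domain-blocklisted")
    if {h.lower() for h in URL_HOST_RE.findall(body)} & BAD_URL_HOSTS:
        signals.append("url-host-blocklisted")

    # Layer 2: impersonation. A known executive's name on a different address
    # is the forged-boss pattern behind CEO-fraud BEC.
    real_addr = EXECUTIVES.get(display_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        signals.append("executive-display-name-spoof")

    # Layer 3: replies silently diverted to a domain the sender does not use.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        signals.append("reply-to-mismatch")

    # Layer 4: content tags, the stand-in here for the article's text models.
    for tag, words in TAG_KEYWORDS.items():
        if any(w in text for w in words):
            signals.append(f"tag:{tag}")
    return signals


def verdict(raw_message):
    """Correlate the signals into (label, score, signals)."""
    signals = extract_signals(raw_message)
    score = sum(WEIGHTS[s] for s in signals)
    label = "malicious" if score >= 50 else "suspicious" if score >= 20 else "legitimate"
    return label, score, signals


# Constructed sample messages.
LEGIT = """\
From: Jane Doe <jane.doe@corp.example>
To: bob@corp.example
Subject: Q3 planning

Hi Bob, let's meet on Tuesday to go over the Q3 plan.
"""

BEC = """\
From: Jane Doe <jane.doe@ceo-mailbox.example>
Reply-To: Jane Doe <office@fastreply.example>
To: bob@corp.example
Subject: Urgent payment

Bob, I need you to process a wire transfer to the new supplier today. Keep this confidential.
"""

LOTTERY = """\
From: Prize Desk <claims@win-lottery-now.example>
To: bob@corp.example
Subject: You are a WINNER

Congratulations! Claim your lottery prize at http://login-verify.example/claim within 24 hours.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("bec", BEC), ("lottery", LOTTERY)):
        print(name, verdict(raw))
```

The point of the weights is the correlation the article describes: the word "invoice" in a genuine CFO email stays below the suspicious line, while the same words combined with an executive’s name on an external address and a diverted Reply-To push the BEC sample over the malicious threshold with no blacklist hit at all. A production engine would replace the keyword tags with trained text models and the static sets with live reputation feeds, but the layering is the same.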

When choosing your threat intelligence vendor, first look for easy integration with your existing tooling (SIEM, TIP, SOAR), targeted threat intelligence based on company profile, and predictive and strategic data.

The best vendors deliver security data and expertise by leveraging dedicated anti-spam, anti-phishing and anti-fraud technologies, indicators of compromise on every layer of your infrastructure, internal crawling systems, email traps, honeypots and data from monitored botnets, advanced heuristics and content analysis.

Top-rated solutions also include an internal virtual machine farm that executes prevalent malware and collects threat information and, ideally, collaborates with other cybersecurity industry players, international organisations and law enforcement agencies.

By Tarek Kuzbari, Regional Director Middle East, Bitdefender.
