Table of contents

    Combating Business Email Compromise with Context Intelligence

    Business Email Compromise (BEC) is an attack in which the bad actor delivers phishing, fraud, or malware via a previously compromised, legitimate user account. BEC attacks typically originate from well-known suppliers and other business partners and use a sophisticated series of steps to ultimately trick the victim into providing valuable information or moving money directly into the attacker’s bank account.

    According to the FBI, Business Email Compromise alone accounted for nearly 35% of all cybercrime losses in 2021, and that number is only growing as threat actors become more effective. Cybercriminals are constantly innovating, launching new attack tools and technologies to get through traditional cybersecurity defenses such as signature-based gateways and into the accounts that are most valuable to them. They use advanced social engineering tactics and techniques, including spear phishing, to gain access to corporate email accounts and send fraudulent emails to steal money from the target company.

    Fundamental Limitations of Legacy Systems

    Over the past few decades, email security solutions have looked to mitigate email risk by preventing previously seen attacks from occurring again. Mail server reputations, fast sharing of intel and signatures, URL rewriting, dynamic analysis of files and URLsmany approaches have been developed to cope with the changing nature of email threats. But these approaches inevitably result in playing catch-up with bad actors. Legacy security tools reliant on signatures and threat feeds are ill-equipped to tackle the new age of rapidly evolving cyber threats.

    Modern email attacks like BEC are highly personalized, exploit trusted relationships (Fig. 1), and use untainted senders and infrastructure. Attackers dynamically create “fresh” malicious links and unmarked attachments, which render the previously strong indicators obsolete. As a result, more and more malicious emails reach your employees' inboxes where they increase the risk of breach, overhead, and friction. 

    image4-2

    Fig 1. BEC involves an attacker abusing a compromised, legitimate email account to send malicious messages. In this example, the allegedly compromised sender’s email address might be placed in the display name creating the impression that it was the actual business partner who sent the email.

    How to respond when the email attack surface is dynamic and threat actors are relentless in their onslaught against it? A constantly evolving cyber-attack landscape requires a step up in your detection capability.

    Replacing Threat Intelligence with Context Intelligence

    Context Intelligence can help you regain the upper hand. Completely independent of third-party threat intelligence,  Context Intelligence brings together data and signals from different internal and external sources, giving you the visibility you need to understand and adapt the attack surface to the dynamic needs of your organization. Without context:

    • You’re flying blind: You don’t know what constitutes the attack surface you’re managing. Which types of documents are frequently exchanged and are business relevant? What cloud services are used? What can be blocked? What needs to be allowed? Where do you need other mitigating controls? 
    • You accept a higher risk of breach: Bad actors tailor their attacks to the context of your organization to increase the probability of success. Not knowing that context minimizes your chances of identifying and stopping these threats. Would you recognize if somebody impersonated a business partner of yours? For that, you first need to know who your business partners are.
    • You can’t govern: Your business now operates in an increasingly interconnected world, with various entities maintaining different kinds of relationships with your organization. Understanding the nature of these relationships helps to establish more granular security and data protection policies. Are your IT suppliers sneaking in software updates by attaching encrypted archives to emails? Knowing this will allow you to take action and to adapt and enforce new policies.

    With Context Intelligence, you will finally be able to understand and minimize your attack surface, identify modern threats more accurately, and detect anomalies in trusted communication. Here's how you can start.

    Three steps to Context Intelligence

    1. Monitor: Start monitoring incoming, outgoing, and internal communication.
    2. Aggregate: Aggregate data from all the messages you see over the entire organization or per user.
    3. Enrich: Extend your intelligence with data from other sources, e.g., domain registration dates, domain reputations, etc.

    When you get visibility into and understand what legitimate communication looks like for your organization, you can understand your unique environment, filter the noise, and take action where potential risks are identified.

    To find out more about how you can apply Context Intelligence to protect your organization against BEC and zero-day email attacks, check out  The CISO Guide to Smarter Email Security.