Behavioral Analytics for Detecting Whaling, Ransomware and Other Email-Based Crime Campaigns

20 Apr

in Blog, Perspectives

by Vinay Pidathala

Working with Niara customers, Niara's security research team has found that spoofing the sender domain is a primary technique in email-borne attacks. Niara identified these attacks with security analytics that combine user behavior analytics (e.g., an unusual number of incoming emails, or mail from a country never seen before for that recipient), which surface anomalies, with discrete analytics (e.g., detection of a spoofed or look-alike sender domain), which help establish that an anomaly is actually malicious.

During our research, Niara's analytics surfaced many distinct malicious campaigns. In the PostMoney targeted attack campaign, for example, attackers sent the CFO a spoofed email that appeared to come from the organization's CEO and asked for a reply. Niara detected this targeted attack by applying its multi-dimensional analytics modules to email traffic and flagged it to security analysts, who stopped it before it progressed. Had the attack proceeded as planned (that is, had the CFO replied), the attacker would have followed up with a second email naming the account into which money was to be transferred. Note that nothing in that first email was itself malicious: no attachment, no link, only a request for a reply, so the available signals are the sender's identity and the departure from the recipient's normal mail patterns. Attackers have used similar tactics successfully against Snapchat and many other organizations. This technique, known as "whaling" (a form of business email compromise aimed at executives), has cost organizations more than $2.3 billion over the past three years.
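The combination described above (behavioral anomalies to surface a message, discrete spoofing checks to attribute intent) can be sketched in code. The following is an added example written for this post, not Niara's own analytics or any product code; the protected domain example.com, the executive directory, the constructed mail history, the look-alike table and the volume threshold are all assumptions. It runs both kinds of check over a constructed day of mail to a CFO, including a CEO-impersonation message of the PostMoney kind, and shows why an anomaly alone ranks low while an anomaly backed by a spoofing indicator ranks high.

```python
"""Added example (not Niara's code): pair a per-recipient behavioral baseline
(local intelligence) with discrete sender-spoofing checks (global intelligence).
Domain, executive directory, mail history and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
import unicodedata

ORG_DOMAIN = "example.com"                          # assumed protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed CEO directory entry
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # common look-alikes


@dataclass(frozen=True)
class Email:
    day: int            # day index on which the message was received
    recipient: str
    from_name: str      # display name in the From: header
    from_addr: str      # address in the From: header
    reply_to: str       # Reply-To: address, "" if absent
    country: str        # geolocation of the sending IP
    auth_pass: bool     # SPF/DKIM alignment result reported by the gateway


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def skeleton(dom: str) -> str:
    """Fold accents and look-alike characters so that examp1e.com == example.com."""
    s = unicodedata.normalize("NFKD", dom.lower()).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from the real domain is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(e: Email) -> list[str]:
    """Discrete checks: suspicious on their own, whatever the recipient's baseline."""
    found, d = [], domain(e.from_addr)
    if d == ORG_DOMAIN and not e.auth_pass:
        found.append("own domain in From: but sender authentication failed")
    elif d != ORG_DOMAIN and (skeleton(d) == skeleton(ORG_DOMAIN)
                              or edit_distance(d, ORG_DOMAIN) == 1):
        found.append(f"look-alike of {ORG_DOMAIN}: {d}")
    exec_addr = EXECUTIVES.get(e.from_name.strip().lower())
    if exec_addr and e.from_addr.lower() != exec_addr:
        found.append("display name impersonates an executive")
    if e.reply_to and domain(e.reply_to) != d:
        found.append("Reply-To domain differs from From domain")
    return found


def build_baseline(history: list[Email]) -> dict[str, dict]:
    """Per recipient: countries ever seen and the list of per-day inbound counts."""
    per_day, countries = defaultdict(Counter), defaultdict(set)
    for e in history:
        per_day[e.recipient][e.day] += 1
        countries[e.recipient].add(e.country)
    return {r: {"countries": countries[r], "daily": list(per_day[r].values())}
            for r in per_day}


def behavior_anomalies(e: Email, todays_count: int, baseline: dict) -> list[str]:
    """Local checks: departures from what this recipient normally receives."""
    found = []
    if e.country not in baseline["countries"]:
        found.append(f"never-before-seen sender country {e.country}")
    daily = baseline["daily"]
    if todays_count > mean(daily) + 3 * max(pstdev(daily), 1.0):  # assumed threshold
        found.append(f"inbound volume spike: {todays_count} messages today")
    return found


def triage(history: list[Email], batch: list[Email]) -> list[dict]:
    """Anomalies surface a message; a discrete indicator is what makes it a priority."""
    base = build_baseline(history)
    counts = Counter(e.recipient for e in batch)
    out = []
    for e in batch:
        ind = spoof_indicators(e)
        # No history for this recipient yet: the behavioral module abstains.
        anom = (behavior_anomalies(e, counts[e.recipient], base[e.recipient])
                if e.recipient in base else [])
        priority = "high" if ind and anom else "medium" if ind else "low" if anom else "none"
        out.append({"from": e.from_addr, "indicators": ind, "anomalies": anom,
                    "priority": priority})
    return out


CFO = "cfo@example.com"
# Constructed history: five days of routine mail to the CFO from US/GB senders.
HISTORY = [Email(d, CFO, "Vendor", f"billing{i}@partner.com", "", "GB" if i % 2 else "US", True)
           for d, n in enumerate([4, 5, 4, 6, 5]) for i in range(n)]
# Constructed day-six batch, including a CEO impersonation of the PostMoney kind.
NEW_DAY = [
    Email(6, CFO, "Jane Doe", "jane.doe@examp1e.com", "jane.doe.ceo@webmail.example", "NG", True),
    Email(6, CFO, "Vendor", "billing1@partner.com", "", "US", True),
    Email(6, CFO, "Newsletter", "news@list.example.net", "", "DE", True),
    Email(6, CFO, "Jane Doe", "jane.doe@example.com", "", "US", False),
]

if __name__ == "__main__":
    for row in triage(HISTORY, NEW_DAY):
        print(row["priority"].upper(), row["from"], row["indicators"], row["anomalies"])
```

On the constructed batch the look-alike CEO message ranks high (three spoofing indicators plus a never-seen country), the exact-address spoof that failed authentication ranks medium on the discrete indicator alone, the newsletter from a new country ranks low because nothing attributes intent to it, and the routine vendor mail is not raised at all. A real deployment would source `auth_pass` from the gateway's Authentication-Results header and the country from its connecting-IP geolocation rather than from constructed fields.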

Another malicious campaign Niara detected was the Locky ransomware campaign. In this campaign, attackers used email as the delivery vector to compromise systems and encrypt the files on them. Unlike a data breach, after which business operations can usually continue, a ransomware attack brings operations to a halt until the affected systems are restored from backup or replaced, or the ransom is paid. Ransomware attacks on MedStar, Methodist Hospital and Hollywood Presbyterian have dominated the news lately. In this case, Niara surfaced the attack before the ransomware was widely deployed, enabling analysts to limit the potential damage.

Other malicious campaigns we detected are outlined in our threat advisory, which documents the TTPs (tactics, techniques and procedures) the attackers used. Security analysts can use that information to determine whether their organization has been targeted by these attacks and take the appropriate remediation steps. The advisory also provides indicators of compromise (IoCs) that can be used in conjunction with Niara to combat these email-borne attacks.

But this isn't about positioning Niara as a malware detection solution, because that's not who we are. We are about security analytics, and while researching material for this threat advisory it was exhilarating to see how our behavioral analytics gave analysts the machine assistance to detect email-borne attacks even when there were no suspicious payloads (e.g., known malicious attachments or URLs) that would have triggered perimeter defenses or security monitoring rules.

As we've said before, layered security is the key to protecting your organization from cyber attacks. Security analytics that combine local intelligence (behavioral analytic modules that automatically adapt to each organization's environment, baseline its normal behavior and identify irregularities) with global intelligence (discrete analytics that recognize indicators of malicious intent which hold regardless of organization, such as a spoofed sender domain) will be the new weapon to add to your arsenal. The local intelligence identifies anomalies; the global intelligence attributes malicious intent more reliably. By combining the two, Niara gives security analysts confidence that they are focusing on the threats that matter.
