Horses, Barn Doors and Ransomware

13 Sep

in Blog, Perspectives

by Larry Lunetta

There is a favorite saying to characterize a situation where the remedy to a problem shows up too late:  “It’s like locking the barn door after the horse is stolen.”

When we look at how many User and Entity Behavior Analytics (UEBA) solutions deal with email-borne attacks like spearphishing and ransomware, the emphasis is on "look how we show you the data leaving your organization" rather than "we've seen an email that looks like it could lead to an attack."  In other words, "the horse is leaving, good luck."

While any notification of an attack in progress (or even finished) is necessary for damage control and cleanup, new technologies such as Machine Learning should do better than that.

Much has been made of the value of Machine Learning/behavior analytics, often packaged as a UEBA solution, to detect cyber-attacks that have evaded real-time defenses and typically masquerade behind legitimate user credentials.

The “E” in UEBA stands for “Entity”.  An entity can be a user, a host, an application;  really any IT actor with an IP address.  Until now, UEBA Machine Learning has been applied to find small changes in user or host behavior that, when collected over time and put into context, will in aggregate indicate a slowly gestating attack.  In other words, a focus on the compromised user or system.

Niara has expanded the definition of “Entity” to now include the attacker.  Through the use of UEBA Machine Learning models that focus on the tactics of the exploit, analysts will see these attempts earlier in the kill chain and can take steps to intercept the attacks before they do damage.

This breakthrough came from an exhaustive study of email-based attack campaigns by the Niara threat research team.  In a recently published study ("Using Behavioral Analytics to Detect Malicious Email Campaigns and Targeted Attacks"), five of the most lethal email-targeted campaigns, including Lokey, PostMoney and Witness, were carefully scrutinized to unearth the TTPs (tactics, techniques and procedures) used by attackers.  Based on these attack "autopsies", Niara researchers pinpointed the critical signs of email-based attacks, which include:

  • Name spoofing
  • Campaign targeting
  • Origination
  • Duration


The most important finding of the study is that the same Machine Learning algorithms that Niara uses to find compromised or malicious insiders can be used on email logs or actual email headers to automatically flag ransomware, spearphishing, whaling, etc.

For example, a typical attack email campaign will try to trick a user by "spoofing" the sender with a near-miss of a trusted name: replacing an "i" with an "l", an "o" with a zero, or transposing two letters, so that "Niara" becomes "Nlara" or "Naira".  With specially trained machine learning models (see Levenshtein Blog) Niara can spot these subtle changes and combine them with other attacker behaviors to deliver a reliable, highly actionable alert before files are encrypted or data leaves the organization.
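As an added illustration (not Niara's code, and not taken from the referenced study), the Python below applies the ideas from the list of attack signs above and the lookalike example to From: headers and a constructed mail log. It folds common homoglyph substitutions (l/1 for i, 0 for o), scores the sender's domain label against a protected-domain list with Levenshtein distance, flags display names that claim a protected brand from an outside address (name spoofing), and combines that with a burst of distinct recipients from one sender inside a short window (campaign targeting and duration). The protected domain niara.com, the thresholds, and the log lines are assumptions made for the example.

```python
"""Lookalike-sender and campaign-burst detection over From: headers.

Added example, not Niara's code. The protected-domain list, thresholds and
the sample log below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from email.utils import parseaddr

# Domain an attacker would imitate -> brand they would put in the display name (assumed).
PROTECTED = {"niara.com": "Niara"}

# Character substitutions commonly used in lookalike names; both sides are folded
# to one canonical form so that "nlara" and "n1ara" compare equal to "niara".
_FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})


def normalize(s):
    """Lower-case and fold homoglyphs ("rn" -> "m" is handled before the single-char map)."""
    return s.lower().replace("rn", "m").translate(_FOLD)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b)) with two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, protected=PROTECTED, max_dist=2):
    """Return a list of name-spoofing findings for one From: header (empty = clean).

    Assumes mail from a genuine protected domain has already passed SPF/DKIM upstream,
    so an exact domain match is trusted here rather than re-checked.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in protected:
        return []
    findings = []
    cand = domain.split(".")[0]
    for good_domain, brand in protected.items():
        base = good_domain.split(".")[0]
        # Compare only the registrable label, after homoglyph folding. The distance
        # bound is tied to the label length so short labels do not match everything.
        if cand:
            d = levenshtein(normalize(cand), normalize(base))
            if d <= min(max_dist, len(base) // 2):
                findings.append(f"lookalike domain {domain} ~ {good_domain} (distance {d})")
        # A display name that claims the brand while the address lives elsewhere.
        if normalize(brand) in normalize(name):
            findings.append(f"display name '{name}' impersonates {brand} from {domain}")
    return findings


def campaign_stats(messages):
    """Group a log of (iso_timestamp, from_header, recipient) rows by sender address.

    Returns {sender_addr: (first_from_header, distinct_recipients, span_seconds)}.
    """
    seen = defaultdict(lambda: {"header": None, "rcpts": set(), "first": None, "last": None})
    for ts, frm, rcpt in messages:
        t = datetime.fromisoformat(ts)
        s = seen[parseaddr(frm)[1].lower()]
        s["header"] = s["header"] or frm
        s["rcpts"].add(rcpt.lower())
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return {a: (s["header"], len(s["rcpts"]), (s["last"] - s["first"]).total_seconds())
            for a, s in seen.items()}


def flag_campaigns(messages, min_targets=3, max_window_s=60):
    """Combine sender spoofing with burst targeting: many distinct recipients from one
    outside sender inside a short window is campaign behaviour, not a one-off message."""
    out = {}
    for addr, (header, n_rcpts, span) in campaign_stats(messages).items():
        findings = classify_sender(header)
        if n_rcpts >= min_targets and span <= max_window_s:
            findings.append(f"{n_rcpts} distinct recipients within {int(span)}s")
        if findings:
            out[addr] = findings
    return out


# Constructed mail log: one spoofed burst, one internal mail, one unrelated external mail.
SAMPLE_LOG = [
    ("2016-09-13T08:00:01", "Niara Support <support@naira.com>", "ceo@niara.com"),
    ("2016-09-13T08:00:04", "Niara Support <support@naira.com>", "cfo@niara.com"),
    ("2016-09-13T08:00:09", "Niara Support <support@naira.com>", "hr@niara.com"),
    ("2016-09-13T09:15:00", "Alice <alice@niara.com>", "bob@niara.com"),
    ("2016-09-13T10:00:00", "Bob <bob@example.com>", "alice@niara.com"),
]

if __name__ == "__main__":
    for sender, findings in flag_campaigns(SAMPLE_LOG).items():
        print(sender)
        for f in findings:
            print("  -", f)
```

Run on the constructed log, only support@naira.com is reported, with three findings: the transposed domain (distance 2 from niara), the display name claiming the brand from an outside address, and three distinct internal recipients inside eight seconds. The distance bound scales with the label length so a two- or three-letter brand is not matched by every short domain, and an exact protected-domain match is deliberately trusted rather than re-scored, which is only safe if SPF/DKIM alignment is enforced ahead of this check.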

According to the 2016 Verizon Data Breach Investigations Report, 30% of phishing messages were opened by the target and 12% went on to click the malicious attachment or link, launching a ransomware or exfiltration campaign.  Despite the array of security defenses, email-focused or not, these attacks still get through and are only noticed as data flies out or files are corrupted.

Niara has opened a new front in the war on email-borne attacks.  By combining the anomalies detected in an attacker’s behavior with other relevant alerts, the doors can be locked and the horses are protected—before the damage is done.

