One Article Review

Home - The article:
Source CISCO Talos
Identifier 7540074
Publication date 2022-10-18 08:41:18 (viewed: 2022-10-18 13:06:15)
Title The benefits of taking an intent-based approach to detecting Business Email Compromise
Text By Abhishek Singh.

BEC is a multi-stage attack. Adversaries first identify targets, then establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets.

A policy that checks for authorized email addresses of the sender can prevent BEC attacks. However, scaling that approach to every employee in a large organization is a challenge.

Building an executive profile from email analysis with a machine learning model, and scanning incoming emails against that profile, will detect BEC. Collecting the data needed to build and train such algorithms takes time, though, which opens a window of opportunity for threat actors to exploit.

Detecting exploitation techniques, such as lookalike domains and any difference between the email addresses in the "From" and "Reply-To" fields, can also detect BEC messages. However, the final verdict cannot account for the threat actor's intent.

The intent-based approach detects BEC and then classifies it into the type of scam. It catches BEC messages irrespective of whether the threat actor is impersonating a C-level executive or any other employee in the organization. Classification by type of scam can help identify which segment of an organization was targeted and which employees were being impersonated by the threat actor. That additional information further assists in designing better preventive features to stop BEC.

Business email compromise (BEC) is one of the most financially damaging online crimes. As per the internet crime 221 report, the total loss in 2021 due to BEC is around 2.4 billion dollars. Since 2013, BEC has resulted in a 43 billion dollar loss. The report defines BEC as a scam targeting businesses (not individuals) working with foreign suppliers and companies that regularly perform wire transfer payments.

Fraudsters carry out these sophisticated scams to conduct unauthorized transfers of funds. This raises the challenge of how to detect and block these campaigns as they continue to compromise organizations successfully. There are a variety of approaches to identifying BEC email messages, such as using policy to allow emails only from authorized email addresses, detecting the exploitation techniques used by threat actors, and building profiles by analyzing emails and validating incoming messages against those profiles. Each of these approaches has limitations or shortcomings. Cisco Talos is taking a different approach and using an intent-based model to identify and block BEC messages. Before we get too deep into the intent-based model, let's take a closer look at the commonly used approaches to blocking BEC, from the simplistic ones through machine learning (ML) approaches.

Policy-based detection

The first place to start is policy-based detection, as it is one of the most common and simplistic approaches to blocking BEC campaigns. Let's start by looking at an example of a BEC email.
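The exploitation-technique checks the article lists (a "From"/"Reply-To" mismatch, a lookalike domain, and an executive's display name arriving from an unexpected address) can be expressed as simple header analysis. The following is an added example, not Talos's code; the trusted domain, the executive list, the homoglyph table and the sample messages are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample data: the organization's real domain and its executives.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed homoglyph substitutions often seen in lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}


def normalize(domain):
    """Fold common visual substitutions so 'exarnple.com' reads as 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    if domain == TRUSTED_DOMAIN:
        return False
    return normalize(domain) == TRUSTED_DOMAIN or edit_distance(domain, TRUSTED_DOMAIN) <= 2


def analyze(raw_message):
    """Return a list of BEC indicators found in the headers of one raw message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to mismatch")
    if is_lookalike(domain):
        findings.append("lookalike domain")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append("executive display name from other address")
    return findings
```

As the article notes, these checks flag the technique but say nothing about the sender's intent, so a hit is a signal to enrich and triage rather than a final verdict.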
Sent Yes
Tags Threat Medical Cloud
Stories Yahoo Uber APT 38 APT 37 APT 29 APT 19 APT 15 APT 10


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.