Below the Surface – S1E4
STEPHANIE CAVIGLIANO [00:02:02] Hello and welcome to this episode of Below the Surface. I’m your host, Stephanie Cavigliano. Here comes my co-host, Darshna Kamani.
DARSHNA KAMANI [00:02:11] Thank you, Stephanie. And hello, everyone, I hope you’re all well. Ready for the week, Stephanie?
STEPHANIE CAVIGLIANO [00:02:17] Ready as I’ll ever be, Darshna. But I have some good news for you today. Today is actually National Creme Brulee Day.
DARSHNA KAMANI [00:02:24] I’m not sure how I feel about Creme Brulee. One of your favourites?
STEPHANIE CAVIGLIANO [00:02:28] No, it’s not. I fancy myself a bit of a dessert, kind of “sour” and I could kind of take or leave creme brulee but any excuse to indulge is fine by me.
DARSHNA KAMANI [00:02:37] Oh, I’m with you on the indulgence for sure.
STEPHANIE CAVIGLIANO [00:02:42] What would you pick if you could pick a “sweet fruit”?
DARSHNA KAMANI [00:02:45] It has to be something with chocolate. 100% like being a chocolate cake. Anything, yeah, anything?
STEPHANIE CAVIGLIANO [00:02:55] Chocolate cake with vanilla ice cream?
DARSHNA KAMANI [00:02:57] Oh, yes, “warmed up” chocolate cake with vanilla ice cream?
STEPHANIE CAVIGLIANO [00:03:02] Classic combo, classic combo.
DARSHNA KAMANI [00:03:03] How about you?
STEPHANIE CAVIGLIANO [00:03:05] Same, I have an ice cream problem. A bit of cookie dough also.
DARSHNA KAMANI [00:03:13] Cookie dough? Your thing?
STEPHANIE CAVIGLIANO [00:03:13] In any form. I don’t discriminate.
DARSHNA KAMANI [00:03:20] So dessert is for this week.
STEPHANIE CAVIGLIANO [00:03:22] I mean, we can make this the whole hour if you want. I don’t know how the audience feels…
DARSHNA KAMANI [00:03:29] And do we have some good guests, too? Or maybe they have some options they like.
STEPHANIE CAVIGLIANO [00:03:34] Yeah. You know, if you’re viewing now, weigh in. Let us know how you feel about creme brulee. And if there’s a better alternative in your opinion. I’m curious. Maybe that’s certainly the topic. Our next friend report.
DARSHNA KAMANI [00:03:48] I think so. And spearfishing, “I’m sure they’re good to go”.
STEPHANIE CAVIGLIANO [00:03:52] That’s right. Well, if you all joined us last week, you’ll remember that we spoke to Fleming Shi, who is our CTO at Barracuda, and we talked about the future of SD-WAN. And of course, we had mentioned Barracuda’s new Cloud Gen WAN, which is the first secure global SD-WAN service built natively and available on Microsoft Azure. So a super interesting conversation last week with Fleming. If you missed it, you can always check it out on demand. Head over to our LinkedIn page and you can find a YouTube link. So we do have a great show for you all lined up today, a topic very close to my heart that is separate from dessert. Another topic close to my heart. So before we bring on our guests, a very quick reminder that you can ask us questions by typing them into the comments section below or feel free to just say hello and let us know where you’re watching from.
DARSHNA KAMANI [00:04:44] Indeed, Stephanie, we really do have a great line-up for you today and a very relevant topic. Last week, Barracuda released key findings about the way cyber criminals are attacking and exploiting e-mail accounts. The report reveals a specialised economy emerging around email account takeover and takes an in-depth look at the threats organisations face and the types of defence strategies you need to have in place.
STEPHANIE CAVIGLIANO [00:05:09] I’m intrigued. It’s crazy to think that attackers are creating this whole economy around email attacks. So let’s find out some more and really delve into the report. Now, I’d like to welcome our guests today, Asaf Cidon, Associate Professor at the University of Columbia and valued advisor to Barracuda, as well as Neil Shah, a Software Engineering Specialist. Welcome to the show, gentlemen.
NEIL SHAH [00:05:34] Thank you for having us on.
ASAF CIDON [00:05:35] Glad to be here.
DARSHNA KAMANI [00:05:37] It’s great to have you guys. Before we start. Favourite dessert? So creme brulee…
NEIL SHAH [00:05:44] Probably a “Snickerdoodle” ice cream with vanilla ice. “We started thinking, you know, we would vanilla ice cream warmed up”
ASAF CIDON [00:05:50] All right. I’m not a dessert person, to be honest. I think it’s a waste of time. Just give me a bigger steak or something.
DARSHNA KAMANI [00:05:57] No way I would skip everything for dessert.
STEPHANIE CAVIGLIANO [00:06:00] I’m the same, I’ve never understood it. More dessert for us.
DARSHNA KAMANI [00:06:06] Exactly. We’ll have yours any day.
ASAF CIDON [00:06:09] No problem.
DARSHNA KAMANI [00:06:11] Thank you for joining us today. We have so much to cover. So I’m going to jump straight in. So email tech is such a hot topic. In fact, I can’t compromise incidents on business email compromise continuously in the news. Have there been any stories lately that really alarmed you?
NEIL SHAH [00:06:30] I think two weeks ago we saw the Twitter hack, and that was a pretty surprising attack given that was executed by four people who barely knew each other. And one of the people actually got into the Slack account. The internal accounts for Twitter and was able to see some credentials being transferred between employees. And that’s how they actually got in. So I thought that was pretty interesting, given that potentially being shared and certain employees are even given access to kind of this internal server that’s able to reset passwords for accounts and disable two factor auth. So it kind of illustrates the idea and security of least privilege and separation of responsibility, I think.
ASAF CIDON [00:07:16] Yeah. I mean, I think that Twitter compromise is kind of something that kind of everybody in the security world has been focussed on, more or less so. And then I think another one that’s a little bit more e-mail related. So we saw these attempted email attacks against the British Premier League football. So I think that, you know. So for those who are not familiar with that, the attackers were able to impersonate one of the parties in a transfer of a player between two different teams. And so there’s a pattern of attacks we’ve been seeing actually for a very long time in other domains. We’ve been seeing, for example, attackers take over real estate based firms that are involved in real estate transactions and then kind of direct the wire transfer to a different bank account. And so it was kind of interesting to see that they’re also going after, you know, the kind of top tier sports organisations. But, you know, that doesn’t surprise, surprise me. But it seems like they’re you know, they’re they’re not shy. And the attackers are quite audacious in terms of their targets.
STEPHANIE CAVIGLIANO [00:08:32] Even larger organisations are, you know, not exempt from being the victim of these types of attacks. And I think a good reminder for all of us: don’t share log-in credentials over chat channels. You would find yourself typing your password into service. Somebody else just stop.
ASAF CIDON [00:08:51] Yup, that’s a good. I think we can end the show now. Yeah.
STEPHANIE CAVIGLIANO [00:08:56] Words of wisdom. Yeah. So, you know, it’s very clear that these attacks can be so devastating. I think those real estate examples really pull it, pull it out of our heartstrings. People losing their down payments and just massive amounts of money. So I think it kind of goes without saying. But I want to hear it from you guys, the pros. Why is email such an attractive “right” factor?
ASAF CIDON [00:09:22] So, yeah, so I mean, there are various stats out there on, you know, 90% of cyber attacks start with the email and even and in our report, you know, initially this report started out actually the goal of it was just to kind of characterise account takeover, generally, not just e-mail focussed, but it’s interesting that Neil found that I’m actually even though so specifically this report was done on Office 365 accounts and even Office 365 accounts contain a lot of different enterprise applications from Microsoft Teams, you know, Skype for Business, OneDrive, SharePoint, et cetera. Still about 80% of the attacks only involved e-mail. So that that kind of reinforces that e-mail is such an important target. And I think the reason for that is because it’s kind of still a place where you can communicate. You basically can send an e-mail to anybody in the world and authentication is quite weak, right? You don’t you know, you can create anybody. You know, I can just go ahead and create a Gmail account or Outlook account and send an email to basically anybody in the world. And, you know, by and large, that “implies” a decent chance of actually getting, you know, arriving to that person. And so that just opens up, you know, a lot of possibilities for attackers to try and target the system.
NEIL SHAH [00:10:49] In going off of kind of what Asaf was saying with these Cloud applications. There needs to be some level of general level of sophistication needed to kind of access these that these applications and actually be able to know kind of manoeuvre where the data is located, for example. Well, in the email, everything is very well contained and you have access to the contact lists. You have access to the inbox. You can even set up an email outside and have reasonable emails being forwarded. That’s something that we’ve actually seen in some of our work and even previous work. So it’s it basically gives an attacker kind of being able to kind of access information in one collective place versus having data scattered around in other applications.
DARSHNA KAMANI [00:11:36] Domain emails is definitely is such an important part of everyone’s life and business and personal so you can see why it’s so attractive to attackers. So you’ve mentioned the report. Let’s delve in a bit more into detail and stuff. And now you and your teams collaborated to study the internal lifecycle of a compromised accounts. You examined 859 applies to cars that spanned 111 organisations. You’ve got to have an account taken by a can happen. How long attackers have access to the compromised account and how tech has used the information from these accounts? So that’s a high level report goes into. Can you tell us what some of the key findings are that you guys found interesting from the research?
ASAF CIDON [00:12:19] Sure. So, of course, you know Neil “chime in” as well. For me, the kind of maybe the most interesting takeaway, and this is something we’ve suspected for a long time, but we’ve never had real hard evidence for, is the amount of time that these can pick. I daresay even I wouldn’t call them a task. I’d call them campaigns. So the amount of time that these campaigns take is can be truly high. So in the report we… so I just wanted to give a little bit of context, actually. These attacks are quite difficult to characterise because the attacker is kind of stealing the credentials of an employee, but it actually co-exists with that employee in the same account. So it’s very hard to actually tell, you know, which actions taken on this e-mail account were taken by the legitimate users and which were taken by the attacker. And this is also why these attacks are so confounding to you know I.T. and security teams, because they don’t necessarily know whether the account is a particular kind of compromised at a given time. So, you know, a lot of the work here was to painstakingly go through the data and actually determine when did the attack start, when it did end, or at least our best guess when it ended. And it turns out that, yes, in some of these campaigns, the attackers, once they get initial access to the account, they sit in for weeks and even months on end on a particular enterprise account. I’m kind of biding their time, infiltrating multiple accounts with multiple users within that organisation. And then, you know, collecting reconnaissance and launching additional attacks. So the sad truth is that for, you know, a lot a lot of I.T. and security teams, this is it isn’t a you know, a type of attack where you just stop, you know one and play got infected and you’re done. And it’s very likely that you know, that either, you know, that attack has spread throughout the organisation and may reside for weeks and months on end.
And so I think, you know, people need to be really aware of that. It’s kind of like an infection not to put too much into COVID 19 examples here, but it’s similar, right? Once an infection takes root in a kind of close environment, it is very hard to kind of deal with.
NEIL SHAH [00:14:44] And I think as we were kind of going through our findings and for example, this is one of our one of the biggest ones that Asaf mentioned. We also kind of saw the importance of kind of having a detector. If you have, like a non real-time detector that flags after the initial compromise, the importance of having continuous monitoring of attack activity, because as I was mentioning, attackers are active in these accounts for long periods of time. So having a detector that can continuously monitor over a longer time horizon can prevent significant damage. It’s something that we saw. And I think one more thing that I thought that was interesting was that we actually had access to kind of a third party data breach alert provider, and we saw that 20% of the accounts were actually compromised by an online password data breach. So I thought that was interesting because you have the potential problem of password reuse, right? Between personal and email accounts. And these are the accounts that are being compromised via this data breach wouldn’t be detected immediately. Right? So having kind of a detector that’s able to fly over continuous amounts of time is really useful, I think, for this purpose especially.
STEPHANIE CAVIGLIANO [00:16:00] That’s a great point. If they have if the hackers have your actual credentials, what’s to stop them from using them to log into your account? That’s kind of scary. You know, I have to say, I’m talking to my mom yesterday and she said I just had an e-mail from a bank I don’t think with. Asking me to reset my password. And I said, Mom, don’t click the link. Right. That’s a spearphishing attack thing, it’s just it’s rampant and it can and it can affect anybody from personal accounts to business accounts. So some really interesting findings and especially interesting that attackers who compromised an account, they access the account and they may not act for days or even weeks at a time. They may just wait until the perfect time. Is that right, guys?
NEIL SHAH [00:16:46] Yeah, it’s a challenging right to detect attack activities, you might have an attacker. That’s been an account for a long period of time and you don’t seem much kind of suspicious activity until a certain point in time. So.
NEIL SHAH [00:16:59] I mean, when you think about it. Right. The amount of money an attacker can extract from us, you know, from a successful campaign like this is, you know, easily in the tens of thousands, you know, up to millions of dollars. So they’re willing to wait. Right. You know, so they’re willing to be strategic about it. Yeah. As we mentioned, in the beginning of the conversation. Right. You know, this is this could even affect individuals who don’t even have to go to enterprises. So when you do go to enterprises, obviously, you know, there’s so many touch points, so many people that are involved with various business dealings transactions that, you know, just a very strategic kind of touch point. Like there’s a particular payment going out to a vendor. Right. If you send the right e-mail the right time, you can extract a lot of, you know, a lot of money out of the organisation. So attackers know that and they’re willing to be patient.
DARSHNA KAMANI [00:17:59] That’s what that graph was showing us, that was showing us the likelihood or frequency of attack based on the day of the week.
ASAF CIDON [00:18:07] Yeah. And that’s you know, that’s another kind of interesting thing, right? The attackers understand kind of… So they kind of understand marketing one to one. Right. I don’t know how many of the audience are familiar with this stuff. Right. But like, if you ever talk to, like, marketing people or salespeople, they’ll always tell you you don’t know. You never sell never sales e-mail on Sunday. Right. I think although it’s something I think maybe there’s some kind of people that would say because nobody else is sending it, I’ll send it. But in any case, you know, I think attackers are really following kind of best practises almost of like emails, sales and marketing. Right. So, yeah, they’ll you know, like when we looked at, like time of day, day of the week that these attacks occur, we really couldn’t. That is kind of a worthless signal, to be honest. Because attackers understand, you know, for example, if they’re attacking a particular organisation that’s based in a location. They’ll just time there. You know, the emails they send based on their working work hours, they’re not stupid. Right. So those kind of very obvious things are, you know, they won’t fall into those very obvious traps.
STEPHANIE CAVIGLIANO [00:19:10] So in this report, you also highlighted the new specialised economy that’s emerging around these types of attacks. So how does that work and why do you think that that’s developing?
NEIL SHAH [00:19:21] Yes, so we actually set out to once we kind of had an idea of how long the attackers were active in these compromised accounts, we set out to try to see what are the different attacker usage patterns that exist within these accounts. So we actually found kind of two segments for these accounts. So we saw that around 50% of the accounts attackers. There is a single attacker that seemed to be compromising his account. So we saw small durations of attacker activity and small time gaps between the attackers. So attackers probably compromised and uses the accountant, the same attacker for a short period of time. And another kind of on the opposite side of the spectrum. We saw that we had kind of some inclination that maybe there were multiple attackers and some of these accounts. So we kind of tried to understand, like, why are we seeing these large time gaps between attacker’s activity. So we would see large time windows between when an attacker first acts in the account and then when they continue to act. So we kind of wanted to understand, like, okay, is there some some way that there’s actually a multiple attackers at play where one attacker compromises the account while another kind of extracts value and uses the account? So we actually saw that in quite a fair amount of accounts. 31% of the accounts suggested signs of multiple attackers. So we kind of saw that by this by this finding that attackers are likely starting to specialise in their roles. So you have attackers that are kind of developing a skill set to compromise accounts. While attackers are developing a skill set to use the accounts, right? So likely that the ones that are compromising the accounts are then taking those accounts, turning it around and selling them or transferring credentials to other attackers. So it’s a good way for them to.
It’s a way for them to make money based on selling these credentials and then these other attackers that actually use the accounts, they are able to extract more value from them and maybe perform more lateral phishing attacks or any any type of other attack they want to.
DARSHNA KAMANI [00:21:27] And that’s not new, right? So having an attack is a different skill sets you’ve got. You mentioned specialised attackers and those that have more general skill sets. That’s not new need but seeing them work together, is that something that’s a new trend or is that something that we’ve seen in the past as well?
ASAF CIDON [00:21:44] We’ve seen this in the past as well. I mean, so there have been study, kind of interesting studies, you know, decade or two back done for up on this “fan” economy that showed that, you know, if you remember the old days of “spam way”, you get, you know, advertising for various pills that you can use and stuff like that. Right. So it was shown that the different actors that, you know, there’s the attackers that create the bot nets to send the spam and then there’s the attackers that actually and they kind of sell their infrastructure to the content attackers that create the craft, the emails. And so we’re seeing a very similar thing here. I mean, so it’s I guess it’s not unexpected. It’s just interesting because this is a relatively new type of threat. You know, that has existed for maybe a couple years and it is on the rise. So it’s just interesting to kind of see this economy emerge even within, you know, e-mail account take over.
NEIL SHAH [00:22:50] And it’s something that as I was mentioning, we kind of had an inclination at the beginning of our study like something that is definitely happening. So it was just kind of cool to see the that we would, we’d actually be able to like seen findings that would kind of confirm what we believed in the beginning with possible transfer of credentials in this longtime gaps.
STEPHANIE CAVIGLIANO [00:23:15] The press hinted at this earlier. You know, the payoff for these cyber criminals can be massive. So it’s well worth their time. Can you tell us a little bit more how they’re using these accounts once they do get it?
NEIL SHAH [00:23:31] Yes. So there’s many ways that we’ve seen in the attacker’s kind of use these accounts, so kind of one common ways they infiltrate one account. And because this is especially in an enterprise setting. Right. When they when they can compromise an employee account, they could potentially launch additional attacks against other users using this trusted identity. So they’ve compromised a legitimate employee account and they can launch additional attacks other ways. Right. Like we’ve seen, there’s a lot of sensitive enterprise emails within these accounts as well as sensitive data. So, for example, just simply like if people are going back to the Twitter hack, right. If people are transferring credentials across emails, which hopefully they aren’t. But if that’s going on, then it’s a way for attackers to kind of leverage in and get into more accounts and credentials. Right. So those are kind of two common ways that I think are leveraged by attackers. I don’t know if Asaf has any other.
ASAF CIDON [00:24:32] Yeah, and I think that reconnaissance and, you know, actually using the e-mail account to launch other attacks is a very common.
DARSHNA KAMANI [00:24:43] So now you mention of Twitter and you know sharing of account details. So what are the other ways the attacks are getting in? And then Stephanie briefly mentioned that they’re staying in the accounts for a long time. How long are they staying in? And why did they wait?
NEIL SHAH [00:25:03] Yes. So I think the kind of the common ways that attackers are getting into accounts is through phishing, right? We all experience kind of those, as you guys are mentioning, kind of those same type of emails where they ask you to go into your credentials. So that’s the most common way. But we’ve also seen right with as we mentioned, with kind of the data breaches that we saw were accounts and passwords were being leaked and shared between personal e-mail accounts. So think those are the two kind of common ways that we’ve seen attackers get into accounts. And with respect to, like, why they wait. I think the primary reason is, I mean, one reason why that attack attackers, we could possibly like that they’re trying to kind of evade detection. So if they’re acting very continuously like some attackers, they do act continuously. Their goal is to quickly attack an account and then kind of stop using the account. But attackers is a wait and kind of blend in with the regular traffic. And that’s then something else that we saw as the attackers do tend to blend in with traffic. So they use and have proxy services and have ways to blend in with IP addresses, for example. So that’s one way where attackers are starting to kind of get more sophisticated in terms of evading detection. And it’s something that we’ve seen in previous work. And that’s one reason why they can spend a long time in accounts.
ASAF CIDON [00:26:31] Now, we’ve seen on the more sophisticated side of things, there’s this type of a type, what we call conversation hijacking, where the attacker. So again, if you have imagined you have some type of actual like impending, for example, financial transaction that’s about to take place in the organisation. So the attackers actually will use the compromised account just for reconnaissance. So they’ll just observe, kind of wait and then see this obviously trying to observe accounts, e-mail users that are likely to engage in such a transaction. And then once that transaction is about to take place, perhaps they will then send actually an e-mail. Not necessarily even from a compromised account, maybe from a third party or impersonating a third party, like a vendor, for example, that the company needs to pay and then kind of inject themselves into an existing actually conversation, let’s say, kind of into a reply chain without the person in the infected organisation noticing and kind of and asking, for example, that the money be sent elsewhere. So, you know, reconnaissance gives you a lot. Right. Like it. Because it gives you all this context. And then, you know, even just in the right context, it’s like there’s an impending transaction and there’s a sense of urgency. And the person that’s doing it needs to get it done. Let’s say by a certain deadline. Right. And that’s kind of a perfect storm for these attackers to just inject themselves in. And with just a single email to kind of get like a bunch of money wired somewhere that they need to. So a lot of you know, I think a lot of the work that they do is reconnaissance on these accounts.
STEPHANIE CAVIGLIANO [00:28:20] Can you guys help us just kind of quickly understand how exactly the hackers are covering their tracks? You sort of hinted at there’s a little bit, but what techniques are they using to make sure that they go undetected?
ASAF CIDON [00:28:34] Yes. So I think as Asaf was mentioning in previous work, they actually found that attackers are primarily accessing accounts and sending e-mails during normal business hours. Right. And during times that are kind of working hours. That’s one way that they’ve seen, we’ve seen that they’ve tried to evade detection, right, during using these accounts at kind of normal hours that are expected by the user. Another thing we’ve seen is that attackers have tried to kind of blend in with the traffic. So kind of a good proportion of our accounts, we saw that actually attackers are using kind of proxies and IP addresses from the same kind of locations as the true user. So trying to blend in, trying to evade kind of detection schemes that operate on more anomaly detection techniques. So how suspicious is this location? Well, if they’re coming from a location that’s very similar to kind of the true user of the account, then it’s going to be hard to kind of track down the attacker there. So those are kind of two main things that we’ve seen.
ASAF CIDON [00:29:42] Yeah, there are other steps attackers take to hide their presence, they will actually proactively delete e-mails that might indicate that they’re in the accounts. Or, for example, if they send an email from the infected account, they might delete their reply to that e-mail or they might delete that e-mail that they sent from the sent items folder. And then another thing they might do is if the e-mail system, for example, generated a security alert. Hey, you know, there’s a new log in from, you know, from your location. Those types of e-mail, they’ll also obviously want to delete because they don’t want the user to be alerted to their presence. Other steps interesting things they do. We do see them sometimes mess around with what are called inbox forwarding rules. So I don’t know how many of you are familiar with that. But, you know, like, for example, in Outlook, you can set these special rules that say, like if a particular e-mail comes from a particular place and then this, you know, here or there. So they might set up a rule either to hide their tracks or to exfiltrate data outside of the account. So, yeah, they are you know very proactive in terms of trying to make sure that their access to the end of the day, that they want to preserve access to this account. And they don’t, you know, so it’s an asset for them. Right. So, yeah, they’re quite proactive in that.
DARSHNA KAMANI [00:31:04] So, I mean, to me, they seem to be attackers, doesn’t seem to be just trying to avoid detection, doing everything they can to stay in the accounts. So what kind of detection can organisations use to catch these kinds of compromises?
ASAF CIDON [00:31:22] “Dracon”. So there are kind of a few steps that are important. So still, you know, we based on our data. I mean, a lot of the attacks still initiated from a phishing email. Right. So the way that attacker. So the majority of ways that the majority of cases attackers infiltrate kind of do the initial infiltration via phishing e-mail that is trying to fish for credentials, for example. So obviously, having a system that can intelligently detect these kind of targeted phishing emails is obviously really important. Then, you know, even after so let’s say, you know, attackers, no e-mail security, no security system is hundred percent perfect. So assuming that, you know, someone in the organisation did get compromised. You want to also have this kind of what Niel was talking about post infiltration detection. Right. So you want to be able to have systems that look at IP log ins, for example, to see if there are any anomalies that look at these for e-mail forwarding rules, to see if there are any where changes and then to also, very importantly, monitor internal traffic, because a lot of traditional e-mail systems don’t look at any emails emanating from within the organisation or between employees. Now, they see in this case that traffic is crucial. And then finally, you need to have tools to kind of we call conduct forensics or invest, you know, post to… so let’s say you confirmed a particular employee was infected. You want to be able to remediate that. So you want to see one lock out off access to that account, of course. But then you also need to track all the e-mails that they may have sent. You want to automatically delete those. And then you want to follow up with those employees as well and see and kind of monitor them as well. 
So you kind of have to have systems that look at all kind of various steps along the path and but both the initial infection, but also kind of continuously monitor the accounts for infection, looking at across a variety of signals. Finally, I’ll just mention kind of two other kind of technologies that are really important in this. Right. So one is training, which is something, you know, it’s more on the human aspect. But, you know, a lot more and more organisations are setting up security awareness training programmes. But you really want to focus on these scenarios on account takeover. What happens if, you know, when you are simulating these campaigns, simulate a campaign from an internal employee? Similarly, a campaign that is very contextual. You know, like you’re kind of almost act as a red team. Right. So imagine what an attacker would do and you kind of try to simulate a campaign and really make sure employees are aware of that. And then the other technology that’s a kind of really important one is is multifactor authentication and strong password controls. I mean, so all of these attacks, you know, multifactor authentication doesn’t stop everything. And we’ve definitely seen examples of attackers be able to, for example, for a seamless authentication bypass that in various ways. But it does add one extra hurdle for the attackers to cross. So that’s another thing. You know, another technology that we definitely recommend for. For all organisations set up, for all their online systems and in particular email.
STEPHANIE CAVIGLIANO [00:35:02] So in this report, you also found that a significant number of attackers are only accessing email applications and not other cloud applications. Why do you think that is?
NEIL SHAH [00:35:13] So I think, going back to what we were talking about with understanding why attackers were compromising the accounts: email is the primary way that an attacker can really gain leverage and gain information on an account. It's all in one central location. You have the inbox, the contacts list. With these other cloud applications, an attacker would have to learn a little bit more about how to infiltrate those and navigate their way around. So especially for attackers who want to quickly access accounts and quickly gain extra value, email is a prime target.
ASAF CIDON [00:35:56] I'd just add to that. We saw some percentage of the attackers access other applications, for example SharePoint. If I had to make an off-the-cuff prediction, I think that over time we will see more attacks targeting other applications. I mean, the Twitter compromise that we mentioned, at least based on reporting, seemed to have originated in Slack, for example. So I really do think that in the future we will see more attacks coming through other systems. Chat seems like it would be a pretty obvious place, just because it's, again, a system that's become pretty ubiquitous and a lot of business-oriented information is exchanged there. So if I had to guess, that would be another prime target. But we'll see. At this point, email is probably the main vector, but that doesn't mean that in the future we won't see other vectors for attack.
DARSHNA KAMANI [00:37:02] And that makes total sense: they'll go where they can get the data, right. So we've talked about email being the main threat vector. We've talked about how often the attackers are in the accounts and then what they do there. Are these attacks automated? Or is this a manual process that they go through?
NEIL SHAH [00:37:24] Yes. So we saw signs of both. But primarily we saw signs of more manual work done on the part of the attackers, and there are a few reasons why an attacker might want to manually infiltrate the account. One, there needs to be, at some level, more sophistication for setting up an automated system. And two, there can be this idea of cheap labour: you can hire someone who can cheaply navigate their way through the account. So that's why manual infiltration of these accounts still exists. But we did see some signs of automation as well, primarily from the point of sending these phishing emails. So for an account, we would see automated phishing emails being sent, for example to 50 recipients every single minute. And this is clearly some sort of automation by some sort of bot or a computer. So I think it varies based on the attacker and how much time they want to invest, as well as how much money they want to spend. But primarily, we did see mainly manual ways to attack these accounts.
ASAF CIDON [00:38:45] I just have a little important point here. We've talked a lot about sophisticated attacks, but still, a lot of the attackers aren't sophisticated. There's a whole spectrum. Again, at the high end, you're seeing attackers that leverage these compromised accounts to do conversation hijacking and these super-contextualised attacks. But then on the low end, it's probably someone who has just read some online blog on how to do this thing, and they just copy a template that maybe someone posted on the dark web or on some attacker forum, and they copy-paste it and use it over and over again. So probably some good percentage of these attackers don't even have the technical capability to automate the attacks, while some of them are quite sophisticated. So there's just a whole spectrum.
STEPHANIE CAVIGLIANO [00:39:47] In the research, you also pointed out that 93% of compromised accounts were actually not used to send phishing attacks. So why should organisations care if their account has been compromised?
ASAF CIDON [00:39:59] Yes, so, again, reconnaissance is worth a lot in this world. That demonstrates the value that these attackers are actually placing on reconnaissance and patience. The study covered a particular timespan for these accounts, from time x to time y, and we looked at how different accounts evolved during that time. But keep in mind that, uninterrupted, we would guess that a hundred percent of these accounts would eventually have experienced a real attack from these compromised accounts. So these attackers are just biding their time and waiting for the right moment. So better catch them before that right moment occurs, rather than after your organisation has accidentally wired a million pounds, like in the case of these Premier League clubs. Better catch it when you're infected, but before the harm is done.
DARSHNA KAMANI [00:41:09] Okay, well, thank you. And we are unfortunately getting to the end of the show, which is a shame. I really enjoyed this conversation with you. But before we let you go, one final question: one piece of advice or one final thought around the report, or on how organisations can keep themselves protected. Anything you want to end the show with?
ASAF CIDON [00:41:31] I was just going to say, you really want to think about this holistically. Again, intelligent, maybe AI-driven, email security and continuous detection is obviously very important. But you need to also think about your people, a human firewall, and make them aware of these attacks, especially in departments that deal with financial transactions or healthcare or other sensitive departments. And then finally, think about how your passwords and credentials are managed. Each one of these on its own is probably not good enough. You really want to have a holistic strategy for these types of attacks.
NEIL SHAH [00:42:17] Asaf took the words out of my mouth, but...
ASAF CIDON [00:42:19] I knew. I read your thoughts. That's why...
NEIL SHAH [00:42:23] Yeah. One system is not going to be perfect. So having this kind of defence-in-depth system, where you have the detector, but you also have security training for employees and best practices, that's the best way to go.
STEPHANIE CAVIGLIANO [00:42:43] Security at every step, right? Indeed. Well, thank you, Neil, thank you, Asaf. Thanks so much for joining us today. It's been an absolute pleasure and we've learned so much. So thank you.
ASAF CIDON [00:42:54] Thank you.
NEIL SHAH [00:42:55] Thank you for having us.
DARSHNA KAMANI [00:42:58] Thank you. Some really interesting insights, maybe even a bit of a reality check on how you respond to emails and how you look after your passwords. This really brings it all to life. So if you want to delve even deeper into the report, you can download it at barracuda.com or register for the webinar, which is being held on the 12th of August. Details are in the comments below.
STEPHANIE CAVIGLIANO [00:43:23] Also, don't forget to follow Barracuda on LinkedIn to see our previous shows, as well as to find out what's coming up next on Below the Surface. Until next time. Have a safe journey.