Site icon Easy Prey Podcast

Preventing Email Attacks with Kiri Addison

Easy Prey
“Email is still the number one attack vector and always evolving.” - Kiri Addison Click To Tweet

Phishing emails are constantly evolving to take advantage of current trends, news, and holidays. Typically poor grammar or the time an email was sent could help you identify if it is authentic. But with AI, these obvious signs may soon disappear.

Today’s guest is Kiri Addison. Kiri is the Detection and Efficacy Product Manager at Mimecast, working on security products to defend against new and evolving threats. Previously she was head of data science for threat intelligence and has worked in the public sector creating systems to detect and prevent cyber attacks and fraud. 

“70% of phishing emails are opened by end users. End users know the basics on what to look for but they don’t necessarily know the latest threat.” - Kiri Addison Click To Tweet

Show Notes:

“It’s not just volume that is increasing, it is some of the techniques and social engineering that are changing.” - Kiri Addison Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Kiri, thank you so much for coming on the Easy Prey Podcast today.

Thanks, Chris. Great to be here.

Can you give myself and the listeners a little bit of background about who you are and what you do?

Sure. My name is Kiri Addison. I'm a product manager at Mimecast, which is a cybersecurity company focused very much on email security. There, I work very closely with our researchers, with our engineers, building and developing products to keep up with the ever-changing threat landscape and make sure customers are protected from malicious emails.

Awesome. Is there something that got you interested in that field? Or was it just the natural course of your career?

I've always been very much interested in technology from a very young age. I have more of an academic background in the sciences. I suppose I really fell into cybersecurity quite a bit of luck, really.

Once I'd finished my studies, I knew I wanted to get out of the academic world, into the real world. I was lucky enough to find a job working for the UK Government as a tax fraud and risk analyst there. I really loved that kind of work. From there, it was the natural progression into cybersecurity.

That's great. One of the questions that I ask many of my guests is have you ever been a victim of a cybersecurity incident, scam, or fraud?

I don't think I have. Maybe I'll make myself a bit of a target by saying that. I don't remember ever being so, but I certainly know people very close to me and my family who have.

I've often heard it said that either you know you're a victim of a cybersecurity incident or you didn't realize it, but one of the two.

Being the cybersecurity person in the family, I always feel a bit of responsibility.

Yeah, I'm the same way. Let's talk about the trends that you're seeing in email security and cybersecurity. Specifically, I think one of the interesting things is how criminals are just constantly evolving with the latest news, with the latest tech. But what is it that you guys are seeing?

Email, obviously, is still the number one attack vector and ever increasing. -Kiri Addison Click To Tweet

Email, obviously, is still the number one attack vector and ever increasing. Like you say, criminals are always finding new things to exploit, new techniques, particularly based on what's going on in the world around us, particular events. One thing that is dying off, thankfully, is the COVID emails. We saw a lot of these for a long time. They are thankfully dropping off. Really, it's anything that's going on.

Just earlier today, I was looking at some samples that have come through. I saw an Easter-themed Amazon scam. They'll jump on anything.

How quickly do they implement newsworthy things in the scams? Is it days, weeks, months, hours?

It varies, but it can be very, very quick because some events like Easter or Christmas, there's a big lead up to it. Particularly, with things like Christmas, it feels like it's going on forever. But some things, they happen there and then. You're not expecting it. They jump in on that as quickly as they can before people forget about it, and it becomes irrelevant.

I've sometimes been surprised at the speed of like, I just saw that on the news yesterday and it's already in a scam email. I'm like, wow. I wonder if in the scammer offices, there is a person who's dedicated to just reading the news every day and looking for breaking news to say, “Hey, that's our vector for today.”

Yeah, and [inaudible 00:04:46] their intelligence division.

I guess there are two questions. Is the technology getting better at preventing the phishing scam and these types of emails from getting into the inboxes? Are users getting any better about not falling for them?

That's an interesting question. Yes. Overall, we can say technology is improving. I think there's good coverage against basic attacks and techniques. We still recommend layering up your defenses when it comes to email security just because things evolve so quickly. You're going to have your basic email provider, and then sticking up a security solution on top to cover the emerging new threats.

In terms of end users, I think we see that 70% of phishing emails are still opened by end users. -Kiri Addison Click To Tweet

It's definitely something that's constantly changing. In terms of end users, I think we see that 70% of phishing emails are still opened by end users. We're not saying that necessarily they’re interacting, giving away their credentials, but there are still some improvements and ways to go there.

I think as well, it comes down to awareness training so that end users know the basics. Look out for poor spelling and stuff like that, but they don't necessarily know what's the latest threat. If someone's seen something on the news, like you were saying, and they send out any phishing email based on that, they're probably not thinking I need to be aware of what's going on currently when I'm thinking about phishing emails as well.

Is there a mindset that, “Oh, my email provider, my ISP, my company, has done the most excellent job on the planet, and there's no way that a phishing email could possibly get into my inbox, therefore any email must be legitimate”? Is there a bit of that going around?

Yeah, potentially. There is a lot. We've seen ourselves with awareness training, end users who have regular awareness training, and know that these things do get through. And if they can get through, we want to know about it. It improves click rates on malicious links. End users who have regular awareness training are five times less likely to click on malicious links.

End users who have regular awareness training are five times less likely to click on malicious links. -Kiri Addison Click To Tweet

That's a significant impact with that training. Was there any research done on how frequently that training needs to be done to maintain that level of awareness?

Yeah, that's an interesting question. When we were looking at those stats, the training was done at least quarterly, perhaps more. It can't just be something you do once a year to tick a box. You have to keep on top of it.

It's good that there's at least a quarter's worth of retention in people's minds. I think about what I do, and I wonder, “Would I have that much retention several months out?”

Yeah, exactly.

Is it getting more complicated with ChatGPT addressing some of the grammar issues? Do you think it's getting more difficult for threat intelligence?

I do wonder with ChatGPT if we're going to have to change our advice to people. Instead of looking out for spelling mistakes, look out for grammar that's too good to have come from a human instead. There's obviously been a lot of talk around how it's going to revolutionize phishing.

I can't say that I've seen a load of phishing emails created by ChatGPT, but then it's very hard to say if they have been or not. I think we're still in the early stages of really seeing actually, what is the impact? Is it just hype or is it real?

Yeah. Let's switch from the end user perspective to the corporate side. I know we've had people from Amazon on and they talk about everything that they're doing to educate their customers and trying to communicate. I own my own small business. Let's say we're talking to someone who wants a business. What sort of thing should they be doing both to protect their outbound email and protect their inbound email to their staff?

Inbound, there are a lot of technical controls that you can put in place: email security scanning capabilities, and that needs to, obviously, also cover malicious attachments or potentially malicious attachments and scanning of links as well that can be clicked on. That's a big thing to cover inbound. Internally, you've got your end user awareness training. Making sure that your users are aware of the impact that they can have by clicking or opening a malicious attachment.

Like I said, I tried to think about telling them about what potential impact it could have on their personal lives. In a lot of the advice and training, we say don't re-use your personal passwords because they can be used to get into your work account. Don't use your work passwords because they could be used to get into your personal accounts. Maybe that might help get the message through to people to make it a bit more personal.

Definitely, awareness training is vital there. You mentioned outbound email as well. Again, technical email inspection, email security scanning, applying exactly the same controls as you would on the inbound to the outbound as well.

I know there are a number of protocols. One of the things we've talked about on the podcast in the past is that the internet was never designed from a security perspective, at least not initially. Handling of email was never designed with security in mind. It was always this implicit trust of, “I claim that I'm from this educational institution, and this email is from this email account at this institution. Here you go.”

When it was educational institution to educational institution, that worked, and I don't think anyone really thought of, “Well, gosh. We really need to authenticate who's giving us email.” How has that hodgepodge of security protocols and authentication protocols actually helped?

They definitely do help if you're thinking about how you can protect your brand from being impersonated with spoof, but it's a case of implementing them and implementing them correctly. See, you've got the SPF, which is all about validating who was allowed to send on your behalf. You've got the DKIM, which is about ensuring that your message comes from who claims it comes from, and then you've got the DMARC protocol, which combines both of those pieces. It uses the best of those together.

DMARC works. It's something that you can do to understand who might be trying to spoof your brand and send it on your behalf, but it can be a very tricky thing to set up and get it working smoothly, and it can take a long time. Small businesses, it may be something that you would require help to do, but definitely it’s worth doing it. If everyone did it, then we'd all help each other out.

Is that one of the challenges, because there are so many different authentication methodologies out there, they're potentially really messy to implement, and if you're not careful, they're like, “Oh, I've now started to use MailChimp to send on my behalf, and I forget to update these things. Gosh, none of my newsletters are getting to my people?” Has that made email security in general more difficult?

Yeah, definitely. You need to have a certain level of understanding of how this could potentially go wrong and impact you to be able to get on it quickly and resolve the issues. I also think sometimes people are looking at compliance. It's just a tick box to say, “You have DMARC.” You're not really enforcing it. You're using it, and that's just enough.

I historically have gotten emails from “security researchers.” It's always phrased this way: “Your website is vulnerable because you don't have DMARC enabled. Your website is not secure because of DMARC.” I'm like, “No, those are different things.”

It's funny because on some of these platforms, there's ways to implement them such that they're technically implemented, but they're not actually doing anything. We've got these flags, and all these things are in this test mode.

Yeah, it just got set and forgotten.

Are there things that companies should be doing? Let me ask your position on this. Companies that force their employees to change their passwords on a semi-frequent basis—either monthly, quarterly, or annually—do you see that as a good practice to prevent employee emails from being hacked?

I think it's better to encourage people to not reuse their passwords and create strong passwords the first time you use password managers. If you force someone to change their password constantly, they're probably just going to add 1, 2, or 3 at the end. I don't think it's the most effective method.

I think it's better to encourage people to not reuse their passwords and create strong passwords the first time you use password managers. If you force someone to change their password constantly, they're probably just going to add… Click To Tweet

From working in IT, I've realized that that was the most common thing that people do. They just reuse the same password and added one, added two, or added the year at the end of the password. “Hey, this is my compromised password for this year.” Are you seeing more companies utilizing 2FA, whether it's SMS or authenticator apps for their employee emails? I'm thinking in terms of keeping employee emails from being used to either scam other employees or scam customers, that sort of thing.

Yeah, we're definitely seeing an increase in that being used, which is good. I think, generally, people are getting the message. Multi-factor authentication is a good thing to do. I've heard it. It's more region-dependent, though. We have a lot of people in the UK and US doing it, but not so much in other regions.

Got you. I guess on the flip side of it, what would you recommend for end users to do both to protect inbound and outbound?

Be suspicious. Take a bit of time. Don't feel pressured. I think the number one thing that attackers are doing at the moment, particularly with your business email compromised attacks is using social engineering. Trying to put some pressure on you, making something sound urgent.

You may impersonate a senior person within the organization. A typical thing is to say, “Oh, can you help me with these urgent tasks? I really need your help quickly.” That's to start a conversation with them, maybe, to try and get them to switch communication channels. If you think something's off, just pause. Don't be pressured and report it.

It's always those urgency from someone that has a level of authority, whether they're our boss, whether they're law enforcement, whether they're government, and some emotional element of, “If this does happen quickly, something good will happen, and if this doesn't happen, something bad will happen.”

Yeah, exactly.

It's unfortunate because those are also techniques that are used in general marketing to a lesser extent. Just because there's urgency, doesn't necessarily mean that it's a scam, but it's a good indicator.

Yeah, not necessarily. I guess it comes down to, what's the potential impact of this? Are they asking me to make a huge wire transfer or send them some information, which is potentially sensitive?

I've never seen a company that I've worked for, but I've seen those alerts at the top or the bottom of the email saying, “Hey, this email came in from someone outside of the company.” I assume the intent is to either get people aware of this really isn't a person inside of the company, but it's just to help prevent impersonation or someone who used an email address that looks similar to the boss's email address. Using their name, so it catches that and alerts the person that they're outside.

Yeah, exactly. It's just there to give you a bit of a flag and make the person think, “OK, this person may not be exactly who I think they are.”

It makes me wonder if that helps the success rate where the boss's email actually was compromised.

This is another issue that we're having. We're seeing more and more use of actually compromised accounts. It just makes it even harder for the end user to figure out that this is an attack and not a genuine request from that user.

Are there things that can be done on a technical level to know whether it's the boss sending the email or it's been compromised? I'm just thinking outside of the normal scope of operation here.

First, you can look for abnormal communication patterns. Would this person normally communicate with this person? Is this a genuine compromised account or not? What's the abnormal volume of requests being made? Is it coming from a location that this person would usually be in, or the time this person would normally be sending, is it a device that someone would normally be using? Those anomalies can be used to detect something like that.

I know I just recently got what appeared to be a message from a social media account from a friend of mine. It came in at what would have been 1:00 AM their time. I'm like, “This friend of mine never communicates with me on social media,” which was a dead giveaway. I know they're not up at 1:00 AM asking me how my day was. That's just out of character for them. I fired off an email saying, “Hey, either your accounts have been compromised or it's a cloned account. You better do something.”

Yeah, and checking with the actual person. That's one of the best things you can do.

I suppose that applies particularly for family members if you get an email that appears to be from a family member saying, “Hey, I'm traveling and I lost my passport. Can you wire me some money? I'm stuck overseas.”

Yeah, one of my friends recently was actually fooled by a scam like that. One of their friends' accounts was compromised. She received an email saying, “Oh, my daughter's in trouble. I need to send her some money, but I can't do it. I don't know how to use Apple gift cards. Can you do it for me and send me the voucher codes?”

Unfortunately, she did. Actually, she fell for the scam. But luckily, the voucher codes weren't used by the time she reported it to Apple. She managed to get her money back.

That's pretty good that she was able to. She was very lucky that they hadn't claimed the voucher codes quickly. I think that's particularly insidious. We can do things to be cautious of emails that are coming from random email addresses, but as soon as it comes from a family member's account, names us by name, it starts to get a little bit more difficult to catch those things that are just off.

Yeah, especially when you've got that psychological and emotional element to it manipulating you.

Most of what you provide is for corporate platforms, correct?

Yes.

You may have visibility. Do you see many of those personal types of attacks on corporate accounts?

A little bit, but there is definitely a difference between the stuff that you see in our own personal inboxes and what we see coming through, but you do see a bit of overlap, particularly with the extortion type ones. They hack into your computer and see you do something dodgy over your webcam. “Send me some bitcoin or I'm going to release the video.” Those ones, you do see quite a lot. I suppose there's that level of potential embarrassment there for people that they don't want to have at work.

You talked earlier about email continuing to be the number one threat vector. Is it just increasing? I hear news stories about, “Oh, spam volumes are up; spam volumes are down,” depending on the news organization and the way the wind is blowing. You seem to get different answers. Are you seeing just the overall volume going up?

I wouldn't say it's just the volume. It's some of the techniques as well and the social engineering aspects, which are changing. In particular, we're seeing a lot of abuse of file sharing sites to host malicious content. You'll typically get a link in an email that might take you to SharePoint, for example, which is fine. You're not going to block access to SharePoint. But within that site, there'll be a link that takes you to another phishing page that's designed to harvest your credentials.

For that one, it might even be a further link saying, combining legitimate sites that end users are used to using in their everyday lives, coming from compromised accounts, and then these multistage attacks. Scammers are further and further away from the actual malicious payload to make it harder for your technical controls to detect what's going on.

Scammers are further and further away from the actual malicious payload to make it harder for your technical controls to detect what's going on. - Kiri Addison Click To Tweet

I've definitely gotten waves of those. “So and so has shared this document with you.” I'm like, “I don't know who you are. I don't know what that document service is. I'm not clicking on that.”

In the corporate environment, if I'm not using SharePoint, it's never a thought to me that someone internal in my company is sending me a SharePoint link. It's not going to happen. Although if someone has sent me a Dropbox link or a Box link, maybe that might be a little bit more effective in my organization.

Definitely. We do see attackers putting effort into obviously researching supply chain users using the logo of the company you're working with. They will, in certain cases, make it as convincing as possible.

Are there any other trends that you're seeing?

Automation of the first stage that they see attacks. Sending out that initial, “Hi, can you help me with a task email?” We used to see that coming from certain actors, criminal groups based in Africa, and that would all be done manually. They'd have teams of people that do that. But more recently, we've seen that first stage being automated, which means they can just send out loads of them and wait for the responses to come in.

How they can do this really is by using compromised office credentials, which they can now very easily get their hands on. They don't have to use one account to send out thousands of emails. They have thousands of accounts, and they can send out a few emails from each one, which means that those compromised accounts don't necessarily get recognized and blocked. That's made a big difference. We've seen exploits in those.

Are there other trends that are interesting, humorous, or unlikely that you've seen happen?

I think the interesting one for me, and we touched on this already, is the ChatGPT and how that may be used. Like I said, it is very hard for us to say whether we received any phishing emails created using this or not. We've been thinking about how we would detect this. We started trying to look at AI text generation detectors. What we found is that they have shelf tools. They have questionable accuracy at the best of times. But even when they do detect it, you can change a word or other spelling mistake, and they recognize it as human rather than AI-generated.

It's interesting to see if that technology will get better. In the meantime, what we're doing is we're creating our own phishing emails using ChatGPT or GPT-3 and adding that to our training set for our machine-learning models, and we can take those into account in that way rather than specifically trying to say this is AI-generated text.

I played around with a number of those ChatGPT detection tools. I would say that most of them would respond back with something like, “This is 80% likely to be ChatGPT-generated” on something that I generated 30 seconds before I plugged it into their tool. Either I'm a robot and I don't know it or these tools just are not very sophisticated yet, or maybe they're just a total scam. I don't know.

Yeah, they're not the best yet.

Not the detection tools, but as generative AI iterates or becomes better, do you see that it’s becoming more and more complicated to protect users against those types of platforms, or not from the platforms, but by things generated by the platforms?

Actually, I am. Again, a lot of it is still going to come down to awareness training of users. You can generate the best content around, but you still have to send it, and there are lots of tells from the actual delivery of the email. I don't think it's going to be like the end of the world. Certainly not.

It doesn't matter how well written the email that I get from Wells Fargo is because I don't use Wells Fargo.

Yeah, exactly.

And those practices of, even if I got an email from my bank, I'm not clicking on anything at it because I'm paranoid when it comes to financial institutions.

Even if it's very well written, I don't click on links. I go directly to the sites.

There's one gentleman that I was interviewing. His position was, “I have a separate computer that does not have email on it that I use for all my financial transactions. It's only turned on and only used for financial transactions. I never do financial transactions on any other device that I have, just so I know I'm not clicking on a link, I'm not going to a fake website, or that I'm being extremely paranoid about it.”

I'm not that paranoid, but I'm definitely not clicking on links. In some sense, I'm still surprised that that email is still a valid vector in terms of phishing and getting people to click on links, given so much news coverage and so much training that it's still the issue that it is.

I think it all comes down to psychology, really, in the manipulation.

Yup. Are there any particular resources that Mimecast has available if people want to learn about what's going on in the state of email security?

Yes. We've recently released our State of Email Security research report. You can find that on our website. We also have a blog section there along with a lot more information, so I'd recommend checking that out.

We'll definitely link to that in the show notes. I know that even if we're not going through corporate trainings on what the latest stuff is, it's really important to at least be tangentially aware of what's going on in terms of email security, what the latest scams are, and the latest techniques. Even if we're not seeing them, it's just best to have that in the back of our head when we have those emails coming in that are suspicious. 

Kiri, if people want to find you and Mimecast online, where can they find you guys?

You can find Mimecast at mimecast.com. It's very easy.

And social media as well?

Yeah, I'm on LinkedIn. We've got Twitter.

Great. Kiri, thank you so much for coming on the Easy Prey Podcast today.

Thanks for having me, Chris.

Exit mobile version