News, news analysis, and commentary on the latest trends in cybersecurity technology.

Fighting Supply Chain Email Attacks With AI

Supply chain account takeover is the most pressing issue facing email security today, but artificial intelligence can head off such attempts.

Tony Jarvis, Director of Enterprise Security, Asia Pacific and Japan, Darktrace

January 26, 2022

4 Min Read
Illustration of metal gears stamped with business terms like Supply Chain Management, Logistics, and Network
Source: EtiAmmos via Adobe Stock

Email is the lifeblood of most organizations, so it's no surprise that email attacks consistently rank among the top concerns CISOs face. Up to 94% of phishing attacks are delivered via email, with attackers still favoring this essential business tool as their preferred method of gaining access to victims' networks. According to the FBI's 2020 Internet Crime Report, business email attacks, which include both spear-phishing and whaling, accounted for $1.8 billion in losses.

The SolarWinds Orion breach, the Kaseya attack, and most recently the Log4j vulnerability all underscore the devastating consequences of successful supply chain attacks. Vendor email compromise, which refers to the account takeovers of parties who regularly communicate with an organization, is one of the most serious email-based threats today. These third parties often have weaker security than the intended victim and, once compromised, allow attackers to leverage that trusted relationship in order to compromise the target environment. Such threats require advanced protection techniques, such as artificial intelligence (AI).

Traditional Defenses Are Not Enough
Email has long been an attractive target for attackers; thus, most organizations have at least some level of protection in place. Nevertheless, malicious emails are still making their way past these defenses and arriving in users' inboxes. From there, they often entice the victim into opening an attachment or a link, setting off a chain of events that ultimately results in the device being compromised.

Legacy email protections focus on detecting indicators that are known to be malicious. For example, the email may originate from a suspicious domain, contain a link to a harmful website, or include an attachment with a signature that matches that of known malware. These techniques cannot protect against email threats sent by trusted parties or messages containing links or attachments that have not been seen before.

Imagine for a moment a multinational organization with not only thousands of email users, but a considerable number of partners with which they regularly communicate. Such a scenario provides attackers with multiple angles of attack, as any of these partners could potentially be used as an entry point into the desired victim's network.

However, if an AI system can develop an understanding of what constitutes expected behavior across email communications, it can neutralize any deviations that indicate a threat. Previous correspondence can be leveraged to build an understanding of whether the sender has communicated with the organization before, whether the domain is recognized, and whether the organization has a valid business relationship with that domain. AI can analyze the frequency of communications and even the type of language used within the emails in order to spot suspicious activity indicative of a threat.

AI Sees What Others Miss
Should a partner's email account be compromised, the AI system's understanding of "normal" will play a pivotal role in protecting the enterprise. AI will evaluate any links sent from this account, and if those links point to a domain that none of the internal hosts has ever accessed, then this can be considered unusual. Another indicator of threat may be if the link itself is hidden from the user within the body of the email.

From hundreds of data points, today's AI systems will piece together these subtle signals of threat to determine the most appropriate response — the least aggressive action necessary to contain the threat, without disrupting business operations and hampering productivity.

Attackers often attempt to bypass legacy security tools by sending links to reputable websites that legacy reputation checks alone will not detect. Not only does the AI-powered approach described here correctly identify that such links are anomalous, but it performs further analysis of the language within the email to confirm that the user is being induced into clicking. Rather than taking a heavy-handed approach of simply blocking all emails from this sender, the AI system can allow legitimate emails through.

AI Responds to Evolving Threats
Attackers know and exploit the limitations of traditional protections. AI can pinpoint and respond to deviations from normal patterns of activity, while allowing regular business operations to continue uninterrupted. Such tools can correlate the natural language used within emails with other indicators to determine whether potentially malicious activity is present. This allows an organization to catch attacks that would have gone unnoticed if it simply relied on a domain's reputation or a file's signature.

Email remains a favorite attack vector for cybercriminals because it continues to yield results. Existing defenses can be bypassed with relative ease, and compromised accounts of trusted third parties in an organization's supply chain account for a growing number of cases. By using AI, each email will appear within the context of the organization's established activities, so anything that doesn't belong has nowhere to hide.

About the Author(s)

Tony Jarvis

Director of Enterprise Security, Asia Pacific and Japan, Darktrace

Tony Jarvis is Director of Enterprise Security, Asia Pacific and Japan, at Darktrace. Tony is a seasoned cybersecurity strategist who has advised Fortune 500 companies around the world on best practice for managing cyber-risk. He has counseled governments, major banks, and multinational companies, and his comments on cybersecurity and the rising threat to critical national infrastructure have been reported in local and international media including CNBC, Channel News Asia, and The Straits Times. Before joining Darktrace, Tony previously served as CTO at Check Point and held senior advisory positions at FireEye, Standard Chartered Bank, and Telstra. Tony holds a BA in Information Systems from the University of Melbourne.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights