With losses from business email compromise on financial institutions rising fast, the active defense movement is generating buzz—but what are the ramifications?
Why just raise the shield without wielding the sword, too?
With US-based financial institutions shouldering as much as $12 billion in losses from business email compromise (BEC) attacks since 2013, the notion of using active defense measures that strike back at fraudsters seems to be gaining new currency. But what about the danger?
For those just tuning in, the term “active defense” describes methods by which organizations hit by spear phishing and other cyber attacks can trace them back to their source. More responsible efforts fall short of “hacking back,” and don’t involve counterstrikes meant to cripple the cybercriminals’ systems. But they can still net some serious results.
In one recent case, for instance, Agari researchers developed responsible active defense techniques that enabled them to puzzle together the perpetrators of a large number of email scams targeting several customers.
Taking care to keep the FBI informed of its effort during this 10-month operation, the Agari team captured 78 criminal email accounts and unmasked 10 international cybercrime organizations. By analyzing more than 78,000 email messages contained within the captured scammer email accounts, Agari researchers were able to better understand their tactics, targets, and, in some cases, identify the perpetrators behind these attacks.
Along the way, they warned financial institutions about accounts being used for money laundering and other criminal activities, and provided evidence to law enforcement. In one instance, quick action even helped a company recover its money before it was lost forever.
It’s the kind of technological prowess that’d make even the “Mission Impossible” team proud. But active defense isn’t to be taken lightly. And it can come with some major ramifications.
The appeal of active defense is understandable, of course—especially given the stakes.
Despite billions of dollars of investment and major advances in sophisticated security technology, the vast majority of financial institutions remain utterly vulnerable to BEC attacks, which use sophisticated forms of identity deception to impersonate a trusted contact.
Through social engineering, cybercriminals use these deception techniques to completely bypass traditional perimeter defenses. There’s no malware to detect, nothing suspicious in the code, nothing unfamiliar in the message.
It’s just that the person on the other end of the email isn’t who they claim to be, and their aim is to lure the recipient into revealing sensitive information or making payments to accounts secretly controlled by the fraudsters. And those actions can come with a steep price tag.
As it stands now, a typical BEC campaign has a success rate of 3.7% and will snare its first victim in just under four minutes. In fact, BEC attacks can score $130,000 or more, according to CNBC. But it can climb much higher. As we discussed in part two of this series, there’s reason to believe that the $80 million heist at the Central Bank of Bangladesh in 2016 started with BEC attacks on low- to mid-level bank employees.
Given the fact that so many data breaches begin with email, BEC and other advanced email threats may figure into as much as $4 trillion in worldwide losses from cybercrime in 2018. So who wouldn’t want to hit back hard?
First of all, active defense has yet to become a product you can purchase. Instead, it’s an approach—one that falls within a precarious gray zone between hacking back or “offensive cyber” operations and more passive forms of defense such as firewalls, email filters and so on.
Offensive cyber is really meant for nation states hitting back against other nations or non-state actors. Besides the fact that it’s illegal for companies to conduct such operations, it’s also a very bad idea.
Because of the sophisticated identity deception employed by today’s criminal networks, it’s very easy to end up targeting an innocent third party with your counterstrikes such as malware meant to take down their operations. Even when successful, it can end up just making the criminals set on waging an all-out war on your organization, creating far more trouble than it’s worth.
Within active defense, however, lay a full spectrum of activities ranging from low-risk efforts that include such things as information sharing, honeypots, and intelligence gathering on the dark web. On the higher-impact, higher-risk end of the spectrum, activities can include botnet takedowns, white-hat ransomware, rescue missions to recover assets and more.
Better still: Avoiding the need for any of this in the first place.
Long before considering active defense measures, financial services organizations should have proper BEC protections in place.
Yet today, it’s unclear how many organizations are deploying modern machine learning technologies with the kind of modeling and analytics capabilities needed to go beyond email content analysis and sender infrastructure reputation to assess people, relationships and behaviors in order to stop email attacks from ever reaching their targets.
Who knows? As a growing number of organizations raise a more effective shield against BEC, perhaps we’ll all find less need to draw a sword—and more disruptive ways to use it when we do. To learn more about active defense and its role in stopping the forces behind advanced BEC attacks, download an exclusive report, “Behind the ‘From’ Lines: 10 Cybercriminal Organizations Unmasked“