Email Security Blog

The Threat Taxonomy: A Working Framework to Describe Cyber Attacks

Markus Jakobsson July 24, 2017 How Email Works
Spear Phishing

Imagine going to the doctor and only being able to say “pain” or “sick”. You can’t say where you feel the pain, or what type of pain, or what is making you sick. But without this information, it’s impossible for the doctor to know how to treat you. From a cybersecurity perspective, this is very much like calling every email attack a “phishing” attack or even a “hack”. It limits the ability to identify proper countermeasures, and frustrates meaningful comparison between potential approaches.

With cybercrime on the rise, threatening individuals, enterprises and governments, it has become vital for the security industry to establish a common way of talking about the problem.  It is our responsibility to enable organizations and their information security teams to clearly convey their concerns and request guidance matching their needs.

To address this need for a common language, Agari has developed a classification system for types of cyber threats — a threat taxonomy — that breaks down common Internet attacks in terms of how they are carried out, and what the attackers wish to achieve. . At the same time, this taxonomy serves as a guide for enterprises and organizations with a need to enunciate their security concerns and priorities. While the taxonomy is not in any way limited to Agari’s solutions — it is, after all, meant as a common platform within the industry — it is currently limited to attacks leveraging email or other types of messaging.

The threat taxonomy (which can be seen in full here) describes communication related threats from various perspectives, or dimensions. It starts by considering the sender: is the sender an authentic user, or is it an attacker that uses some form of identity deception? If there is identity deception, what kind? Second, the taxonomy considers a classification of a message: Is it a fraudulent message? An unsolicited email (such as spam advertisements)? Or is it legitimate? The classification category then has sub-categories, such as whether a fraudulent email corresponds to a targeted attack or not, and whether part of the threat is an attachment. Using these two dimensions alone, many of today’s common threats can be described in a straightforward manner. Additional dimensions detail the source and destination of emails, and their objective.

As an in-depth description of the threat taxonomy is beyond the scope of this post, we can instead provide an overview of certain aspects that many of our customers have expressed an interest in. We do this by describing two common types of email based attacks using the taxonomy: Business Email Compromise (BEC) attacks and targeted attacks using compromised accounts, aka Account Takeover (ATO) attacks.

BEC Attacks
BEC attacks were virtually unknown a few years ago, but have since risen to become one of the most prominent email based threats — the FBI estimates these attacks are responsible for more than $5 billion in exposed dollar losses. This dramatic rise can be explained from several perspectives. One is that it is a targeted attack, meaning that the volume is low and the individual variation relatively high, making the use of methods based on blacklisting largely irrelevant. This means that traditional security technologies simply don’t apply, leaving most mail systems vulnerable — which means, in turn, that the malicious emails will be delivered. A second reason is that these attacks take advantage of existing workflows and mimic business-as-usual conversations, making them instantly credible. In one common version of a BEC attack, the criminal simply creates a free webmail account and sets the display name to match the party he or she wishes to impersonate. Since reputation-based email filtering methods will typically deliver all email from webmail accounts — except those that have been observed to spew millions of unwanted emails — malicious BEC emails are almost always delivered; and since most users, even when being careful, rarely look further than the display name when determining who an email is from, this type of identity deception is successful.

Taxonomy of a BEC Attack Shown in Red.

Now, let’s use the threat taxonomy to restate what we just said: Consider the first dimension of the taxonomy: sender. The sender is an impersonator, and commonly uses display name deception. Turning to the second dimension, classification, BEC attacks are frauds, and use social engineering. They are typically targeted, and are what we call cons. While typical phishing emails (i.e., emails aimed at stealing credentials) contain URLs, and many ransomware attacks have attachments, cons like BEC attacks have neither: they are “all talk”. But as such, they are commonly harder to detect — especially for security vendors that use the approach of blacklisting URLs or attachments known to be bad. Turning to the third dimension of the taxonomy, objective, it is clear that today’s BEC attacks are either aiming at stealing funds (objective=monetary) or data (objective=data/credential theft). A common type of data that BEC criminals aim to steal is W-2 data and other personally identifiable information (PII).

ATO attacks
While the Account TakeOver attack is relatively uncommon, it is increasing dramatically in commonality due to its abilities to circumvent all traditional countermeasures, whether the technique is used to infiltrate victim organizations, plant ransomware or steal sensitive data. This is because if the criminal uses compromised accounts as launchpads to attack the contacts of the users whose accounts were compromised, the intended victims receive emails from people they have interacted with in the past.

Typical security solutions implicitly assume that this is “good” email traffic — almost independently of the content of the email — which means the malicious emails get delivered. And if the attack is crafted in a cunning manner, the users receiving these emails believe these messages are secure — and go ahead opening attachments or following instructions that they would have ignored if the email came from a stranger.

The most common type of email compromise involves a user getting phished. For concreteness, let’s say that Alice receives an email that looks like it comes from her email provider, and it instructs her to log in. Maybe under the premise that unwanted access attempts have been made (as in the John Podesta attack), or maybe because Alice needs to “acknowledge a new privacy policy, or she will not receive emails anymore”. As Alice “logs in”,  the attacker steals her password. The attacker automatically searches Alice’s email communications and determines that Alice interacts with Bob, a very wealthy businessman. And now, the attacker  sends an email from Alice’s account to Bob, saying “Sorry about the long wait! I just realized that I never got around to send this. Talk to you soon!” … and then attaches a file, that when opened, will put ransomware on Bob’s computer.

Taxonomy of an ATO Attack, Showing in Red How an Attack Originated.

Now, let’s say the same thing using the taxonomy. Above, we show part of the “sender” portion of the taxonomy, with an expansion of the “compromise” part. We call that expansion “origin”, and it addresses how the the compromise came about. Whereas Alice and Bob may not care much about what exactly happened — after they both suffer the consequences — this classification is valuable in terms of understanding how to detect and stop the attempt to attack Bob. The headers of an email, which are not visible to the typical end user, carry a lot of valuable information, some of which can be used to distinguish the case of when an attacker commands a trusted account from the (much more common) case where the actual account owner sent the message. According to the example above, the attacker gained control over Alice’s account by phishing her — that corresponds to “compromised credentials”, and is the most common attack vector for ATO attacks these days. In contrast, the Google Docs Worm that spread through the Internet in late May 2017 stole OAuth credentials, which is a special case of “API Access” in the taxonomy. Both of these, fortunately, are relatively easy to automatically detect, making the common cases behind ATO attacks possible to address at a large scale.

In conclusion, there are many different email-based attacks. Their similarities and differences are best understood by breaking down the nature of the attacks, which can be done using the taxonomy we describe above. We have shown how to describe two important attacks using this taxonomy — BEC attacks and ATO attacks. These, of course, are just two examples. To understand a full range of email enabled attacks, check out our full threat taxonomy — please feel free to drop us a line if you have questions about attacks not explicitly described in that document. We hope you find this taxonomy useful within your organization.

Resources Applying the Threat Taxonomy:

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

February 20, 2018 Jacob Rideout

Strengthen DKIM Signatures with DCRUP

In this final post of the DMARC series we’ll discuss the latest crypto updates to…

2 factor authentication

February 15, 2018 Markus Jakobsson

How SMS 2FA Might Leave You Vulnerable to Email Account Takeover

One of the biggest challenges for a security strategy is making it accessible and understandable…

Agari Blog Image

February 13, 2018 Jacob Rideout

The Arrival of ARC

As we mentioned in the first post of this series, with the arrival of ARC,…

Agari Blog Image

September 28, 2016 Gabriel Ortiz

Software Ate My Infrastructure: 2 Years on AWS with Ansible, Terraform and Packer - Part 2

Agari has made significant investment into infrastructure as code. Almost two years into this project,…

Agari Blog Image

August 31, 2016 Gabriel Ortiz

Software Ate My Infrastructure: 2 Years on AWS with Ansible, Terraform and Packer - Part 1

Agari has made significant investment into infrastructure as code. Almost two years into this project,…

mobile image