The United States government recently formally charged a North Korean hacker in the infamous 2014 Sony phishing attack. Although the Sony attack is old news, the criminal complaint provides new insight into the hacker's phishing campaign assembly line, and we can learn from it to defend better against attacks. The complaint makes it clear that the hacker has a "playbook": a set of phishing methods and tactics that easily bypass cybersecurity defenses. These were used and reused, over several years, to successfully attack many victims, including entertainment companies, financial institutions, defense contractors, and others. The playbook enabled this hacker to extract information and steal money, inflicting significant damage on victims.
In football, a playbook can make or break a team. If you can get hold of your opponent’s playbook, you have a huge advantage. Instead of waiting for your opponent’s next move, scrambling to respond and hoping for the best, you can preemptively execute a defense that stops opponents in their tracks.
So what lessons can we learn about phishing attack defense by studying the playbook outlined in the North Korean hacker criminal complaint?
Email authentication alone can't stop phishing attacks.
The hacker set up multiple accounts with mainstream email providers, such as Gmail and Hotmail, both to send spear-phishing emails and to receive data exfiltrated from victims' systems. Those providers publish SPF and DKIM records and DMARC policies for their domains, so a message sent from a hacker-owned Gmail account is, as far as SPF, DKIM and DMARC are concerned, exactly what it claims to be: mail from gmail.com. The victim's authentication checks passed it without a second look. Authentication verifies that a message came from the domain in its From header; it says nothing about who holds the account or what the message is for. That is why it is a weak defense on its own: it is just as easy for the bad guys as for the good guys to open accounts that pass every authentication check.
Hackers reuse email accounts across campaigns.
The North Korean hacker used and reused the same email accounts to execute campaigns against multiple organizations and industries, including campaigns against Sony, Bangladesh Bank, Lockheed, and others. By proactively tracking the hacker's activity and the email accounts they reuse from one attack to the next, a security provider knows about malicious sender accounts before the next phishing campaign launches and can protect customers from spear-phishing emails sent from them.
Hackers use compromised systems to execute attacks.
The North Korean hacker compromised multiple reputable third-party systems and then used those systems to execute the attacks. Launching attacks from reputable systems helps hackers evade a victim's security defenses, because reputation-based filters see a trusted sender or host rather than attacker infrastructure. Security vendors that proactively track hacker activity in the wild can identify the compromised systems the hacker uses and reuses, and can protect customers from malicious traffic originating from those systems' IPs or domains.
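The three lessons so far (an authentication pass is not a benign signal, attacker accounts are reused, compromised infrastructure is reused) fit naturally into one triage routine. The block below is an added illustration of that logic, not code from Area 1 or from the complaint: it parses a constructed RFC 5322 message with Python's standard `email` library, reads the `Authentication-Results` header, and only then asks the questions authentication cannot answer. The indicator sets (`REUSED_SENDERS`, `COMPROMISED_HOSTS`, `FREE_MAIL_DOMAINS`, `EXEC_NAMES`), the domains and the IP addresses are hypothetical.

```python
"""Triage of a raw RFC 5322 message showing why an authentication 'pass' is not a
benign signal, plus matching against sender and infrastructure indicators.
Added illustration; all indicators and the message below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical threat intel a vendor would accumulate by tracking one actor over time.
REUSED_SENDERS = {"hr.recruit.2014@example-webmail.com"}            # accounts reused across campaigns
COMPROMISED_HOSTS = {"cdn.example-compromised.org", "203.0.113.7"}  # relays / payload hosts
FREE_MAIL_DOMAINS = {"example-webmail.com"}                         # anyone can open an account here
EXEC_NAMES = {"jane doe"}                                           # display names worth impersonating

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def auth_results(msg):
    """Reduce Authentication-Results headers to {'spf': 'pass', 'dkim': ..., 'dmarc': ...}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            out[m.group(1).lower()] = m.group(2).lower()
    return out

def triage(raw):
    """Return a list of findings for one message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()

    # A DMARC pass only proves the mail really came from the domain in the From header.
    # A free-mail account passes just as cleanly as a corporate one, so treat the pass
    # as context and look at who the account is pretending to be.
    if auth.get("dmarc") == "pass" and domain in FREE_MAIL_DOMAINS and name.strip().lower() in EXEC_NAMES:
        findings.append("display-name impersonation from an authenticated free-mail account")

    # Attacker-controlled accounts reused from earlier campaigns.
    if addr.lower() in REUSED_SENDERS:
        findings.append(f"sender {addr} seen in prior campaigns")

    # Compromised third-party systems reused as relays or payload hosts.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    relays = {ip for h in msg.get_all("Received", []) for ip in BRACKET_IP_RE.findall(str(h))}
    for ioc in sorted((hosts | relays) & COMPROMISED_HOSTS):
        findings.append(f"known compromised host {ioc}")
    return findings

# Constructed sample: fully authenticated, yet every lesson from the complaint applies.
SAMPLE = """\
Received: from mail.example-webmail.com (mail.example-webmail.com [203.0.113.7])
\tby mx.victim.example (Postfix) with ESMTPS id 4ABC123
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=example-webmail.com;
 dkim=pass header.d=example-webmail.com; dmarc=pass header.from=example-webmail.com
From: "Jane Doe" <hr.recruit.2014@example-webmail.com>
To: victim@victim.example
Subject: Updated org chart
Content-Type: text/plain

Please review the chart: http://cdn.example-compromised.org/orgchart.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against the sample, `triage` reports the display-name impersonation, the reused sender and both infrastructure hits even though SPF, DKIM and DMARC all say "pass". Swap the From header for an unknown free-mail address and remove the indicators and it returns an empty list: the authentication result is identical in both cases, which is the point.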
Hackers continually craft new malware but reuse code.
Like any developer who takes pride in his or her work, a hacker reuses code across campaigns. If it's working, why change it? The malware used by the North Korean hacker, although mostly unique for each campaign, reused some code across payloads. By proactively tracking hacker activity and analyzing the associated malware, security providers can discover those shared patterns. The patterns can then be applied to customer web downloads and email attachments to detect, in seconds, the hacker's newest, previously unseen payloads, because a fresh build still carries the routines the author did not bother to rewrite.
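One concrete way to turn "reused code" into a detection is to look for the byte sequences every known sample of a family has in common, discard the ones that also occur in benign software (compiler prologues, library stubs), and score a new file by how much of that residue it contains. The block below is an added illustration of that idea, not Area 1's detection engine; the "payloads" are constructed byte strings (a 45-byte stand-in routine embedded in seeded random filler), not real malware, and the threshold of 0.6 is an assumption.

```python
"""Detect reused code between malware payloads by the byte n-grams they share.
Added illustration; the 'payloads' are constructed byte strings, not real malware."""
import random

N = 4  # n-gram width; single opcodes are too common to be meaningful, 4 bytes is not

def ngrams(data: bytes, n: int = N) -> frozenset:
    """Every overlapping n-byte window. Position-independent, so a function the
    author pasted into a different place in the next build still matches."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))

def jaccard(a: frozenset, b: frozenset) -> float:
    """Whole-file similarity; weak when only a fragment is shared."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def family_signature(samples, benign: bytes, n: int = N) -> frozenset:
    """N-grams present in every known sample of the family, minus anything also
    seen in benign code (compiler prologues, library stubs). What remains is the
    code the actor keeps reusing."""
    shared = frozenset.intersection(*(ngrams(s, n) for s in samples))
    return shared - ngrams(benign, n)

def reuse_score(signature: frozenset, sample: bytes, n: int = N) -> float:
    """Fraction of the family's reused n-grams that appear in a new sample."""
    return len(signature & ngrams(sample, n)) / len(signature) if signature else 0.0

def is_related(sample: bytes, threshold: float = 0.6) -> bool:
    """Verdict for a previously unseen file; the threshold is an assumed tuning value."""
    return reuse_score(SIGNATURE, sample) >= threshold

# --- constructed corpus (seeded so the run is repeatable) ---
_rng = random.Random(2014)
def _filler(k: int) -> bytes:
    """Stand-in for the unique, per-campaign parts of a payload."""
    return bytes(_rng.getrandbits(8) for _ in range(k))

PROLOGUE = bytes.fromhex("5589e583ec")  # push ebp; mov ebp,esp; sub esp,..: present in benign code too
# A 40-byte loop body standing in for the routine the actor carries between builds.
REUSED = PROLOGUE + bytes.fromhex(
    "8b45088b4d0c31d2c745fc00000000837dfc0a7d0e8b45fc0fb60c10014dfc8345fc01ebecc9c390")
KNOWN = [_filler(150) + REUSED + _filler(80),   # three earlier campaigns' payloads
         _filler(60) + REUSED + _filler(200),
         REUSED + _filler(120)]
BENIGN = _filler(100) + PROLOGUE + _filler(100)
NEW_SAMPLE = _filler(300) + REUSED + _filler(50)  # "previously unseen", mostly new code
UNRELATED = _filler(400)

SIGNATURE = family_signature(KNOWN, BENIGN)

if __name__ == "__main__":
    print(f"signature size: {len(SIGNATURE)} n-grams")
    print(f"new sample : reuse={reuse_score(SIGNATURE, NEW_SAMPLE):.2f} related={is_related(NEW_SAMPLE)}")
    print(f"unrelated  : reuse={reuse_score(SIGNATURE, UNRELATED):.2f} related={is_related(UNRELATED)}")
    print(f"whole-file Jaccard vs known[0]: {jaccard(ngrams(KNOWN[0]), ngrams(NEW_SAMPLE)):.2f}")
```

Two things worth noticing when you run it. The new sample is almost entirely fresh code, so its whole-file Jaccard similarity to any earlier payload is tiny, which is why file hashes and file-level fuzzy matching miss it; the family signature, on the other hand, is fully present, so the reuse score is 1.0. And the benign subtraction matters: without it the prologue bytes would be part of the signature and every ordinary program would contribute a little to the score.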
As shown above, the security industry can take a lesson from football strategy: threat actors too have a playbook. They figure out the plays that work—those that easily bypass cybersecurity defenses—and use those plays over and over again. If the defense can’t stop your star running back, you’ll keep running down the middle, and likewise, if targeted victims keep clicking a hacker’s credential harvesting phish, the hacker is going to keep sending it.