How contextual analysis can offer insight into the human element behind cyber threats [Q&A]

Cyber threats can come in many forms, over email, messaging platforms or social media. But what they all have in common is that they seek to exploit human weaknesses.

We spoke to Chris Lehman, CEO of SafeGuard Cyber, to discover how contextual analysis of business conversations can help determine if a conversation is benign or if something suspicious is taking place, allowing action to be taken.

BN: As the business communication ecosystem expands beyond email, how do cybercriminals take advantage of the expanded attack surface?

CL: For most organizations today, cyber threats like phishing are no longer confined to email. Attacks can spread across infrastructure and channels, hopping from email to messaging apps to cloud-based file-sharing platforms such as Microsoft Teams and Slack.

Impersonation attacks outside of email are becoming more prevalent due to several factors:

• Strengthening Email Security Measures: As organizations and individuals become more aware of email-based attacks and implement robust security measures, cybercriminals may shift their attention towards other communication channels that may possess weaker security or less sophisticated anti-phishing technologies.
• Diversification of Communication Channels: With the rising popularity of various communication platforms such as messaging apps, social media, collaboration tools, and other online forums, cybercriminals have expanded opportunities to exploit these channels for impersonation attacks.
• User Behavior and Trust: Users typically exercise greater caution when dealing with emails due to the well-known risks associated with phishing and impersonation. However, in other communications channels, users might harbor a false sense of security and trust more readily, making them susceptible to manipulation and impersonation.
• Social Engineering: Non-email communication platforms often provide cybercriminals with additional information about users, such as their interests, social connections, and behavioral patterns. This data can be exploited for targeted impersonation, rendering the attacks more convincing.
• Mobile Device Usage: The increasing utilization of mobile devices has resulted in a surge in communication through messaging apps and social media, thereby creating new avenues for cybercriminals to exploit.
• Inadequate Security Awareness: While many organizations prioritize email security awareness training, they often overlook the significance of educating employees about potential risks associated with other communication channels.
• Ease of Creating Fake Accounts: Some communication platforms may employ less rigorous verification processes for creating accounts, making it simpler for malicious actors to establish fake profiles and impersonate others.

BN: What recent cyber-attacks highlight the need for contextual analysis?

CL: Some of the most devastating social engineering attacks in 2022 were conducted against Nvidia, Okta and Microsoft by the Lapsus$ group. Hackers used communication channels like WhatsApp, Slack and Teams to gain access to hundreds of gigabytes of Nvidia’s proprietary data, including information about chips that the company is developing. In addition, Lapsus$ claims to have stolen the credentials of thousands of Nvidia employees.

In January, cybercriminals stole 20 GB of credit card information from guests and employees of Marriott International in the UK. In this breach, the threat actors used social engineering attacks to lure an employee into providing access to their employee’s computer.

In March, the Blockchain company Ronin lost almost $615 million worth of cryptocurrency through an attack on Ronin’s network blockchain bridge. Using a fake LinkedIn job offer to phish an employee, the attackers stole 173,600 Ethereum cryptocurrency tokens and $25.5 million in USD Coin in just two transactions.

In September, a 16-year-old cybercriminal took advantage of a loophole in Uber’s security system to crack into the system. Impersonating Uber’s IT team, the attacker sent multiple and continuous MFA push notifications to an employee across SMS and WhatsApp. In this case, the seemingly urgent nature of the notifications eventually wore down the employee who eventually logged in and had their credentials stolen.

A few weeks later, the same cybercriminal compromised an employee at Rockstar Games. Using credentials to impersonate the employee, the criminal breached the company's Slack channel to steal intellectual property and leak it publicly.

In all these attack examples, the ability to analyze the context and intent of the language-based attacks that lead to negative business impacts was missing. With Contextual Analysis, security teams are able to break down those digital conversations to better understand it. It is a modern, highly efficient, and powerful toolset for defenders that gives security teams visibility into the flow of messages in cloud communication channels so they can more easily and quickly locate, identify and neutralize threats. While most security tools are designed to detect traditional attack indicators, such as malicious links or attachments, Contextual Analysis is fundamentally different: it's designed to help teams quickly examine the language in today's complex communications ecosystem for more efficient threat identification and in the above attacks listed didn't have a tool in place to analyse the context and intent of the language based attacks leading to negative business impacts.

BN: Why is there a need for Contextual Analysis for business communications?

CL: As the business communication ecosystem expands, CISOs and SOC teams are discovering that they need greater visibility into the context and intent of cloud business communications across cloud channels in order to prevent business communications compromise (BCC) attacks.

Contextual Analysis enables CISOs and SOCs to gain insight into the context and intent of communications, and provide an outline of how they identified leading threat indicators such as social engineering, unusual communications exchange, and abnormal user behavior.

BN: What are the main elements of Contextual Analysis?

CL: There are five main elements:

• Semantic Analysis extracts insightful information within cloud communications such as emotions, and sentiments to understand, interpret, and derive meanings from sentences and paragraphs. It uses machine learning to analyze the grammatical format of sentences, including the arrangement of words, phrases, and clauses to determine relationships between independent terms in a specific context. By examining the relationship between words in a sentence, semantic analysis helps provide a clear understanding of the context of cloud business communications.
• Metadata Analysis identifies message characteristics such as the sender’s address, receiver’s address, subject, and date, as well as Return-Path, Reply-To Field, and Message-ID. It identifies which servers, ISPs, and platforms the message has passed through, and can also determine if a message arrived at its intended recipient without faults or changes, and can tell if files have been altered since they were first created.
• Digital Identity is an accurate profile of a person created from a history of how, when, and why they use cloud communication channels. The profile builds a history of a person’s past connections, and can determine what is ‘normal’, such as talking to someone in HR every other week. If that person suddenly starts to communicate with someone in a different department, that may be considered anomalous behavior and worthy of further investigation.
• Behavioral Analysis examines all possible trends, patterns and activities of users to understand the difference between the expected and the unexpected. By understanding that a particular employee doesn’t send email at a certain time of day; doesn't use email signatures; doesn't misspell words; or doesn't send email from an unusual geographic location, unusual changes to these typical behaviors are quickly identified, and that person’s messages can be flagged for further analysis.
• Social Graph Analysis maps how people are communicating with each other over cloud communications platforms. It builds a relationship model of people based on their patterns of communications. Unusual connections can be easily identified and combined with behavioral analysis to help detect account takeover and insider risk.

BN: What steps should enterprises take to implement Contextual Analysis into their security posture?

CL: SOC teams need the ability to identify and discover sophisticated social engineering attacks in all cloud communications channels. By using Contextual Analysis to analyze the content and context of a message, including language-based lexical traits, spelling traits and topical traits, it provides security teams with clear insight into the human element behind cyberthreats, including:

• Who is talking?
• What are they talking about?
• What are they saying about those subjects?
• How do they feel?

Based on that insight, SOCs can determine if a conversation is benign or if something suspicious is taking place. By evaluating the WHY and the HOW of business cloud communications with contextual analysis, security teams can detect language-based attacks that are leading indicators of BCC.

Photo Credit: ra2studio/Shutterstock