The Rising Threat of Business Email Compromise

State and city governments are in cybercriminal crosshairs because they tick a lot of boxes. Many government divisions have been dealt with the mandate of digital transformation, but this road to increased efficiency is pockmarked by hybrid systems, a sprawling ecosystem of third-party applications, and processes that arguably privilege current productivity over lasting security.

The result? Not one day seemingly goes by without a local government falling prey to a cyberattack. The attack vector? A majority of the time, email is the Achilles heel.

Ryuk runs riot

Over the past year, the ‘Ryuk’ strain of ransomware has caused widespread havoc across state lines. Last June, the city council of Riviera Beach, Florida, voted to pay $600,000 in ransom after attackers shut down the city’s website, employee email accounts, VoIP (Voice over IP) phones, and even the local water utility division’s capacity to collect online payments. In July, La Porte County paid $130,000 after Ryuk got into their backup servers. In December, the city of New Orleans declared a state of emergency and shut down more than 4000 computers and servers in yet another Ryuk-related compromise.

Research published by Recorded Future last year found that publicly acknowledged ransomware attacks against state and local governments jumped 39% in 2018, with a total of 169 attacks going back to 2013. And while it’s easy for our eyes to snap towards the actual ransomware with Sauron-like intensity, there’s one other thing common across all these attacks: email.

The attack on Riviera Beach began when an employee in the city’s police department opened an email. After the attack on La Porte County, local cyber crimes expert Eric Tamashasky said, “Don’t click on unknown links. Don’t respond to emails that you didn’t ask for.” Kim LaGrue, New Orleans Chief Information Officer, said, “When we look at how our environment was permeated, it was through a compromise of credentials that belong to city employees.”

Sponsorships Available

Sponsorships Available

Sponsorships Available

Why governments are particularly affected

Government organizations can have multiple layers of security technologies deployed, but it only takes one instance of human oversight (or more accurately, humans being manipulated) to trigger an attack with far-reaching consequences. Email has persisted as the vector of choice for these attempts at ‘human compromise’.

State and local governments are particularly affected by email compromise for a variety of reasons:

Large attack surface

Local governments usually exist in federated structures where information flows from centralized locations, but individual units still retain autonomy. While these structures lead to operational efficiency, one weak link easily snowballs into something more sinister. According to research, 24 of the 169 attacks were against local schools or colleges, 41 were against law enforcement offices, and there was some overlap because attacks that entered through one system then spread to other systems with relative ease.

Federated structures also make it difficult to standardize and enforce protection mechanisms such as employee phishing awareness and training programs.

Vendor and third-party interactions

Even if employee awareness and spam filters can keep out high-volume phishing attempts, inbound email attacks are gaining in sophistication by the second. A prime example is vendor email compromise. Attackers can gain access to email accounts of third-party vendors that do business with local governments. They then silently sit and read through all the emails that flow through the vendor’s inbox, before inserting themselves into legitimate mail threads and attempting to divert government funds to private bank accounts.

So a state government can have the technologies and systems in place to avoid email compromise, but still be the victim of a cybersecurity attack because an external vendor’s account was taken over by malicious actors. Taking into account the sheer volume of third-party vendors that governments usually interact with, this portends a sobering reality going forward.

Perception and ‘hype’

Research suggests that city and state governments are actually less likely to pay ransom after being affected by cyberattacks. But these attacks fill up column inches in newspapers much quicker than compromises in the private sector. The disproportionate media attention turns into a vicious cycle, with more attackers now homing in on vulnerable government systems, that in turn leads to more attacks.

Government as ‘attacker’

Looking beyond cyberattacks aimed at government institutions, there’s also ‘government impersonation’ to contend with. A phishing attempt on the citizens of Newark, California had attackers impersonating the City of Newark and sending emails that asked for personal information. The aim was ostensibly to use the personal information to carry out financial fraud on individuals. Since the government holds a position of authority in our minds, email communications from them (or people pretending to be them) usually pass through tests of skepticism.

Let’s talk about context

In fairness, state and local governments are aware that email is a security issue that pervades yesterday, today, and tomorrow. But the sheer volume and variety of attack techniques has reduced focus on how exactly the email attacks of today operate.

Mass-produced phishing attacks still exist, of course, and are often detected by legacy products. But there are entire categories of email compromise that escape metadata-based detection, manipulate language and intent, and lull victims into a false sense of security that the email they’re replying to is legitimate.

These emails may not contain attachments that can be analyzed and deemed malicious. The attackers are often willing to play a waiting game, sending emails with no apparent purpose except to gain the recipient’s trust, before suddenly slipping a Bitcoin-shaped knife in the back. And sometimes there’s literally nothing in the email that gives the attacker away, because they’ve gained access to a legitimate user’s account and are using it to nefarious ends (the industry calls this ‘email account compromise’ or ‘account takeover’).

There’s only so far visual tests and phishing awareness can take us. Security vendors need to take a more holistic approach to analyzing email content, context, and metadata. Based on attacks we’ve witnessed recently, here’s an outline of signal categories that vendors should look at:

Identity

Email security vendors need to exhaustively analyze who users are in order to prevent impersonation and spoofing attempts. What’s the user’s name, role, and hierarchical status within the organization? What devices, browsers, and email clients do they normally use?

Behavior

Identity is a critical part of email analysis, but these signals can turn noisy if used in isolation. It’s also important to analyze what users do, create a behavior baseline, and study any anomalies from this baseline to accurately detect problems such as account takeovers and insider threats. What’s the extent of interaction that a user has with internal and external recipients? What time of the day do they normally send most of their emails? What location and IP address do they usually login from?

Language

If cybercriminals are able to mask their identity and/or behavior, understanding the language in the email and the intent behind the email can be analysis signals that stop a pernicious attack. What’s a user’s normal writing style and are they noticeably deviating from it? Does the email have a tone of inordinate tenor and urgency?

Analyzing a confluence of signals across identity, behavior, and language can enable security vendors to detect attacks that email gateways might let through. And with recent advancements in Natural Language Understanding (NLU) and machine comprehension, technology today is capable of making this breadth and depth of analysis a reality. State and local governments deal with billions of emails that these NLU models could learn from before establishing baselines and forming a much-needed layer of defense against targeted attacks.

Coming to the question of deployment, there’s another technological shift that can make things easier for government organizations: APIs. State and local governments – strapped for resources at the best of times – are right to be cautious about deploying, integrating, and managing ‘yet another security solution’. But cloud-native security solutions can integrate with Office 365 or GSuite over APIs to reduce the complexity of deployment and simplify maintenance updates without unreasonably getting in the way of email flows.