Friday 6 October 09:30 - 10:00, Green room
Abhishek Singh & Fahim Abbasi (Cisco)
In 2021 the IC3 received 19,954 complaints about BEC/EAC scams, which resulted in a loss of $2.4 billion, making it the number one threat we face today. Email account compromise is a sophisticated category of BEC scam in which the threat actor sends phishing/scam emails from a compromised account, which can result in a significant loss to the company. Because the sending account is genuinely compromised, detection algorithms that rely on feature sets such as DMARC and SPF checks, a mismatch between the From and Reply-To addresses, whether the email was sent from a free email address, look-alike domains, spoofed domains, etc., are bypassed.
In the first part of this presentation we will dive into the details of an intent-based approach to detecting email account compromise. The design isolates suspicious emails in east-west (internal) and outbound traffic. Suspicious emails are separated according to the threat actor's intent, using keywords derived from n-gram analysis of the body and subject of emails. Once the suspicious emails have been isolated, the sender's record for the past 90 days is extracted. Features that map to the sender's behaviour are derived from the 90-day historical record and from the suspicious email itself. These features are correlated to detect email account compromise.
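The pipeline described above (intent isolation, 90-day sender history, behavioural features, correlation), as an added illustration that is not the speakers' code: the intent keyword list, the feature set, the anomaly threshold and the mailbox data are all constructed stand-ins, not the values used in the talk.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed stand-in for the talk's n-gram-derived intent keywords.
INTENT_KEYWORDS = ("wire transfer", "urgent payment", "gift card", "bank details")

def intent_hits(msg):
    """Stage 1: isolate a message by the intent expressed in subject + body."""
    text = f"{msg['subject']} {msg['body']}".lower()
    return [k for k in INTENT_KEYWORDS if k in text]

def sender_history(mailbox, sender, now, days=90):
    """Stage 2: pull the sender's own messages from the past `days` days."""
    cutoff = now - timedelta(days=days)
    return [m for m in mailbox if m["from"] == sender and cutoff <= m["ts"] < now]

def behaviour_features(history, msg):
    """Stage 3: compare the suspicious message with the sender's past behaviour."""
    known_rcpts = {r for m in history for r in m["to"]}
    known_domains = {r.split("@")[1] for r in known_rcpts}
    usual_hours = {h for h, n in Counter(m["ts"].hour for m in history).items() if n >= 2}
    return {
        "new_recipient": any(r not in known_rcpts for r in msg["to"]),
        "new_domain": any(r.split("@")[1] not in known_domains for r in msg["to"]),
        "off_hours": msg["ts"].hour not in usual_hours,
        "intent_never_seen": not any(intent_hits(m) for m in history),
    }

def detect_eac(mailbox, msg, min_anomalies=2):
    """Stage 4: correlate intent with behavioural anomalies -> (verdict, evidence)."""
    hits = intent_hits(msg)
    if not hits:                       # no suspicious intent: never reaches history lookup
        return False, {}
    feats = behaviour_features(sender_history(mailbox, msg["from"], msg["ts"]), msg)
    anomalies = sum(1 for v in feats.values() if v)
    feats["intent_keywords"] = hits
    return anomalies >= min_anomalies, feats

def sample_mailbox():
    """Constructed 90-day history: alice mails two colleagues during office hours."""
    base = datetime(2023, 7, 1, 9, 0)
    return [{"from": "alice@example.com", "to": [f"{p}@example.com"],
             "ts": base + timedelta(days=d, hours=h),
             "subject": "Weekly status", "body": "Notes from the sync."}
            for d in range(0, 90, 3) for p, h in (("bob", 0), ("carol", 5))]

# Constructed test messages: one EAC-style request at 03:12 to a never-contacted mailbox,
# one routine status mail that matches the sender's history.
SUSPICIOUS = {"from": "alice@example.com", "to": ["finance@example.com"],
              "ts": datetime(2023, 9, 29, 3, 12), "subject": "Urgent wire transfer",
              "body": "Please update the bank details today."}
BENIGN = {"from": "alice@example.com", "to": ["bob@example.com"],
          "ts": datetime(2023, 9, 29, 9, 5), "subject": "Weekly status",
          "body": "Notes from the sync."}
```

Running `detect_eac(sample_mailbox(), SUSPICIOUS)` flags the message on three anomalies (new recipient, off-hours send, intent never seen from this sender), while the routine mail is dropped at the intent stage without touching the history.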
In the second part of the presentation we will share the results of the intent-based approach on production traffic. We will conclude by comparing the intent-based approach with other approaches to detecting email account compromise.
Abhishek Singh is a security R&D leader with 15+ years of experience, passion, and a proven track record of driving research and threat detection engineering that solves complex problems and results in winning technology, leading to revenue gains at Cisco, FireEye and Microsoft. He holds 34 patents, has authored 17 research papers and seven technical white papers, and has contributed to three books. His patents and papers detail work in algorithms, analytics and machine learning-based approaches to detecting advanced threats, and in the architecture of technologies such as the virtual machine-based approach to threat analysis, EDR, RASP, DAST, Active Defense (deception), email, web and IPS.
Dr Fahim Abbasi is an esteemed cybersecurity researcher, defender and innovator with over 10 years of invaluable industrial research experience. With a proven track record of working for leading cybersecurity product companies in the network and email security domain, Dr Abbasi's expertise is exemplary. Currently serving as a senior research scientist at Cisco, he spearheads forward-looking research initiatives, developing cutting-edge prototypes and intelligent algorithms to tackle emerging challenges in the realm of email security. Dr Abbasi's focus lies in combating various threats, including email account compromise, lateral phishing, advance-fee scams, business email compromise (BEC) and phishing, ultimately strengthening Cisco's email detection technologies such as Email Threat Defense (ETD), CSE and ESA.