Detecting Vendor Email Compromise in Supply Chain Attacks
24
Mar 2021
Learn how Antigena Email stopped a supply chain attack by identifying a behavioral shift in the emails, while still allowing legitimate traffic through.
Supply chain account takeover – also known as Vendor Email Compromise — is the single most pressing issue facing email security at the moment. There has been a wave of high-profile supply chain attacks recently and this trend will only increase over 2021 as cyber-criminals continue to find success in such methods. Traditional security tools are powerless to stop such attacks: since the malicious emails come from trusted partners and suppliers, they slip through the gateway.
The recent SolarWinds cyber-attack shows just how devastating a supply chain compromise can be. Business partnerships are more complex than ever, which means that a single breach can affect dozens of organizations at all levels of a global supply chain, from small local companies to government departments.
This blog examines a compromised third-party provider which sent malicious emails to a customer trialing Antigena Email. Despite the emails coming from a trusted source, the AI technology recognized a behavioral shift – that they were anomalous when compared with the previous behavior of the sender. When the contact realized their account had been compromised and issued a warning via email to their regular contacts, Antigena recognized these emails as benign. But as the attacker continued sending emails of a malicious nature on their account, those threatening emails, which bypassed the company’s other security tools, were held back by Darktrace.
Supply chain compromise
Let’s set the scene. The company in question is one of the world’s largest beverage suppliers with around 15,000 email users alone. It has a sprawling global supply chain with many partners and trusted vendors. After one of these third parties was compromised, malicious actors sent phishing emails across the supply chain to compromise as many organizations as they could. Our beverage company was one of the main targets.
The trusted relationship with the third party can be seen through Darktrace’s Email tags, which were applied to the previous legitimate emails sent in from the supplier.
Figure 1: A snapshot of Antigena Email’s interface
Shortly after this legitimate email was seen, a wave of new emails came in from the same account. Using this authentic traffic to their advantage, the attacker successfully evaded other tools and blended into legitimate communications. In supply chain attacks, such camouflage is key to a successful compromise.
However, due to slight changes in the behavior of the sender when compared with their previous history, Darktrace was able to identify that the account had been compromised, shown by the Out of Character and Suspicious Link tags.
Figure 2: A snapshot of Antigena Email’s interface
Darktrace’s AI detected a range of anomalies, including:
the source of the email;
the nature of the links and their association with the company;
the language and intention of the email body.
These extremely subtle shifts in email can only be detected by using Darktrace’s sophisticated unsupervised machine learning approach. By understanding how the user typically acts and interacts with their peers and other organizations, Darktrace’s AI is able to identify anomalous behavior that indicates account takeover and impersonation.
Attack breakdown: Doubting the trustworthy
In the emails, there was a link directing the user to a legitimate file storage site (‘canva.com’), which was being used to host a malicious payload. This tactic is commonly used by cyber-criminals to bypass legacy security gateways, because traditional gateways fail to defend against malicious file storage links using reputation checks, since the domains themselves are legitimate.
Antigena Email, however, identified that this email did not belong and flagged the email as 100% anomalous. The figure below shows three of the malicious emails, and the scores assigned to them by Antigena Email’s machine learning. The top email is the supplier emailing the company legitimately, to warn of the compromised account. Despite arriving shortly after the malicious emails, the email was given only a 31% threat score, with no actions suggested. This proves just how valuable Antigena Email is not only in stopping the bad emails, but also in accurately identifying benign emails – ensuring it does not interfere with legitimate communication.
Figure 3: Antigena Email clearly distinguishes the benign communication from harmful emails
Antigena Email’s action of choice was to hold the emails back from the inbox entirely, protecting the recipient from any potential solicitation or attempt to take communications to a less secure platform.
Blind trust: The rise of supply chain attacks
This year will undoubtedly see the highly lucrative supply chain fraud continue to rise, as cyber-criminals focus on the weakest links and target partners and suppliers to gain a foothold in a range of organizations. In fact, it is likely that supply chain attacks will become more common than CEO fraud this year. Whereas the C-suite are often well protected by vigilant security teams, third parties offer a plethora of ways into a company. Security teams are blind to third-party environments and gateways rarely flag emails which come from legitimate sources.
Antigena Email is the only email security technology which looks at each individual email in the wider context of the organization, the recipient, and past interactions with the sender, stopping anomalous emails sent with malicious intent, no matter who has sent them.
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Dan Fein
VP, Product
Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.
Reimagining Your SOC: Overcoming Alert Fatigue with AI-Led Investigations
The efficiency of a Security Operations Center (SOC) hinges on its ability to detect, analyze and respond to threats effectively. With advancements in AI and automation, key early SOC team metrics such as Mean Time to Detect (MTTD) have seen significant improvements:
96% of defenders believing AI-powered solutions significantly boost the speed and efficiency of prevention, detection, response, and recovery.
Organizations leveraging AI and automation can shorten their breach lifecycle by an average of 108 days compared to those without these technologies.
While tool advances have improved performance and effectiveness in the detection phase, this has not been as beneficial to the next step of the process where initial alerts are investigated further to determine their relevance and how they relate to other activities. This is often measured with the metric Mean Time to Analysis (MTTA), although some SOC teams operate a two-level process with teams for initial triage to filter out more obviously uninteresting alerts and for more detailed analysis of the remainder. SOC teams continue to grapple with alert fatigue, overwhelmed analysts, and inefficient triage processes, preventing them from achieving the operational efficiency necessary for a high-performing SOC.
Addressing this core inefficiency requires extending AI's capabilities beyond detection to streamline and optimize the following investigative workflows that underpin effective analysis.
Challenges with SOC alert investigation
Detecting cyber threats is only the beginning of a much broader challenge of SOC efficiency. The real bottleneck often lies in the investigation process.
Detection tools and techniques have evolved significantly with the use of machine learning methods, improving early threat detection. However, after a detection pops up, human analysts still typically step in to evaluate the alert, gather context, and determine whether it’s a true threat or a false alarm and why. If it is a threat, further investigation must be performed to understand the full scope of what may be a much larger problem. This phase, measured by the mean time to analysis, is critical for swift incident response.
Challenges with manual alert investigation:
Too many alerts
Alerts lack context
Cognitive load sits with analysts
Insufficient talent in the industry
Fierce competition for experienced analysts
For many organizations, investigation is where the struggle of efficiency intensifies. Analysts face overwhelming volumes of alerts, a lack of consolidated context, and the mental strain of juggling multiple systems. With a worldwide shortage of 4 million experienced level two and three SOC analysts, the cognitive burden placed on teams is immense, often leading to alert fatigue and missed threats.
Even with advanced systems in place not all potential detections are investigated. In many cases, only a quarter of initial alerts are triaged (or analyzed). However, the issue runs deeper. Triaging occurs after detection engineering and alert tuning, which often disable many alerts that could potentially reveal true threats but are not accurate enough to justify the time and effort of the security team. This means some potential threats slip through unnoticed.
Understanding alerts in the SOC: Stopping cyber incidents is hard
Let’s take a look at the cyber-attack lifecycle and the steps involved in detecting and stopping an attack:
First we need a trace of an attack…
The attack will produce some sort of digital trace. Novel attacks, insider threats, and attacker techniques such as living-off-the-land can make attacker activities extremely hard to distinguish.
A detection is created…
Then we have to detect the trace, for example some beaconing to a rare domain. Initial detection alerts being raised underpin the MTTD (mean time to detection). Reducing this initial unseen duration is where we have seen significant improvement with modern threat detection tools.
When it comes to threat detection, the possibilities are vast. Your initial lead could come from anything: an alert about unusual network activity, a potential known malware detection, or an odd email. Once that lead comes in, it’s up to your security team to investigate further and determine if this is this a legitimate threat or a false alarm and what the context is behind the alert.
Investigation begins…
It doesn’t just stop at a detection. Typically, humans also need to look at the alert, investigate, understand, analyze, and conclude whether this is a genuine threat that needs a response. We normally measure this as MTTA (mean time to analyze).
Conducting the investigation effectively requires a high degree of skill and efficiency, as every second counts in mitigating potential damage. Security teams must analyze the available data, correlate it across multiple sources, and piece together the timeline of events to understand the full scope of the incident. This process involves navigating through vast amounts of information, identifying patterns, and discerning relevant details. All while managing the pressure of minimizing downtime and preventing further escalation.
Containment begins…
Once we confirm something as a threat, and the human team determines a response is required and understand the scope, we need to contain the incident. That's normally the MTTC (mean time to containment) and can be further split into immediate and more permanent measures.
The challenge is not only in 1) detecting threats quickly, but also 2) triaging and investigating them rapidly and with precision, and 3) prioritizing the most critical findings to avoid missed opportunities. Effective investigation demands a combination of advanced tools, robust workflows, and the expertise to interpret and act on the insights they generate. Without these, organizations risk delaying critical containment and response efforts, leaving them vulnerable to greater impacts.
While there are further steps (remediation, and of course complete recovery) here we will focus on investigation.
Developing an AI analyst: How Darktrace replicates human investigation
Darktrace has been working on understanding the investigative process of a skilled analyst since 2017. By conducting internal research between Darktrace expert SOC analysts and machine learning engineers, we developed a formalized understanding of investigative processes. This understanding formed the basis of a multi-layered AI system that systematically investigates data, taking advantage of the speed and breadth afforded by machine systems.
With this research we found that the investigative process often revolves around iterating three key steps: hypothesis creation, data collection, and results evaluation.
All these details are crucial for an analyst to determine the nature of a potential threat. Similarly, they are integral components of our Cyber AI Analyst which is an integral component across our product suite. In doing so, Darktrace has been able to replicate the human-driven approach to investigating alerts using machine learning speed and scale.
Here’s how it works:
When an initial or third-party alert is triggered, the Cyber AI Analyst initiates a forensic investigation by building multiple hypotheses and gathering relevant data to confirm or refute the nature of suspicious activity, iterating as necessary, and continuously refining the original hypothesis as new data emerges throughout the investigation.
Using a combination of machine learning including supervised and unsupervised methods, NLP and graph theory to assess activity, this investigation engine conducts a deep analysis with incidents raised to the human team only when the behavior is deemed sufficiently concerning.
After classification, the incident information is organized and processed to generate the analysis summary, including the most important descriptive details, and priority classification, ensuring that critical alerts are prioritized for further action by the human-analyst team.
If the alert is deemed unimportant, the complete analysis process is made available to the human team so that they can see what investigation was performed and why this conclusion was drawn.
To illustrate this via example, if a laptop is beaconing to a rare domain, the Cyber AI Analyst would create hypotheses including whether this could be command and control traffic, data exfiltration, or something else. The AI analyst then collects data, analyzes it, makes decisions, iterates, and ultimately raises a new high-level incident alert describing and detailing its findings for human analysts to review and follow up.
To create a mature and proactive SOC, addressing the inefficiencies in the alert investigation process is essential. By extending AI's capabilities beyond detection, SOC teams can streamline and optimize investigative workflows, reducing alert fatigue and enhancing analyst efficiency.
This holistic approach not only improves Mean Time to Analysis (MTTA) but also ensures that SOCs are well-equipped to handle the evolving threat landscape. Embracing AI augmentation and automation in every phase of threat management will pave the way for a more resilient and proactive security posture, ultimately leading to a high-performing SOC that can effectively safeguard organizational assets.
Every relevant alert is investigated
The Cyber AI Analyst is not a generative AI system, or an XDR or SEIM aggregator that simply prompts you on what to do next. It uses a multi-layered combination of many different specialized AI methods to investigate every relevant alert from across your enterprise, native, 3rd party, and manual triggers, operating at machine speed and scale. This also positively affects detection engineering and alert tuning, because it does not suffer from fatigue when presented with low accuracy but potentially valuable alerts.
Retain and improve analyst skills
Transferring most analysis processes to AI systems can risk team skills if they don't maintain or build them and if the AI doesn't explain its process. This can reduce the ability to challenge or build on AI results and cause issues if the AI is unavailable. The Cyber AI Analyst, by revealing its investigation process, data gathering, and decisions, promotes and improves these skills. Its deep understanding of cyber incidents can be used for skill training and incident response practice by simulating incidents for security teams to handle.
Create time for cyber risk reduction
Human cybersecurity professionals excel in areas that require critical thinking, strategic planning, and nuanced decision-making. With alert fatigue minimized and investigations streamlined, your analysts can avoid the tedious data collection and analysis stages and instead focus on critical decision-making tasks such as implementing recovery actions and performing threat hunting.
Stay tuned for part 3/3
Part 3/3 in the Reimagine your SOC series explores the preventative security solutions market and effective risk management strategies.
Bytesize Security: Insider Threats in Google Workspace
What is an insider threat?
An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.
Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.
For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.
Attack overview: Insider threat
In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.
While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.
In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.
Conclusion
Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.
Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.
Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)
Appendices
Darktrace Model Detections
SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File
