Cisco Talos researchers detailed an intent-based approach to mitigating business email compromises. (Photo by Justin Sullivan/Getty Images)

Researchers on Wednesday explained an innovative new way to mitigate business email compromise (BEC) attacks, an intent-based approach using neural networks that detects the BEC and then classifies it into a specific type of scam.

In a blog post, Cisco Talos researchers said the intent-based system catches BEC messages irrespective of whether a threat actor impersonates a C-level executive or a rank-and-file employee in the organization. The approach extracts text from an email and converts sentences to numeric vectors that encode the meaning of the words in them, using neural network language model (NNLM) or Bidirectional Encoder Representations from Transformers (BERT) encodings. It then performs detection and classification using deep neural networks.

The researchers say classification based on the type of scam can help security teams identify which segment of an organization was targeted and which employees were impersonated by the attackers. So the intent-based approach not only detects BECs, but also labels each one with the type of BEC scam. These types include payroll, money transfer, initial lure, gift card scams, invoice scams, acquisitions scams, W2 scams, and aging reports.

“Layering an intent-based detection system for business email compromise (BEC) has the potential to help security teams detect and prevent exploitation of BECs and scams,” said Patrick Tiquet, vice president, security and architecture at Keeper Security.

However, Tiquet said the strongest defense will always be a layered approach, with traditional email security best practices, employee security awareness training, and the implementation of secure business processes and procedures.

“The problem with algorithm-based detection methods is that false-negatives and false-positives are still possible,” Tiquet said. “The algorithm produces a probability score for the detection, and depending on what the threshold is configured to trigger, the detection either gets classified as positive or negative.”

Tiquet said algorithm-based detections have been used for a long time in the consumer and enterprise endpoint detection market to detect malware, and false-positives and false-negatives still occur in even the best algorithm-based systems.

“Organizations, if they were to deploy such a system, should not think that they are 100% protected from such attacks,” said Tiquet. “At the end of the day, they must still train employees to identify possible BECs, and put procedures in place to help protect against BEC exploitation and scams.” 
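The detect-then-classify flow the researchers describe and the threshold trade-off Tiquet raises can be seen in a small added example, which is not Cisco Talos code. It assumes a bag-of-words vector and per-label summed vectors as stand-ins for the NNLM/BERT encodings and the deep neural network; the training texts, sample messages and the `analyze` function are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training samples (label, text); "benign" marks legitimate mail.
TRAIN = [
    ("payroll", "please update my direct deposit bank account before next payroll"),
    ("gift_card", "i need you to buy gift cards and send me the codes urgently"),
    ("invoice", "attached invoice is overdue please process payment to new account"),
    ("initial_lure", "are you available i need a quick task done send your cell number"),
    ("benign", "meeting notes attached see you at the team lunch on friday"),
    ("benign", "the quarterly report draft is ready for your review"),
]

def encode(text):
    """Toy stand-in for NNLM/BERT encodings: a bag-of-words count vector."""
    return Counter(re.findall(r"[a-z]+", text.lower()))

def cosine(a, b):
    dot = sum(n * b[w] for w, n in a.items())
    norms = math.sqrt(sum(n * n for n in a.values()) * sum(n * n for n in b.values()))
    return dot / norms if norms else 0.0

# One summed vector per label stands in for the trained deep neural network.
CENTROIDS = {}
for label, text in TRAIN:
    CENTROIDS.setdefault(label, Counter()).update(encode(text))

def analyze(text, threshold=0.5):
    """Detect (score vs. threshold), then classify flagged mail by scam type."""
    vec = encode(text)
    sims = {label: cosine(vec, c) for label, c in CENTROIDS.items()}
    benign = sims.pop("benign")
    scam_type = max(sims, key=sims.get)          # closest scam category
    total = sims[scam_type] + benign
    score = sims[scam_type] / total if total else 0.0
    flagged = score >= threshold
    return {"score": round(score, 3), "flagged": flagged,
            "type": scam_type if flagged else None}

# Constructed messages: two scams and one legitimate mail.
SAMPLES = {
    "gift": "Are you available? I need you to buy gift cards and send me the codes.",
    "invoice": "Please review the attached invoice for the team lunch and process payment.",
    "legit": "Notes from the team meeting are attached, see you Friday.",
}

if __name__ == "__main__":
    for t in (0.2, 0.4, 0.5):   # lower threshold: more catches, more false alarms
        print(t, {name: analyze(msg, t) for name, msg in SAMPLES.items()})
```

At a threshold of 0.5 the constructed invoice scam scores below the cut-off and is missed (a false negative); at 0.2 the legitimate message is flagged (a false positive).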

Intent-based approaches are good for executive impersonation; however, they can have high false positives, because intent is determined based on behavioral analysis and is only as good as past behavior, said Patrick Harr, chief executive officer at SlashNext. Harr said these false positives are often a nuisance for the organization.

“What’s often detrimental to an organization are false negatives,” Harr said. “This can happen when an employee’s account has been compromised through account takeover. Intent is not going to be flagged here if the account sends a request that’s considered standard behavior. And that’s why credential harvesting has become the most popular of threats at the start of the attack chain and still stands as the No. 1 cause of breaches, including BECs.”