The Future of Email Security Lives in the SOC, with AI at the Core


Unfortunately for attackers, what happens in the inbox doesn’t stay in the inbox. Clues are everywhere (if you’ve got the time to find them).

These days, email threat defense and Security Operations Center (SOC) capabilities are converging like never before, and AI is leading the charge. That’s because rooting out email threats now takes more than a few email scans, malware sweeps, and some blocklists.

Sneaky Business Email Compromise (BEC) scams, in particular, leave almost nothing for content-scanning tools to detect: no malware, no malicious link, just a plausible message. So SOCs have to dig in deep and look for the clues left behind. And that can be hard work.

Which is why AI is upping the security game when it comes to email defense, and it’s bringing automated SOC capabilities to the table to do it. 

What is a BEC Attack?

In a BEC attack, the attacker impersonates a trusted party, typically a coworker in a leadership position or a known vendor, to trick an employee into sending money or sensitive data. There is no payload; the lure is the relationship. It’s an effective scam that costs companies billions of dollars a year.

Where Current Email Security Falls Short

Traditional email security means things like spam filters, sender authentication published in DNS (SPF, DKIM, DMARC), signature-based malware detection, and antivirus tools. Advanced email security emerged when malware got “better,” with obfuscated code and polymorphic ransomware that changes its shape mid-flight, and it added sandboxing and behavioral detonation to the stack.

Guess what? Those are all still needed. 

But they’re not enough. At least not against BEC attacks.

BEC is the Future of Email Attacks. SOCs Are the Only Thing Catching It.

BEC has been around for a long time, and that’s because its simplicity makes it ingeniously difficult to catch. There are no malicious links for email scans to detect. There are no infected attachments or URL redirects for advanced tools to sandbox. Even a strict DMARC policy only stops exact-domain spoofing; it does nothing against a lookalike domain or a compromised legitimate mailbox, which is how BEC usually arrives.

Attackers saw our leveled-up defenses and raised us a strategy that defied them all: human deception. And it’s been working. Per the latest FBI IC3 report, BEC accounted for $2.77 billion in reported losses, over eighty times the figure reported for ransomware (a comparison that flatters the point somewhat, since IC3’s ransomware total counts only losses reported to it and excludes downtime, lost business, and remediation costs). BEC not only benefits the attacker; it critically injures the attacked.

And as an added bonus, there are no “easy to catch” traditional giveaways. Instead, there are a host of metadata clues, contextual and semantic data points, and minor anomalies that only SOCs can catch, with a lot of digging, correlating, and hard work. 

That’s because no one artifact alone is enough to implicate a BEC scam. Instead, a critical mass of these clues is required to call a BEC attack in progress and catch it before money leaves hands.

But assembling those clues takes time. And when inundated with disparate threat feeds, logs, alerts, and responsibilities, time is not something SOCs have. Consequently, BEC scams historically got away. 

That is, until AI was brought into the process. 

Enter AI and the AI SOC

It’s discouraging to realize that the best defense against BEC attacks at scale is still the processing power of a human-staffed SOC. 

Sure, force-multiplying tools exist. But those are point solutions from which SOC staffers still have to draw data. Then, they need to analyze the data, correlate it, connect the dots, and draw the conclusions. 

Only then can they launch a response. But by then, it might be too late. 

Enter: The AI SOC. AI SOC Analyst Platforms are revolutionizing the way we do email security. They are doing the mind work and foot work of human analysts, and they are doing it at scale.

How an AI SOC Platform Works


AI SOC Platforms are especially geared to catch things like BEC. That is because they automate the simple, everyday tasks we thought only SOCs could do. 

Consider their capabilities within the context of a BEC investigation. What is needed to stop a BEC attack in the act (or even to spot one)?

  1. An initial clue. Employees are trusted to spot red flags like “urgent” or “I need a quick favor” when they read their email. But not everyone does.
    • An AI SOC Platform uses AI and machine learning to detect these phrases and analyze them for intent and meaning. If the intent matches previous BEC scams, the message is flagged for further review.
  2. Anomalous behavior. An email sent at a time the sender is usually offline, or from an unusual geography, is another detection method. SOC analysts scan the logs for actions like these and for additional indicators such as newly created mailbox rules (for example, forward all emails containing “invoice” to this external address).
    • AI SOC Platforms aggregate telemetry and scour the logs for these one-off clues, bringing them together to piece together the attack story. AI SOC Platform company Prophet Security notes that BEC-critical metadata to collect and analyze includes:
      • X-headers (insights into the sending infrastructure)
      • The full Received header chain (uncovers mail server routing; the bottom-most Received header is the first hop, the one the attacker’s relay added)
      • MIME boundaries (inconsistencies reveal tampering)
      • Authentication results (SPF, DKIM, DMARC)
  3. Unusual process changes. Attempts to alter the typical way of doing things may escape the notice of even a well-intentioned employee. And yet these are the things humans are trusted to see. A transaction request that skirts the usual invoice process, like a vendor changing bank accounts without the required approvals, is a sign that something is afoot.
    • An AI SOC Platform notes these changes and can notify the SOC when they occur. This saves countless hours and missed opportunities, since analysts can’t possibly read or police the content of every request at scale.
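The correlation the three steps above describe, as an added worked example written for this page (not code from the article, from Prophet Security, or from any AI SOC product): a small Python triage scorer that pulls the listed header metadata out of one message (Authentication-Results, the Received chain, an X-header), adds behavioral and intent signals (off-hours sending, urgency and secrecy phrases, a Reply-To that steers the conversation elsewhere, a lookalike domain behind a known executive’s display name), checks one mailbox-rule audit event, and escalates only on a critical mass of weak clues. The sample message, the audit event and its field names, the organization domain, relay IPs, staff directory, expected mail client, and business hours are all constructed assumptions.

```python
# Added example for this page, not code from the article or any vendor:
# correlate weak BEC signals from one message and one mailbox-rule event.
# Every input, domain, IP and directory entry below is constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "example-corp.com"                        # assumed victim org
ORG_MTA_IPS = {"203.0.113.10", "203.0.113.11"}         # assumed internal relays
DIRECTORY = {"dana kim": "dana.kim@example-corp.com"}  # assumed staff directory
EXPECTED_MAILERS = {"Microsoft Outlook 16.0"}          # assumed corporate clients
INTENT_PHRASES = ("urgent", "quick favor", "keep this between us",
                  "are you at your desk", "new vendor account")
LOOKALIKE = str.maketrans("10", "lo")                  # 1->l, 0->o homoglyphs

# Constructed sample: lookalike "CEO" domain, external Reply-To, failed
# authentication, first hop from an unknown relay, sent 03:14 on a Saturday.
SAMPLE_EMAIL = """\
From: "Dana Kim (CEO)" <dana.kim@examp1e-corp.com>
Reply-To: dana.kim.ceo@mail-relay.example.net
To: ap-clerk@example-corp.com
Subject: Quick favor - urgent wire before 3pm
Date: Sat, 12 Oct 2024 03:14:00 +0000
Received: from mta1.example-corp.com ([203.0.113.10]) by mx.example-corp.com; Sat, 12 Oct 2024 03:14:05 +0000
Received: from unknown (HELO relay.mail-relay.example.net) ([198.51.100.77]) by mta1.example-corp.com; Sat, 12 Oct 2024 03:14:02 +0000
Authentication-Results: mx.example-corp.com; spf=none smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none header.from=examp1e-corp.com
X-Mailer: PHPMailer 6.1
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need a quick favor: an urgent wire to our new vendor account. Keep this between us.
"""

# Constructed mailbox-rule audit event; field names are illustrative only.
RULE_EVENT = {"Operation": "New-InboxRule", "UserId": "ap-clerk@example-corp.com",
              "Parameters": {"SubjectContainsWords": ["invoice"],
                             "ForwardTo": ["archive.invoices@mail-relay.example.net"],
                             "DeleteMessage": True}}


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyze_message(raw):
    """Return signal name -> evidence. No single signal is a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    signals = {}
    name, from_addr = parseaddr(msg["From"])
    from_domain = domain_of(from_addr)
    key = re.sub(r"\s*\(.*?\)", "", name).strip().lower()   # "Dana Kim (CEO)" -> "dana kim"
    if key in DIRECTORY and DIRECTORY[key] != from_addr.lower():  # known name, wrong address
        signals["display_name_mismatch"] = f"{name!r} is not {DIRECTORY[key]}"
    if from_domain != ORG_DOMAIN and from_domain.translate(LOOKALIKE) == ORG_DOMAIN:
        signals["lookalike_domain"] = from_domain             # homoglyph of our own domain
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:       # replies steered elsewhere
        signals["reply_to_mismatch"] = reply_to
    auth = str(msg.get("Authentication-Results", ""))          # SPF/DKIM/DMARC short of pass
    failed = {m: r for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth) if r != "pass"}
    if failed:
        signals["auth_not_pass"] = failed
    hops = msg.get_all("Received") or []                      # bottom header = first hop
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hops[-1])) if hops else []
    if ips and ips[0] not in ORG_MTA_IPS:
        signals["external_first_hop"] = ips[0]
    mailer = msg.get("X-Mailer")                               # X-header: sending software
    if mailer and str(mailer) not in EXPECTED_MAILERS:
        signals["unexpected_mailer"] = str(mailer)
    sent = parsedate_to_datetime(str(msg["Date"]))             # assumed hours 07-19 UTC, Mon-Fri
    if sent.weekday() >= 5 or not 7 <= sent.hour < 19:
        signals["off_hours"] = sent.isoformat()
    text = (str(msg["Subject"]) + " " + msg.get_content()).lower()
    hits = [p for p in INTENT_PHRASES if p in text]            # urgency/secrecy/payment intent
    if hits:
        signals["intent_phrases"] = hits
    return signals


def analyze_rule(event):
    """Reasons a new mailbox rule looks like BEC tradecraft (hide or exfiltrate)."""
    p, reasons = event.get("Parameters", {}), []
    external = [a for a in p.get("ForwardTo", []) if domain_of(a) != ORG_DOMAIN]
    if external:
        reasons.append(f"forwards to external {external}")
    if any(w.lower() in ("invoice", "payment", "wire") for w in p.get("SubjectContainsWords", [])):
        reasons.append("filters on payment keywords")
    if p.get("DeleteMessage"):
        reasons.append("deletes the original so the victim never sees it")
    return reasons


def verdict(signals, rule_reasons, threshold=4):
    """Escalate only on a critical mass of clues, never on one artifact."""
    total = len(signals) + len(rule_reasons)
    return ("escalate" if total >= threshold else "monitor"), total


if __name__ == "__main__":
    s, r = analyze_message(SAMPLE_EMAIL), analyze_rule(RULE_EVENT)
    print(*(f"{k:22} {v}" for k, v in s.items()), sep="\n")
    print("mailbox rule:", r, "\nverdict:", verdict(s, r))
```

Each check on its own is weak (plenty of legitimate mail fails SPF or arrives at odd hours), which is exactly the article’s point: the scorer only escalates when several independent clues line up, and a benign rule that merely files mail into a folder produces no reasons at all. In practice the directory, relay list and business hours would come from the identity provider and mail gateway rather than constants.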

AI at the Center of the SOC

AI, and AI SOC Analyst Platforms, are not replacing typical SOCs. They are, however, taking over Tier 1 and Tier 2 investigation processes so practitioners can save their brains for the hard stuff.

Flagging all suspicious email behaviors, at any time, from anywhere, would take SOCs all day (every day). This isn’t feasible. Going forward, SOCs are going to rely more and more on the AI-based processes that can do these things just like they would, only faster, with greater accuracy, and without getting overwhelmed. 

Email attacks have evolved to avoid the powerful automated tools that detect them at scale. But with the advent of AI SOC Platforms, they still haven’t evolved far enough. In other words, SOCs running on these platforms don’t miss essential BEC giveaways, because they’re not stuck hunting down (or missing) alerts.

For a list of the top AI SOC Platforms to watch for, check out this article.
