Email Security

How AI-Powered Threat Intelligence Can Protect Business Email

Expert Insights speaks to Andy Norton, Director of Threat Intelligence at Lastline, about how their platform can help businesses to protect their networks from threats like phishing attacks

Expert Insights Interview With Andy Norton Of Lastline

There are multiple threat vectors facing companies of all sizes in the modern cybersecurity landscape. Readers of our reviews commonly face problems in their email communications, such as phishing. Beyond this issue, companies also face threats to their corporate networks and their cloud data.

One vendor offering a compelling solution to these threats is Lastline. They offer Defender, a platform which uses AI-based systems to counter intrusions at scale. We sat down with Andy Norton, Director of Threat Intelligence at Lastline, to talk about how the platform works and what the key issues are in these areas.

Can you introduce yourself, and your role at Lastline?

I’m Andy Norton, I look after threat intelligence at Lastline. We have somewhat of a contrarian view on threat intelligence.

Many organisations consume multiples of 10 of threat intelligence feeds, pull it into one system and then apply all of that to what they see internally. This is essentially intel from an external IOC perspective, which is pretty much disposable. So, if I get a file hash, you won’t get it.

We’re trying to encourage the next-generation of internal threat intelligence. So actually, looking at what we can extract from the internal environments to make intelligence more accurate.

A key aspect of cyber resilience is being able to detect irregular and anomalous behaviour with sufficient context to determine the risk. We see our threat intel helping in two areas there.

The first is that we use external information to help you assess when controls fail. So, we can see for example, that one in every 500 emails that arrive within an organisation is malicious. This is important for board metrics and measurement of existing security controls.

The second is getting sufficient context for businesses. AI is mentioned by every vendor, it’s solving the world’s problem, right? One of the by-products of AI usage is the generic labelling of threats. That’s because AI is trained on specific data sets, but they don’t explain the capacity of the different malware. So, organisations find an infected device, and the response strategy used by nearly all businesses is to just re-image the system. But the problem is, that one-in-twelve of those generically labelled threats will actually have credential theft capabilities. That’s not addressed in a reimage response playbook. This is why Business Email Compromise is such a big issue.

We are also trying to raise awareness around how companies can improve companies’ level of risk awareness.

There are three different Lastline products: Defender, Analyst and Detonator.

Yes, we are working to bring everything together under the Defender name. That resonates with end users.

Who is the typical customer of this platform, are you selling to email security vendors or end customers?

We have a model that addresses both. We are known for our behavioural insights. Email providers use us as a premium advanced threat protection service.

Our readers are often very focussed on protection from phishing threats. What are Lastline’s capabilities around phishing protection?

Yes, customers come to us for help with phishing, attachments, URLs. We typically sit as the last line of defence.

But email really is the vector. Web has died, it really is too hard to exploit a browser currently.

How does Lastline work to stop phishing attacks?

It goes through a whole suite of processes. We go from the least computationally expensive to the most and catch the attack along the way. First of all, with phishing, there are a number of lists available, so we consume those. Then there are things we check like how old is the domain?

We’ve also been training our AI engine to spot phishing for the last 12 months. This means we can spot outliers and identify what classifiers define a phishing page. These classifiers are really interesting, so we’ve found that phishing emails are one screen height only, there’s no way to scroll. When you combine these kinds of classifiers you get a really strong probability of being able to stop phishing emails getting into inboxes.

It could be of course, that you receive an attachment, or PDF with a URL in it. This URL leads to a phishing page. So, ultimately, it’s about the credentials. There’s always a one-to-one relationship between the phishing message and the credentials, it’s Outlook or Office 365 or Amazon. We’re seeing an increase in key-logger attacks, and if they get in they exploit on average 28 sets of credentials from infected devices. That’ll be all the browser passwords, local user passwords and email passwords.

Is that the most common issue customers are coming to Lastline for help with?

It’s certainly one of them. I think overall, our customers are looking to stop unauthorized access into their environment, which they would call ‘intrusion.’ If we go into an organization yes, we sit behind their email and give them encounter rates and look at the capacities, but we also see legacy infections as well. The number of organizations that are pinging sinkholes with previously infected devices is like 100%. So cleaning up those legacy attacks is something as well that organisations come to us for.

Essentially, we are a dashboard for operational certainty. Within 30 days we will have seen everything, we will have the baseline to get the organization back to good levels of security and stability. Then we defend against new threats.

We have some big customers who use us for the behavioural intelligence and want to ensure that their remediation is appropriate.

What kind of threats do you see Lastline having to adapt to looking towards the future?

There’s going to be more diversity in threats. Going back to the use of AI, it’s very difficult to get a ‘.exe’ file into an organisation. AI has done a good job of stopping that. But unfortunately, they have changed the nature of the threat. So, we see new file types, new methods and different levels of obfuscation. What they want hasn’t changed though, aside from cryptojacking.

Ultimately, the three major threats that organizations face are loss of intellectual property, loss of controlled data and loss of operational capacity.

Lastline’s CEO joined the company quite recently. Are there changes happening at Lastline?

Absolutely yes. John has come in to spearhead our enterprise, end user strategy. We also have a new CRO.

We are trying to write and research things that are more influential at a policy and guidance perspective. We are trying to write new standards for malicious code detection and intrusion detection.

We worked on Asynchronous Warfare or Asymmetric Warfare. This is the idea that there’s a time issue between effective defences and the threats coming into the network. We’re trying to build awareness of this in cyber resilience.

We’re trying to say, risk assessment is really important, and if you’ve got it wrong, you’re in trouble.

Is Lastline an important part of a multi-layered security approach?

We deal with the aspect of cyber defence. So if it’s an attack or a threat on the way into your organization that is our sweet spot. But, in taking an action we would need to integrate with other platforms like endpoint, SOAR or SIEM platforms.

We are very much part of the picture, but intrusion and the way that can manifest is what we go after.
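The staged approach Andy Norton describes for phishing (cheap list lookups first, then a domain-age check, then an AI classifier over page features such as the "one screen height, no scrolling" pattern, and an encounter rate such as one malicious email in every 500 reported back as a control metric) can be sketched as a small triage pipeline. The code below is an added illustration written for this article and is not Lastline's code; the blocklist, the domain registration dates, the page samples, the feature weights and the 0.6 threshold are all constructed for the example, standing in for real feeds, WHOIS/RDAP lookups and a trained model.

```python
"""Staged phishing triage: cheapest checks first, model scoring last.

Added illustration, not Lastline code. Every data source below is
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Constructed stand-in for the external blocklists/feeds consumed in stage 1.
BLOCKLIST = {"login-verify.example"}

# Constructed stand-in for a WHOIS/RDAP registration-date lookup (stage 2).
REGISTRATION = {
    "login-verify.example": date(2024, 1, 1),
    "fresh-secure-mail.example": date(2024, 5, 28),
    "mail.example.com": date(2005, 3, 14),
    "intranet.example.org": date(2010, 6, 1),
}


@dataclass
class Candidate:
    """A URL extracted from a message or attachment, plus its rendered page."""
    url: str
    domain: str
    page_height_px: int        # rendered height of the landing page
    has_credential_form: bool  # page asks for a username/password
    viewport_px: int = 900     # assumed screen height used for the "one screen" test


def domain_age_days(domain: str, today: date) -> Optional[int]:
    """Age of the domain in days, or None when registration data is unknown."""
    registered = REGISTRATION.get(domain)
    return None if registered is None else (today - registered).days


def stage_blocklist(c: Candidate) -> Optional[str]:
    """Stage 1 (cheapest): a set lookup against known-bad domains."""
    return "block" if c.domain in BLOCKLIST else None


def stage_domain_age(c: Candidate, today: date, min_age_days: int = 30) -> Optional[str]:
    """Stage 2: how old is the domain? Unknown or very new domains are blocked."""
    age = domain_age_days(c.domain, today)
    return "block" if age is None or age < min_age_days else None


def classifier_score(c: Candidate, today: date) -> float:
    """Stage 3 (most expensive): a toy weighted classifier over page features.

    The weights are constructed; a trained model would learn them. Note that
    the one-screen heuristic alone (0.35) does not cross the 0.6 threshold;
    it is the combination of features that pushes the score over.
    """
    age = domain_age_days(c.domain, today)
    features = {
        "one_screen_page": c.page_height_px <= c.viewport_px,  # nothing to scroll
        "credential_form": c.has_credential_form,
        "young_domain": age is not None and age < 365,
    }
    weights = {"one_screen_page": 0.35, "credential_form": 0.45, "young_domain": 0.20}
    return round(sum(weights[k] for k, hit in features.items() if hit), 2)


def triage(c: Candidate, today: date, threshold: float = 0.6) -> Dict[str, object]:
    """Run the stages in cost order and stop at the first decisive verdict."""
    verdict = stage_blocklist(c)
    if verdict:
        return {"stage": "blocklist", "verdict": verdict, "score": None}
    verdict = stage_domain_age(c, today)
    if verdict:
        return {"stage": "domain_age", "verdict": verdict, "score": None}
    score = classifier_score(c, today)
    return {"stage": "classifier",
            "verdict": "block" if score >= threshold else "allow",
            "score": score}


def encounter_rate(malicious: int, total: int) -> int:
    """Board-level control metric: 'one malicious email in every N received'."""
    if malicious == 0:
        raise ValueError("no malicious emails observed")
    return round(total / malicious)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    samples = [
        Candidate("https://login-verify.example/o365", "login-verify.example", 600, True),
        Candidate("https://fresh-secure-mail.example/", "fresh-secure-mail.example", 600, True),
        Candidate("https://mail.example.com/reset", "mail.example.com", 700, True),
        Candidate("https://intranet.example.org/news", "intranet.example.org", 3000, False),
    ]
    for s in samples:
        print(s.url, triage(s, today))
    print("encounter rate: 1 in", encounter_rate(malicious=12, total=6000))
```

Two of the four constructed samples never reach the classifier at all, which is the point of ordering stages by cost: the model only runs on traffic the cheap checks could not decide.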


To find out more about the Lastline Platform you can read our full review here: Lastline Review