How the Proofpoint Attack Index Reveals Your Most Targeted Users

January 03, 2019
Craig Huitema

The threat landscape is constantly shifting, and one of the most fundamental changes of the last couple of years is manifested by the simple fact that it is easier to attack people than computers.

Sophisticated attackers target users directly

For attackers, it is easier, faster and less expensive to launch malware by persuading users to click on a link or open an attachment than it is to exploit the vulnerability of network systems. In many cases, a well-crafted email employing even moderate social engineering skills is all that is needed to effectively execute an attack--i.e. there isn’t even any malware involved.  

Many of today’s cybercriminals are well organized, (illegitimate) businesses with org structures and business models that aim to optimize ROI. As such, they are interested in taking the fastest, most efficient path toward their objectives like intellectual property theft, financial gain, and more. It is still critical to protect the infrastructure. However, the incessant parade of massive data breaches reflects the fact that focusing only on infrastructure is not working. A focus on people must be added. This is an ‘and’ not ‘or’ proposition.

Proofpoint’s people-centric security model

Proofpoint’s comprehensive visibility into corporate email, consumer email, social media, network threats and SaaS apps gives us unique threat intelligence regarding what is happening across the kill chain – threat intelligence that is not possible if you are simply looking at malware. We are using this intelligence to surface insight that ultimately lowers risk for your people.

The underlying premise for people-centric security is to identify which people are most attacked, and thus most at risk. Once we understand who they are, we can then prioritize and apply controls. But how do we measure this risk?

Measuring the volume of threats isn’t enough

To understand who in an organization was most attacked and most at risk, we initially look at the volume of threats a given person received in a specific timeframe. This approach tells us who receives the largest volume of threats. But volume alone doesn’t tell who is most at risk.

For example, user Bob may receive ten threats in a week, while another user, Sue, may receive only two. Volume tells us Bob is more attacked and thus more at risk. However, if all 10 of the attacks on Bob are coin miners that are just stealing a few cycles from his machine, and both of the attacks on Sue are RATs, then clearly Sue is more at risk. Highest threat volume alone does not indicate highest risk.          

Proofpoint Attack Index reflects the true risk of threats

As a result, we developed an index that would better reflect the true risk of a given threat, or set of threats, that a person is attacked with. This is the Proofpoint Attack Index. The essence of the Index is that every threat a user receives is given a score. We then add the threat scores up over a given period of time and this yields the Attack Index score for a particular person.

The Attack Index assigns every threat a score of 0 – 1000, based on 3 key components:

  • Actor Type
  • Targeting Type
  • Threat Type

Actor type considers the criminal’s level of sophistication. For example, an APT state actor will be given a higher score than a garden variety small crime actor.

Targeting type speaks to the degree of targeting involved with the threat. Did the threat hit only one user on the entire planet? Was it focused on a particular user, company, vertical or geography? Or was it a spray and pray campaign seen by half the globe? The former will receive a higher score than the latter.

Threat Type addresses the type of malware involved in the attack. This considers how dangerous the threat is, and how much effort went into the threat. In this case, a RAT or stealer is going to have a higher score than a generic consumer cred phish.

So after having gone through this somewhat academic exercise of Attack Index computation, what can we do with it? Lots of cool things! At a high level, it allows us to identify which people have the most risk. Once we understand that, we can prioritize people, based on risk, and implement adaptive controls to reduce that risk.

What this means, in practice, is that we can answer questions like:

Who is the…

  • Most Attacked Person?
  • Most Attacked Domain?
  • Most Cred Phished Person?
  • Most Highly Targeted Person?

A VIP might not be a VAP (Very Attacked Person)

Often times, the assumption is that VIPs (by default, the C suite) are the Very Attacked Persons (VAPs) in an organization. This is indeed the case sometimes. But there are many cases where others are more attacked. These may be IT admins that have significant system privileges or people in PR or investor relations whose names are splashed across many of the company’s web pages, etc.

As we begin to understand who the VAPs are, we also see patterns emerge. In some companies, we may see that a strong contingent of Product Managers may be very attacked (with bad actors seeking intellectual property). In other companies, we’ve seen a propensity to attack salespeople and other customer-facing staff (with bad actors trying to gain information about their customers), etc. These insights can be useful in developing appropriate controls.

At a high level, the key thing here is that the Attack Index can help identify which people are most at risk, such that you can then do something about it. Digging a bit deeper, you can also understand the patterns of the attacks, characterize the threats, the campaigns and the actors. Equipped with this level of insight and visibility, you can then apply controls to reduce that risk.

On December 3, Proofpoint added the Attack Index to the Targeted Attack Protection (TAP) Dashboard. This is additional functionality that is free of charge for existing TAP customers. My next post will discuss the mechanics of how you can use this capability in TAP to gain more visibility and insight into your Very Attacked People.