Natural Language Understanding

With more than 347.3 billion emails sent and received every day, email has become highly susceptible to business email compromise (BEC). Defending against BEC is critical for the SOC or SIOC professional. Today, solutions for email security are available from many vendors. Reports further reveal that the global BEC market grew to $1.1 billion in 2022, with expectations of it reaching $2.8 billion when 2027 rolls in.

But this approach to securing traditional email is becoming a smaller part of today’s threat environment. CSOs and CISOs must now defend against social engineering attacks, insider threats, ransomware, policy violations, and more – delivered not only via email, but through popular cloud workplace channels such as M365, Slack, Salesforce, LinkedIn, Zoom, WhatsApp, Telegram, and more. At least 45% of business communications now take place over cloud channels, and attackers are rapidly deploying social engineering and language-based attacks. These types of attacks can’t be discovered by existing email security solutions.

Integrated cloud communications security (ICCS) offers CSOs and CISOs visibility across the growing number of cloud workplace channels. But understanding the context and intent of messages is key to responding quickly and stopping risks earlier in the kill chain.

SafeGuard Cyber uses patented Natural Language Understanding (NLU) technology to quickly and accurately identify and defend against social engineering attacks, insider threats, ransomware, and policy violations. NLU can understand the context and intent of communications in cloud communication channels – both inbound and outbound. By evaluating attributes such as lexical features, spelling features, and topical features, NLU can determine the likelihood that the source message is a social engineering attack.

With deep visibility into 30 channels of business communications and the ability to understand more than 52 languages, SafeGuard Cyber correlates events across channels, allowing security organizations to have full visibility across all of their cloud workspace channels.

• Cybersecurity attacks using digital communications are rampant. No matter how many layers of security solutions are implemented, organizations and their networks remain vulnerable.

• With the increasing use of cloud apps to do business, these popular channels are increasing the overall attack surface, and attacks are becoming more focused on social engineering.

• Social engineering attacks in these channels can evade traditional cybersecurity detection methods. Attacks come in typical forms of human communications, so there are no links or files to investigate.

• Many organizations don’t have the visibility to prevent attacks taking place over cloud communications channels. They may be using solutions to protect email communications, but these solutions can’t extend to the burgeoning cloud workspace.

To help CSOs and CISOs bring expert security to the cloud workspace, SafeGuard Cyber deploys a patented Natural Language Understanding to analyze, identify and prevent social engineering attacks across more than 30 cloud communications channels, protecting organizations from business communication compromise (BCC).

The progress of machine learning-powered solutions has been nothing but astronomical. From information extractors to text translators, Natural language processing (NLP) and understanding have evolved dramatically. Now, with tools like ChatGPT, people can generate content that looks, feels, and reads “human”, expediting processes and providing advantages to its users.

But even before the advent of ChatGPT, SafeGuard Cyber has been wielding AI and NLU capabilities to fight digital threats online – from phishing attacks to ransomware, to insider threats.

SafeGuard Cyber security combines Natural Language Understanding and AI machine learning to understand the human elements of context and intent in cloud communications. Language-based elements in a conversation, including lexical features, spelling, and topical elements are automatically analyzed and evaluated against models to identify social engineering attacks. Now, with visibility across channels and NLU analysis of context and intent, organizations can respond faster and stop attacks earlier in the kill chain.

Natural Language Understanding processes communications in three phases:

1. The first phase is pre-processing and text preparation. In this phase, the input message goes through initial attributes extraction and token extraction. The text preparation portion of the first phase of processing begins by detecting what language the source message uses. This is important to ensure that text tokenization is done in the appropriate manner. For example, languages like Japanese do not use spacing the way western languages do and must be processed appropriately. This requirement applies to all of the NLP processing steps.

2. In the second phase, features are extracted from the original message or the message tokens and passed to a trained machine model. Once the language has been detected, a text preparer begins text tokenization. The text preparer receives the input text and breaks it up into logical tokens that are to be evaluated in the feature extraction phase. The text preparer can include programming for updating the text message to include part of speech (POS) tags for each word in the text. This includes labels like noun, proper noun, verb, adverb, etc. In addition, the text preparer removes unnecessary words from the text, such as “is”, “the”, “a” and others that are not needed for future action.

3. In the third phase, all features are extracted from the message and scored using the model. The output of the model is a final risk assessment indicating if the analyzed message is potentially a social engineering attack, and such risk assessment can be followed by appropriate remedial action.

After evaluation is completed, a lexical feature extractor assesses the attributes list generated in the pre-processing phase to determine whether any elements within these attributes may be a sign of attack. For example, the inclusion of a URL that has an IP address instead of a domain name is not normal in business communications.

The use of an unusually long URL in the message is often seen as a strategy to mask a suspicious domain or subdomain of the URL. A lexical feature extractor determines if possible fake domains are in use. For instance, “facebok.com” or “amazn.com” may be employed in an attack.

In these cases, the domain in use is extremely close to facebook.com and amazon.com. Most users will not notice the difference and consider them safe. The results of these components can be combined into a vector that will be combined with other text features and passed to the model evaluator for analysis.

A spelling feature extractor receives the list of cleaned tokens and analyzes them for spelling errors. For example, the spelling feature extractor can count the number of misspelled words in a message or document and then generate a normalized metric for this count based on the length of the message. This normalized misspelled word count can be used in conjunction with other extracted features by the model. Also, the spelling feature extractor outputs a ratio of spelling mistakes for further processing.

Then, the topics feature extractor evaluates the list for common topics included in social engineering attack messages, detecting questionable attributes such as:

Urgency

where the message recipient is being pressured to do something

Surprise/award

where there is some sort of gift or unexpected award offered in the message

Privacy/secrecy

where there is pressure to keep the communication private

Credentials

where the message recipient is being asked to verify or change their password or credentials

Suspicious activity

where an attacker is trying to get the recipient to believe that there is something wrong with their account or that they have been attacked

Payment/invoice

where the intent is to get the message recipient to make a payment on a fake invoice

Authority/boss

where the sender attempts to impersonate an individual with authority

A call to action

where the message asks the recipient to do something questionable

The final phase of the process is model analysis. Here, the combined features vector is passed to a pre-trained model evaluator that predicts the overall risk score of the received message. The model evaluator outputs a risk score, calculated as a value between zero and one. Any score above a 0.5 is considered a possible social engineering attack.

SafeGuard Cyber’s own Natural Language Understanding and AI-powered platform performs these tasks effectively and efficiently. As a result, our platform can effectively stop social engineering and phishing attacks in their tracks.

Here are some real-world examples, lifted from the SGC platform:

Figure 1. An Indian phishing scam flagged by the SafeGuard Cyber platform

Aside from using controversial stories to pique interest and attract attention, social engineers and phishers often use scams and false promises to convince people to either give out money or information, as evidenced by the example below:

Figure 2. A UK Visa scam email flagged by the SafeGuard Cyber platform.

These tie into the various use cases of Natural Language Understanding and AI to protect industries from:

• Impersonation

• Insider Threats

• Malware & Ransomware

• Social Engineering

Moreover, NLU benefits companies by addressing compliance requirements for mobile messaging, CRM free text, and social selling, especially for highly-regulated industries like life science and financial services companies.

SafeGuard Cyber’s NLU benefits enterprises by operating in a variety of environments. One example environment is an electronic mail system where hundreds, thousands or even millions of e-mail messages are received every day. Emails may be sent to one or more employees of the organization, where the email contains a sender email address, a subject matter description and the body copy. The address, subject matter description and email body copy may be considered an electronic message or source messaging, which includes message metadata.

SafeGuard Cyber NLU can process hundreds, thousands or even millions of messages in near real-time. Messages that are flagged as meeting a risk threshold are kept from immediate transmission or processed in an effort to thwart or minimize the perceived risk. In this step, only messages that are not perceived to be risky are passed to the intended recipients. Source messages that are considered a risk can be evaluated further and deleted, transmitted to proper authorities or otherwise acted upon as deemed appropriate.

How NLU determines context and intent to detect attacks across channels and language

There are significant disruptions taking place in the overall messaging environment. First, organizations are moving away from Microsoft Outlook email servers to use applications in the cloud, such as Microsoft 365.

Second, attacks are changing; no one is sending just malicious links any more. Attacks have become more targeted, more social engineering focused, and attacks have broadened their scope to target everyone in an organization. This means that file analysis and link analysis is only marginally useful.

The email market is so massive, that everyone who needs it has some level of email security. But many of these legacy solutions are based on an older generation of technology and have become unable to detect attacks that take advantage of multiple communications channels.

By deploying NLU, SafeGuard Cyber can prevent attacks that reach beyond email. Using APIs instead of agents, we are able to evaluate incoming and outgoing communications in cloud workspaces such as Slack, Teams and chat. This is a high-level differentiator. But the differentiation in this space is beyond just detections.

Many solutions perform metadata analysis, but all they are doing is checking the domain to see if it has a strong reputation; how old it is; or when it was created. A lot of companies’ solutions connect to Microsoft 365, but they do not deploy machine learning and are not complete solutions.