Email attack trend predictions for 2020

Evan Reiser, CEO of Abnormal Security, and Cyber Work podcast host Chris Sienko discuss where email attacks are headed in 2020 and how AI and machine learning can help detect business email compromise.


Chris Sienko: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. A few weeks back, we had Sam Bouso on our show to talk about security concerns surrounding the escalated quality, quantity of online shopping that people do around the end of year, holiday gift-giving season. And now, it's time for that other hallowed holiday, the predictions for the New Year. Today's guest, Evan Reiser, is the co-founder and CEO of Abnormal Security, an email security company that uses AI and machine-learning to prevent socially-engineered, email-based cyber attacks. As with many other forms of cybercrime, email cyber attacks are only partly based in technology, and have a lot more to do with social-engineering and cell use of the existing technology to get you to respond before you've had a chance to think about what you're being asked. We've seen some technology rise impressively in the past few years, becoming more effective at stopping malicious operations before they can get started. That just means that the mental game is still the strongest game in town. So Evan and I are gonna talk about some email attack trends that he's predicting will be on the rise in 2020 and beyond. Evan Reiser is CEO and co-founder of Abnormal Security, an expert in applied machine learning solutions, with over a decade of operational experience building enterprise behavioral profiling technologies. Evan most recently led product management and machine-learning teams for Twitter's advertising business, and prior to that, co-founded several successful companies, including Bloomspot, acquired by JPM Chase, and AdStack, acquired by TellApart. 
Evan started his career at Eastman Kodak, doing research and development in machine-learning for intelligence applications. He holds a B.S. in computer systems engineering from Rensselaer Polytechnic Industry, Institute. Evan, thank you for joining us today.

Evan Reiser: Thank you so much for having me. I appreciate the--

Chris: Got so close and then beefed it on the last one there. So we always like to start out with origin stories, so tell us how you got involved in computers and tech originally. And when did security enter the mix?

Evan: Sure, so I got involved with kinda computers and technology long before security, actually. So, like many people that grew up in the late '90s, the initial introduction to computers was through video games, and, you know, I was always trying to figure out how to make my computer more powerful so I could actually play games, and got into, you know, building computers, you know, in high school. I then decided to apply to colleges to do computer engineering. I thought computer engineering, at the time, was like building computers, like to do fun stuff.

Chris: Right.

Evan: Obviously it was like electrical engineering and math, but went to school for that. You know, got into computer science, and you know, building software. You know, primarily to kinda fuel more video game hobbies. And then ended up taking a job doing nothing related to anything I studied. No electrical engineering or math, it was actually just doing web development. You know, worked in, you know, started off workin' on Wall Street, quit that after about 18 months, doing software, did a bunch of startups for, like, the next, you know 10 years or so, and then really kinda recently got into cybersecurity by, you know, just meeting some people in the industry and realizing what a big problem it was.

Chris: Okay. Was there something particularly that drew you to it? Or was it more that just that there was a niche that needed to be filled?

Evan: So I've worked, you know, the last 10 years so I've worked in product management. And you know, part of the reason, I've always been a builder of sorts. I think the thing that kind of attracted me to workin' with enterprise businesses is getting to sit down with people, listen to their problems, and then kinda bring them, you know, these awesome solutions that they would get excited by. So the thing that actually pulled me into cybersecurity, and email security specifically, was really just meeting a lot of customers. I had met some investors that I worked with and they introduced me to probably about, maybe 20 or so Fortune 500 CIOs, and I sat down with them, and I asked them, well, what is a product that you kinda wished the market would produce? Like, what would you like to buy in the next six months that costs, you know, a quarter of a million dollars or more? And very surprising. I thought they wanted, you know, data infrastructure and, you know, these other things. And just, you know, this was at the end of, I guess the beginning of 2018, and the number one thing they all said then was we're having problems with social engineering, executive impersonation, fraud, account takeover, and that was like the main thing. And you know, I kinda didn't believe it. I ended up finding these stats from the FBI that kinda talked about what a big problem it was. And they probably didn't realize that kinda my background, and my team's background in machine-learning was kind of gonna be a great way to solve that problem. So I kind of got, you know, sucked into it. And I was a little bit skeptical whether it was gonna be the right thing for me, but, you know, I've actually really fallen in love with cybersecurity and feel really fortunate to work in this space.

Chris: That's great. So, we've touched on this briefly, but let's sorta dig into it. How did your early interests, jobs, experiences, studies and other opportunities bring you from a burgeoning interest in tech into leading an email security company? Like, what are some of the sort of steps along the way where I learned this here and that helped, and I learned this there and that helped, things like that, whether it's education, whether it's previous jobs?

Evan: Yeah. You know I think my kind of my early startup career I worked in consumer startups, right? I think the, you know, the interesting thing about consumer startups is you kinda have this very fast development cycle where you're tryin' to build things, see if people like it, and they kind of, you know, just iterate really quickly. And so it kind of helps you too, and you're just like, you know, speed of development, you know, capabilities. Right? And just like it resets your mindset of what it means to kind of build things. I then move into enterprise software and you know, built, you know, worked on several different products kind of that we sold to large enterprises. And I think the thing that I, you know, learned from that and really enjoyed about that is you gotta sit down with people right? Instead of just publishing stuff on your website and kinda seeing did the stats go up or down? You gotta sit down with someone and really understand, you know, here's the problems they have, here's the environment they live in, here's their kind of hopes and dreams of what they wish people would do. And I think just my experience, you know as a product manager, working with people and tryin', you know, to take technology that I knew about and kind of apply that to maybe new areas. I think just kinda that, you know, human back and forth in development, and kinda really learning and empathizing, I think was the third thing. And then I think, finally, just on the technology side, I'd spend a bunch of, you know most of my career in advertising and technology. Advertising and technology is really about you know, trying to understand the behavior of people and try to figure out, you know, how do you influence that? Or what causes things to be, you know, them to be influence it? 
It's really, technology is all about you know, predicting behavior, and I think just kinda the intersection of, it's high speed development, this kinda customer-focused, you know, product development and then kind of the, you know, my background in, you know, machine-learning technology. Once kind of, you know, I heard about these problems that, you know, large enterprise were having with email security and social engineering, it just coincidentally, that experience I think was really helpful in us, you know, building a, ultimately kind of working with those customers and helping them solve these problems.

Chris: Well, that dovetails nicely into our main topic today, which, of course, is email attacks and how we think they might change in 2020 and beyond. So first, you know, just to make sure we know what we're talking about, let's define our terms. When you say email attacks, are we just talking about phishing? Or are there multiple variant attack vectors that we're speaking of with this term?

Evan: Yeah, it's a great question, and I'm a bit, you know, a bit of a novice, right, in cybersecurity, and so I think one thing I'm surprised by when we first started was just how many terms there were and how overlapping they are. Right? Sometimes people use phrases like business email compromise, and sometimes they mean phishing, sometimes they mean executive impersonation, sometimes they mean account takeover, right? And they kind of all blend together. And there's a couple different frameworks people use to, you know, talk about different types of email attacks. I think, you know, they all, you know there's a lot of kind of marketing folded in there, it's kinda hard to know what people mean. One way that we use to think about it is just, you know, talking about kinda the fundamentals of what is the attack? And there's kind of three categories that we use. So, one is any sort of link based attack. Right? So you know, traditional phishing where they're trying to get you to go to some website, or it could be some, you know maybe sophisticated advertising. The second category is some sort of file or attachment based attack, where people are, they're trying to use ransomware or malware to do a bunch of things. The third category, which is where we really specialize in, is, I think Gartner calls it payloadless attacks. The idea is that there's kinda no link and there's no attachment, so a lot of the kind of conventional mechanisms for stopping it don't really work. So, you know really that category, it's called, you know, payloadless, 'cause there is no traditional payload, I think those are generally, I would refer to those generally as like social engineering attacks. Kind of objectives vary, it could be, you know, stealing data. It's usually stealing money. But, you know, I would call them social engineering. They're not really payload-less, right? 
You know the social engineering attacks, they have a payload, it's just like in the text, in the words, and they're trying to create almost like--

Chris: Right. It's still driving you toward an action that results in a problem, yeah.

Evan: Exactly, and like, the payload is almost like an emotional response, where they're trying to get you to think something, and just like, you know, bypass your traditional way of working. And they're very clever and they kind of change everyday and every week, and so anyway, I think any attack that's trying to, you know, steal something from a company, it's coming in via email, I would generally put that into this bucket of, you know, targeted email attacks.

Chris: So what have been some of the major changes or shifts in tactics that you've seen in email attacks in 2018 and 2019?

Evan: Yeah, so I think when you know, email has come a long way but when people first started using email, the primary, you know, attack was just spam. It was people trying to, if you were you could just send ads to people, and it would, you know hope you would go click on the stuff. They would make, you know, one cent per click or something like that. You know, I think over the last 10 years, we've seen a rise of kinda phishing and malware, just as, you know, anti-spam solutions have gotten better, kinda attackers have gone to like the next most profitable thing. And I think that the big trend which, you know, it started, you know, many years, you know, probably four or five years ago, but I think it really kind of blew up in 2018, was the kinda the rise of business email compromise. It's kind of, you know, it's kind of crazy, right? People realize that like the best way to make money from, you know, harassing businesses is just to ask them to send you money, right? It's a, you know, they're basically stealing money, but convincing people to do it through social engineering. And so I think that's kinda been the, you know, the big shift as people have realized that, rather than kinda spamming out, you know, millions of emails and hoping that, you know, one of the million work, they're spending time doing a bunch of research and really personalizing these email attacks, hoping that, you know, one out of 10 work, but if it does work, right, it's gonna be a, you know, a $100,000, you know, win for them, right? And they're gonna steal a bunch of money from these companies.

Chris: Can you kind of walk me through, like, a scenario? Like, just a fictional version. Like, what would an example of a customized email look like?

Evan: Yeah, so they really vary in kind of complexity and maybe I could talk about a more complex one, you know, later on.

Chris: Sure.

Evan: But the kind of the example would be it's almost kind of silly to talk about, 'cause it's surprising that these things work, but it is actually I think the number one cyber crime right now. People will go and impersonate an executive. So they might register a new email address, you know, where it would kinda say, you know,, and then they'll send an email to, you know, the company using that executive's name, and they'll send it to maybe the CFO and they'll say, hey, I need, you know, I'm working on this project, I can't tell you about the details because it's, you know, part of this audit. I need you to send a million do-- I need you to pay this invoice for $1,000,000 to this company. Can you help me with that today just 'cause I need to finish this up? And, you know, people place so much trust in the identity they see in email that they fall for this. Not all the time, but you know, maybe one in 100, you know, attempts, and you know that's kind of the example. If someone tricks someone into doing something bad, there's 1,000 different flavors. People, they could be stealing, you know, they could be asking for gift cards or invoice payments or, you know, someone's credentials, but that's kind of the, maybe the most, you know, common example.

Chris: Okay. Do you wanna, could you give us an example of the more complex, you said maybe later on, but could you give me a more complex example, or?

Evan: Yeah.

Chris: I'm curious, 'cause I, you know, I know that, you know, yeah, that's sort of a common one is sending it to the payroll person, say I need you to, you know, do this for me or whatever. You know, or it's someone who's new to the job, and oh boy, the boss just told me to do something, I'd better do it, you know, and stuff like that. But what are some of the more sort of like intrepid or unusual ones that you've seen that where you really just kind of shook your head with admiration a little bit?

Evan: Yeah, man. There's a lot. I mean, we probably see like a new attack every week, and like, each one of these you get, you know they're kind of mind boggling. You know, all, I have so many good examples, I'll go through with a relatively straightforward one though.

Chris: Okay.

Evan: It can get very nuanced. So we found it's an example where someone was targeting a treasurer of a company, and they looked this person up on LinkedIn. They found some information on a LinkedIn profile. They sent a... They created their own kind of Microsoft instance and created like a OneDrive file. And basically they kind of did this fake, almost like a OneDrive sharing email so it looked like it was coming from Microsoft, and it was basically from the person's boss, and it was like, you know, Q4 budget plan or something like that. And so they got this email and it looked just like a, you know, Microsoft OneDrive sharing link. The person clicked on it, which was a very targeted spear phishing email. The person clicked on it. They went to a fake Microsoft login page, they type in their credentials. They went to a fake Microsoft two-factor page, so behind the scenes, the attacker then, you know the system triggered the two-factor alert, they got the SMS, they type in their SMS, and then took them to a real OneDrive file. But the OneDrive file said, hey deprecated, you know, I'll send you the new file later. Right?

Chris: Yeah.

Evan: So kind of the user experience was like, oh, my boss just sent me this file but it's no longer, it's out of date already. Right? Okay, whatever. The attacker then, you know, had the credentials, had the two-factor authentication code, logged into the treasurer's account, searched for the phrase wire transfer, found the last time this person had issued a wire transfer. Right? Copied the exact same process, got a copy of this, you know, Excel document which was the process for doing cash transfers inside this company, then sent an email as the treasurer using the real email account, which obviously is authenticated, to the same person they always send it to, and said, hey, here's the new authorization form, here's, you know, this is my signature because they had copied the signature out of the Excel file into the new Excel file. Yeah, I need this, you know, payment sent to this bank in China. You know, this invoice had a very, you know, kind of nonspecific reason for why it had to be sent, and they ended up sending, you know, this money to China, and you know, they didn't find out for a long time because there's really no, you know, signals in the email. Right? And a lot of these internal emails, they don't go through you know, a secure mail gateway. That's kinda, or some sort of traditional defense. So that's kind of one example, and you know, there's actually even crazier ones, but that's at least one that's kinda, probably a lot of people can relate to.

Chris: So sort of flipping in the other direction, can you think of like an unlikely tactic that works more than it realistically should? Where like you can see it sort of empirically and say, like, no one's gonna fall for this, but like it, people fall for it all the time.

Evan: Yeah.

Chris: 'Cause you just gave me an example of one where it's like, I might well fall for that. That sounds all too plausible. But like what are ones where you're like, why are you still falling for this? It's so obvious.

Evan: So, there's also a lot to choose from here. You know, one which I hear about all the time is basically these emails that they're trying to impersonate Microsoft, but they're, it's like a, it's like you've missed a voicemail. Right?

Chris: Oh, okay.

Evan: Every business you just show, like, you don't get voicemails through Microsoft. You know? five, right?

Chris: Yeah.

Evan: So that one's actually very common. We see those all the time. The other one I've seen that worked, that I was, you know, somewhat impressed by but and somewhat surprised is an email campaign that had something like, your car's been broken into. Right? And then you had to like sign into some form to, like, get more information about it. And it had like a 20% open rate or something, but it was really, you know, hopefully people have learned since that. But it's crazy.

Chris: Wow. So have you seen the awareness landscape change in the recent years? Is there any indication on the other hand that people on the whole are becoming more savvy around suspicious emails? Or are we still kind of constantly reinventing the wheel year to year?

Evan: Yeah, no. I mean, I think there has been a lot of improvements around, you know, training and awareness and education. I do have kind of a, maybe a somewhat controversial opinion about this, but like, I do feel like people have kind of given up on software for trying to stop a lot of these technologies. You know, there's no way you can stop these, you know, programmatically, or with software, right? Instead, let's go train our workforce to go like recognize things. And you know, it hasn't been unsuccessful rec, and a lot of companies have gotten, you know, good results by kind of educating the company about it. They say, hey, like look for these things and you know, look at domains and if you don't recognize the sender, the email address, the link, you know just ignore it. And, I'm sure you've seen this, but almost, you know, probably 80% of the Fortune 500, they have like these banners at the top of their email which says, this is from an external source, do not, you know, be very careful.

Chris: Right.

Evan: So, I think in some ways, like have those helped? Absolutely, right. I'm sure that the number of attack systems have gone down by half, but I do worry that the trend that we're moving towards is where we're using kinda like non-technology. Right? To go stop the attack. And so, you know, I think that there's, you know, I think, yes, that been successful, but I don't think that's going, I don't think you really want to be training all your workers to spend, you know, 10 minutes of every day analyzing emails. Right? It's probably not the kind of productivity that, you know, I'm sure a lot of CIO's, you know, try to email systems.

Chris: Sure, so to that end though, how does one change thinking that drives people to click suspicious links or give their information away? Are there, what are some security awareness things, what you do think that security awareness training should be focused on in these cases?

Evan: Yeah. I mean, that's a good question. I mean, I think a lot of it is focused on some of the mechanics, right? And some of these training programs, and if you ask kinda the average employee, hey, what should you look for to identify phishing email, right? They'll say, hey look for people you don't know, look for like misspellings in the email, and look for like, you know, bad links, or like weird links. And the challenge of that is like, that's actually a pretty effective way of stopping the, you know, the average phishing email.

Chris: Right.

Evan: But I think we're seeing this trend of personalization where people are, you know, they're sending these more and more sophisticated attacks where it's coming from someone you do know, and there are no typos, right? 'Cause it's been very thoughtfully, you know, put together. There's information that maybe sounds like only this person could know. And the links may not go to places that are very suspicious, right? It could be going to a Google Drive with a phishing link. Right? Or a you know, Microsoft file with a phishing link. And so I think that, you know what I hope would happen, and what I think may happen is people kinda shift the training awareness away from like the individual tactics, to more on hey, like if people are asking you to like bypass a business process and it sounds weird, maybe just pause and take a second, and so I think the general education around, like, what's the psychology behind why these attacks work, the fact they bypass your critical thinking and kinda judgment, you know, parts of the brain.

Chris: Right, right.

Evan: I think more of that would actually arm people, but that's probably not the best solution at the end of the day, 'cause you still probably don't want to have every employee inside a company going through mental calculus for every single email they get.

Chris: Right. But you know, 30 seconds on the phone can probably solve a lot of these problems, right?

Evan: That's true. That's true.

Chris: Yeah. So, you've noted several times it sounds like that spear phishing and whale hunting are probably more prevalent these days. It seems like they're becoming more targeted and to higher levels. So considering the stakes, are there any indications that C-suite executives are receiving better security awareness training to combat that?

Evan: So, I think so. I mean certainly most companies that I've talked to have rolled out some sort of, you know, training awareness program. And even people outside of cybersecurity are fair, you know, if you look in finance teams and kinda the greater IT organizations, people are aware of kind of this email fraud. And I think especially at the, you know, the more senior executives, they're very familiar, and I think maybe, so I would say, like, overall yes, I think the industry is doing a good job of kind of educating people, and companies doing a good job of kind of distributing that. I think that people are still a little bit unaware of just how sophisticated the real attacks get, and you know, my kind of explanation behind that is if you get a very sophisticated attack, right, and you maybe accidentally lose $100,000 or something bad happens, and you don't write a blog post of that, right? You just don't talk about it.

Chris: Yeah.

Evan: You do call up the FBI and you ask them to help you get your money back, but they're, 'cause it's embarrassing and it's, you know, something that no one really likes to talk about. I do think that there's a challenge in kind of helping people understand how sophisticated it is. And so I think that's kind of a potential gap to maybe close.

Chris: Yeah, removing the stigma a little bit.

Evan: Yeah, yeah.

Chris: So I saw a stat that the number of internet users will triple to over 3,000,000,000 in the coming years, and obviously a lot of those are gonna be relative newcomers to technology and thus susceptible to attack, so what are some tips that you have for people who are just getting on the email for the first time, and how do we disseminate such email to newcomers? I mean, we're talking here about people who have probably been using email most of their adult lives. So, like, how do we sort of quickly on-ramp people who are just getting on for the first time?

Evan: Yeah. You know, I've been such a nerd, you know, growing up, and my whole life, that I've probably lost perspective on what it's like to not use email or something like that, so.

Chris: Yeah, exactly the same.

Evan: I may not have great advice here, but I mean, I think the one thing that's I think is like a general pattern that I think people should be aware of is I think kind of us as humans, right, we treat, you know, these visual communications is very similar to how we do, you know, a face to face conversation. And you really put a lot of trust in the identities of people, and I think people don't really realize that you can't always trust that when it says it's coming from Evan, it really is coming from Evan. And so I think that people just remove this mindset that, like, if it says that there, or if it says Evan's phone number, it's really that person on the other side of the keyboard, the other side of the screen. So I think just that if we could, you know, if that was kind of the one thing that we told people, like, hey, just because it's coming from you know, Evan's email address, right, doesn't mean it's really Evan on the other side of that email. I think if people kind of understood that concept more broadly, I think that would, you know, trigger probably the right type of critical thinking that would, you know, probably stop a lot of these attacks.

Chris: Okay, do you have any specific recommendations for educating executive level users about email attacks?

Evan: Yeah, so I, you know, don't know if I have, I don't know if I've seen kind of really great practices about that. I mean, I think one is just, you know, sharing information about, hey, here's what we've seen in the industry, here's what we've seen in our peers, here's some of the things that were close calls. I think that the companies that, you know, have kinda the intellectual honesty, I think culturally, to really talk about those things, you know, as an executive team, I think those people are more aware and more prepared. So, that's just my observation. And then if, you know, if I could kind of, you know, inject one piece of advice into, you know, executive teams, generally I would say that, you know, a lot of these email attacks are evolving very quickly. You know a year ago, it was all about these business email compromises. Now we're seeing a huge increase in supply chain compromise, where people are saying rather than goin' right to the company, it's actually better to, you know, go and to take over a vendor account and then, you know, hijack a purchase order or invoice and get paid through that. And so, the attacks are kind of moving outside the individual companies, right? They're going into supply chain. I think that will be, you know, probably like the next big, you know, problem that a lot of companies will face.

Chris: Yeah, okay. Any tips on that? About using third party vendors and things like that? What should you, you know, what should companies be changing in terms of their protocols for dealing with outside vendors?

Evan: Yeah, I mean, I think one is just realizing, you know, it's kind of going back to the general advice that just 'cause it's coming from the vendor's email account, doesn't mean it's really the vendor, right? We have seen a lot of email vendor account compromises. I think the other thing is just, you know, generally sticking to, you know, business process, and like removing the number of exceptions that, you know, made or the amount of people that are kind of bypassing that process. You know, that is a, you know that is an effective way, right, to stop the attacks, and just being, you know, being suspicious, right? If someone's changing their account number, routing number, right, things like that, probably, it doesn't normally happen, and so it's probably good to, you know, verify.

Chris: Right. Okay, so going beyond 2020 and sort of deeper into the future, where do you see email attacks going in five or 10 years from now? Do you think there'll be a point in which, like, AI or end-user protection will make email attacks a lower order risk in the way that spam filters have turned that phenomenon into little more than a minor nuisance?

Evan: So I do think so, actually. You know, I'm sure 20 years ago, right, when people said, hey, how are we gonna stop all this spam? It's like seemingly impossible.

Chris: Right.

Evan: I'm sure it sounded like an insurmountable problem. And you know if you look at, you know, there's some companies that deployed, you know, great technology to go do that, right? Microsoft, Google, ProofPoint, you know. You know, a bunch of others. And it's now become quite effective.

Chris: It's a weird exception when a piece of spam actually hits my inbox these days.

Evan: Yeah.

Chris: And that was not the case 20 years ago, yeah.

Evan: Totally, I remember like using like, you know, I guess, you know, spammed it, but I remember, like, even when I was in school right in the early, you know early 2000, like, you went to go look at your email, and it was basically like you had to hunt for the real messages, right. And that was kind of the way of doing things.

Chris: Right.

Evan: And I think that there was always kind of this, like, mental overload that was required by people to kind of effectively use email. I think that's now shifted to some of these, you know, there's phishing attacks, and these social engineering attacks, and there's kind of more similar space. And now it seems almost cra-- you know, almost insurmountable. Could you build technology and software that could dynamically predict, you know, a new attack every day that's never been seen before. How is that even possible, right? Using kind of state of the art technology. And you know the answer is, right now, if you look at kinda what's been done for the last five years, like, that's certainly not good enough. There's no way that that could go work. I do think that, you know, five years from now, I think that these solutions will improve, right? Of course, I'm not biased. I'm biased here as a cybersecurity, email security inventor, right? So I do think that, you know, these problems, I do think we can invent new technology across the industry that goes and stops this. And there will be, you know, some of that's more advanced. Right? When attackers find out this isn't worth it and move to something else. But I do think that, just given the pow-- just, if some of the new, the more recent inventions and kind of deploy machine-learning towards this, I think the reduction of costs and computational power, I think those things are gonna make it really easy, or much easier for us to go combat kind of the next generation of threats. And my guess is they'll probably stick to be very similar. I think at the end of the day, it's very hard to break through cryptography or break through firewalls, but there are kinds of open channels of communication, whether it's email or phones or Slack or Skype or whatever it is, those technologies are designed to like let people talk to each other. 
At the end of the day, I think attackers are gonna be targeting, you know, human judgment, rather than kind of these technology systems. I think that's gonna be the fastest way into these enterprises.

Chris: Okay. So, as we wrap up today, let's talk about that. Tell me about Abnormal Security and some of the strategies and services that you provide to your clients.

Evan: Yeah, so, I mean, Abnormal Security, we're an email security company. We do all the things you'd hope an email security company would do. But where we focus is the social engineering attacks. Right? The different types of business email compromise, you know, executive impersonation. We also do the kind of the more sophisticated account takeover prevention. Like similar to what I mentioned earlier. And the way we do it is a little bit different. Right? Rather than purely relying on threat intelligence, where we're trying to recognize all the bad patterns, you know, of behavior we've seen in the past, we basically use machine-learning to go and understand, you know, we connect to enterprises through APIs. We basically build a profile of, like, what is this organization? Who are the people? Who do they talk to about what things? And we use that to predict what are the normal behavior of business. Then when we see kind of things that looks suspicious, right, they kind of deviate from this, you know, normal pattern of behavior, we use that as kind of the mechanism for stopping attacks. That becomes very effective for stopping, you know, these different class of social engineering attacks. Right? Phishing emails that've been seen before, emails without links and attachments, you know, accounts that get compromised, they're sending internal emails that don't go through a secure mail gateway. So that's kind of where we focus, and, you know, we work with large enterprises to help them, you know, stop the next generation of target email attacks.

Chris: Okay. If our listeners want to know more about Abnormal Security, or Evan Reiser, where can they go online?

Evan: Yeah, so I mean, if they're curious about Abnormal Security, our website's actually good. We show off, you know, what our product does, and what our technology does, and we try to be very transparent about, you know, some of the things we're doing. So it actually has, you know it's kind of like a non-cyber security website, where we'll show everything we do. So I'd recommend that. And then--

Chris: What's the URL again?

Evan: Yep,

Chris: Okay.

Evan: And if you're curious to hear my random musings, then you can follow me on Twitter. Which is just Evan Reiser.

Chris: Okay. R-E-I-S-E-R.

Evan: That's right.

Chris: Okay, Evan thank you so much for joining us today.

Evan: Yeah, thank you, Chris. I really appreciate you takin' the time.

Chris: Okay, and thank you all for listening and watching today. If you enjoyed today's video, you can find many more on our YouTube page. Just go to and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. To see the current promotional offers available to listeners of this podcast, go to And as we've been saying for a while now, you can download our free election security training resources to educate co-workers and volunteers on the cyber security threats they may face during this election season. For information on how to download your free training packet, visit, or click the link in the description down there or down there, I don't know where. Thanks once again to Evan Reiser, and thank you all for watching and listening. We'll speak to you next week.
