
From Alert Fatigue to Actionable Insight: Investigating BEC with AI


Posted on by Josh Breaker-Rolfe

Trusting employees to spot a dupe and catch Business Email Compromise (BEC) messages in the wild is getting harder, thanks to AI. However, trusting technology to catch BEC in the wild is getting easier – also thanks to AI.

Here’s how investigating BEC becomes a faster, better proposition with an AI SOC in the loop.

Why BEC Is So Hard to Catch

Attackers today are leaning further into social engineering tactics because they are incredibly hard for traditional email security defenses to catch. Even advanced Secure Email Gateways (SEGs) are still only trained to spot malicious signatures. What do you do when emails come in “clean” but still get your employees to click anyway?

That’s where digging into the metadata, the sender information, the context, headers, and more comes into play. However, this is also where a lot of human expertise is needed – not to mention cycles. 

As noted by AI SOC Platform company Prophet Security, the essential questions when vetting potential BEC emails include: 

  • Was the domain spoofed? The “From” address can be forged to look legitimate even though the domain owner never authorized the sending server, which is why Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) validation is key.
  • Was the account legitimately compromised? A full account takeover may have taken place, allowing the attacker to send from a real user’s mailbox. The team then has to rely on anomalous clues in geography, timing, and device to determine whether a compromise has occurred.
  • Is there a lookalike domain? Look for typosquatting or character substitution in the domain name. This is a low-tech (but highly effective) method for slipping past human defenders. However, AI Security Operations Centers (SOCs) are not so easily fooled.
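The three questions above can be answered mechanically for the bulk of the alert queue. The script below is an added example, not code from the post or from Prophet Security: it reads the SPF/DKIM/DMARC verdicts out of an Authentication-Results header to decide whether a trusted domain was spoofed, normalizes common character substitutions and computes an edit distance to flag lookalike domains, and compares a login record against a user's baseline geography, hours, and device to surface account-takeover clues. The trusted-domain list, the homoglyph table, the distance threshold of 2, and all sample messages and login records are constructed assumptions for illustration.

```python
"""Added example: automating the three BEC vetting questions from the post.

Assumptions (not from the original post): the trusted-domain list, the
homoglyph table, the edit-distance threshold, and all sample messages and
login records are constructed for illustration.
"""
import re
from email import message_from_string

# Constructed list of domains the organization treats as its own or trusted partners.
TRUSTED_DOMAINS = {"example.com", "partner-example.org"}

# Common character substitutions seen in lookalike domains (assumed table, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header (RFC 8601 style)."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", header, re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "none"
    return results


def sender_domain(from_header):
    """Return the lowercase domain part of a From: header, or '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def levenshtein(a, b):
    """Classic edit distance, used to catch typosquats such as transposed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    normalized = domain
    for glyph, letter in HOMOGLYPHS:  # undo character substitution before comparing
        normalized = normalized.replace(glyph, letter)
    for t in trusted:
        if normalized == t or levenshtein(domain, t) <= max_distance:
            return t
    return None


def assess_email(raw_message, trusted=TRUSTED_DOMAINS):
    """Answer 'was the domain spoofed?' and 'is this a lookalike?' for one raw message."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    # A trusted domain in From: that fails DMARC was never authorized by its owner.
    if domain in trusted and auth["dmarc"] != "pass":
        findings.append(f"spoofed: {domain} claimed but dmarc={auth['dmarc']}, "
                        f"spf={auth['spf']}, dkim={auth['dkim']}")
    target = lookalike_of(domain, trusted)
    if target:
        findings.append(f"lookalike: {domain} imitates {target}")
    return {"domain": domain, "auth": auth, "findings": findings}


def login_anomalies(login, baseline):
    """Answer 'was the account compromised?' from geography, timing, and device clues."""
    anomalies = []
    if login["country"] not in baseline["countries"]:
        anomalies.append(f"new country {login['country']}")
    start, end = baseline["hours"]  # normal working window, 24h clock
    if not start <= login["hour"] < end:
        anomalies.append(f"off-hours login at {login['hour']:02d}:00")
    if login["device_id"] not in baseline["devices"]:
        anomalies.append(f"unknown device {login['device_id']}")
    return anomalies


# Constructed samples: a direct spoof that fails DMARC, and a lookalike domain that passes it.
SPOOFED_MSG = """\
From: "CFO" <cfo@example.com>
To: ap@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please wire the attached invoice today.
"""

LOOKALIKE_MSG = """\
From: "CFO" <cfo@examp1e.com>
To: ap@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Please wire the attached invoice today.
"""

if __name__ == "__main__":
    for raw in (SPOOFED_MSG, LOOKALIKE_MSG):
        print(assess_email(raw))
    baseline = {"countries": {"US"}, "hours": (7, 20), "devices": {"laptop-01"}}
    print(login_anomalies({"country": "RO", "hour": 3, "device_id": "unknown-77"}, baseline))
```

The two sample messages show why the questions are separate: the first fails DMARC for a domain the organization owns (spoofing), while the second passes every authentication check because the attacker controls examp1e.com, so only the lookalike check catches it. The login check is deliberately a baseline comparison rather than a rule list, since account takeover leaves nothing wrong in the message itself.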

All of these things take time to find. Even after alerts are sorted (often by manual investigation), SOC teams still have to roll up their sleeves and chase down BEC leads one by one, asking these same investigative questions for each.

This takes hours, if not days, and most of the time, the alerts are nonstop. Many times, SOCs throw up their hands in frustration and simply pick and choose which alerts they can follow up on; according to a 2023 study published by Vectra AI, “Security analysts are unable to deal with 67% of the daily alerts received, with 83% reporting that alerts are false positives and not worth their time."

Teams need something to force-multiply the process, from start to finish. 

Enter: AI SOC

AI Reduces False Positives in BEC Investigation

An AI SOC would take over from here. Using Agentic AI – the kind of AI that can not only analyze data and draw conclusions, but actually “think” for a team and make decisions – an AI SOC can automatically investigate and triage those alerts for them. This leaves an organization’s actual SOC with only the absolutely critical investigations to do, which is probably what they want to do anyway.

Studies suggest that anywhere from 40% to 80% of alerts are false positives. With so many rote investigations and useless leads out of the way, thanks to an AI SOC, actual SOC team members can have more time on their hands – and might actually get out from under the “pile.”

This is how it works: An alert for a suspicious login attempt hits a system. An AI SOC takes that alert and automatically runs through more questions.

  • Was there evidence of malicious access?
  • Was a role assumed?
  • Did any nefarious actions take place?

By following these threads, an AI SOC can analyze these incidents using the same logic as human analysts, finding answers, learning from historical data, and filtering out false positives.

AI Accelerates BEC Triage Within the SOC

Once false positives are eliminated, an AI SOC moves into threat hunting mode, taking the next step of chasing down the alerts that count.

This means making decisions. Integrated into an organization’s security solution, AI SOCs can continue triaging valid BEC alerts. They autonomously:

  • Summarize alerts and build an investigation plan
  • Retrieve, aggregate, and correlate threat data across sources
  • Prioritize alerts by severity

Ultimately, they determine and act on the next remediation steps: revoking active sessions, quarantining endpoints, blocking malicious IPs, and so forth.

BEC is getting so hard to keep up with in part because adversaries themselves are using AI (liberally) to scale BEC to their advantage. Without AI on their side, organizations today are not prepared to keep up.

By using AI SOCs to offload the additional burden that AI-powered attackers have put on, organizations today can keep up with alerts at scale, investigate and triage autonomously, and leave only the essential tasks to human experts. 

Contributors
Josh Breaker-Rolfe

Writer, Bora Design

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
