ValueWalk’s Q&A session with Dave Baggett, the CEO and Founder of Inky, discussing how the company operates, the email phishing problem, brand impersonation attempts, data breaches, whether Apple computers are safe from viruses, and whether any quantum computers can breach defenses.
Can you tell us about your background?
Our founder studied at the MIT AI Lab and previously co-authored the Crash Bandicoot series for Naughty Dog/Sony and co-founded ITA Software, now Google Flights. He has assembled a team of experts in cybersecurity, machine learning, operations, and go-to-market to solve the email phishing problem once and for all using AI, and to rapidly bring this solution to enterprises worldwide.
What does Inky do?
Inky provides a cloud-based email protection solution that, like incumbent Secure Email Gateway (SEG) products, identifies and blocks spam, malware, and phishing emails. Inky goes beyond legacy SEGs, however, in several key areas:
- Inky uses computer vision algorithms to identify and block zero-day brand forgery emails – attempts to impersonate familiar brands like Microsoft that often lead to credential theft. Inky does this even for emails that have never been reported to any threat feed, because INKY’s algorithms “see” each email visually much like a human recipient.
- Inky uses anomaly detection algorithms to identify and block zero-day spear phishing and BEC emails – attempts to impersonate known individuals both inside and outside the victim’s company. Here again, INKY does this even for previously unseen and highly targeted attacks.
- Inky annotates each email with a color-coded banner giving the end user guidance on the email. If the email demands caution or is about something sensitive like wiring money, the banner will be yellow. Emails INKY identifies as malicious can either be delivered with a red Danger banner or sent directly to quarantine, as configured by the customer.
INKY’s catch rates far exceed legacy SEG catch rates: we’ve measured the real-world differences, and they are statistically very significant.
What products do you have that help defend against threats?
Our flagship product is Inky Phish Fence. It can be deployed either as an MX-based solution like a SEG or as an inline solution downstream from a legacy SEG, as the last line of defense.
The latest trends in tech are very hard to understand unless you are an expert – can you tell us about the threats landscape?
We have several white papers in which we try to educate users on what phishing is and how crooks perpetrate these attacks, which we are happy to provide. For phishing in particular, the fundamental problem is that attackers now craft these emails to both fool the legacy SEGs and to look very convincing to end users. By leveraging recent innovations in machine learning and computer vision / deep learning, we’re able to make INKY “see” emails visually and use the convincing nature of the criminals’ phishing emails against them.
There have been a lot of data breaches lately. Can you tell us some of the major ones?
We have a list of breaches we can provide. However, the key insight is that according to the SANS Institute, the root cause of fully 90% of breaches is a phishing email. This is why we’ve focused so much effort and innovation on truly solving the phishing problem rather than just producing marketing claims about it.
Do these companies typically have cyber insurance which would cover an event like this?
Our customers generally do not have cyber insurance that covers loss from phishing emails.
How do they differ in technical aspects?
Phishing attacks vary widely, but we broadly classify them into 1) impersonation of a brand and 2) impersonation of individuals. The exact techniques vary and we can provide specific examples of tactics, but in simple terms attackers use a variety of tricks to make emails look legitimate to legacy SEGs while also looking very plausible to end users. Attackers can use Unicode characters and typos in subtle ways, can hide text by setting the font width on the text to zero, and so on. They can even, very simply, take a real mail from a brand and resend it from a plausible-sounding domain (say, microsott-mail.com), changing a single link in the mail to point to their own fake O365 login page. Finally we know that scammers now scrape LinkedIn and other social media sources to create scripts that harvest both employee and VIP email addresses to automatically craft and send highly targeted spear phishing emails.
Is a hack the same as a data breach?
It depends on who you ask; these aren’t technical terms. We generally think of “hack” as meaning some kind of trick or workaround that wasn’t intended or foreseen. A breach implies some kind of penetration of a line of defense. In other words, you can use a hack to do many things, but if you breached a system, that means you got inside something you weren’t supposed to.
Growing up we were told Apple users did not need to worry about viruses. Is this still the case?
No. Windows systems are still more highly targeted but many exploits target OS X, Linux, iOS, and Android now. No system is safe.
Are any of the tech giants doing anything to help guard against data breaches?
They are investing significantly in securing their own systems. However, all platforms are still remarkably vulnerable, and no tech giant has anything like a comprehensive solution for phishing in particular.
If we can break it down on an individual level, curious about the big five names.
Google claims to provide phishing protection for Gmail, and does block some reported phish. However, we have G Suite customers and have the data to show that a large number of real-world phishing emails pass through Gmail and are subsequently blocked by INKY.
Apple doesn’t appear to do anything on phishing.
Microsoft claims their EOP and ATP products block phishing emails, but we run both upstream from INKY and find that neither EOP nor ATP finds any significant portion of real-world phishing emails.
Amazon doesn’t appear to do anything on phishing. Their WorkMail offering is silent on phishing and does not appear to block it at all.
Facebook isn’t a mail provider, and doesn’t appear to do anything for email-based phishing.
Similarly, PCs were much more guarded than phones. Can phones also be breached?
Absolutely they can. However, it’s still the case that Windows machines are much more vulnerable than mobile devices. To be fair to Microsoft, this is largely because iOS and Android were developed much later than Windows, and are far more locked down than Windows. But they are still vulnerable to, for example, attacks that replace system libraries with an attacker’s replica that introduces an exploit.
What about smartwatches?
In general these have the same threat model as mobile devices. When it comes to phishing, a user reading an email on her smartwatch is just as likely to be phished, if not more so, than via a phone or computer. This is one reason INKY puts its warning banners right inside the mail itself – so these banners show up on every endpoint.
How does one guard against this?
To guard against phishing attacks, use INKY so these attacks either don’t reach your users at all, or at least in borderline cases get annotated with a yellow banner.
To guard against exploits targeting Windows or mobile devices, stay up to date with system patches and be very careful about what software you install.
What did the phishing attacks look like and what did the users see with different cases such as O365, AT&T, and other vendors?
The report provides lots of detail on this with specific examples.
What can companies and consumers do to fend off these more sophisticated and customized phishing attacks?
The only thing we’re aware of that truly blocks this stuff is INKY. Companies can sign up for our service and get protected. We don’t currently have a consumer offering, so consumers simply must be vigilant (or paranoid, or both) – and hope their mail providers work with vendors like us to bring new technology to bear to protect them.
Given this continuing direction of attacks, what can we expect in the wave of innovation around phishing in the future?
You can expect two things:
- Increasingly, more of the attackers’ phishing emails will be visually indistinguishable from legitimate mails by their human recipients.
- As systems like INKY continue to evolve and improve, an increasing percentage of these phishing emails will be identified by software and blocked.
Phishing is a short- to medium-term problem that new technology is well on the way to solving.
Can Quantum computers breach any defenses we know? Is that something we should worry about?
Theoretically yes, but nobody has built a working quantum computer anywhere near the size required to, say, determine a 2048-bit RSA private key from the matching public key. Furthermore, symmetric ciphers like AES are already quantum-resistant, and researchers have developed practical quantum-resistant asymmetric encryption schemes to replace RSA (and Elliptic Curve).
Thoughts going forward on future threats we will see
Expect more attacks – and new kinds of attacks – that exploit the explosion of public information about private people and firms available on social media. Attackers can and do create automated systems that “scrape” these sites to build profiles of victims that are highly accurate and targeted. Expect these automated Black Hat systems to become increasingly sophisticated.
Final advice to non-techies about how they can best guard themselves in today’s changing tech environment?
Your most likely route to getting compromised is getting phished by an email. If you’re a company, use INKY. If you’re a consumer, be very paranoid of email and use other mechanisms like message apps or plain old telephone instead of email. For example, if you get what looks like an email from your bank, just ignore the links in the email and go directly to the bank’s website by typing the bank’s name into the search engine. In essence: never assume the validity of any email; verify it using a second mechanism that is NOT email like your browser, phone, or a messaging app.