‘Impossible Travel’ Tests Limits of Anomalous Detection

“Impossible travel” enjoys a droll reputation as one of the more apparent indicators of a cyber anomaly. Knowing that a person can’t be in two places at once, today’s cybersecurity software can detect anomalous behavior and take actions such as raising alerts or isolating messages as needed. 

When a user logs into the cloud, the system records a timestamp and a user’s GPS and IP addresses. The next time the user logs in, the system automatically checks the last login data and calculates the difference between the locations. By Microsoft’s definition, impossible travel occurs “if the same user connects from two different countries and the time between those connections can’t be made through conventional air travel.”[1]

Sounds straightforward, except that many of these alerts result in false positives. Hybrid work has exacerbated the issue. Many knowledge workers log into servers from around the globe, using VPNs that complicate location verification. Cybersecurity software may monitor logs showing that a trusted user last checked in from Paris, France, but is logging in 75 minutes later via Paris, Texas.

Improperly managed, impossible travel adds to a security team’s daily noise. The average security team fields over 11,000 alerts per day, mainly manually, according to Forrester’s State of SecOps in 2021 report. Nearly a third of those alerts are false positives.[2]

Can Artificial Intelligence Meet This Challenge?     

Intriguing or not, impossible travel is another of the challenges faced daily by security teams — an indicator that could signify malicious activity such as phishing or ransomware.

In other words, impossible travel represents the sort of email threat that machine learning and artificial intelligence (AI) can detect and manage. And that’s important because the risk is undiminished. In Mimecast’s State of Email Security 2022 (SOES) report, 72% of respondents said the number of email-based threats had increased in the past 12 months, with 26% describing the threat level as significant. Yet, the SOES study also indicates that fewer than half of respondents’ companies have a system for monitoring email attacks. 

Still, security pros believe AI can improve their effectiveness. In the SOES study, 56% of respondents confirmed that AI had increased threat detection accuracy. However, for many security teams, the constant challenge is weeding out false positives. One approach entails looking at each case manually. One security maven on Reddit (r/cybersecurity) noted that to prove an alert is a false positive, you “need to provide a plausible benign scenario that explains the anomalous activity.” If not, he would prohibit the activity.[3]

Yet, amid continued staffing shortages, the more significant problems concern a lack of time and resources to intervene manually. Rather than try to resolve each alert on a one-off basis, many organizations apply AI, automation, and integration to prevent breaches. Mimecast’s email security approach blocks email threats with AI-powered detection, including identity and social graphing for anomaly and phishing detection. 

These capabilities detect and block targeted email threats such as:

• Anomalous behaviors associated with malicious email.
• Misaddressed emails, to prevent data loss by mistakenly emailing the wrong people.
• Highly targeted spearfishing attacks.
• Trackers embedded in emails.

Recognizing the New Normal

Social graphing is technology that uses machine learning to recognize what’s normal and what’s not about email and communications. Mimecast CyberGraph deploys this technology to map an organization’s communications patterns, tracking connections between senders and recipients, including the strength or proximity of those relationships. 

The resulting data enables security teams to spot anomalous behaviors and block targeted and malicious email attacks that rely on tactics like social engineering and fileless malware. And CyberGraph continually finetunes results using a feedback loop to reduce false positive rates. Mimecast’s software can also heighten employee awareness of risks and threats by inserting contextual, real-time warnings in email, calling out when an email comes from an unknown source. 

Social graphing data can also recognize patterns and help security teams craft relevant policy exceptions. For instance, the Mimecast X1 platform’s global policy engine may recognize that a particular employee is likely to log in or collaborate from anywhere. This knowledge reduces manual efforts, supports compliance, and lessens risk. Creating an exception also reduces stress for a roaming employee who may otherwise get temporarily locked out from email or collaboration. 

In an Enterprise Strategy Group paper called “When the Adversary Knows All About You … Personally,” the author contends that “modern attacks are becoming highly personalized.” The upshot is that attackers tap a range of public information sources and socially engineered communications, among other tricks, to “carry out criminal actions.” Yet, while attackers are getting smarter, technologies such as identity graphs are “helping organizations combat more sophisticated attacks.”

The Bottom Line

Mimecast CyberGraph protects systems from some of the most evasive and hard-to-detect email threats, limiting attacker reconnaissance and mitigating human error. Impossible travel is one of the trickier signs of an attack. Mimecast CyberGraph provides security teams with an approach that integrates into enterprise security environments and applies AI, social graphs, and smart anomaly detection to elevate their ability to detect and mitigate anomalous threats. Delve deeper into CyberGraph’s capabilities.

[1] “Detecting and Remediating Impossible Travel,” Microsoft

[2] “State of SecOps in 2021,” Forrester

[3] “How do you ‘prove’ that an alert is a false positive?”, Reddit