Email security appears grounded as attacks continue to take flight

With clever cybercriminals finding creative new ways to get to users, has email security lost the battle to protect.

1 2 Page 2
Page 2 of 2
  • Ransomware attacks. These are commonly sent from an imposter or a compromised account but sometimes come from apparent strangers. Like BEC attacks, they are often targeted and use social engineering techniques to create ‘believable’ content that convinces people to open a malware-infected document or click on a malicious link. Sometimes this content is a fake invoice; sometimes, a link to an apparent news article or some salacious material. Up-to-date anti-virus software is helpful, but no guarantee of protection since the attackers commonly use crypters to obfuscate their payload. Employee awareness is also helpful, but commonly circumvented. Filters that identify identity deception and potentially dangerous emails from strangers can address a large portion of the problem.
  • Business email compromise (BEC) attacks. These can come from either an impostor or from a legitimate but compromised account. These types of attacks typically target key employees, such as financial controllers, HR managers, and CFOs; and almost always use social engineering methods to create ‘believable’ content for a fraudulent email. The attackers either aim to steal sensitive data (such as W-2 information for employees of the targeted organization) or to trick the recipient to initiate a funds transfer. The emails almost never rely on URLs or attachments with malware payload so traditional blacklisting methods rarely catch them. The most appropriate defense against BEC attacks is one that identifies identity deception.
  • Phishing attacks. A phishing attack is a social engineering attack aimed at stealing credentials, typically those associated with a financial institution or an email account. Attackers often use phishing as a launchpad for other types of attacks, since it gives the attackers contextual information useful for targeting — in addition to an account that can be used to deceive contacts of the phishing victim. Traditional artifact-based filters are doing a decent job detecting and blocking scattershot phishing attacks, but are almost entirely useless when it comes to targeted attacks. Filters that detect identity deception are useful, especially when configured to detect the abuse of trusted brands. Companies that use the open DMARC standard get very good protection against a form of identity deception that is very common in the context of brand-name impersonation — namely spoofing attacks.

What can be done?

Jakobsson said there is also a common misconception that email authentication and spam filters will stop all attacks. “While these are key steps to creating a trusted inbox, it is far from what is needed today. For example, many companies understand that ransomware is a huge threat to their business, but still don’t have the right protections in place,” he said. “Free tools have been adopted, but many enterprises don’t realize ongoing investment is needed to truly minimize the threat of these attacks. Free tools often only prevent one type of attack, but today there are hundreds and thousands of variants of ransomware that each require a unique solution. Even then, ransomware strains are often updated to bypass these tools, making them near useless.”

A multi-layered approach is needed to truly secure against email attacks, he said. And even then, companies need to constantly assess the landscape to understand what other attack methods cyber criminals have been creating to bypass current technologies. “But it all comes back to understanding the nature of the threat, and to having a common language so that we can reason about what solution does what, and against what threat,” he said.

Cidon agrees to the multi-layer approach. The first layer is sandboxing. Effective sandboxing and APT prevention should be able to block malware before it ever reaches the corporate mail server, he said. The second layer is anti-phishing protection. Advanced phishing engines look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document. The third layer is employee training and awareness. Regular training and testing of employees will increase their awareness and help them catch targeted attacks without compromising the internal network.

Averett pointed to multi-factor authentication as key to combatting email attacks. A highly effective first step to defending against these types of threats can be both low-cost and simple via multi-factor authentication (MFA). While not a panacea, MFA makes an attacker’s job significantly more difficult.”

MFA is easy to enable on many platforms, including Rackspace, Microsoft’s Office 365 and Google’s G-Suite, he said. Email encryption is an additional layer of protection that can be enabled by some providers. “It works because recipients do not possess their own local copy of email that could be compromised and the transmission of encrypted messages occur over a secure channel, eliminating the number of plain text copies of an email message that ever exist,” Averett said.

Is it the vendors’ fault?

“Ultimately, the problem we’re trying to solve is simple and uniform: protecting the confidentiality of sensitive data, whether it’s traveling in the body of the message or an attachment. If we can focus on this core problem, protecting the data, many of these competing messages can align around a single goal. And we can solve the problem of securing email once and for all,” Shirk said.

However some vendors believe the market is fractured because everyone wants to create a niche product.

Jakobsson said some anti-virus vendors may prefer that their potential customers focus on the malware aspect of the problem, as opposed to worrying about emails that are plain social engineering and have no malware. Similarly, vendors that block scattershot phishing attacks would rather speak of the percentage of phishing emails they catch — especially since scattershot attacks involve millions of recipients — and not talk about the much greater risks associated with targeted attacks, which are few and far between, but have a much higher success rate, he said.

“This is a very short-sighted approach. While I can see why individual vendors avoid talking about attacks they don’t defend against, this is harmful both to society, and, I suspect, to security vendors as a group. Instead, I am hoping for increased cross-vendor collaboration — both in terms of establishing a common language that allows meaningful comparisons, and in terms of exchanging data,” he said.

Another major factor is the challenge of communicating extremely complex cyber tactics into information that enterprises and consumers can easily understand, he said.

What can be done to begin winning back the faith of users?

Faith in the system is the key element, Shirk said. “We always say that ‘security that is unusable will go unused.’ The best way to approach this is to focus on working on employees' terms — what tools do they use? How do they use them? What are their expectations for how email should work? That's the starting point. From there, it's a usability and discovery problem. You have to earn back trust one message at a time. Show people that they can keep control over their communications, without undue burden, and you're making the first, most important step.”

Add your comments on this story over on our Facebook page.

Copyright © 2017 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)