GreatHorn detects the most carefully planned email attacks

Its ability to unmask phishing and social engineering attacks based on context truly sets it apart.


It’s no secret that successful cyber-attacks against organizations in all sectors are on the rise. One of the most popular attack tools today is a phishing email combined with social engineering. Why go through all the trouble of trying to break into a network, find critical assets and slowly exfiltrate data when you can simply ask a user to send you the information you want to steal? Better yet, why not ask for a couple hundred thousand dollars while you're at it? Believe it or not, those types of “please hand me the cash” attacks are also highly successful.

The reason these types of phishing attacks are so successful is because a good attacker does a lot of research. Users don’t think they are transferring cash to a hacker. They believe they are paying a legitimate bill, giving critical information to their boss or resetting a password for a friend. And because most email gateway appliances only scan for known bad domains or the presence of malware (neither of which needs to be present in these types of social engineering attacks) they normally breeze through security.

GreatHorn was designed to close that security gap, as well as lock down the rest of the mail stream, which remains one of the most popular avenues for launching cyber attacks. GreatHorn is a software as a service (SaaS) product that exists inside the cloud. It works particularly well with Microsoft Azure, where it can run in tandem with a corporate mail server for Office 365 users. But it also works elsewhere. In fact, installation involved simply heading over to the signup page and providing credentials for our approved test account.

I have reviewed countless email gateway appliances in the past, and while they all do a good job at stopping things like malware attachments, they don’t have any contextual information about how to stop modern, targeted social-based attacks. They also require things like changing MX records and routing pathways. Plus, when they do catch something, the only option is generally to quarantine the mail and have a human, eventually, take a look to see if the mail is in fact malicious. That can take time, and false positives are fairly common.

GreatHorn Install (John Breeden II/IDG)

Installing GreatHorn is extremely easy. Just visit the webpage and provide your credentials.

GreatHorn works differently. Because it integrates with the mail software within the same cloud, the installation is seamless and mostly invisible. Once it’s up and running, it uses machine learning and the knowledge of billions of previously scanned emails to provide context when examining the mail stream.

Behind the scenes, the product works by first delivering mail sent to a user into a hidden folder, where it is examined. Then that mail, if approved, goes into the user's inbox. Besides a second or two delay when receiving mail, GreatHorn is seamless to a user and invisible unless it finds that something is amiss.

GreatHorn console (John Breeden II/IDG)

The GreatHorn console shows all actions taken by the program, including the types of attacks that have been detected in the email stream.

To test GreatHorn’s cognitive capabilities, we tried to send what would be considered a phishing email to a protected user. Prior to our testing, officials at GreatHorn set up a small test company populated with real users. Those users sent one another email and generally had a history of relationships established and recorded by the program, just like if it were deployed at a real company.

GreatHorn analyzes phishing email (John Breeden II/IDG)

Here GreatHorn analyzes a special type of attack that would have easily slipped through most other mail scanners. Using context, a portrait of a user trying to trick a company official out of data or money is created.

We looked at the email list and found the name of a C-level employee. We then set up a Gmail account with their name, and sent a note to another employee asking for W-2 forms for a survey we were conducting. Now, in real life, a truly targeted attack would have the attacker studying things like LinkedIn posts to get the cadence and language patterns of the person they were trying to impersonate. The attack would likely not use a spoofed domain, because that could be caught by email scanners. Instead it would just utilize a normal-sounding request from someone’s supposed home or personal email. It would contain no malicious files and would likely be sent at a strategic time, like just before work ends, to encourage quick action by the target.

GreatHorn immediately flagged our mail as suspicious. It read the name that we were using and realized that it was a match for someone inside the company, the person we were attempting to impersonate. It also made the connection that our new email, despite containing their name, was neither that person’s company address nor any of the personal ones that it had encountered in the past. Furthermore, it had no record from any of its instances, with any of its clients, or within its massive history file going back years, of the email address ever having been used. It’s not that the email address had a bad reputation. It’s that it had no reputation at all, having just been created for this test.

Setting up the GreatHorn Console (John Breeden II/IDG)

Administrators can set their GreatHorn Console to perform a number of actions based on what factors are out of bounds within a captured email.

Based on all of that, GreatHorn flagged it as suspicious, even though it was just words on the page, with no bad links or attached malware. In this case, the program was set to take mail with suspicious tendencies and add a large red banner flagging it as a potential threat and explaining why. The banner showed up just fine on a desktop computer’s mail client, using webmail, and when checking mail remotely with a mobile device. So, the mail was forwarded to the user’s inbox, but the potential phishing threat was unmasked. There are other options as well, including quarantining the mail or outright trashing it, though the flag and forward option seemed the most elegant, basically unmasking the threat but also giving users some training that these types of attacks are happening, and potentially targeting them.
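The two checks the review describes (a display name that matches an employee but arrives from an address that is neither their corporate mailbox nor a known personal one, and a sender address with no history at all) and the banner / quarantine / trash actions, as an added illustration that is not GreatHorn's code. The directory, the seen-sender history and the addresses are constructed sample data.

```python
import email.utils
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample directory: normalized display name -> corporate
# address plus personal addresses previously seen for that employee.
DIRECTORY = {
    "jane doe": {"corporate": "jane.doe@example.com",
                 "personal": {"janedoe@example.net"}},
}
# Constructed history of every sender address this tenant has ever seen.
SEEN_SENDERS = {"jane.doe@example.com", "janedoe@example.net",
                "vendor@partner.example"}

def normalize_name(name: str) -> str:
    """Fold case, accents and extra spaces so 'Jane  DOE' matches 'jane doe'."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"\s+", " ", name).strip().lower()

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def analyze_from_header(from_header: str) -> Verdict:
    """Apply the display-name impersonation and no-history checks."""
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    v = Verdict(False)
    entry = DIRECTORY.get(normalize_name(name))
    impersonation = (entry is not None and addr != entry["corporate"]
                     and addr not in entry["personal"])
    if impersonation:
        v.reasons.append(f"display name matches an employee but {addr} is "
                         "neither their corporate nor a known personal address")
    if addr not in SEEN_SENDERS:
        # Recorded as context; a brand-new sender alone is not a verdict.
        v.reasons.append("sender address has no prior history (no reputation)")
    v.suspicious = impersonation
    return v

def apply_policy(v: Verdict, action: str = "banner") -> str:
    """Map a verdict to one of the actions the review lists: 'banner'
    delivers the mail with an explanatory warning, the others do not."""
    if not v.suspicious:
        return "deliver"
    if action == "banner":
        return "deliver with banner: " + "; ".join(v.reasons)
    return action  # "quarantine" or "trash"
```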

Example of actions GreatHorn can take (John Breeden II/IDG)

This is an example of one action that GreatHorn can take, allowing the email to go through, but warning the user that there are a lot of suspicious factors with it, and that it may be targeting them with an advanced phishing campaign.

Normal threats with things like malicious links were also stopped by GreatHorn like any other mail appliance might. But its ability to unmask phishing and social engineering attacks based on context truly sets it apart from other mail protection programs. Its machine learning capabilities already have a rich history of deceptive email to draw upon, but it would also become more effective the longer it exists at an organization, allowing it time to suss out the complex relationships between employees and learn things like their true personal accounts.

Running any type of organization without adequate mail protection these days is like heading to the boardroom without a pair of pants. It’s simply not done, and will eventually get you into trouble. Given that mail protection is a requirement, it makes sense to use a product like GreatHorn, which can not only stop the most obvious threats like malware and corrupt links, but also those that come sneaking in insidiously from the most dangerous type of threat on the planet: other humans. 

Copyright © 2017 IDG Communications, Inc.
