Eradicating email entry
Email is still the most used attack vector for opportunistic and targeted attacks and is typically the starting point for social engineering attacks, the delivery vehicle for a dropper or payload attachment, or the link to an exploit kit or phishing website, according to research firm Gartner. Email threats have become sophisticated enough to evade detection by technologies that rely only on standard antivirus and reputation.
Gartner said email threats are also being blended, combining social engineering, identity deception, phishing sites, malware and exploits. Technology innovations should be complemented by investments in security awareness training, Gartner said, especially to combat email threats that don’t contain an attachment or a URL.
CRN spoke with eight cybersecurity vendors and one solution provider about what to look for when selecting an email security service. From detecting snowshoe spam and compromised cloud accounts to providing simulated phishing attacks, sentiment analysis and oversight of east-west traffic, here are 10 things companies benefit most from in an email security service.
Review of east-west traffic
When using a cloud-based email security provider, it becomes possible to review the traffic that’s moving internally on an east-west basis, said Al Huger, Cisco Systems’ vice president of security platform and response. Lots of malware is transferred internally when it’s behind an organization’s interface, and Huger said employees are very likely to click on links they believe are from inside the company.
The inferred trust with people inside the company is very high, meaning that the likelihood of successful exploitation is much higher than for the adversary impersonating an external actor, Huger said. Data is exposed via API in cloud-based email systems, which Huger said makes it much easier for security products to examine internal traffic flow.
Monitoring internal traffic with traditional on-premises email systems would require pulling massive amounts of email from different places and reviewing them in real time, according to Huger. But the cloud-based tools offer journaling, which Huger said provides users with real-time access to all sent and received emails along with the ability to apply security controls instantaneously at very little expense.
Flagging sentiments that don’t look right
Crowdsourcing tools have struggled to pick up spear phishing, but the APIs in Office 365 have now made it possible to examine the sentiments in messages in a manner that goes beyond simply classifying them as bad or good, according to McAfee Chief Information Officer Scott Howitt. There’s an opportunity for emerging technology from companies like Abnormal Security to come in and disrupt this space, he said.
The process begins by creating a VIP list of the people in an organization most likely to be targeted with impersonation emails such as the CEO, CFO, CIO, CISO or board members, Howitt said. The API-based approach then looks at the metadata and can identify if an email is coming from an irregular place or asking for something unusual given the executive’s role in the organization, according to Howitt.
This API-based approach is particularly useful when adversaries create a unique email address for a single spear phishing attack, meaning the address in question isn’t going to appear on a blacklist since it’s never been used before, Howitt said. The software doesn’t just sit and watch emails come through, but actually examines the heart of the content and metadata to figure out what looks abnormal, he said.
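The checks Howitt describes (a VIP list, metadata that looks wrong for the role, and sender addresses that no blacklist has ever seen) can be made concrete. The following is an added example written for this page, not code from McAfee or Abnormal Security; the domain, VIP list, known-sender set and the two sample messages are constructed, and the request patterns are an illustrative starting set rather than anything the vendors publish. It scores one raw message on five signals: a VIP display name on a non-VIP address, a first-seen sender, a look-alike domain, a diverted Reply-To, and a request that does not fit the role.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data: the organisation's domain, its VIP list and the sender
# addresses its mail history has seen before (in practice: directory + mail logs).
INTERNAL_DOMAIN = "example.com"
VIPS = {"Jane Doe": "jane.doe@example.com", "Bob Finance": "bob.finance@example.com"}
KNOWN_SENDERS = {"jane.doe@example.com", "bob.finance@example.com", "vendor@partner.example"}

# Requests an executive rarely makes by email; matched against the body (illustrative set).
UNUSUAL_REQUESTS = [
    r"\bwire\b",
    r"\bgift cards?\b",
    r"\bupdate (?:the )?(?:bank|payment) (?:details|info)\b",
    r"\bare you (?:at your desk|available)\b",
]


def _norm_name(name):
    """Collapse case, punctuation and spacing so 'jane.doe' and 'Jane Doe' compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return the impersonation signals found in one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")

    findings = []
    # 1. Display name of a VIP on an address that is not that VIP's mailbox
    for vip_name, vip_addr in VIPS.items():
        if _norm_name(display) == _norm_name(vip_name) and addr != vip_addr:
            findings.append(f"display name impersonates {vip_name} from {addr}")
    # 2. Address never seen before: useless for a blacklist, useful as an anomaly signal
    if addr not in KNOWN_SENDERS:
        findings.append("first-seen sender address")
    # 3. Domain that is a small edit away from the organisation's own
    if domain and domain != INTERNAL_DOMAIN and _edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"look-alike domain {domain}")
    # 4. Reply-To that diverts the conversation away from the From address
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 5. Request that does not fit the role
    hits = [p for p in UNUSUAL_REQUESTS if re.search(p, body, re.I)]
    if hits:
        findings.append(f"unusual request ({len(hits)} pattern(s) matched)")
    return {"from": addr, "display": display, "findings": findings, "score": len(findings)}


# Constructed messages: one impersonation attempt, one genuine note from the CEO.
SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example
To: bob.finance@example.com
Subject: Urgent

Bob, are you at your desk? I need you to process a wire today. Jane
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob.finance@example.com
Subject: Board deck

Bob, can you send me the latest board deck? Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        result = score_message(raw)
        print(label, result["score"], result["findings"])
```

The spoof trips all five signals (score 5) while the genuine note scores 0. In production the known-sender set and VIP list come from the mail API and the directory rather than constants, and the threshold for blocking versus banner-warning is a policy decision; the point is that none of these signals needs the address to have been seen in a previous attack.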
Ability to detect compromised cloud accounts
The majority of cybercrime losses are now attributable to business email compromise (BEC), where an adversary is spoofing a user’s display name or email address or sending messages from the account of a trusted third party, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. Companies must understand where risk lives in their business such as in accounts payable or finance.
The adoption of Office 365 has led to overlap between email threats and cloud threats, meaning that companies must be able to identify compromised accounts, malicious third-party apps or data leakage, Kalember said. Web applications and browser extensions have taken to impersonating something that a user is likely to trust such as SharePoint, and then ask the unassuming user to open a third-party file.
In this scenario, Kalember said the attacker is trying to direct the user to a login portal that feels like the normal process but really leads to the adversary getting a token that represents the user’s credentials. To stop cloud account takeover, Kalember said businesses must be able to identify if an account has been compromised whether that’s directly through a credential or indirectly through some sort of token.
Understanding that blocking spam isn’t enough
Businesses can’t leave spam protection behind but now face threats that didn’t exist when their email server was hosted on-premises such as account takeover, lateral phishing and business email compromise (BEC), said Brian Babineau, senior vice president and general manager for Barracuda MSP. Since Office 365 lives online, Babineau said employee email can now be accessed from any device.
There are limited ways to disrupt on-premises Microsoft Exchange such as through spam or attacks that shut down the server altogether, Babineau said. But with Office 365, Babineau said there’s a fair amount of access and damage that can be done since the adversary doesn’t need to make itself known right away and can move around laterally to look for more opportunities to infiltrate the organization.
It’s easier for an attacker to remain unnoticed in Office 365 as it’s gathering information since the entire service hasn’t been taken down even if the adversary successfully took over an individual’s account, Babineau said. Adversaries of late have shied away from a spam-based approach to bringing applications down in favor of taking a patient approach to account compromise, according to Babineau.
Ability to detect snowshoe spam
Hackers like to use exploits that are very difficult to detect since they were uniquely created with a specific victim in mind, meaning they’ll fly under the radar of email security software, according to Dan Schiappa, chief product officer at Sophos. Adversaries like to capitalize on super-spreading capabilities using everything from EternalBlue for WannaCry to Lemon Duck malware to snowshoe spam, he said.
Even if the message being distributed via snowshoe spam has been customized, Schiappa said a good email security product can still detect it since the delivery mechanism leads to unusual spreading patterns. Snowshoe spam messages with an urgent call to action around something like COVID-19 tend to get high levels of engagement since people’s stress and anxiety cause them to click, Schiappa said.
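Schiappa's point is that the delivery pattern gives snowshoe spam away even when each message is personalised. The block below is an added example for this page, not Sophos code: it reduces each message to a template (salutation, numbers and URLs masked), groups messages by template, and flags a group that is spread thinly across many sending /24 blocks and domains. The message set is constructed: twelve personalised "relief payment" lures each from a different block, a legitimate newsletter sent twenty times from one host, and one personal note.

```python
import hashlib
import ipaddress
import re
from collections import Counter, defaultdict

URL_RE = re.compile(r"https?://\S+", re.I)
NUM_RE = re.compile(r"\d+")
GREETING_RE = re.compile(r"^\s*(hi|hello|dear|greetings)\b", re.I)


def template_key(subject, body):
    """Reduce a message to the parts that stay constant across a personalised run."""
    lines = body.strip().splitlines()
    if lines and GREETING_RE.match(lines[0]):
        lines = lines[1:]                      # drop the "Hi <name>," salutation
    text = subject + "\n" + "\n".join(lines)
    text = URL_RE.sub("<url>", text)           # per-recipient tracking links
    text = NUM_RE.sub("<num>", text)           # amounts, invoice and claim numbers
    text = re.sub(r"\s+", " ", text).lower().strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def find_snowshoe_clusters(messages, min_size=8, min_blocks=6, max_per_ip=2):
    """Flag template clusters spread thinly over many source /24s (thresholds are illustrative)."""
    clusters = defaultdict(list)
    for m in messages:
        clusters[template_key(m["subject"], m["body"])].append(m)
    flagged = []
    for key, group in clusters.items():
        per_ip = Counter(m["ip"] for m in group)
        blocks = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in per_ip}
        domains = {m["from"].split("@")[-1] for m in group}
        # A bulk newsletter is also a large cluster, but it comes from one block with
        # many messages per IP; snowshoe runs keep every IP below the reputation radar.
        if len(group) >= min_size and len(blocks) >= min_blocks and max(per_ip.values()) <= max_per_ip:
            flagged.append({"key": key, "messages": len(group), "ips": len(per_ip),
                            "blocks": len(blocks), "domains": len(domains)})
    return flagged


NAMES = ["Alice", "Bob", "Carol", "Dan", "Eve", "Frank",
         "Grace", "Heidi", "Ivan", "Judy", "Mallory", "Oscar"]


def build_sample():
    """Constructed traffic sample (addresses and domains are placeholders)."""
    msgs = []
    for i, name in enumerate(NAMES):                     # snowshoe run: one message per /24
        msgs.append({
            "ip": f"198.18.{i}.{i + 5}",
            "from": f"support@relief-{i}.example",
            "subject": f"Action required: payment {1000 + i}",
            "body": f"Hi {name},\nYour COVID-19 relief payment of ${100 + 7 * i} is ready. "
                    f"Confirm your details at http://relief-{i}.example/claim/{1000 + i} within 24 hours.",
        })
    for n in range(20):                                  # legitimate bulk mail: one host, one domain
        msgs.append({"ip": "192.0.2.10", "from": "news@news.example",
                     "subject": "Weekly security digest",
                     "body": f"This week: {n} advisories. http://news.example/weekly/{n}"})
    msgs.append({"ip": "203.0.113.7", "from": "pat@partner.example",
                 "subject": "Lunch?", "body": "Hi Sam,\nLunch tomorrow?"})
    return msgs


if __name__ == "__main__":
    for c in find_snowshoe_clusters(build_sample()):
        print(f"snowshoe cluster {c['key']}: {c['messages']} msgs, {c['ips']} IPs, "
              f"{c['blocks']} /24s, {c['domains']} sender domains")
```

Only the relief-payment run is reported: twelve messages from twelve IPs in twelve blocks and twelve domains. The newsletter forms an equally large cluster but fails the block-spread test, which is the distinction a reputation-only filter cannot make in either direction.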
Non-email communication paths like Microsoft Teams or Slack also pose security risks, but unlike email, which can be held and inspected before being passed on, Teams and Slack are real-time communication platforms, Schiappa said. Vendors use the same security inspection techniques on Teams and Slack as on email, but the multi-person, real-time nature of the communication can make it difficult.
Protection against phishing campaigns
The industry has struggled with protecting against targeted and shotgun phishing campaigns even though email remains the main avenue of compromise for organizations, according to Cisco’s Huger. Natural language technology can help dissect the tone, destination and style of writing to assess if a particular email looks like other messages sent by that user, Huger said.
Recent machine-learning technology needs to be applied to catch spear phishing attacks since they’re hand-crafted with a specific target in mind, according to Huger. Machine learning can be used to create a baseline of what messages from a particular user normally look like in terms of tone of writing and common spelling mistakes to provide a point of comparison for future messages, he said.
Combining machine learning with natural language processing allows for the creation of a profile that can evaluate at machine speed what a user normally looks like when they’re sending an email, Huger said. The highest-quality machine-learning algorithms are created by people whose research has been vetted by third parties and published in reputable outlets, according to Huger.
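The per-user baseline Huger describes does not require a large model to illustrate. The following is an added example for this page, not Cisco code: it measures a few style features of each past message from one sender (words per sentence, exclamation marks per sentence, share of capital letters), stores the mean and spread of each, and z-scores a new message against that profile. The message history and the two new messages are constructed; the features and the threshold of 3 standard deviations are illustrative choices, and a production system would use far richer features (vocabulary, habitual misspellings, greeting and sign-off forms) and many more samples.

```python
import re
from statistics import mean, pstdev

WORD_RE = re.compile(r"[A-Za-z0-9']+")
SENTENCE_RE = re.compile(r"[.!?]+")


def features(text):
    """A few cheap style measurements for one message body."""
    sentences = [s for s in SENTENCE_RE.split(text) if s.strip()]
    n_sent = max(len(sentences), 1)
    words = WORD_RE.findall(text)
    letters = [c for c in text if c.isalpha()]
    return {
        "words_per_sentence": len(words) / n_sent,
        "exclamations_per_sentence": text.count("!") / n_sent,
        "caps_ratio": sum(c.isupper() for c in letters) / max(len(letters), 1),
    }


def build_profile(bodies):
    """Mean and spread of each feature over a sender's past messages."""
    rows = [features(b) for b in bodies]
    profile = {}
    for key in rows[0]:
        vals = [r[key] for r in rows]
        mu = mean(vals)
        # Floor the spread so a feature that is identical in every past message
        # (e.g. zero exclamation marks) still yields a finite, large z-score when it changes.
        sigma = max(pstdev(vals), 0.05 * abs(mu), 1e-3)
        profile[key] = (mu, sigma)
    return profile


def score_against_profile(profile, body, threshold=3.0):
    """z-score each feature of a new message against the sender's profile."""
    z = {k: (v - profile[k][0]) / profile[k][1] for k, v in features(body).items()}
    return {"z": z, "flagged": any(abs(s) > threshold for s in z.values())}


# Constructed history of short notes from one executive, plus two new messages.
HISTORY = [
    "Bob, can you send the Q3 numbers? Thanks, Jane",
    "Got it. Let's review Monday. Thanks, Jane",
    "Bob, please loop in legal on this. Thanks, Jane",
    "Fine by me. Book the room. Thanks, Jane",
    "Bob, see attached draft. Comments welcome. Thanks, Jane",
    "Yes, approved. Thanks, Jane",
]
NORMAL = "Bob, ship it. Thanks, Jane"
URGENT = ("Hello Bob!!! I am currently in a meeting and cannot talk but I URGENTLY need you to "
          "process a wire transfer to a new vendor before 3pm today and confirm back to me on "
          "this email as soon as it is done!!! Thanks so much!!!")

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, body in (("NORMAL", NORMAL), ("URGENT", URGENT)):
        result = score_against_profile(profile, body)
        print(label, result["flagged"], {k: round(v, 1) for k, v in result["z"].items()})
```

The terse note stays within a standard deviation or so of the profile on every feature; the "urgent wire" message is many deviations out on sentence length and exclamation marks and is flagged. The floor on the spread matters: without it, a feature that never varied in the history would divide by zero the first time it does.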
Look holistically at data, information beyond email
Customers are looking to consolidate the number of vendors they’re working with, and an email security service that can help with phishing and impersonation attacks, exploits and security awareness training provides more value to the business, according to Kurt Mills, Mimecast’s vice president of channel sales. Employees aren’t always sure where they’re going and can bring bad things back with them, he said.
Organizations today have many people working from home who had never done so before, and their habits around web browsers between business calls can make the company susceptible to spoofing or impersonation attacks, Mills said. Given the volume of new attack vectors businesses face, Mills said organizations must have a holistic way of looking at and acting upon data and information.
Since customers are no longer sitting inside the perimeter of their corporate network, Mills said security awareness training can help users sharpen their skills around which messages are real and which ones aren’t. The training can address what the best practices are for an organization philosophically as well as put controls in place to ensure employees participate before going about their day-to-day tasks.
Addressing email traffic flow around cloud adoption
Businesses need to ensure that outbound messages aren’t being used to defraud others and that inbound messages aren’t being used to get malware or ransomware into the organization, according to Nico Fischbach, global chief technology officer at Forcepoint. Ensuring the business isn’t being used as a launching point for attacks against others is a good way of staying out of the headlines, Fischbach said.
Businesses too often fail to think about their email traffic flow when migrating from a hosted version of Microsoft Exchange to Office 365, resulting in strong hygiene policies getting lost along the way, he said. Email security knowledge is often in silos since businesses often have one team taking care of legacy applications like Exchange and another team handling cloud or SaaS-based applications like Office 365.
And once a business switches over to Office 365, the email will just go directly to Office 365 and not pass through the company’s existing architecture, which Fischbach said has security implications. With a little bit of effort, Fischbach said the policies defined for on-premises email products can be replicated and applied consistently in the cloud.
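A quick way to see whether mail still passes through the existing architecture after a move to Office 365 is to audit the public DNS: the MX records decide where inbound mail lands, and the SPF record lists which hosts are allowed to send as the domain. The block below is an added example for this page, not Forcepoint code; it assumes the gateway is meant to see both directions, and the gateway hostnames, SPF include and the before/after records are constructed. It reports each place where mail can bypass the gateway.

```python
def parse_spf(record):
    """Split an SPF TXT record into its mechanisms; raises if it is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def audit_mail_flow(mx_hosts, spf_record, gateway_mx, gateway_sources):
    """Report where inbound or outbound mail can bypass the gateway."""
    findings = []
    # Inbound: every MX must be the gateway, otherwise senders (and attackers)
    # deliver straight to the cloud tenant and the gateway's policies never run.
    for host in mx_hosts:
        if host.rstrip(".").lower() not in gateway_mx:
            findings.append(f"MX {host} is not the gateway: inbound mail bypasses inspection")
    # Outbound: any SPF-authorised source other than the gateway can send as the
    # domain without outbound policy (DLP, rate limits, impersonation checks).
    terms = parse_spf(spf_record)
    for term in terms:
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            continue
        if mech not in gateway_sources:
            findings.append(f"SPF authorises {term}: outbound mail can leave without passing the gateway")
    if not terms or terms[-1].lower() != "-all":
        findings.append("SPF does not end in -all: mail from unlisted sources is only soft-failed or allowed")
    return findings


# Constructed gateway identity and the DNS records before and after a typical migration.
GATEWAY_MX = {"mx1.gateway.example", "mx2.gateway.example"}
GATEWAY_SOURCES = {"include:_spf.gateway.example"}

BEFORE_MX = ["mx1.gateway.example.", "mx2.gateway.example."]
BEFORE_SPF = "v=spf1 include:_spf.gateway.example -all"

AFTER_MX = ["example-com.mail.protection.outlook.com."]
AFTER_SPF = "v=spf1 include:spf.protection.outlook.com ~all"

if __name__ == "__main__":
    for label, mx, spf in (("before", BEFORE_MX, BEFORE_SPF), ("after", AFTER_MX, AFTER_SPF)):
        print(label, audit_mail_flow(mx, spf, GATEWAY_MX, GATEWAY_SOURCES) or ["ok"])
```

The pre-migration records come back clean; the post-migration records produce three findings: inbound mail now lands directly on the tenant, the tenant is authorised to send without the gateway, and the softfail lets spoofed mail through. Feeding the function live answers from `dig MX` and `dig TXT` turns it into a check that can run after every DNS change.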
Simulated phishing attacks
Users need to be educated around how bad actors get into our digital lives and what malicious emails typically look like, according to Hal Lonas, chief technology officer of SMB and consumer for OpenText. Employees should be trained to question things such as instructions from a supervisor to wire money or provide assistance with a password, Lonas said.
Workers only retain the lessons from security awareness training for a few months, so Lonas said users need to be constantly retrained and reminded of the latest security threats. Specifically, Lonas said running a companywide phishing simulation and scoring users on how well they respond can be eye-opening, particularly for a small business.
Small businesses often think they’re OK and are subsequently surprised by how much their employees click on, which Lonas said shines a light on what future security training should focus on. Organizations can do recurring phishing simulations to fulfill compliance requirements and ensure they’re getting better over time, according to Lonas.
Protection against malicious attachments
Email security services need to go beyond filtering and address end-user or human error to the maximum extent possible, according to Hannah O’Donnell, director of sales at Collabrance. Microsoft’s Advanced Spam Filter (ASF) settings detect and protect against malicious attachments and flag messages that might contain suspicious activity to verify the user wants to click on them, O’Donnell said.
This protection should extend beyond Exchange and include other pieces of the Microsoft suite such as Word and Teams to ensure that suspicious or abnormal activity is highlighted, according to O’Donnell. Meanwhile, O’Donnell said advanced spam filtering blocks suspicious messages from getting into a user’s inbox to help employees avoid clicking on something they shouldn’t click on.
Ultimately, O’Donnell said no email security service can prevent human error, so customers must be educated to check the sender’s email address and examine the email header and body for unusual spelling mistakes to ensure the sender is legitimate before clicking on links. Companies should also familiarize themselves with popular scams and implement security awareness training via automated campaigns.