Deception. It comes in many forms and it can help mask "good" and "bad" surprises. Let me explain...
Men and women go to extraordinary lengths to deceive their partner regarding the date, time, and location on which they plan to propose. Creative proposals based on deception attract our attention and often provide entertainment on YouTube.
Clearly, deception hides an unpleasant surprise that all companies strive to avoid.
In that case, deception helps hide a pleasant surprise.
Attackers also use deception as part of their efforts to conduct email-based attacks. Without such deception, companies would see that the attacker intends to breach their network and grab something of value.
Clearly, such deception hides an unpleasant surprise that all companies strive to avoid.
While companies know that attackers use deception with email-based attacks, how do they uncover an email's actual purpose or intent? Why do companies struggle in seeing beyond an attacker's deception?
Businesses and Attackers Love Email - For VERY Different Reasons
Despite the emergence of various communications channels, including instant messaging, video conferencing and social media platforms, email communication still dominates the corporate world. According to The Radicati Group in 2014, businesses sent and received over 108.7 billion emails per day. By 2018, the volume per day may reach almost 140 billion.
Within the sea of emails flooding a company's servers, attackers attempt to deceive the company into believing that a malicious email does not pose a threat. In essence, the attacker hides in plain sight amongst routine and perfectly safe business communications.
Traditional Security Won't Suffice
Traditional secure email gateways can help detect malicious email, yet, they have several inherent limitations. Typically, they only scan an email as it attempts to enter the company's infrastructure and they do so using limited and largely static intelligence. Mounting an effective defense requires more than just the deployment of conventional secure email gateways. Cybercriminals love when companies rely exclusively upon static and predictable approaches to protect their networks. As a result, the attacker only has to withstand scrutiny once in order to deceive the organization of their true intent.
Sometimes, when a company recognizes that relying on a single approach to detecting malicious emails exposes their network to considerable risk, they purchase one or more products with the intent of mounting a multi-layered defense. Unfortunately, installing products from different suppliers and expecting them to function effectively within the same ecosystem is unrealistic. Often, this patchwork approach results in duplication of effort and analysis, and the creation of gaping holes that attackers all too easily uncover and exploit.
Evaluating Secure Email Gateway Technology
Here are four questions to help your company determine the effectiveness of its existing or proposed secure email gateway technology:
- Can the technology detect a variety of spam and viruses? As much as we would like to achieve 100% detection of malicious files, it is not realistic. However, layering and integrating high-performing spam and anti-virus detection engines as well as IP reputation filters in a cohesive security architecture can generate a success rate of 99%+. Such an approach will scrutinize email for many forms of deception that attackers use to disguise their "surprise". This multi-faceted analysis will also help reduce the false positive rates. The key concept to grasp is that the tools within the defensive portfolio must integrate, and work automatically and seamlessly within the same environment. In order to keep pace with the dynamic threat landscape, as they develop and implement defensive measures, defenders must employ the attacker's mindset. Further, they must adapt their approach as the threats evolve and mature. As an example, Cisco now sees snowshoe spam, which uses a large number of IP addresses with a low message volume per IP address, as an emerging threat. Unfortunately, many spam detection systems do not detect the messaging associated with this scheme, as the attackers know how to evade per-IP and per-domain reputation metrics. To remain effective and fend off snowshoe campaigns and phishing attacks, email security technology must include contextual analysis that correlates and analyzes elements across spamming infrastructures.
- Can the technology detect blended threats? What happens when an email containing links to websites loaded with malware attempts to enter your environment? Web categorization tools allow security administrators to grant access to certain categories of sites. Web reputation tools provide an additional level of detail that provides a wealth of metrics including how long the site has remained malware-free. Combining these tools allows administrators to grant or deny access to a category of sites as well as specific sites.
- When all else fails and an attacker's deception works, what remedies do you have at your disposal? - Occasionally, an attacker's email will deceive your secure email gateway and enter the organization. This is where retrospective analysis comes into play. On a continuous basis, organizations can analyze files that have traversed the email security gateway, and stay abreast of changing threat levels. It provides the visibility to know who on the network may have been infected by a malicious email-borne file. This type of data allows a company to identify and address an attack, before it has a chance to spread.
- Does the technology incorporate threat intelligence gathered from a community of security professionals? Most security professionals have a desire to implement proactive measures designed to combat emerging threats. Yet, they need access to email and network-related threat intelligence to do so. Determine whether the solution provider incorporates intelligence gathered from their community of users in real-time. The frequency and complexity of email-based threats continues to grow at an alarming rate. Security professionals must have at their disposal a multi-layered, yet fully integrated, secure email gateway technology. Stopping today's highly deceptive attacker is virtually impossible without it.
Paul McCormack, CFE, is a freelance business writer and consultant. His areas of expertise include accounting, banking, cloud computing, corporate governance, corruption, cybersecurity, executive protection, fraud, intellectual property and money laundering.