Gone phishing, again!

by Mark Rowe

The biggest security loophole in any system is its human operator, and cyber criminals are well aware of this, writes Colin Tankard, Managing Director at the cyber firm Digital Pathways.

Attacks have shifted from mass, random spam email to highly personalised attacks such as spear phishing and CEO fraud, where an email appears to come from, or be addressed to, the CEO. The UK government’s Cyber Security Breaches Survey 2020 found almost half of businesses (46pc) and a quarter of charities (26pc) reporting cyber security breaches or attacks in the last 12 months. As in previous years, the proportion is higher among large businesses (75pc), medium businesses (68pc) and high-income charities (57pc).

The survey also highlighted the change in the character of attacks and stated, “the nature of cyber-attacks has also changed since 2017. Over this period, there has been, among those identifying any breaches or attacks, a rise in businesses experiencing phishing attacks (from 72pc to 86pc), and a fall in viruses or other malware (from 33pc to 16pc).”

Organisations have responded by adding more email protection. Yet despite a record $3 billion invested in Secure Email Gateways (SEGs) in 2019/20, US companies still lost $1.7 billion to phishing, as reported by the US firm McKinsey & Company.

So how are attackers bypassing the SEG, tricking users into taking the bait and transferring the requested money?

Activating or uploading the malicious content on a target web page only after the email has been scanned is not a new trick. Advanced SEGs countered it with ‘time-of-click’ detection, which automatically rescans the link when the user clicks it, giving the SEG one last chance to detect a malicious URL.

However, it is not without flaws. Many spear phishing and Business Email Compromise (BEC) emails contain no URLs or attachments at all, so they appear harmless to the SEG. Once such an email has evaded the SEG, the user is the last line of defence.

Often a BEC attack uses an organisation’s own internal communications to listen, learn and execute the crime. The attacker might compromise and then observe the mailbox of a well-placed employee to learn when, for example, an executive is going on holiday, which payments are falling due and who is responsible for making business payments. That information is then used to plan a convincing funds-transfer fraud.

Evasion tactics trick not only systems such as SEGs but also users. Half of users click on links because social engineering creates a sense of urgency, and the link itself is disguised, for example when:

– legitimate, trusted domains (such as YouTube) are used to hide the real destination URL
– Punycode (internationalised domain name) lookalikes are used, where characters look the same to the naked eye but resolve to a different web address
– attackers serve a localised version of a spoofed site, so the page looks legitimate when landed on but isn’t.
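To make the Punycode point concrete, the following is an added example (not code from the article or from Digital Pathways) that shows what a lookalike hostname turns into on the wire and how a simple mixed-script check can flag it. The sample hostnames are constructed for illustration: "apple.com" with its first letter swapped for Cyrillic a (U+0430) is the classic homograph, and "bücher.example" is a legitimate internationalised name that should not be flagged.

```python
import unicodedata

# Constructed sample hostnames (not from the article). The second is "apple.com"
# with its first letter replaced by Cyrillic a (U+0430); the third is the same
# name in the xn-- form a resolver or certificate sees; the fourth is a
# legitimate single-script IDN.
SAMPLE_HOSTS = [
    "apple.com",
    "\u0430pple.com",
    "xn--pple-43d.com",
    "b\u00fccher.example",
]


def to_unicode(host):
    """Return the host as the browser would display it, decoding any xn-- labels."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def to_ascii(host):
    """Return the ASCII (Punycode) form that DNS and TLS certificates actually use."""
    return to_unicode(host).encode("idna").decode("ascii")


def _script(ch):
    """Unicode script family of a letter, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyse_host(host):
    """Report the displayed and wire forms and flag labels that mix scripts.

    A label mixing Latin and Cyrillic letters is the typical homograph trick;
    a label in one non-Latin script (or a plain accented Latin name) is not
    flagged, so ordinary internationalised domains pass.
    """
    shown = to_unicode(host)
    wire = to_ascii(host)
    mixed_labels = []
    for label in shown.split("."):
        scripts = {_script(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            mixed_labels.append((label, sorted(scripts)))
    return {
        "shown": shown,
        "wire": wire,
        "idn": shown != wire,
        "mixed_script_labels": mixed_labels,
        "suspicious": bool(mixed_labels),
    }


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(analyse_host(h))
```

The useful habit this encourages is to log and display the `wire` form next to the `shown` form: "xn--pple-43d.com" is obviously not "apple.com", whereas the Unicode rendering is indistinguishable in many fonts.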

An example of such an attack: an employee receives an email saying that a security vulnerability in a supplier’s application, which the employee uses, has just been patched, and asking them to ‘please click now to update and verify your ID’. Not only do the counterfeit email and site look and act like the real thing, they also have the usual security trappings, such as an SSL/TLS connection. Even vigilant, security-trained users can fall for these tricks.

Bad actors even manage to evade detection by cyber security professionals. They learn the IP address ranges used by security companies and block connection attempts from them, so scanners never see the malicious page. Or they change a couple of pixels in an image that has been fingerprinted, so the copied brand imagery no longer matches the known hash. The phishing site’s HTML is also often obfuscated or encrypted to frustrate inspection.
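The pixel-tweaking evasion works because an exact fingerprint (a cryptographic hash of the image bytes) changes completely when a single pixel changes. The following added example, which is not code from the article or from Digital Pathways, shows that failure and contrasts it with a perceptual "difference hash" (dHash), a technique the article does not mention, which survives small edits. The "logo" is a constructed 36x32 greyscale image built in code so the example runs offline; a real deployment would decode the image file and use the same comparison.

```python
import hashlib

# Constructed synthetic "brand logo": a 36x32 8-bit greyscale image stored as
# rows of pixel values. It stands in for a real logo and is not from the article.
WIDTH, HEIGHT = 36, 32


def make_logo():
    """Light left-to-right gradient with a dark rectangle in the middle."""
    img = [[200 + (x * 55) // WIDTH for x in range(WIDTH)] for _ in range(HEIGHT)]
    for y in range(8, 24):
        for x in range(6, 30):
            img[y][x] = 30
    return img


def tamper(img, pixels):
    """Return a copy with the given (x, y) pixels inverted: the attacker's edit."""
    out = [row[:] for row in img]
    for x, y in pixels:
        out[y][x] = 255 - out[y][x]
    return out


def exact_fingerprint(img):
    """SHA-256 over the raw pixel bytes: any single-pixel change gives a new digest."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def dhash(img, size=8):
    """Difference hash: downscale to (size+1) x size by block averaging, then
    emit one bit per horizontally adjacent pair (1 if the right block is brighter)."""
    h, w = len(img), len(img[0])
    bw, bh = w // (size + 1), h // size
    small = []
    for gy in range(size):
        row = []
        for gx in range(size + 1):
            block = [img[y][x]
                     for y in range(gy * bh, (gy + 1) * bh)
                     for x in range(gx * bw, (gx + 1) * bw)]
            row.append(sum(block) / len(block))
        small.append(row)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def compare(original, edited, threshold=10):
    """Compare both fingerprints; dHash distances below threshold count as a match."""
    distance = hamming(dhash(original), dhash(edited))
    return {
        "exact_match": exact_fingerprint(original) == exact_fingerprint(edited),
        "dhash_distance": distance,
        "dhash_match": distance < threshold,
    }


if __name__ == "__main__":
    logo = make_logo()
    evasion = tamper(logo, [(2, 2), (10, 12)])  # two pixels flipped
    print(compare(logo, evasion))
```

With the two-pixel edit the SHA-256 digests differ, so an exact-match blocklist is bypassed, while the dHash distance stays well under the usual matching threshold and the page is still recognised as a copy of the brand image.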

This means companies today cannot rely on a single technology nor just hope their employees will see the bad email; it is time to layer Inbox Detection and Response (IDR) on top of SEGs.

IDR solutions hook into users’ inboxes and continuously scan all inbound and outbound email in every folder. They protect against new threats by continuously monitoring every mailbox, tracking user behaviour and interactions, and identifying anomalies.

If a new threat is discovered at any time, IDR can automatically delete every copy across every mailbox. This automatic remediation removes a burden from the security analyst and reduces the cost of response. IDR can also provide a framework for users to interact with the detection technology, incorporating user feedback quickly and automatically to identify and protect against phishing attacks.

Data collected through the framework can be correlated to determine whether an email is malicious, and the action which should be taken. Incident and case management workflows can eliminate false positives and help email administrators and security analysts identify threats for further investigation.

Finally, IDR creates a fast feedback loop that reinforces its machine-learning algorithms, using the outputs of continuously scanning emails, monitoring user behaviour and tracking URLs. Through analysis of this data, IDR can better detect anomalies, predict what the next threat might look like and push intelligence to SEGs and other security assets, strengthening the organisation’s security posture as a whole.

IDR brings continuous monitoring, detection and response to email security, using technology that cannot be deployed at the SEG. In turn, the SEG provides technologies that cannot be deployed in the inbox, so it will continue to play a role as part of an email security stack.

Cyber criminals are keeping pace with technological progress. Their attack patterns are becoming more complex, and multi-vector attacks are no longer a rarity. With email the primary vector of such attacks, companies are finding it increasingly difficult to protect themselves. Users of the Office 365 suite run a particularly high risk of attack via email. For them, it is essential to protect email communication at every level with third-party security solutions.

Cyber attacks should be taken as seriously as other crimes. Alongside the theft of sensitive data from private individuals and companies, cyber attacks can inflict immense financial and reputational damage on an organisation. Given that the average business person receives 121 emails per day, the ‘bad guys’ have plenty of scope.

Cyber crime is a growing threat, and a downward trend is not expected in the near future.


© 2024 Professional Security Magazine. All rights reserved.
