By Eyal Benishti
Did you know that, according to Aberdeen, within 80 seconds of a phishing message arriving in an organization, someone has interacted with the message, and detonated its contents? Such rapid engagement is primarily due to the fact that modern phishing and spear-phishing emails appear to originate from a legitimate partner or senior executive and give specific instructions to recipients to make payments or ship goods.
Such sophisticated attacks all but nullify traditional email security, such as firewalls and secure email gateways (SEGs), which have not kept pace with the rapid advances in hacking and phishing strategies, including advanced persistent threats (APTs), business email compromise (BEC), ransomware, and other types of file-less attacks in which there is no malicious payload.
Just last month, the IBM X-Force Incident Response & Intelligence Service Team (IRIS) discovered a massive email scam targeting Fortune 500s worldwide. According to an article highlighting the groups findings, “attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox. Using this approach, both SEGs and DMARC were ineffective in identifying this type of BEC attack.
BEC attacks, such as email spoofing and CEO impersonation, are estimated to exceed $9 billion in damages in 2018, due in large part to looking so authentic and lacking the attachments and links that phishing aware users are instructed to look out for. As such, its abundantly clear that sophisticated and targeted emails can now bypass gateway-based filters, and that organizations require new mailbox-level solutions for comprehensive phishing prevention.
The History of Email Security
Email has been the critical communications medium for more than two decades, and from the homes of consumers to the hallways of Fortune 100 companies, it’s often the primary means for distributing private and sensitive information. Yet when email was created in the early m1970s, it was never intended to be a secure and controlled protocol. Prakash Linga, CTO of Vera, told Help Net Security that early attempts to address security shortcomings relied on public-key cryptography. Pretty Good Privacy (PGP) encryption was created in 1991 after which other early-stage protocols such as (Transport Layer Security) TLS, GNU Privacy Guard (GPG) and Secure/Multipurpose Internet Mail Extensions (S/MINE) evolved.
Fast forward to the early 2000s and the gateway model for email security was created to address existing email security protocol shortcomings and emerging threats. The premise of SEG’s was simple – to monitor emails being sent to an organization for unwanted content like spam, malware and phishing attacks and prevent such messages from reaching the mailbox. In its early days, secure email gateways offered many benefits and were credited with alleviating lots of spam. But as hackers upped their usage of attack tools and techniques, and with phishing-as-a-service kits available online, vulnerabilities inherent to SEGs have become problematic.
As we’ve written about before, phishing attacks have become the primary vector to infect systems with malware. Many of these attacks are now specifically targeted to businesses, and SEGs can no longer keep pace with the growing complexity of business email compromise phishing schemes.
For example, Dark Reading reports that between the months of September and early October 2017, Microsoft Office 365’s email security client missed more than 34,000 malicious phishing emails, almost 10 percent of the total emails studied. With millions of Office 365 users worldwide, this lapse in security is sure to have caused some businesses a headache or two.
Mailbox Level Security to Combat BEC & Ransomware
While gateway-level solutions are still beneficial for spam and malware filtering, they can no longer be expected to catch all malicious emails, as complex phishing messages are specifically designed to penetrate even the most advanced email security systems and make it to inboxes.
Today email spoofing is one of the most successful ways to trick users. And through a number of strategies, including Simple Mail Transfer Protocol (SMTP), a nefarious actor can send a customized phishing email that is almost impossible to identify. And as we always say, it only takes one single successful phishing email to an untrained person to put an entire organization at risk.
The best way to mitigate the risks of BEC and ransomware is through the adoption of mailbox-level security. This new technology takes a “bottom-up approach,” using machine learning algorithms and deep scans in the mailbox itself to ensure an unprecedented level of phishing prevention. With mailbox-level email security, organizations can detect phishing attacks that make it through SEG’s, and subsequently alert users through inline messages to mitigate and remediate the threat as soon as possible.
There are three main benefits that mailbox level security offers that cannot be achieved with sever security:
- Sender Reputation Scoring – Dynamic and ongoing list building of trusted external and internal senders and domains. Anti-impersonation technology and sender reputation scoring can monitor communication habits at the mailbox level to create a picture of what a user and sender’s “normal” email communications typically look like.
- Inbox Behavioral Analysis – Once a baseline of normal communication is established, the system can monitor every email inbox individually, based on correspondence and attachment/link interaction. Through this local reputation analysis, it can help users better identify email spoofing and spear-phishing attacks. A mailbox-level security system can scan multiple data points from the mailbox and cross-reference to determine if the sender or email is bad.
- InMail alerts or Instant Block – Based on an employees’ phishing confidence level, mailbox-level security can analyze past and current email interactions with any specific sender. This prompts visually identifications that can provide an augmented email experience (InMail alerts) and mechanism (report button) to help employees better spot and easily report suspicious messages. Algorithms continually improve the detection of both anomalies and irregular communication patterns based on learned experiences.
Putting Email Phishing Attacks in the Crosshairs
A major part of the IRONSCALES platform is IronSights, the most advanced mailbox level anomaly detection, based on a patented contextual and human behavioral analysis that proactively combats impersonation and spoofing emails in real-time. Using machine learning algorithms, IronSights continuously studies every employee’s inbox to detect anomalies and communication habits based on a sophisticated user behavioral analysis. All suspicious emails are visually flagged the second an email hits an inbox, and a quick button link inside Outlook & Gmail toolbar enables instant SOC team notification while prompting security tools for further investigation and immediate remediation.
Acting as a Virtual Security Analyst to flag suspicious emails as they hit the user’s inbox, IronSights utilizes machine intelligence to reduce the risk of human error in identifying malicious emails, and it gives organizations a mailbox-layer of defense to ensure unprecedented protection and threat remediation. And when an attack is detected, IronTraps, our automated incident response module, kicks into action with fully-automated remediation and enterprise-wide removal of all malicious emails.
(From IRONSCALES blog).