Protect your business by securing your e-mail
Since its introduction, e-mail has been the most common form of office communication, but it is also a vector for targeted attacks on enterprises. According to Proofpoint, 94% of targeted attacks on companies start with an e-mail. E-mail is also the main tool of so-called lateral movement: the attacker "distributes" himself to other endpoints using the mailbox (and thus the identity) of the infected computer. In this article we will ignore spam and focus on significant attacks.
E-mail attacks usually start with spoofing, i.e. attempts to impersonate a trusted sender. We can divide them into three groups.
Attacks designed to install malware on the computer
Usually it is just an e-mail with an attachment: an Excel, PDF or DOCX file.
Among the payloads of such e-mails, the following are worth highlighting:
- Ransomware – restricts access to the computer, usually by encrypting the contents of the disk. The most common goal is to obtain a ransom for restoring access. In addition, data loss and business process interruption can ultimately result in loss of customer trust and loss of market position.
- Device Take-Over Malware – the goal is to establish a command & control connection with the attacker's computer so that he can perform further actions (data theft, funds transfer, internal spread within the company network).
- Spyware – tracks user actions on the computer. Its purpose is most often to collect access data, but it can be any information.
Attacks containing a link to a website where data can be compromised or malware downloaded
Typically, the destination of the redirection is a spoofed domain: the criminal spoofs the sender's address ("MESSAGE FROM" / "return path") using a trusted domain. The recipient sees the spoofed address, not the sender's actual domain. A related technique is the use of domains that resemble other domains. To get through anti-spoofing measures, criminals often register domains that resemble the domains they are trying to spoof. In the name of such a domain there may be, for example, the digit "0" instead of the letter "O" ("0net.pl"), or substituted letters, e.g. a lower-case "l" instead of a capital "I" ("lvesBank.com").
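One way a gateway rule can flag look-alike domains of this kind, as an added example that is not part of the original article: the sender domain is reduced to a "skeleton" in which commonly confused characters (0/o, 1/l/I, 5/s, rn/m, vv/w) collapse to one symbol, and the skeleton is compared with those of a trusted-domain list, also allowing one edit for plain typosquats. The trusted domains and the sample From headers are constructed for illustration.

```python
# Added example, not from the original article: detect look-alike sender
# domains such as "0net.pl" or "lvesBank.com". Trusted domains and sample
# From headers below are constructed for illustration.
from typing import Iterable, Optional

# Single characters that commonly stand in for a visually similar one.
# Both sides of each pair collapse to the same symbol in the skeleton.
_SINGLE = str.maketrans("0l15", "oiis")


def skeleton(domain: str) -> str:
    """Collapse a domain name to a 'skeleton' in which visually confusable
    characters become identical, so that look-alikes compare equal."""
    d = domain.lower().strip().rstrip(".")
    # multi-character confusables first ("rn" looks like "m", "vv" like "w")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_SINGLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats as well."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted_domains: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that sender_domain imitates, or None.

    An exact match is the genuine domain and is never reported. A domain is
    flagged when its skeleton equals a trusted domain's skeleton or lies
    within one edit of it."""
    sender = sender_domain.lower().strip()
    sender_sk = skeleton(sender)
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if sender == trusted:
            return None
        trusted_sk = skeleton(trusted)
        if sender_sk == trusted_sk or levenshtein(sender_sk, trusted_sk) <= 1:
            return trusted
    return None


def header_from_domain(header_from: str) -> str:
    """Extract the domain from a From header such as 'Jan <jan@0net.pl>'."""
    addr = header_from.rsplit("@", 1)[1]
    return addr.strip().rstrip(">").strip()


# Constructed sample data: a trusted-domain list and some inbound From headers.
TRUSTED = ["onet.pl", "ivesbank.com", "microsoft.com"]
SAMPLE_FROM_HEADERS = [
    "Biuro <biuro@onet.pl>",            # genuine
    "Biuro <biuro@0net.pl>",            # digit zero for letter o
    "Support <help@lvesBank.com>",      # lowercase l for capital I
    "Security <alert@rnicrosoft.com>",  # "rn" for "m"
    "Partner <info@example.org>",       # unrelated domain
]


def scan_headers(headers=SAMPLE_FROM_HEADERS, trusted=TRUSTED):
    """Map each From header to the trusted domain it imitates (or None)."""
    return {h: lookalike_of(header_from_domain(h), trusted) for h in headers}


if __name__ == "__main__":
    for header, imitated in scan_headers().items():
        verdict = f"LOOK-ALIKE of {imitated}" if imitated else "ok"
        print(f"{header:40s} {verdict}")
```

The skeleton step is what catches the two cases quoted in the text; the edit-distance step is a cheap extension that also catches a single dropped or swapped letter. In production the trusted list would be the organization's own domains and those of its key partners, and a hit would usually raise the message's risk score rather than block outright.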
The three main scenarios we see are:
- Credential Theft / Phishing – stealing access data when the user tries to log into a fake website. Spear-phishing is a sub-type worth highlighting here.
- Wire-transfer Theft – an unsuspecting user (or the attacker) transfers money to the account indicated by the attacker through a fake website that allows money transfers.
- File-less Malware – after the link is clicked, a running program such as Java or Flash configures Office macros, WMI or PowerShell to perform actions against the user and the system. This tactic is known as "living off the land".
Attacks aimed at taking over the inbox of the victim
These are attacks aimed at taking over the user's inbox and using it to perform:
- Business Email Compromise – taking over communication from a given mailbox through access to the entire archive as well as active communication with customers and business partners. Gartner predicts that the number of BEC attacks will double year on year, causing real losses worth $5 billion by 2023.
- Lateral movement – the attacker “spreads” to other computers on the network using the identity of the intercepted mailbox.
- Data exfiltration – outbound e-mail can be used to exfiltrate e-mail, databases, calendars, financial or legal documents, images and almost any object existing in the system or constituting sensitive data. This data can be forwarded to a third party as an e-mail, text message or as a file attachment.
Worth remembering!
When designing e-mail channel protection, it should be remembered that, regardless of the goal of the attack and the type of software, attacks target both technical imperfections and human weaknesses. Therefore, defending against them requires user-oriented security measures which, in addition to analyzing connection parameters and payload, "pay attention" to anomalies in user behavior.
Currently, e-mail channel protection is a challenge divided into five areas:
- Protection against threats.
- Information protection.
- User protection.
- Access protection.
- Protection of compliance with regulations.
Modern E-mail Security Gateway solutions involve many stages of verification, in line with the defense-in-depth principle.
Authentication
This stage neutralizes attacks in which an e-mail impersonates a given sender (spoofing) so that data can be exfiltrated or malware downloaded. It does this by preventing spoofing of the domain in the return path and in the e-mail header.
For this purpose it uses:
- Sender Policy Framework (SPF) – the mechanism verifies whether a given mail server (sender) is authorized to send mail from a given domain (the list of authorized servers is read from the domain's DNS record). If the domain (ENVELOPE FROM) and the sender's address (header FROM) do not match (FROM ≠ ENVELOPE FROM), the e-mail is rejected.
- DomainKeys Identified Mail (DKIM) – can confirm both the "envelope" and the "header" sender domain. The mechanism encrypts the content of the message with a private key matched with the public key published in the domain, the same domain from which the sender's e-mail is sent. Upon receipt, the recipient "queries" the domain's DNS for the public key and authenticates the e-mail.
- Domain-based Message Authentication, Reporting and Conformance (DMARC) – verifies the use of SPF and DKIM. At least one of these mechanisms must confirm the domain of the header sender (FROM = ENVELOPE FROM) for DMARC to pass the message.
At this stage it is crucial to get the DMARC verification right. Best-practice solutions automatically save identified malicious zero-day domains and add them to a global address database. Access to this global knowledge is crucial because the techniques are applied differently in different geographic zones.
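The DMARC decision described above, as an added example that is not part of the original article: given the SPF verdict for the envelope-from domain and the DKIM verdict with its signing (d=) domain, the function checks whether at least one of them is both passing and aligned with the header-From domain, and otherwise returns the disposition from the domain's p= policy. The domains, the DMARC records and the organizational-domain rule (last two labels, where a real gateway would use the Public Suffix List) are assumptions made for this example.

```python
# Added example, not from the original article: evaluate DMARC from the SPF
# and DKIM results a receiving gateway already has, reproducing the rule in
# the text that at least one of them must confirm the header-From domain.
# The domains and records below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain used for 'relaxed' alignment.
    Simplifying assumption for this example: the last two labels. A real
    implementation derives it from the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'.
    Missing alignment tags default to relaxed ('r'), as the standard does."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(identifier: str, header_from: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact domain match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


@dataclass
class AuthResults:
    header_from: str    # domain of the visible From header
    envelope_from: str  # domain of SMTP MAIL FROM (the return path)
    spf_pass: bool      # SPF verdict for envelope_from and the sending IP
    dkim_pass: bool     # whether a DKIM signature verified
    dkim_d: str = ""    # the d= domain of that verified signature


def evaluate_dmarc(r: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM
    passed AND its identifier aligns with the header-From domain; otherwise
    the record's p= policy (none/quarantine/reject) is the disposition."""
    tags = parse_dmarc(record)
    spf_aligned = r.spf_pass and aligned(r.envelope_from, r.header_from, tags["aspf"])
    dkim_aligned = r.dkim_pass and aligned(r.dkim_d, r.header_from, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed scenarios: a genuine bounce subdomain, a spoof whose own SPF
# passes but does not align, a strict-alignment policy, and a message whose
# envelope does not align but carries a valid signature from the From domain.
SCENARIOS = {
    "genuine": (AuthResults("bank.example", "bounce.bank.example", True, False),
                "v=DMARC1; p=reject"),
    "spoofed": (AuthResults("bank.example", "attacker.example", True, False),
                "v=DMARC1; p=reject"),
    "strict_spf": (AuthResults("bank.example", "bounce.bank.example", True, False),
                   "v=DMARC1; p=quarantine; aspf=s"),
    "dkim_rescue": (AuthResults("bank.example", "attacker.example", True, True, "bank.example"),
                    "v=DMARC1; p=reject"),
}


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Evaluate every constructed scenario; returns name -> (result, disposition)."""
    return {name: evaluate_dmarc(res, rec) for name, (res, rec) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (result, action) in run_scenarios().items():
        print(f"{name:12s} dmarc={result:4s} disposition={action}")
```

The "spoofed" scenario is the point the text makes: SPF for the attacker's own domain can pass, yet the message still fails because that domain does not align with the visible From domain. The "strict_spf" scenario shows why a domain owner who publishes aspf=s must also make sure bounce subdomains sign with DKIM, or legitimate mail will be quarantined.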
Scanning
This stage neutralizes malware and malicious links. Its purpose is to validate the uploaded content, attachments and linked pages.
Scanning mechanisms use the following analyses:
- Files – based on code, signature and heuristic analysis (behavior correlation).
- Reputation – by verifying the domain certificate and the reputation of the domain and, additionally, of the IP address (optional, since the IP can be changed). Today, software vendors also run huge data lakes that analyze domain behavior over time and add historical context to their solutions.
- Behavioral – consisting in correlation with identified trends in behavior. Is the message's subject suspicious in relation to the other identified parameters, i.e. is it "typical" for them? Have the sender and recipient already had e-mail contact? Does the content of the e-mail look suspicious in terms of the words and phrases used?
- Sandboxing – protects against suspicious but unclassified files and e-mails. Sandboxing allows you to "detonate" a file in a test environment (usually resembling a normal system down to the smallest details). This is currently the best protection against zero-day attacks.
Access analysis – cloud access
Along with the growing adoption of the cloud, and therefore of new ways of accessing the e-mail account (e.g. via a mobile application or a browser), we can additionally check:
- account activity – unusual operations such as adding hidden copies to e-mails or setting a calendar redirection policy,
- context – unusual logons from places too far apart to come from one user, or from new devices, through unknown networks and at unusual times,
- correlation with known attack trends – using a global analysis of activities aimed at specific positions or groups, the user's own group and position are correlated with those trends and included in the risk assessment.
After applying the above steps, the solution presents a correlated risk level based on these factors and applies an appropriate action, e.g. block. Given the number of e-mail attacks, automated threat response capabilities are invaluable: they automate key parts of the incident response process.
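Two of the context checks listed above, as an added example that is not part of the original article: consecutive logons to the same mailbox are compared for implied travel speed, and a device never before seen for that user is reported. The login events, the coordinates (Warsaw, New York and Krakow), the 900 km/h plausibility limit and the 50 km jitter threshold are assumptions made for this example; a real gateway would take the coordinates from IP geolocation.

```python
# Added example, not from the original article: score mailbox logins for two
# of the context signals named in the text, impossible travel between
# consecutive logons and a device never seen before for that user.
# Login events and thresholds below are constructed for illustration.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner is impossible
MIN_DISTANCE_KM = 50.0      # assumption: ignore geolocation jitter within a city


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def analyze_logins(events: List[Dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict]:
    """Walk the events in time order and emit a finding for each anomaly.

    Each event is a dict with user, ts (ISO 8601), lat, lon and device.
    The first login ever seen for a user establishes a baseline and is
    not reported as a new device."""
    findings: List[Dict] = []
    last_seen: Dict[str, Dict] = {}
    known_devices: Dict[str, set] = {}

    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        user = ev["user"]
        ts = datetime.fromisoformat(ev["ts"])

        devices = known_devices.setdefault(user, set())
        if devices and ev["device"] not in devices:
            findings.append({"user": user, "kind": "new_device",
                             "device": ev["device"], "ts": ev["ts"]})
        devices.add(ev["device"])

        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ts - prev["_ts"]).total_seconds() / 3600.0
            # a real distance covered in zero elapsed time is impossible as well
            speed: Optional[float] = km / hours if hours > 0 else None
            if km >= MIN_DISTANCE_KM and (speed is None or speed > max_kmh):
                findings.append({"user": user, "kind": "impossible_travel",
                                 "km": round(km),
                                 "kmh": None if speed is None else round(speed),
                                 "ts": ev["ts"]})
        last_seen[user] = {**ev, "_ts": ts}
    return findings


# Constructed login events (coordinates are Warsaw, New York and Krakow).
SAMPLE_LOGINS = [
    {"user": "j.kowalski", "ts": "2024-03-04T09:00:00", "lat": 52.23, "lon": 21.01, "device": "laptop-01"},
    {"user": "j.kowalski", "ts": "2024-03-04T10:30:00", "lat": 40.71, "lon": -74.01, "device": "android-unknown"},
    {"user": "a.nowak", "ts": "2024-03-04T09:00:00", "lat": 52.23, "lon": 21.01, "device": "laptop-07"},
    {"user": "a.nowak", "ts": "2024-03-04T12:00:00", "lat": 50.06, "lon": 19.94, "device": "laptop-07"},
]


if __name__ == "__main__":
    for finding in analyze_logins(SAMPLE_LOGINS):
        print(finding)
```

For j.kowalski the two logons are about 6,850 km apart and 90 minutes apart, which implies over 4,500 km/h, so both an impossible-travel and a new-device finding are raised; a.nowak's Warsaw-to-Krakow move over three hours stays well under the limit and produces nothing. Either finding on its own is only a risk factor; it is the correlation with the other signals in the text (unknown network, unusual hour, a mailbox rule change) that should drive the automated response.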
The following are examples of actions that can be set to take place automatically when an attempted attack is detected in the user’s inbox:
- extracting phishing e-mails containing URLs that became unsafe after delivery, including any copies forwarded to other users,
- removing unwanted messages from internal accounts that have been infected,
- quarantining e-mails reported by users as potentially sent by fraudsters,
- forcing a password reset,
- suspending infected accounts,
- cancellation of any active user session,
- enforcement of multi-level authentication due to the identified risk level.