InfoSec Guide: Mitigating Email Threats

infosec-101Despite the rise in popularity of social media and instant messaging, email is still an important communication tool for business organizations. Unfortunately, its widespread use also makes it an ideal platform for cybercrime. This article will cover four particular types of email-based threats: Spam, Phishing, Spoofing and Business Email Compromise (BEC).

Spam: Despite the number of ways to filter out unwanted email, spam still presents a number of challenges to organizations. While ordinary spam is simply considered a nuisance, the true danger lies in the malware that can be delivered by spam. In 2016, 71% of ransomware was delivered via spam, making it the most common attack vector. Like phishing emails, spam can also be designed to appear like they're being sent by legitimate sources such as banks or online merchants, which increases the chance for unwitting users to download suspicious files. Notable incidents involving Cerber, Petya, and Locky ransomware also demonstrated how malspam can evolve depending on the size and scope of attack.

Quick Tip: Network administrators should ensure that antispam filters, including policy management and threat detection level thresholds, are properly configured. In addition, comprehensive email security gateways will often come with features such as web reputation tracking, document exploit detection and custom threat intelligence that are designed to weed out targeted attacks before they can reach endpoint users.

Phishing:  Phishing is a type of email threat that uses psychological manipulation to bait recipients into divulging sensitive information that can be sold or exploited for malicious purposes. A phishing attack typically consists of an authentic-looking sender and a socially engineered message, making it difficult to detect for ordinary users who lack awareness of these types of scams. Phishing emails could also contain malware attachments, links to fraudulent websites, or a combination of both.

Spear phishing is a more targeted form of phishing that uses highly customized attacks aimed at specific individuals and organizations. In these types of scenarios, cyber criminals will often do extensive research on their potential victims to make their emails seem more legitimate. While ordinary users are often the target of spear phishing attacks, large organizations can also fall prey to unscrupulous elements, as seen in 2016’s Operation Pawn Storm campaign.

Quick Tip: Cybercriminals will use different kinds of social engineering tactics to pressure potential victims into downloading files or giving out sensitive information so it is important to educate employees on how to avoid phishing attacks. If the organization’s security software comes with integrated anti-phishing measures, then these should be set up and configured correctly.

Spoofing:   In a spoofed email, a cybercriminal will masquerade as a legitimate source by changing the identity of the sender to reflect a person or organization familiar to the victim. Spoofing presents two distinct threats for organizations. The first involves a spoofed organization domain name, which can be used to send malicious emails to other people. This kind of spoofing attack can cause great reputation damage, especially if the victims are also customers. The second and perhaps even more significant threat is when cybercriminals use spoofed emails to target the organization’s employees since these can become entry points for malware.

Determined attackers can easily spoof poorly configured servers because Simple Mail Transfer Protocol (SMTP) lacks mechanisms for authenticating addresses. Spoofing becomes particularly dangerous when combined with phishing since it makes the task of distinguishing legitimate emails from malicious ones even more difficult.

Quick Tip: To prevent cybercriminals from spoofing the company domain, IT professionals should adopt security measures such as Sender Policy Framework (SPF), Sender ID, DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC). Protecting the organization from spoofing, on the other hand, involves vigilance at the end user level.  It is important to educate employees on the importance of reading email message headers as well as identifying threat indicators in the message content, such as typographical errors or an unusual link address (which should not be clicked but only hovered above). Network administrators can look into customizing the filtration levels of inbound emails via the email security gateway if the company’s security solution has this option.

Business Email Compromise:  Business Email Compromise (BEC) is a type of social engineering scam that involves trickery at the highest echelons of an organization. BEC is also known as CEO Fraud because a variation of the scam consists of cybercriminals compromising the email of an executive. This email account is then used to trick an employee working in the financial or accounting department to transfer funds to an account controlled by the scammer. Other BEC schemes follow the same pattern, using compromised email accounts to manipulate customers or suppliers to send funds to a fraudulent account. BEC scams have caused as much as $3 billion in losses, according to an FBI public service announcement.

Quick Tip: Organizations should consider using a multilayered identification process for transferring resources as this can cut down on a large number of BEC incidents. IT professionals and organization employees alike should also familiarize themselves with BEC indicators and practice proper email protocols such as scrutinizing the source and content of both inbound and outbound messages.

Best practices for email-based threats

Set up a central point for reporting suspicious email – Collecting security data can be a daunting task, especially for organizations with thousands of endpoint users. To streamline and centralize information gathering, IT professionals need to provide an avenue for employees to report all suspicious email in a convenient and accessible manner.

Use a Sandbox to analyze attachments – A large number of email threats contain suspicious attachments that deliver a payload.  This makes sandboxing an essential defensive measure against email attacks because it gives administrators the ability to isolate and analyze potential malicious code in a secure environment without compromising the whole network. For sophisticated email threats, smart sandboxes can provide more advanced information gathering and analysis. IT professionals can also look into solutions that combine both an email security gateway and sandbox analysis in their list of features.

Customize solutions according to organizational requirements– Email security is not just a matter of installing a security solution or application and expecting it to automatically safeguard against every attack. It requires a comprehensive strategy that will change according to the situation and need of the organization. For example, organizations with cloud-based email hosting might need to use specific solutions that are different from those who use on-site email hosting.

Recovering from email-based attacks

No matter how well-implemented a company’s security policies are, there can still be instances where cybercriminals successfully infiltrate the organizational network. Recovery for these attacks will vary on a case-to-case basis depending on the payload. For phishing attacks, a password reset followed by proactive email deletion should be the priority. Network administrators should also preemptively notify users not to click on unverified email links or executable files.

Building a culture of security

Protecting the organization from email-based threats is ultimately a collaboration between all levels of an organization, from the CEO down to the rank-and-file. For IT professionals, it is imperative that security solutions and other relevant software are configured properly and updated regularly.  End users should also be educated on the best security practices such as double checking the content of an email and refraining from clicking links embedded in the message. The bottom line is that an organization is only as good as its people. Building a culture of security will be just as effective as any solution that is designed to combat malware.

Trend Micro Solutions:

Trend Micro™ InterScan™ Messaging Security stops email threats in the cloud with global threat intelligence, protects your data with data loss prevention and encryption, and identifies targeted email attacks, ransomware, and APTs as part of the Trend Micro Network Defense Solution. The hybrid SaaS deployment combines the privacy and control of an on-premises virtual appliance with the proactive protection of a cloud-based pre-filter service.

Trend MicroDeep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats like the above mentioned zero-day attacks even without any engine or pattern update.

 Trend Micro Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach your network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.