Email Security: The Seismic Shift To Highly-Targeted Attacks

The really unfortunate situation faced by organizations today is that legacy email security solutions are being outpaced by a rapidly-changing threat landscape and a steep rise in targeted attacks. Email security isn’t foolproof either. And the solutions that organizations have deployed are no longer keeping up with the sophistication of attackers.

The Not-So-Sincere Bakery Order

Matt Cooke set the stage with an example of a father corresponding via email with a bakery about ordering goods for his son’s birthday. After the bakery fails to receive the attachment containing the order details, it requests sending the info via FAX. In turn, the father asks for the email address of a coworker to try again.

Is the father even a real customer? Security professionals were probably not fooled by this highly-personalized phishing attack. Once the attacker was blocked by the first contact, additional employee contact points are requested. This behavior is symptomatic of a shift in the threat landscape towards more targeted campaigns. The majority of these attacks seek to exploit human vulnerability rather than technical vulnerability.

A Shift In Strategy To Highly-Targeted Attacks

The types of people in organizations that are getting attacked most often are not necessarily the owners. From the cyber-attacker’s perspective, seek out the people with the right type of access to data. Email remains the preferred channel for attacks, but only 7% of security spending is on the email category, according to a Gartner Information Security spending study in 2018.

Attackers are using these targeted people in 3 ways: by running the attackers’ code for them, handing over credentials to them, and social engineering (acting as someone in a power role), such as a request to transfer funds or data to them.

  • Malware Needs Users to Click: The new Snowden book announcement has been leveraged by attackers to “give away” snippets or a preview of the content (with a choice for users from multiple languages) by downloading an attachment that unfortunately contains a Trojan. This is the majority of malware attacks, which is unlike the buzz created in media about ransomware attacks, which Proofpoint found represent only 1% of all malware infestations.
  • Users Need to Give Credentials Away: Users are requested to click or visit a website to authenticate and/or view an online document. The request is a phishing attack. Microsoft Office 365 phishing attacks are the highest volume observed by Proofpoint in 2019.
  • Business Email Compromise (BEC): Pure text, often an email, replicates urgent correspondence from an executive. Imposter emails went up over 400% from 2017 to 2018 due to attackers seeing how effective the attack has been.

Defenders Do Not Focus On People, But The Attackers Do!

Threats are using social engineering rather than vulnerabilities. The shift to the cloud creates a new threat vector and data exposure. Imposter email fraud, such as the BEC example, becomes a board-level issue with $26.2 billion in losses from this type of attack since 2016.

As attackers learn what type of method is working, the level of customization by attackers has shifted from infrastructure attacks towards finding the workers with the most access to sensitive data. As a result, attackers see platforms such as LinkedIn as a channel to increase their return on investment (ROI). Security teams must think like an attacker.

Adaptive Controls To Align With Individual Requirements

Security teams do not lack technical controls to thwart the issue of highly-personal cyber-attacks. Knowing the individual’s level of visibility, attack profile, and privileges informs InfoSec how to personalize adaptive controls to the individual worker. The problem with all the layers of controls in place is that they do not communicate with each other.

Modern Email Security Deployment Models

Q: Please explain email security deployment models. Are these modern email security solutions done on-premise, in the cloud, or how?

Wherever is right for the organization. More commonly, email security is deployed in the cloud, but that’s not the right strategy for every organization. You have options.

The goal remains to respond quickly to these threats. If your organization is already migrating to the cloud, there is no business reason to have email security on-premise. You will get quicker visibility from shared telemetry at other organizations when using the cloud. The outcome is to protect you much more quickly.


Leave a Comment

Your email address will not be published. Required fields are marked *