Last week, we discussed the evolution of email threats from nuisance spam to elusive phishing attacks. In this second part of our three-part series, we address why a modern approach to email security is essential for protection before, during, and after an email attack.
Striking a balance between technology and psychology
The challenges of most email security solutions have as much to do with a mindset as they do with tactics. In particular, the over-reliance on threat intelligence is symptomatic of an antiquated, perimeter/gate mindset, in which the only role of email security is similar to that of an airport security agent: check everything that comes through against a predefined list of “bad” things and let everything that doesn’t “match” through. In the case of airport screening, if something slips through the perimeter defense, recourse can be disruptive and potentially ineffective. The airport security staff may shut down a terminal (or the airport) or run manual security checks on people who have already cleared. The same is true for email security, where the so-called “incident response” is often limited to suspending accounts or using PowerShell scripts to identify email that is already in an employee’s inbox.
Modern email security moves away from a simple, perimeter-based defense by striking a balance between layers of email threat detection and automated response actions. Such an approach tries to prevent the majority of email threats from reaching end users, while simultaneously protecting users and organizations from the email threats that do make it through.
In addition to email threat detection, modern email security involves two additional primary areas of consideration: user engagement protection and integrated incident response.
1. End-User Engagement
User engagement leverages and expands upon the user education that originates from security awareness training. Studies have found that user awareness training is effective at conveying knowledge about email-borne threats like phishing and malware but is often ineffective at changing end-user behavior. Modern email security complements the often compliance-driven awareness training with contextualized warnings/banners, business process development, and technology that helps users make smart decisions.
For example, phishing awareness training may instruct users to check the email address of the sender and not simply rely on the sender name, which can easily be spoofed. However, such advice is often useless on a mobile device where it can be very difficult to look beyond the display name of an email.
Modern email security makes this easier by cautioning users when there is a disparity between the sending address and the supposed sender: an otherwise “good” email (one that passes email authentication, etc.) is flagged because its sending address differs from the one usually used by the purported sender. Taking these kinds of prompts one step further, modern email security can contextually reinforce business processes.
For example, it may remind users looking at an email purporting to be from a top executive that wire transfers can’t be authorized over email. The goal in all instances is to turn the users into security assets by providing in situ guidance and context for individual email messages.
Raising red flags
Modern email security enhances the value of security awareness training by providing automatic and “in-the-moment-of-risk” feedback. Today, most sophisticated attacks hinge on social engineering techniques that fool your employees. This is why detection features that can spot phishing attacks and build on user-awareness training are every bit as important as the raw scanning and detection capabilities. Beyond that, however, organizations need to understand their biggest risks and exposures and operationalize email security throughout their organization.
Email isn’t just used to launch attacks on victim organizations. It is also a favored avenue for stealing data and intellectual property from compromised firms. Organizations need to identify sensitive stored data on their networks and develop (and enforce) business processes that dictate how such information is shared and communicated—both internally and externally. Establishing such processes and coupling them with contextual reminders helps to ensure adherence to corporate information security policies.
In recent years, countless firms have stepped in to offer user awareness training for organizations. While useful, training is too often isolated and disconnected from the day-to-day activities of users. Despite its significance, security awareness training alone does not guarantee your employees will make the right decision when presented with a real-life phishing attempt.
Modern email security also helps reinforce critical secure business processes
BEC, or business email compromise, attacks often target lax business processes around money and data transfers, to the benefit of cybercriminals. Modern email security can reinforce secure business processes with reminders to users that key off of message content, subject lines and so on. For example, email messages discussing wire transfers, the transmission of W-2 forms, or other personally identifying information can trigger “in the moment of risk” banner messages and other cues to remind your users about company policies requiring a phone or in-person authorization for such actions. Those warnings can prompt out-of-band communications that can quickly expose the ruse.
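As an added example that is not part of the original post, the following Python sketch combines the two engagement features described above: it flags a sending address that differs from the one a known display name usually uses, and it attaches a business-process reminder when the subject or body mentions wire transfers or W-2 forms. The sender directory, the trigger patterns and the sample message are all constructed here; a real deployment would learn the directory from mail history or a directory service.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> address that sender usually uses.
KNOWN_SENDERS = {
    "pat morgan": "pat.morgan@example.com",  # hypothetical executive
}

# Constructed policy triggers: pattern in subject/body -> process reminder banner.
POLICY_TRIGGERS = [
    (re.compile(r"\bwire transfers?\b", re.I),
     "Policy: wire transfers cannot be authorized over email. Confirm by phone."),
    (re.compile(r"\bW-?2\b", re.I),
     "Policy: W-2 forms and other PII need phone or in-person authorization."),
]

def banners_for(raw_message: str) -> list:
    """Return the in-the-moment-of-risk banners to prepend to this message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    banners = []
    # 1. Display-name / sending-address disparity (the mobile-client blind spot).
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        banners.append(f"Caution: '{display_name}' usually sends from {expected}, "
                       f"but this message came from {address}.")
    # 2. Business-process reminders keyed off the subject and text/plain body parts.
    text = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    haystack = "\n".join(text)
    for pattern, reminder in POLICY_TRIGGERS:
        if pattern.search(haystack):
            banners.append(reminder)
    return banners

# Constructed message: lookalike domain, executive display name, wire-transfer lure.
SAMPLE = """\
From: Pat Morgan <pat.morgan@examp1e-mail.invalid>
Subject: Urgent wire transfer before close of business

Please send the wire transfer today. I am in meetings and cannot talk.
"""

if __name__ == "__main__":
    for banner in banners_for(SAMPLE):
        print(banner)
```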
2. Integrated Incident Response
When malicious or suspicious email messages are identified, organizations need tools and procedures to remediate that threat across their organization. These could include quick, comprehensive threat identification and removal capabilities, insight into user engagement with newly identified threats (i.e. “User X spotted the phishing email. How many others received the same email? How many clicked the link?”), and so on. Each of these components should continuously inform the other stages in the cycle so that over time, security improves and naturally attunes itself to an organization’s unique risk profile and tolerance.
When a phishing attempt evades detection mechanisms, what do you do?
In cases where a malicious threat slips by initial scanning, modern email security should also be engineered to make it easier for security staff to investigate those incidents and remediate any threat they pose.
It is rare for email-based attacks to target just one person within an organization. In the event of a compromise, targeted firms want to understand the full scope of a malicious campaign. That’s why incident response is a critical component of modern email security.
Threat intelligence capabilities applied to email traffic can enhance your security team’s ability to perform incident response. For example, identifying users throughout an organization who have clicked on suspicious or known malicious links early is critical when isolating and remediating attacks. However, such capabilities are not often part of email security platforms. Even today, incident response might fall to security staff using custom scripts or third-party tools to determine which employees have interacted with a specific threat. Identifying victims and targets can take anywhere from several minutes to several hours depending on the scope of the attack and the size of the organization.
Even then, an incident response team still must remediate the threat by resetting passwords, isolating compromised systems, and removing malicious installs. And, without clear data on who has interacted with the threat, these disruptive remediation steps are often performed on anyone who came into contact with a malicious message, regardless of their behavior. Such a brute force approach results in significant and unnecessary business disruption for employees who received but did not respond to the attack. At larger organizations, these disruptive manual investigations and remediation measures keep the window of exposure to new threats open longer.
The alternative? Modern email security platforms that allow you to query your environment using a wide range of indicators. These include the sender, recipient, return path, and IP address. By querying identifiable information like the URL that appeared in a successful email phishing attack or the name of a file attachment, IT staff can quickly determine who received the message within their organization and, if necessary, recall offending messages directly from victims’ email inboxes with the click of a button, eliminating the chance of exposure.
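As an added example that is not part of the original post, the following Python code answers the incident-response questions raised above over constructed gateway delivery and proxy click records: given any one indicator (sender, recipient, return path, IP, URL or attachment name), it lists who received the message, who clicked its link, and who therefore only needs a message recall rather than a password reset. The column names and every log value are made up for the example.

```python
import csv
import io

# Constructed mail-gateway delivery records (one row per recipient). Columns mirror
# the indicators the post lists: sender, recipient, return path, IP, URL, attachment.
DELIVERY_LOG = """\
msg_id,sender,recipient,return_path,src_ip,url,attachment
m1,ceo@examp1e.invalid,alice@example.com,bounce@examp1e.invalid,203.0.113.7,http://examp1e.invalid/inv,invoice.html
m1,ceo@examp1e.invalid,bob@example.com,bounce@examp1e.invalid,203.0.113.7,http://examp1e.invalid/inv,invoice.html
m1,ceo@examp1e.invalid,carol@example.com,bounce@examp1e.invalid,203.0.113.7,http://examp1e.invalid/inv,invoice.html
m2,news@example.org,alice@example.com,bounce@example.org,198.51.100.4,http://example.org/news,
"""

# Constructed web-proxy click records, keyed by the user's mailbox address.
CLICK_LOG = """\
user,url
bob@example.com,http://examp1e.invalid/inv
alice@example.com,http://example.org/news
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_messages(field, value):
    """Delivery rows whose indicator column `field` equals `value`."""
    return [r for r in _rows(DELIVERY_LOG) if r.get(field, "") == value]

def scope_campaign(field, value):
    """Who received the campaign, who interacted with it, and who only needs a recall."""
    hits = find_messages(field, value)
    urls = {r["url"] for r in hits if r["url"]}
    recipients = sorted({r["recipient"] for r in hits})
    # Only clicks on the campaign's own URL by actual recipients count as interaction.
    clickers = sorted({c["user"] for c in _rows(CLICK_LOG)
                       if c["url"] in urls and c["user"] in recipients})
    return {
        "message_ids": sorted({r["msg_id"] for r in hits}),
        "received": recipients,                                # recall candidates
        "clicked": clickers,                                   # reset/isolate candidates
        "recall_only": sorted(set(recipients) - set(clickers)),
    }

if __name__ == "__main__":
    print(scope_campaign("url", "http://examp1e.invalid/inv"))
```

The "recall_only" list is the set the post says brute-force remediation disrupts unnecessarily: people who received the message but never interacted with it.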
Check back on Thursday to read the conclusion of our three-part blog series.