Part 2: What Can You Do About It?
By Ron Temske, Vice President of Security Solutions, Logicalis US
In my last article, I outlined the growing challenges posed by email increasingly used as an attack vector for malware. In this article, I will discuss recommendations for mitigating this threat in your organization.
For our discussion, we are going to consider a typical enterprise Outlook or Office 365 environment to see the approaches you can take to thwart email attack vectors. These are not all manual solutions. In fact, at Logicalis US and with our clients, we often recommend Microsoft’s Advanced Threat Protection (ATP) and Cisco’s Cloud Email Security (CES) with Advanced Malware Protection (AMP) to help in protecting end users.
- Check Email Headers. End user awareness training must include the basics of reading an email header along with other safe practices. If you want to get a sneak peak of the treasure trove of email information available, you must open your message (not just preview it) in Outlook 2016 and select File/Properties. In the bottom of the window that pops up is a box with Internet headers. This information provides insight into the true origin of an email. Obviously, you wouldn’t do this for every email, but it can provide insight into suspicious emails. Normal caution applies of course, as with some attacks merely opening (or even just previewing) the email is enough to launch the attack!
Example Outlook 2016 Properties Dialog Box Displaying Internet Headers
- Anti-Spoofing. You should implement anti-spoofing standards such as Domain-based Message Authentication, Reporting and Conformance (DMARC) which is built upon Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) which is built into Exchange Online Protection (part of Microsoft 365 and Cisco Email Security solutions).
- Block senders, files, and URLs using a reputation system. This is not just a simple blacklist, but is backed by a leading threat intelligence organization. The idea behind this approach is that sites with bad reputations (or simply no reputation) can be marked as cautionary, without actually identifying specific malicious content. To accomplish this, Microsoft Office 365 leverages Exchange Online Protection, while some additional features require E5 licensing or Advanced Threat Protection license.
- Inspect inbound sender details against a company directory. You can do this to highlight “From: Ron Temske,” for example, using the correctly spelled friendly name but not the correct domain which is frequently hidden in headers not seen by the end user’s email application. You can also look for domain names that are close, but not quite right; email@example.com for example. Also look for the use of international characters (Unicode) that look close to standard characters (ASCII).
- Inspect links BEFORE clicking. It should be obvious, but inline links are not always what they purport to be. You’ll want to ensure that you have a system in place that evaluates URLS not just at the time they are received, but also when they are being clicked on. Inspection of URLs shouldn’t rely solely on reputation but other static and dynamic analysis as well.
- Lock Down File Attachments. File attachments present an obvious challenge, consider limiting what is allowed at your organization. Do you really need to allow executables or archives? Consider dropping or quarantining Microsoft Office documents with macros enabled.
- Play in the Sandbox. Leverage the cloud for sandboxing to run files that have an unknown disposition in a virtual environment to see if any malicious activity occurs before running on the end user’s system.
- 3ncrypt M3$$ages. Have a way to send encrypted messages to users that others can’t read by snooping.
- Break Down Security Silos. Your security architecture should be natively integrated and not operating in product silos (e.g. email systems should share information with endpoint or firewall systems).
- Leverage PKI. Consider leveraging public key infrastructure (PKI) that uses certificates issued to individuals deployed in a manner that can be used for both signing emails for non-repudiation purposes along with encryption which requires two separate private keys.
The important thing to take away from my articles is that while email is not going away – and with it, email-borne threats – you have multiple options available to better manage some of the most common email threat techniques.
Want to learn more? Read a blog post discussing What is a Common Security Framework (CSF) and why is it important to your organization’s enterprise security. Then learn How to Benchmark Your Enterprise Security Using the Critical Security Controls Framework in another post at our Enterprise Security blog. Perhaps it’s time to step up your security game? Don’t be held hostage by ransomware; read these 10 tough security questions every CIO must be able to answer.