Part 1: How did this happen?
By Ron Temske, Vice President of Security Solutions, Logicalis US
Email is widely and increasingly used as an attack vector for malware. In fact, it has become one of the largest attack vectors, and no organization of any size is immune. Let’s look at the complexities of the challenge IT organizations face when it comes to email as an attack vector and some recommendations for mitigating this threat in your organization.
Background: How did this happen?
In the early days of the Internet, email – specifically the Simple Mail Transfer Protocol (SMTP) – was developed with little security in mind. It works much like a US Mail postcard: anyone can write the “From Address” and “To Address”, and both are generally assumed to be accurate rather than validated. Additionally, anyone involved in handling the postcard can read what is written on it. This raises questions such as, “How do I know the person sending the email is who they say they are, and how do I ensure confidential information is only read by the intended recipient?”
Today, that lack of email security has become a huge challenge. To put the magnitude of the problem in perspective, Verizon’s 2017 Data Breach Investigations Report (DBIR) shows that over half of all breaches included malware and nearly one out of every three instances of malware was delivered via email. Keep in mind these statistics are specific to data breaches and don’t include incidents where no data was exfiltrated, or surreptitiously removed, from the organization, even though damage was still done by compromising the confidentiality, integrity or availability of the system in some way.
In attacks that are not data breaches, many analysts claim that email plays an even greater role. For example, a December 2016 Dark Reading article says 91 percent of all cyberattacks start with email. The Verizon report also showed that email was the dominant communication method, accounting for 88 percent of financial pretexting incidents (pretexting is an attempt to obtain financial or personal information through fraudulent methods), with phone communications in second place at just under 10 percent.
Source: Verizon 2017 DBIR http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
Defenders have significantly improved their ability to blunt sophisticated ransomware campaigns that leverage exploit kits like Angler and crypto worms like WannaCry. Unsurprisingly, threat actors are evolving their tactics and shifting focus away from these better-defended areas.
Business Email Compromise (BEC) has become a highly lucrative threat vector for attackers. According to the FBI Internet Crime Complaint Center, $5.3 billion was stolen due to BEC fraud between October 2013 and December 2016 with a growth rate of over 1,300 percent. In comparison, ransomware exploits took in just $1 billion in 2016.
Let’s look at some of the techniques used, so you can better understand the nature of these attacks and quickly identify them should you or your organization become a target!
- Phishing – This is the fraudulent practice of sending emails purporting to be from reputable sources in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing is generally a mass attack, sent to a very large pool of recipients.
- Spear-phishing – This is essentially the same thing as phishing, except instead of a massive distribution, the attack is refined to target specific individuals or groups of individuals. Frequently the messaging will be tailored to the target to increase the likelihood of success.
- Social Engineering – This refers to the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
- Email Spoofing – These are messages with forged sender addresses.
- Malware – This can refer to any program or file that is harmful to your systems.
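Because the sender address is written by whoever composes the message, just as on the postcard described earlier, a first triage check for spoofing is to compare the displayed “From” domain with the other sender fields in the same message. The following is an added example, not code from the original article; the sample message, its addresses, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message using reserved example domains.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Pat Lee, CFO" <pat.lee@example.com>
Reply-To: pat.lee@example.org
To: accounts@example.com
Subject: Urgent wire transfer

Please process today.
"""


def domain(value):
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_mismatches(raw):
    """List sender fields whose domain differs from the visible From domain.

    A mismatch is a triage signal, not proof of forgery: legitimate bulk
    mailers often use a different bounce (Return-Path) domain.
    """
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    if not from_dom:
        return ["From header missing or unparseable"]
    findings = []
    for header in ("Return-Path", "Reply-To"):
        other = domain(msg[header])  # msg[...] is None when the header is absent
        if other and other != from_dom:
            findings.append(
                f"{header} domain {other} differs from From domain {from_dom}"
            )
    return findings


if __name__ == "__main__":
    for finding in sender_mismatches(SAMPLE):
        print(finding)
```

A Reply-To that points to a different domain than the From address deserves particular attention in payment requests, since replies go to whoever controls that address.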
You don’t need to be a highly technical hacker if you can deceive someone into transferring money or giving you a password! In my next article, I will discuss some of the most common approaches for combating email-borne threats.