[BreachExchange] Advanced Phishing Threat Protection Requires Security at the Mailbox Level

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 19 21:18:22 EDT 2018


https://www.infosecurity-magazine.com/opinions/phishing-threat-protection-mailbox/

Even as cyber-criminals seek new ways to bypass enterprise security, they
continue to target what they perceive to be the weakest link – humans.

With more than 269 billion emails sent every single day worldwide, it’s no
surprise that email phishing remains the primary attack vector, as it is
the easiest and most proven method of targeting vulnerable people.

Currently, the cybersecurity market is oversaturated with server-level
email security solutions, such as secure email gateways (SEGs), which
struggle to prevent and detect advanced phishing attacks, such as business
email compromise (BEC) and ransomware, among others.

To better mitigate the risk of today’s advanced phishing threats, for which
server-level safeguards are no match, organizations are beginning to adopt
mailbox-level solutions as an additional backstop for fraudulent emails
that make it through email gateways, and to better identify threats in
real time.

Server-based email security no match for BEC attacks

As phishing attacks become exponentially more sophisticated and targeted,
the majority of SEGs continue to offer only signature-based and behavioral
signature solutions that scan links and attachments, determine domain
reputation and verify the sender-receiver relationship, among other futile
safeguards at the server level.

This can be beneficial, but without a more advanced and dynamic method of
profiling, it is not nearly good enough.

Today, SEGs fail to address new threat models because of insufficient
advanced threat defense capabilities. For example, an impersonated email
message can easily evade legacy gateway detection and arrive in an
employee’s inbox, where it can lie idle for days, weeks or months. With
minimal to no post-delivery detection and response capabilities, a SEG
will not recognize this type of email as malicious because the attack
lacks links and attachments to analyze. Other limitations and
vulnerabilities of SEGs include:

- The misguided reliance on content filtering (URLs/attachments) and
signatures, despite hyper-targeted messages increasingly bypassing
traditional email security controls.
- Sender-recipient reputation-based context prevention mechanisms are too
reliant on static VIP lists and similar algorithms such as fuzzy hash.
- Relatively basic post email delivery capabilities easily defeat
signature-based email security solutions by using polymorphism techniques.
This includes changing email artifacts like the sender’s IP, subject lines
and elements of the email body.
- Not all inbound emails can be sandboxed or sanitized using Content Disarm
and Reconstruction (CDR) technology.

Many organizations, especially enterprises, are beginning to come to
terms with the fact that their employees are now being targeted and are
falling victim to all types of email phishing attacks. As such, mitigating
phishing risk requires stakeholders to shift their approach to security to
one that prioritizes automated advanced phishing threat protection at the
mailbox level.

Improve phishing mitigation by moving email security from server to the mailbox

Because it is inevitable that phishing messages will land in employees’
inboxes, it is essential that every employee have mailbox-level detection.
For one, mailbox-level security offers the ability to leverage machine
learning to analyze an account’s information and communication habits. In
turn, this can add to the body of knowledge on how to better identify
these messages in the first place.

Additional benefits of mailbox-level email security include:

Inbox Behavioral Analysis - Once it has established a framework for what
defines normal communications and messaging between the two parties, the
system can then apply that monitoring to every mailbox inside and outside
the organization, carefully scoring the content of the correspondence and
looking for anomalies.

Dynamic Sender Reputation Scoring - A mailbox-level solution has the
ability to deeply scan and analyze every mailbox individually, offering a
better view of the communication habits between the sender and the
receiver. When used with machine learning technology, it can create a
baseline for what “normal” communications between the two parties should
look like to gauge the credibility of the sender’s reputation based on
multiple data points and prior communications and habits.

Augmenting Machine Intelligence - Providing end-users with in-mail alerts
to flag and act upon advanced phishing attacks such as BEC that cannot be
detected by the human eye due to well-crafted social engineering.
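
The per-mailbox sender baseline described under Dynamic Sender Reputation
Scoring, shown as an added example (not code from the article or from any
product): it scores a link-free, attachment-free impersonation message using
only one mailbox's prior correspondence. The class name, score weights and
sample messages are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr

def _sender(msg):
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.lower()

class MailboxBaseline:
    """Correspondence history for ONE mailbox (hypothetical class)."""
    def __init__(self):
        self.seen = Counter()               # address -> prior message count
        self.name_addrs = defaultdict(set)  # display name -> addresses using it

    def learn(self, raw):
        name, addr = _sender(message_from_string(raw))
        self.seen[addr] += 1
        self.name_addrs[name].add(addr)

    def score(self, raw):
        """Return (risk 0-100, reasons) from headers only; no URL/attachment scan."""
        msg = message_from_string(raw)
        name, addr = _sender(msg)
        risk, reasons = 0, []
        if self.seen[addr] == 0:
            risk += 30  # weights are illustrative assumptions
            reasons.append("first-time sender address")
        known = self.name_addrs.get(name, set())
        if name and known and addr not in known:
            risk += 50
            reasons.append("known display name, unseen address")
        reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
        if reply and reply != addr:
            risk += 20
            reasons.append("Reply-To differs from From")
        return min(risk, 100), reasons

# Constructed sample messages; all addresses use reserved example domains.
HISTORY = ["From: Dana Reyes <dana.reyes@example.com>\nSubject: Q1 invoices\n\nAttached."] * 3
SPOOF = ("From: Dana Reyes <dana.reyes@example.net>\n"
         "Reply-To: dana.reyes@example.org\n"
         "Subject: Urgent wire\n\nPlease process today.")
LEGIT = "From: Dana Reyes <dana.reyes@example.com>\nSubject: Lunch\n\nNoon?"

def demo():
    box = MailboxBaseline()
    for raw in HISTORY:
        box.learn(raw)
    return box.score(SPOOF), box.score(LEGIT)
```

Calling demo() returns the score for the impersonated message followed by
the score for a message from the established address.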

While phishing attempts are certainly growing more frequent and harder to
detect and prevent, organizations can greatly reduce risk by moving
phishing detection and prevention down the stack by putting a backstop in
the mailbox itself.