The indictment announced this week against four people – including a Canadian who holds dual citizenship – in connection with the 2014 hacking of Yahoo email accounts alleges, according to news reports, that the intrusion started with spear phishing.
If so, it marks another sad example of how both technology and security awareness training failed a major corporation.
To be fair, any CISO has to be aware that no matter how well prepared, no defence can block all intrusions forever – particularly if an employee is careless. Being prepared for the worst is the infosec pro’s job.
But hasn’t technology advanced enough to drastically reduce the risk?
“To me the problem has been solved,” Jeff Stark, at the time CIBC’s director of cyber security mitigation services, told a conference last year. “We’re just not executing properly as security practitioners.”
Threats keep getting through. And small wonder: the Anti-Phishing Working Group recently reported just over 1.2 million phishing attacks last year, a 65 per cent increase over 2015. The report cites PandaLabs discovering an average of 190,000 new malware samples per day in the fourth quarter of 2016 – and that was a low for the year.
In theory, email security gateways should be the place where email-delivered threats stop. These days top-notch solutions include antivirus, antimalware, antiphishing and antispam scanning capabilities, sandboxes for exploding suspicious contents, incorporation of threat intelligence for context analysis and data loss prevention. CISOs have a wide choice of both on-premises and cloud-based solutions.
We spoke to four vendors, most of whom said their solution will stop at least 95 per cent of known malware and bad URLs. That still leaves some small number that might get through, and unknown zero-day exploits aren’t covered by their assurance. They also said that if the full analytic capabilities of their solutions are turned on, users might experience a delay in receiving mail deemed suspicious – usually no more than 10 minutes, which they believe is acceptable.
Manufacturers of these solutions are proud of their capabilities.
Cisco Email Security
Steve Gindi, a member of Cisco Systems Canada’s security practice, said Cisco’s Email Security Appliance (offered as an on-prem or cloud service from a Canadian data centre) recently added the ability to do advanced malware forensics on a file and anti-spoofing examination of incoming mail. It has also added Cisco’s Web security technology to look for suspicious URLs in email.
Cisco and its partners try to size the environment to ensure there is no performance degradation when a solution is bought, he said. “Traditionally what you’ll find is organizations in this space try to adhere to IT standards of fully scanning an email message with traditional filters within three seconds. With the introduction of advance malware (scanning) capabilities we’ve changed the way that works.” If a message has to be sandboxed for malware analysis or file forensics “that typically runs under seven minutes” to discover if it has to be blocked or delivered.
Perhaps five to 10 per cent of messages would need file forensics, he added.
Usually, most organizations won’t object to a five-to-seven minute delay – which he said is standard for all advanced malware processors – for a small percentage of mail. And virtually none refuses to turn on advanced malware scanning, he said. “Organizations have accepted that you need advanced malware on your endpoint and network.”
There is an option for allowing a suspicious file to go through while it is being scanned, he added, with a warning being sent to the end user if the scan is positive. If the organization uses Microsoft’s Office 365, the positive scan also automatically quarantines the file.
Microsoft Email Security
Microsoft’s solutions include Exchange Online Security Protection, a subscription service for any email server, and Advanced Threat Protection, which is included in Office 365.
Alym Rayani, director of Office 365 security, explained that ATP detonates and inspects suspicious mail. The “zero hour auto purge” capability automatically pulls back a message already delivered to a user inbox if analysis confirms there is attached malware.
“Our commitment is to stop all known virus signatures,” he said.
Most scans “are completed within a few minutes,” said Rudra Mitra, partner director of Office 365. There’s a 30-minute default, but the vast majority of messages will be scanned much faster than that. And if the “dynamic” setting is used – which allows messages to be delivered while being scanned – it’s even faster.
But, he said, added security comes at a cost. “I think there’s an expectation that if you are trying to get enhanced protection through examination of content and links you’re making a tradeoff between delay and extra security you get.”
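The delivery policies described above (Cisco’s option to pass a file through while it is scanned and warn afterwards, Microsoft’s “dynamic” setting and zero-hour auto purge, the hold timeout administrators set) all reduce to one decision: what to do with a message whose sandbox verdict is not yet known. The following simulation, added here as an illustration and not taken from any vendor’s product, models a gateway with a fast signature pass, a pending-sandbox queue, a configurable hold timeout and a retraction path for mail that was delivered before a malicious verdict arrived. The signature table, message identifiers and timeouts are constructed for the example.

```python
"""Gateway delivery policy for messages awaiting a sandbox verdict.
Example code: fast_scan() stands in for signature/reputation filters and
sandbox_verdict() stands in for the asynchronous sandbox result."""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"   # no signature match; needs the sandbox


@dataclass
class Message:
    msg_id: str
    attachment_hash: str
    delivered: bool = False
    held: bool = False
    purged: bool = False
    user_alerted: bool = False


# Constructed known-signature table standing in for AV/reputation lookups
KNOWN_SIGNATURES = {
    "sha256:aaaa": Verdict.MALICIOUS,
    "sha256:bbbb": Verdict.CLEAN,
}


def fast_scan(msg: Message) -> Verdict:
    """The sub-second pass: known-good or known-bad, otherwise UNKNOWN."""
    return KNOWN_SIGNATURES.get(msg.attachment_hash, Verdict.UNKNOWN)


class Gateway:
    def __init__(self, dynamic_delivery: bool, hold_timeout_s: int = 600):
        self.dynamic_delivery = dynamic_delivery  # deliver while sandboxing?
        self.hold_timeout_s = hold_timeout_s      # max delay when holding
        self.inbox = {}       # msg_id -> Message visible to the user
        self.pending = {}     # msg_id -> (Message, time submitted to sandbox)
        self.quarantine = {}

    def _deliver(self, msg: Message) -> None:
        msg.delivered = True
        msg.held = False
        self.inbox[msg.msg_id] = msg

    def receive(self, msg: Message, now: int) -> str:
        verdict = fast_scan(msg)
        if verdict is Verdict.MALICIOUS:
            self.quarantine[msg.msg_id] = msg
            return "quarantined"
        if verdict is Verdict.CLEAN:
            self._deliver(msg)
            return "delivered"
        # Unknown content: submit to the sandbox and apply the site policy.
        self.pending[msg.msg_id] = (msg, now)
        if self.dynamic_delivery:
            self._deliver(msg)
            return "delivered-pending-sandbox"
        msg.held = True
        return "held"

    def sandbox_verdict(self, msg_id: str, verdict: Verdict) -> str:
        """Apply a late sandbox result, retracting mail already delivered."""
        msg, _ = self.pending.pop(msg_id)
        if verdict is Verdict.MALICIOUS:
            if msg.delivered:
                self.inbox.pop(msg_id, None)   # auto-purge style retraction
                msg.purged = True
                msg.user_alerted = True
            self.quarantine[msg_id] = msg
            return "purged" if msg.purged else "quarantined"
        self._deliver(msg)
        return "delivered"

    def tick(self, now: int) -> list:
        """Release held mail whose hold exceeded the timeout. The message stays
        in `pending`, so a later malicious verdict can still retract it."""
        released = []
        for msg_id, (msg, t0) in list(self.pending.items()):
            if msg.held and now - t0 >= self.hold_timeout_s:
                self._deliver(msg)
                msg.user_alerted = True   # delivered with a "still scanning" warning
                released.append(msg_id)
        return released
```

Run through the two configurations side by side: with `dynamic_delivery=False` an unknown attachment is held until the sandbox answers or the timeout releases it; with `dynamic_delivery=True` it reaches the inbox immediately and is pulled back if the verdict is malicious. The timeout release is the fail-open choice the delay figures in the article imply, and it is the window a defender has to decide is acceptable.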
ProofPoint Email Security
ProofPoint Inc. offers two main solutions: ProofPoint Protection, a cloud or on-premises mail gateway appliance, which looks for known threats, malware and spoofed messages; and Targeted Attack Protection (TAP), a set of sandboxes for examining suspicious links and unknown advanced threats. (There’s also a product for small and mid-sized business called Essentials).
Ryan Kalember, the company’s senior vice-president of cybersecurity strategy, said that among the latest capabilities is a classifier for spoofed email from alleged executives, and also email fraud defence, which allows an enterprise to authenticate outgoing email. In addition, TAP rewrites all embedded URLs to protect users, and can track and block clicks to malicious web pages without affecting the user experience or other URL-filtering technologies being used.
The Protection gateway causes “almost no delay” in scans, he said, while TAP “generally takes a minute or two.” Most CISOs set the delay for up to 10 minutes to give the sandbox time to do its work, he added.
For groups within organizations that can’t tolerate any scan delay the company also has a product called TRAP, which can allow a longer time out compared to the rest of the enterprise. But it will pull back suspect email found by a scan.
ProofPoint promises 100 per cent of all known malware will be stopped. “But,” Kalember adds, “that’s not terribly valuable because it’s so easy to create new forms of malware.”
Symantec Email Security
Naveen Palavalli, the company’s marketing and strategy director, said that as email passes through either product, all aspects – including headers, attachments and URLs – are inspected. There are protections against phishing and business email compromise. Embedded URLs are followed through every hop to ensure the original server is legitimate, and the link is checked again when a user clicks on it.
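Two of the URL defences described in this article, Proofpoint’s rewriting of embedded URLs so clicks can be tracked and blocked later, and Symantec’s following of a link through every redirect hop with a check at click time, can be shown in one small model. The code below is an added example, not either vendor’s implementation: the gateway host, the HMAC token scheme, the blocklist and the redirect map (which stands in for live HTTP responses) are all assumptions constructed for the illustration.

```python
"""Click-protection URL rewriting with click-time redirect-chain checks.
Example code; the gateway host, token scheme and sample data are assumptions."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://urldefense.example.invalid/v1"   # assumed gateway host
SECRET = b"constructed-demo-key"                    # per-tenant signing key
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAX_HOPS = 5                                        # redirect chain limit


def _token(url: str) -> str:
    """Short HMAC over the original URL so the gateway only resolves links it issued."""
    mac = hmac.new(SECRET, url.encode(), hashlib.sha256).digest()[:12]
    return base64.urlsafe_b64encode(mac).decode()


def rewrite_body(body: str) -> str:
    """Delivery time: replace every http(s) URL with a signed gateway link."""
    def repl(match):
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&t={_token(url)}"
    return URL_RE.sub(repl, body)


def decode_link(link: str):
    """Recover the original URL from a gateway link; None if missing or tampered."""
    if not link.startswith(GATEWAY + "?"):
        return None
    query = parse_qs(urlparse(link).query)
    url = query.get("u", [None])[0]
    token = query.get("t", [None])[0]
    if url is None or token is None:
        return None
    if not hmac.compare_digest(token, _token(url)):
        return None
    return url


def follow_redirects(url: str, redirect_map: dict, max_hops: int = MAX_HOPS):
    """Walk the redirect chain. redirect_map simulates HTTP redirect responses;
    returns (chain, completed) where completed is False if the hop limit hit."""
    chain = [url]
    while url in redirect_map:
        if len(chain) > max_hops:
            return chain, False
        url = redirect_map[url]
        chain.append(url)
    return chain, True


def click(link: str, blocklist: set, redirect_map: dict):
    """Click time: verify the link, resolve every hop, block on any bad host."""
    original = decode_link(link)
    if original is None:
        return ("reject", None)          # not a link this gateway issued
    chain, completed = follow_redirects(original, redirect_map)
    if not completed:
        return ("block", chain)          # loop or excessive redirects
    for hop in chain:
        if urlparse(hop).hostname in blocklist:
            return ("block", chain)
    return ("allow", chain)


# Constructed sample data for a stand-alone run
SAMPLE_REDIRECTS = {
    "http://short.example/x": "http://r.example/go",
    "http://r.example/go": "http://evil.example/login",
    "http://a.example/": "http://b.example/",
    "http://b.example/": "http://a.example/",   # redirect loop
}
SAMPLE_BLOCKLIST = {"evil.example"}

if __name__ == "__main__":
    body = rewrite_body("Invoice: http://short.example/x and http://docs.example/page")
    for link in URL_RE.findall(body):
        print(click(link, SAMPLE_BLOCKLIST, SAMPLE_REDIRECTS))
```

The signed token matters because the gateway is a redirector: without it, anyone could use it to launder arbitrary destinations behind the organisation’s own domain. The hop limit is what keeps a redirect loop or a long chain of shorteners from stalling the click-time check, and checking every hop rather than only the final page is the point of following the chain at all.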
Administrators can set how much delay users will experience. “In most cases, we know so much about email with known malware we can quickly identify 95 per cent of attachments without any impact,” he said. In cases where something has never been seen it is sandboxed and then run through a Symantec physical server, because some malware won’t execute in a virtual server to avoid detection. Administrators can decide if suspect mail can be sent to end users immediately but get a followup alert.
In a worst-case scenario mail will be delayed “a few minutes,” Palavalli said, which happens less than five per cent of the time.
Symantec says its solutions will prevent 100 per cent of known malware, and has a 99.6 per cent effective rate against combined known and unknown malware.
Does Outlook need a ‘phishing alert’ button?
Looking at the facts of reported breaches and incidents shows there’s still a serious problem that isn’t being solved by technology, says Josh Zelonis, senior security and risk analyst at Forrester Research. In particular, he points to the increase in ransomware, which initially is usually spread through malicious links.
“I don’t think there’s a single solution to solve that,” he said. “I happen to think that DNS monitoring [to check for IP address spoofing and traffic analysis] is one of the strongest things you can do. The reason there’s been such a move in the last five years to endpoint protection of advanced threats is because you can’t stop something before it gets to the endpoint. There’s been a realization in the market that somebody’s going to be able to get something through.”
In short, security awareness training is – still – an essential ingredient in any risk reduction strategy. Users, Zelonis said, have their obligations. “This is 2017. If you don’t know how to use email your personal life must be a wreck … Users need to embrace the technology against the world they’re living in.”
It’s not much to ask employees to at least learn how to be suspicious of email, and, where necessary, alert the security team. One vendor even embeds a button in Outlook automating that alert, Zelonis noted.
But, he added, “as part of that the security team should be providing training to help these employees function and be proactive.”