The average cost of cyber-crime has surpassed $9.5M per corporation world-wide. Since most cyber-attacks begin with email, and since
email is an inherently insecure channel, companies are having to increase their investment to protect this vector. Traditionally,
IS departments have tried to protect against deceptive, targeted attacks by relying on anti-spam engines inherited from secure
email gateways (SEGs). However, as cyber-criminals become more sophisticated and begin to exploit human perception as their preferred attack
vector, these methods no longer hold up. Many modern targeted attacks attempt to deceive the recipient about the sender's
identity, role, and sphere of influence. Companies need a solution that protects the enterprise, as well as its customers, and that takes
digital deception into account.
This approach may use signatures, rules, machine learning or heuristics to score emails into categories such as spam,
phishing, bulk, and imposter. These methods stem historically from repurposed SEG tools. The scorers are updated periodically
based on threats that have already been caught. While sometimes applied to Advanced Persistent Threats (APTs), the
fundamentally crude roots of this approach make it ineffective against targeted, small-scale attacks, and particularly against ones
based on social engineering.
Pros: Fairly low impact on performance. Good for common, known threats. Works well for large-volume,
non-tailored attacks.
Cons: Won't catch most socially-engineered BEC or spear-phishing attacks, even those carrying malicious payloads, because their very
small "exposure footprint" means there is little prior sighting to build a signature from. Marginally effective against zero-days. Less effective outside one's own domain.
This method detonates attachments and links in a contained virtual sandbox to determine whether an email carries malware. It
can catch threats not seen before, but requires considerable overhead to perform. Included in this category is
Pros: Works for malware, malicious URLs, and zero-days.
Cons: Not relevant for targeted BEC attacks based on digital deception. Only works against attacks that carry a payload;
pure social-engineering attacks, which contain nothing to detonate, bypass sandboxing entirely.
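To make the blind spots of both approaches concrete, here is an added example (not code from this page's author or any product it describes) that triages three constructed messages with a stand-in for each technique: a signature check that only knows campaigns it has already seen, a "sandbox applicability" check that asks whether there is an attachment or URL to detonate at all, and a small set of sender-deception rules (look-alike domain, executive display-name on a foreign mailbox, Reply-To steered elsewhere) that score the imposter category. The domain `example.com`, the executive list, the signature list and all three messages are assumptions constructed for the demonstration.

```python
"""Toy email triage illustrating signature scoring, sandbox applicability and
deception rules. Added example; domains, names and messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # assumed: the protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real mailbox
KNOWN_BAD_SUBJECTS = {"your account has been suspended"}  # assumed stand-in for a SEG signature feed
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def signature_hit(msg) -> bool:
    """Repurposed-SEG style check: fires only on threats already catalogued."""
    return str(msg.get("Subject") or "").strip().lower() in KNOWN_BAD_SUBJECTS


def has_detonatable_payload(msg) -> bool:
    """A sandbox needs something to detonate: an attachment or a URL in the body."""
    if any(part.get_filename() for part in msg.walk()):
        return True
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return bool(URL_RE.search(text))


def imposter_signals(msg) -> list:
    """Sender-deception checks; they need no payload, only the headers."""
    signals = []
    display, addr = parseaddr(str(msg.get("From") or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Look-alike domain: close to ours but not ours.
    if domain and domain != OUR_DOMAIN and levenshtein(domain, OUR_DOMAIN) <= 2:
        signals.append(f"lookalike-domain:{domain}")

    # A known executive's display name on a mailbox that is not theirs.
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr.lower() != real:
        signals.append(f"display-name-impersonation:{display}")

    # Reply-To steered to a different domain than the visible From.
    _, reply = parseaddr(str(msg.get("Reply-To") or ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != domain:
        signals.append(f"reply-to-mismatch:{reply}")
    return signals


def triage(raw: str) -> dict:
    """Run all three checks and pick a category the way a scorer would."""
    msg = message_from_string(raw, policy=policy.default)
    sig = signature_hit(msg)
    payload = has_detonatable_payload(msg)
    imposter = imposter_signals(msg)
    category = "phishing" if sig else "imposter" if imposter else "clean"
    return {"category": category, "signature_hit": sig,
            "sandbox_applicable": payload, "imposter_signals": imposter}


# Constructed sample messages (not real mail).
BULK_PHISH = """From: "Support" <support@mail-notify.example.net>
To: bob@example.com
Subject: Your account has been suspended
Content-Type: text/plain

Verify here: http://login.example.net/verify
"""

BEC_NO_PAYLOAD = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.org
To: bob@example.com
Subject: Quick favour
Content-Type: text/plain

Bob, are you at your desk? I need a supplier wire sent before noon.
I am in meetings, so just reply here with the confirmation.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain

Still on for Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("bulk", BULK_PHISH), ("bec", BEC_NO_PAYLOAD), ("legit", LEGIT)):
        print(name, triage(raw))
```

Running it shows the point of the section: the bulk phish is caught by the signature and also has a URL a sandbox could detonate, whereas the BEC message trips no signature, offers the sandbox nothing to detonate, and is flagged only by the three identity-deception rules.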