Want to know how email became the number one attack vector for cybercriminals?
Look no further than this phishing test at a major financial services firm in which more than one executive clicked through to a fraudulent link. Making matters worse, the email read: “This is a phishing test. Clicking the link below will cause harm to your computer.”
Don’t laugh. In a 2017 employee survey, 46% of respondents suggest they might very well do the same, believing that, “opening any email on my work computer is safe.” Which means that while CISOs have been busy constructing every manner of perimeter defense you can imagine to protect their businesses from cybercriminals, a gaping security hole has remained firmly in place.
Indeed, even as secure email gateways and other solutions have been erected to safeguard this critically important communications channel, a new generation of email attacks now blow past these systems undetected.
No wonder 83% of organizations suffered email attacks last year, with more than 94% of successful data breaches now starting with email. And when you factor in the over four billion active email accounts in operation around the world today, the attack surface becomes enormous. But it wasn’t supposed to be this way.
Think about it. Commercial email has changed little since it was first introduced in the 1980s. For that matter, little has changed since it was first conceived at MIT in the 1960s.
We still use the “@” addressing system ARPANET had developed in 1971. And email remains an open standards-based, store-and-forward tool for communicating and collaborating between just about kind of computer, across both public and private networks. Its sheer simplicity and profound utility have led to its universal adoption as the most important communications and collaboration tool across the globe.
Yet while these attributes make email a simple way to share a spreadsheet with the CFO or plan a night out with friends, it also makes it the ideal conduit for deploying ransomware to unsuspecting businesses, or hoodwinking employees into transferring money or sensitive information to criminals. And despite the rise of secure messaging services such as Slack and Microsoft Teams, employees still turn to email to send sensitive data.
At first, email attacks meant to exploit email’s ubiquity were scattershot, launched from compromised servers, and had content signatures that were distinct from legitimate email. In time, secure email gateways, advanced threat protection, and other technologies were deployed to analyze content for suspicious words or phrases, assess the reputation of the infrastructure from which an email is sent, and sniff out viruses, worms, and polymorphic malware. And they still work quite well.
Yet the volume and effectiveness of attacks continue to grow more devastating by the day, circumventing safeguards with frightening ease. So what is actually happening?
The fact is, email has a fatal security flaw—the ability for anyone to send an email claiming to be someone else. And the tactics with which that’s done are rapidly growing more sophisticated and ingenious.
Unlike the poorly-crafted, mass attacks of the late 2000s, cybercriminals now leverage security gaps in underlying email protocols and the user interface constraints of email clients to imbue messages with an incredible level of verisimilitude. Look-alike domains, domain spoofing, display-name tricks and messages sent from compromised sender accounts make attacks virtually indistinguishable from authentic messages from trusted sources.
Meanwhile, messages sent from G Suite, Office 365 and other web services fly past filters due to the reputation and pervasiveness of these platforms. And the messages themselves are often flawlessly researched and exquisitely targeted to specific individuals.
They even leverage seasonality or time of day. Simple, early-morning queries from an important executive asking “Are you at your desk?” or “Can you pay help me pay this bill?” use social engineering ploys to put targets on the defensive, making them more eager to please and less careful in their actions.
After a typical attack is launched, its first target will bite in 82 seconds and be compromised in under 4 minutes. Like the executives in that phishing test so clearly demonstrated, human beings have become the last, weakest link in your cybersecurity defenses.
In response to this growing threat, many organizations allocate a portion of their budgets to workforce security awareness training to help employees spot malicious email attacks. But even the best training cannot keep up with ever-morphing attack tools and techniques.
Many have also started implementing Domain-based Messaging Authentication, Reporting and Conformance (DMARC), an email validation system. However, DMARC is only effective against domain spoofing, which is but one of the four forms of identity deception in email.
The fact is, identity deception attacks require a different approach, one that is based on a protection model that focuses less on email content and infrastructure reputation, and more on assessing people, relationships, and behaviors to detect and disrupt attacks before they ever reach their target.
Piece of cake, right? Unfortunately, few organizations recognize that identity has become the new perimeter for defending against cybercrime, and even fewer have taken the necessary steps to protect against it.
With email attacks expected to contribute to billions of dollars lost over the next few years, we’d all better seek out effective solutions before “killer app” takes on a whole new meaning.
To learn more about how advanced email attacks have moved from deceiving systems, and how you can stop it, download From SEG to SEC: The Rise of the Secure Email Cloud.