Thirty-six years later, email remains the ultimate killer app. It’s also your organization’s biggest security risk. Here’s why.
Want to know how email became the number one attack vector for cybercriminals?
Look no further than a recent phishing test at a major financial services firm in which more than one executive clicked through to a fraudulent link, which is pretty bad—especially when the email read, “This is a phishing test. Clicking the link below will cause harm to your computer.”
Don’t laugh. In a 2017 employee survey, 46% of respondents suggest they might very well do the same, believing that, “opening any email on my work computer is safe.” Which means that while CISOs have been busy constructing every manner of perimeter defense you can think of to protect their businesses from cybercriminals, a gaping security hole has remained firmly in place.
Indeed, even as secure email gateways and other solutions have been erected to safeguard this critically important communications channel, a new generation of email attacks now blow past these systems undetected.
No wonder 76% of organizations suffered email attacks last year, and 42% report being compromised. In fact, more than 93% of successful cyberattacks now start with email. And when you factor in the 4.6 billion active email accounts in operation around the world today, the attack surface becomes enormous. But it wasn’t supposed to be this way.
The Devil is in the Emails
Think about it. Commercial email has changed little since it was first introduced in the 1980s, or for that matter, since it was first conceived at MIT in the 1960s.
We still use the “@” addressing system ARPANET had developed in 1971. And email remains an open standards-based, store-and-forward tool for communicating and collaborating between just about kind of computer across both public and private networks. Its sheer simplicity and profound utility have led to its universal adoption as our most important communications and collaboration tool, bar none.
Yet while these attributes make email a simple way to share a spreadsheet with the CFO or plan a night out with friends, it also makes it the ideal conduit for deploying ransomware to unsuspecting businesses, or hoodwinking employees into transferring money or sensitive information to criminals. In fact, despite the rise of secure messaging services such as Slack and HipChat, 63% of corporate employees turn to email to send sensitive data.
At first, email attacks meant to exploit email’s ubiquity were scattershot, launched from compromised servers, and had content signatures that were distinct from legitimate email. In time, SEG, ATP, TAP and other technologies were deployed to analyze content for suspicious words or phrases, assess the reputation of the infrastructure from which an email is sent, and sniff out viruses, worms and polymorphic malware. And they still work quite well.
Yet the volume and effectiveness of attacks continues to grow more devastating by the day, circumventing safeguards with frightening ease. So what gives?
The Rise of Identity Deception
The fact is, email has a fatal security flaw: the ability for anyone to send an email claiming to be someone else. And the tactics with which that’s done are rapidly growing more sophisticated and ingenious.
Unlike the poorly-crafted, mass attacks of yesteryear, today’s email cons leverage security gaps in underlying email protocols and the user interface constraints of email clients to imbue messages with an incredible level of verisimilitude.
Lookalike domains, domain spoofing, display-name tricks and messages sent from hijacked sender accounts make attacks virtually indistinguishable from authentic messages from trusted sources.
Meanwhile, messages sent from G-Suite, Office 365 and other web services fly past filters due to the reputation and pervasiveness of these platforms. And the messages themselves are now flawlessly researched and exquisitely targeted to specific individuals.
They even leverage seasonality or time of day. Simple, late-afternoon queries ostensibly from an important executive asking “are you still at your desk?” or “can you pay help me pay this bill,” for instance, use social engineering ploys to put targets on the defensive, making them more eager to please and less careful in their actions.
After a typical attack is launched, its first target will bite in 82 seconds and be compromised in under 4 minutes. Like the executives in that recent phishing test so clearly demonstrated, human beings have become the last, weakest link in your cyber-defenses.
From Here to Security
In response to this growing threat, many organizations allocate a portion of their budgets to workforce security awareness training to help employees spot malicious email attacks. But no amount of training can keep up with ever-morphing attack tools and techniques.
Many have also started implementing Domain-based Messaging Authentication, Reporting and Conformance (DMARC), an email validation system. However, DMARC is only effective against domain spoofing, which is but one of the four forms of identity deception in email.
The fact is, identity deception attacks require a different approach, one that’s based on a protection model that focuses less on email content and infrastructure reputation, and more on assessing people, relationships and behaviors to detect and disrupt attacks before they ever reach their prey.
Piece of cake, right? But how many organizations today have advanced machine learning technologies in place with the modeling and analytics capabilities and globally crowdsourced threat intelligence needed to do this?
How many even recognize that identity has become the new perimeter for defending against cybercrime?
In parts 3 and 4 of this series, we’ll take a closer look at what a lack of visibility into attack modalities and an inability to search and destroy active threats in real time can mean to businesses and their customers.
Because with email attacks expected to contribute to half a trillion dollars in losses from cyberattacks just in the US this year, we’d all better seek out effective solutions before “killer app” takes on a whole new meaning.
To learn more about how advanced email attacks have moved from deceiving systems to deceiving human beings and how to stop it, download our exclusive, Agari Identity Intelligence White Paper, here.