
5 reasons you need better email security

Written by Emily Pipkin

Email security is tough. It always has been. Bad actors are constantly finding innovative ways to evade detection, successfully breach defences and monetise their attack. Cyber security is an arms race and every cyber security professional knows that no single security control can ever be 100% effective. This is because no one can foresee what the next innovative evasion tactics will be, so we invest in multiple layers of controls.

One of the most important security layers is protection against email threats. Below are five reasons why you need better email security or, put another way, why your current email security might be failing.

1) Email security is not a commodity

More than 90% of attacks start with an email. This is a well-known, often quoted statistic. What is less well known is that spend on email security accounts for a little over 5% of total global security software spend. This 5% includes secure email gateway products and services and is clearly completely out of proportion to the threat. 

There is an incorrect belief that email security is a commodity and many organizations rely on the free email security that comes bundled with their email platform. This is despite an abundance of evidence from independent test labs that shows that the detection efficacy afforded by these services is often lacking. 

2) Malicious domains and websites rapidly appear and disappear

Around 200,000 new domains are registered every day and about 70% of these are malicious or suspicious. Phishing sites can come online for just hours. Over 60 days, Akamai observed in excess of 2 billion unique domains associated with malicious activity, and 89% of them had a lifespan of less than 24 hours. It is impossible for any cyber security company to track every new malicious domain and website, so if your email security product just looks up any URLs in emails against a list of known malicious ones, the likelihood of that list being up to date is extremely remote.

Weaponising URLs in an email a few minutes after sending it is a tactic that has been around for many years, so even performing a full analysis of the URL’s target web page on receipt will likely be ineffective. Your email security must re-write URLs before delivery and check them each and every time the recipient clicks them. The URL should be followed to its final destination and the content analysed, and the security must understand and overcome the many tactics that will be used to evade detection.
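The rewrite-then-check-at-click flow described above, as an added sketch that is not code from this article or from any vendor. The gateway host, the signing key and the `verdict_now` callback (standing in for following the URL to its final destination and analysing the content) are assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://clickcheck.example/v1"   # hypothetical rewrite host
KEY = b"constructed-demo-key"               # hypothetical signing key
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _sign(url):
    """MAC over the original URL so the gateway only honours links it issued."""
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_body(body):
    """Before delivery: replace each link with a gateway link that carries it."""
    def wrap(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")          # keep sentence punctuation outside the link
        return f"{GATEWAY}?u={quote(url, safe='')}&s={_sign(url)}{raw[len(url):]}"
    return URL_RE.sub(wrap, body)

def handle_click(link, verdict_now):
    """At every click: verify the MAC, then fetch a fresh verdict for the target."""
    query = parse_qs(urlparse(link).query)
    url, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not url or not hmac.compare_digest(sig.encode(), _sign(url).encode()):
        return ("reject", "")                # forged or altered link: never redirect
    if verdict_now(url) == "malicious":
        return ("block", url)
    return ("redirect", url)

if __name__ == "__main__":
    # Constructed message and a constructed verdict source that flips after delivery.
    mail = "Your invoice is ready: http://pay.test/inv?id=7."
    delivered = rewrite_body(mail)
    link = delivered.split()[-1].rstrip(".")
    state = {"http://pay.test/inv?id=7": "clean"}
    print(handle_click(link, state.get))     # clean at delivery time
    state["http://pay.test/inv?id=7"] = "malicious"
    print(handle_click(link, state.get))     # weaponised later, caught at click
```

Signing the embedded URL keeps the gateway from acting as an open redirect for links it never issued.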

3) Phishing kits are driving the increase in phishing attacks

The availability of phishing kits and phishing as a service has democratised phishing, making it easy for any non-technical cyber criminal to launch a phishing attack. A kit contains everything someone needs to launch a phishing campaign and can be purchased for as little as $99, with additional costs for mailer services. With phishing as a service, a bad actor simply gives email addresses to the service provider and enters into a revenue sharing model with them. Evasion tactics play a part in phishing kits too – the more expensive the kit, the more tactics it will include to help the phish evade detection by the target’s email security.

4) Attackers are successfully compromising email accounts

The goal of many email attacks is to steal credentials. A Tech Validate survey* reported that, in the previous 12 months, over half of respondents had suffered from threats caused by attackers compromising their users' email accounts.

The ubiquity of cloud services has resulted in the traditional network perimeter disappearing. To access your applications and information, an attacker no longer has to first gain access to your network. In much the same way that the success of Windows made it a target for malware, the success of Office 365 has resulted in it becoming a major target for those wishing to steal business login credentials. Many phishing kits are designed to steal Office 365 credentials. In a 262-day period, Microsoft was the top targeted brand with 62 kit variants found across 3,897 domains. Once inside a user’s Office 365 account, an attacker can set up rules to divert and monitor emails, understand your business, your customers and your business partners. The Tech Validate survey found that 30% of organisations suffered an attack where malicious activity was spread from one infected user to another via email. Clearly, if your email security is just monitoring inbound emails at the email perimeter, you have no visibility of this.

*Original Research on Mimecast | https://www.techvalidate.com/product-research/mimecast

5) Evasion tactics make detection difficult

The first polymorphic viruses, created around 1990, were designed to change slightly to evade detection by signature-based AV engines. Today, malware attempts to evade detection by even the most advanced sandboxes, by understanding that it might be executing in a sandbox and exhibiting very different behaviours than it would if executed on a laptop. Phishing emails use many tactics to evade detection too. Attackers impersonate domains, senders and websites, and use social engineering tactics to trick the recipient into disclosing their credentials or other sensitive information.

Mimecast research found that 26% of total malicious emails were impersonation attacks and 67% of organisations saw the volume of such attacks increase over the previous year. The target server or phishing web page could also use one or many evasion techniques to prevent security controls correctly classifying the site, web page or content as malicious, including:

  • Blocking of IP address ranges known to belong to security companies, to prevent their crawlers and researchers analysing a phishing site
  • Use of cloud hosting to enable presentation of valid SSL certificates. E.g. an Office 365 phishing page hosted on Azure presents a Microsoft certificate.
  • HTML character encoding and web page encryption to prevent machine analysis discovering words associated with phishing pages.
  • Small changes to graphics such as logos of well-known brands to prevent machine detection based on fingerprint techniques. E.g. a pixel change in the PayPal logo produces a different result when hashed, but the logo appears identical to the human eye.
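
Why the pixel change in the last bullet defeats an exact-match fingerprint but not a tolerant one, as an added example that is not from the original article. The ring image is a constructed stand-in for a logo, and average hash is one simple perceptual hash chosen for illustration, not a statement of what any product uses.

```python
import hashlib

def sha256_of(pixels):
    """Exact-match fingerprint: SHA-256 over the raw grayscale bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

def average_hash(pixels, size=8):
    """Perceptual fingerprint: one bit per block, set if the block is brighter than average."""
    bh, bw = len(pixels) // size, len(pixels[0]) // size
    sums = [sum(pixels[y][x]
                for y in range(by * bh, (by + 1) * bh)
                for x in range(bx * bw, (bx + 1) * bw))
            for by in range(size) for bx in range(size)]
    total = sum(sums)
    bits = 0
    for s in sums:
        # Integer form of "block mean > image mean" (all blocks have equal area).
        bits = (bits << 1) | (s * len(sums) > total)
    return bits

def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")

def make_logo(n=32):
    """Constructed stand-in for a brand logo: a bright ring on a dark background."""
    c = (n - 1) / 2
    return [[230 if 8 <= ((x - c) ** 2 + (y - c) ** 2) ** 0.5 <= 13 else 20
             for x in range(n)] for y in range(n)]

def tweak_pixel(pixels, x, y, delta=1):
    """Copy of the image with one pixel nudged, as in the evasion described above."""
    out = [row[:] for row in pixels]
    out[y][x] = max(0, min(255, out[y][x] + delta))
    return out

def same_brand(a, b, max_distance=5):
    """Fuzzy match; the 5-bit threshold is an illustrative assumption, not a tuned value."""
    return hamming(average_hash(a), average_hash(b)) <= max_distance

if __name__ == "__main__":
    logo = make_logo()
    copy = tweak_pixel(logo, 0, 0)
    print("sha256 equal:", sha256_of(logo) == sha256_of(copy))
    print("aHash distance:", hamming(average_hash(logo), average_hash(copy)))
```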

Recommendation

To ensure you get the best possible email security, you must first acknowledge that it is not a commodity. Next, identify any gaps in your current protection – ensure your security product or service provider has the best possible detection efficacy and rapid time to protection from new threats. They should use multiple layers of defence and be capable of understanding the tactics bad actors use to evade detection. Finally, recognise that even the best email security might miss a new, sophisticated threat, and ensure your provider has the capability to provide visibility and detection of email threats inside your network and organisation.

Why choose SysGroup?

SysGroup take your security seriously, and have made our name from it. We combine an exceptional reputation for IT security with first class tech know-how and account management. We pride ourselves on being transparent, open and innovative with the solutions we propose, adding real value to your business by developing solutions and implementing services that work best for you. 

SysGroup is a certified partner of Mimecast, a recognised leader in email security. Mimecast reduces the risk, complexity and cost traditionally associated with protecting email. We understand that email is the gateway to other critical IT systems and that it must be protected, so we recommend Mimecast email solutions to our clients, regardless of their size. Mimecast Email Security uses Targeted Threat Protection and sophisticated detection engines to protect your email from modern threats like malware, spam, phishing and targeted attacks.
