The Frailty Of Email

Uploaded on 2022-02-25 in TECHNOLOGY--Resilience, FREE TO VIEW

Email is by far the most common way businesses communicate. The days of the letter are gone, and even secure documents are notified to the user by email. It is the open door to business; we allow strangers to communicate with us and we send some of our most precious details over this mysterious link.

Whilst we want it to be open and easy for all to use, it can be the carrier of many malicious payloads. These payloads often induce users to click on a link or, convince them the message is genuine from, perhaps a CEO, getting them to transfer money to the creator of the email.

Even our most sophisticated detection systems can be fooled by a crafted email from a skilled bad actor. So, the question becomes, is now the time to stop using it and go to closed communication platforms?  No, there is still hope!

The press is awash with ransomware stories. These attacks almost always are delivered by email, and it is a very real threat for all sizes of business. Ransomware typically happens through users inadvertently clicking on a link within an email, this then triggers the programme and the next thing the user sees is that they can’t access their data without paying. 

According to the ransomware incident response firm Coveware, an average of some £101,670 was paid by ransomware victims, promised a decryption key, in Q2 of 2021. Furthermore, in Q1of 2021,81% of ransomware attacks involved the threat to leak exfiltrated data into the public domain. In 2020, almost 65% of victims that were faced with a data leak threat opted to pay the ransom, despite the reality that in doing so, there was almost a zero-value guarantee.

These attacks are very visual, you know you have been hacked and you are given terms to recover your data. But a more insidious attack is now appearing, where the data or the network is compromised but the attack is cunningly hidden, so the exploit can go unchecked, with the outcomes possibly very damaging for the victim’s company.

Think about the integrity of your bank account. If your bank balance is £1000 and somebody tampers with the integrity of that data, i.e. data is changed and suddenly it goes to zero, that would have a very significant impact. Companies face equally disastrous consequences. For example, should a business have a secret formula or a secret recipe that the product depends on, and somebody alters it, although they haven't stolen it, the data has been changed and the correct formula or recipe is no longer being produced. The effect could be disastrous; a gradual loss of market share, a prosecution due to the incorrect marking of a product or, even death should a recipe be changed, or an engine valve diameter made a fraction smaller, causing the engine to fail and with an ensuing accident.

The way these attacks get into the network varies. Mostly they start with an email that takes the user to a site which appears safe but, under the cover is another file which is downloaded to the machine and harvests the components it needs from the Internet, silently within other programs. Once it has all the parts to start the attack, it triggers.

Such attacks on data fall under commercial espionage and the actors range from competitors, disgruntled employees and even nation states. The attacker, once in the network, remains hidden and takes various approaches dependent on what the attack is to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender has been submitted, or a change to pricing. Such information can be very valuable when governments are placing large contracts. It is not the intension of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.

Equally, we have seen a rise in data modification which has resulted in very expensive product recalls and the loss of market confidence, which ultimately could lead to a business failing. We also predict that we will see these attacks change to a blackmail scenario, where the victim is advised of the infiltration and possible data modification and, without ongoing payment, the victim will not be released. A little like a protection racket or extortion money. Such extortion tactics appear in the same vein as the adage that, a stolen laptop is worth more to the original owner than it is to sell to a third party in the local pub.

How these attacks occur are generally down to poor monitoring of network access and the missing of unusual events within the infrastructure.  

Things such as odd programmes starting or, data being accessed at unusual times. Frequently, incidents are alerted but due to the busy nature of many IT departments, they go unchallenged and eventually get lost in the logs, never to be seen again.

Dependent on the form of attack, companies can protect themselves by being more proactive in stopping the unknown rather than relying on known attack vectors, which Antivirus (AV) and DLP solutions focus on. Attacks such as fileless ones are impossible for AV to detect and once triggered, look like a normal application, but can exploit and hide themselves away.

New advanced threat solutions are designed to understand what is normal on a network and, act on the unusual. Operating on endpoints and servers, these solutions can automatically take a machine off the network if unusual behaviour is seen thus thwarting the spread of any attack or, can divert the attack to a controlled area such as a honeypot, allowing the company to monitor what the exploit intends to do.

Such solutions take away the delay associated with SIEM solutions as the required action is taken immediately rather than waiting for someone in the IT team to investigate, as by then, it is often too late.

Another action is to be able to follow the revision of any form of data and apply a control called file integrity. With file integrity monitoring, you create a hash of the file itself, especially when you do not want any changes to happen, you can then compare that hash. If it is the same, you know that that file, or photo, has not been changed.  Furthermore, you can apply classification, such as ‘Secret’, and should these types of files move, change, or leave the organisation, an alert is sent to the data owners. Hence, if these files are being manipulated in any way, the company is made aware, and action can be taken.

The benefit of these forms of monitoring is that the company becomes aware that something ‘odd’ is going on and it is on core or critical assets. No longer is the organisation hoping that an intruder will trigger a network alert by being clumsy in their navigating around the network.

The final defence layer is the user. It is the user who reads the email and clicks the link. With better education in spotting rogue emails, and thinking before they click, many users can stop an attack before it even starts. 

However, education needs to be continuous as people forget and so deploying an email training application is a good investment. These applications send regular spoof emails into the organisation and track who fails to spot the bad nature of the content. The user receives a short onscreen tutorial showing them what they should have spotted, and, over time, their progress is monitored and if needed, further training can be given. The benefit to the organisation of these applications is that it can track the overall progress of the business in identifying bad emails and as a result, will see a gradual drop in users clicking on the bad emails.

This improves the security posture of the organisation and will save a great deal of money in clearing up after a ransomware attack.

Companies face a continual threat against their reputation, revenues, and future market share. Equally, there are many companies who want to grow and will take every opportunity to gain the upper hand on their competition. With data often being the key to a company’s success, whether that be due to the data holding key designs, recipe, or manufacturing codes, it is easy to see why it will be targeted and exploited, not just as a one off, but over years. 

Email is a common carrier of bad content but is also a key component in doing business.  It is impossible to lock it down to the extent that ultimately, everything would get stuck in junk filters. A balanced approach is needed, using technology to investigate the intent of the content of the email and, at the back stop on the device that the user was using when the rogue link was clicked.

Both ends should stop the payload launching, but the final backstop is the user, so educate, educate, educate.

Colin Tankard is  Managing Director of Digital Pathways

You Might Also Read:

The Cyber Skills Shortage & Training Gap - What Is The Solution?:

 

 

« British Schools At Risk Of Cyber Attacks
Russia's Top Spy Agency Runs Fake News At Home »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

Verisec International

Verisec International

Verisec International AB is a Swedish Tech company focused since inception in enabling Trust in Digital Transactions, through the development of proprietary cutting-edge technologies and services.

Duane Morris LLP

Duane Morris LLP

Duane Morris is a global law firm with offices in the USA, UK and Asia. Practice areas include Cybersecurity.

SafenSoft (SnS)

SafenSoft (SnS)

SafenSoft delivers high-efficiency, low-impact proactive protection against malware, insider threats, and confidential data leakage.

UM Labs

UM Labs

UM Labs is a developer of security products for Voice over IP (VoIP), protecting SIP trunk connections, safeguarding mobile phone communications and enabling BYOD.

Bluink

Bluink

Bluink specializes in identity and access management and customer identity verification, using your smartphone as a strong authenticator and secure identity store.

Korn Ferry

Korn Ferry

Korn Ferry is a global organizational consulting firm, synchronizing strategy and talent to drive superior performance for our clients in key areas including cybersecurity.

Internet Infrastructure Investigation

Internet Infrastructure Investigation

Internet Infrastructure Investigation offers a bespoke Internet Governance Solution to your brands online infringement problems.

DMARC360

DMARC360

DMARC360 analyzes your email traffic patterns and sources, rapidly deploys email authentication protocols and monitors your email domains with automated recommendations and incident response.

Noblis

Noblis

Noblis is a dynamic science, technology, and strategy organization dedicated to creating forward-thinking technical and advisory solutions in the public interest.

ZARIOT

ZARIOT

ZARIOT's mission is to restore order to what is becoming connected chaos in IoT by bringing unrivalled security, control and quality of service.

NetCentrics

NetCentrics

NetCentrics leverages an innovative, agile, ‘what’s-next’ approach to our customers’ IT and cyber challenges.

Unit 42

Unit 42

Unit 42 brings together world-renowned threat researchers, incident responders and security consultants to create an intelligence-driven, response-ready organization.

Sekoia.io

Sekoia.io

Sekoia.io is a European cybersecurity company whose mission is to develop the best protection capabilities against cyber-attacks.

EPAM Systems

EPAM Systems

Since 1993, EPAM Systems has leveraged its advanced software engineering heritage to become a leading global digital transformation services provider.

Novem CS

Novem CS

Novem CS are bespoke cyber security specialists providing a highly effective and specialised approach to solving your cyber security challenges.