The Frailty Of Email

Uploaded on 2022-02-25 in TECHNOLOGY--Resilience, FREE TO VIEW

Email is by far the most common way businesses communicate. The days of the letter are gone, and even secure documents are notified to the user by email. It is the open door to business; we allow strangers to communicate with us and we send some of our most precious details over this mysterious link.

Whilst we want it to be open and easy for all to use, it can be the carrier of many malicious payloads. These payloads often induce users to click on a link or, convince them the message is genuine from, perhaps a CEO, getting them to transfer money to the creator of the email.

Even our most sophisticated detection systems can be fooled by a crafted email from a skilled bad actor. So, the question becomes, is now the time to stop using it and go to closed communication platforms?  No, there is still hope!

The press is awash with ransomware stories. These attacks almost always are delivered by email, and it is a very real threat for all sizes of business. Ransomware typically happens through users inadvertently clicking on a link within an email, this then triggers the programme and the next thing the user sees is that they can’t access their data without paying. 

According to the ransomware incident response firm Coveware, an average of some £101,670 was paid by ransomware victims, promised a decryption key, in Q2 of 2021. Furthermore, in Q1of 2021,81% of ransomware attacks involved the threat to leak exfiltrated data into the public domain. In 2020, almost 65% of victims that were faced with a data leak threat opted to pay the ransom, despite the reality that in doing so, there was almost a zero-value guarantee.

These attacks are very visual, you know you have been hacked and you are given terms to recover your data. But a more insidious attack is now appearing, where the data or the network is compromised but the attack is cunningly hidden, so the exploit can go unchecked, with the outcomes possibly very damaging for the victim’s company.

Think about the integrity of your bank account. If your bank balance is £1000 and somebody tampers with the integrity of that data, i.e. data is changed and suddenly it goes to zero, that would have a very significant impact. Companies face equally disastrous consequences. For example, should a business have a secret formula or a secret recipe that the product depends on, and somebody alters it, although they haven't stolen it, the data has been changed and the correct formula or recipe is no longer being produced. The effect could be disastrous; a gradual loss of market share, a prosecution due to the incorrect marking of a product or, even death should a recipe be changed, or an engine valve diameter made a fraction smaller, causing the engine to fail and with an ensuing accident.

The way these attacks get into the network varies. Mostly they start with an email that takes the user to a site which appears safe but, under the cover is another file which is downloaded to the machine and harvests the components it needs from the Internet, silently within other programs. Once it has all the parts to start the attack, it triggers.

Such attacks on data fall under commercial espionage and the actors range from competitors, disgruntled employees and even nation states. The attacker, once in the network, remains hidden and takes various approaches dependent on what the attack is to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender has been submitted, or a change to pricing. Such information can be very valuable when governments are placing large contracts. It is not the intension of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.

Equally, we have seen a rise in data modification which has resulted in very expensive product recalls and the loss of market confidence, which ultimately could lead to a business failing. We also predict that we will see these attacks change to a blackmail scenario, where the victim is advised of the infiltration and possible data modification and, without ongoing payment, the victim will not be released. A little like a protection racket or extortion money. Such extortion tactics appear in the same vein as the adage that, a stolen laptop is worth more to the original owner than it is to sell to a third party in the local pub.

How these attacks occur are generally down to poor monitoring of network access and the missing of unusual events within the infrastructure.  

Things such as odd programmes starting or, data being accessed at unusual times. Frequently, incidents are alerted but due to the busy nature of many IT departments, they go unchallenged and eventually get lost in the logs, never to be seen again.

Dependent on the form of attack, companies can protect themselves by being more proactive in stopping the unknown rather than relying on known attack vectors, which Antivirus (AV) and DLP solutions focus on. Attacks such as fileless ones are impossible for AV to detect and once triggered, look like a normal application, but can exploit and hide themselves away.

New advanced threat solutions are designed to understand what is normal on a network and, act on the unusual. Operating on endpoints and servers, these solutions can automatically take a machine off the network if unusual behaviour is seen thus thwarting the spread of any attack or, can divert the attack to a controlled area such as a honeypot, allowing the company to monitor what the exploit intends to do.

Such solutions take away the delay associated with SIEM solutions as the required action is taken immediately rather than waiting for someone in the IT team to investigate, as by then, it is often too late.

Another action is to be able to follow the revision of any form of data and apply a control called file integrity. With file integrity monitoring, you create a hash of the file itself, especially when you do not want any changes to happen, you can then compare that hash. If it is the same, you know that that file, or photo, has not been changed.  Furthermore, you can apply classification, such as ‘Secret’, and should these types of files move, change, or leave the organisation, an alert is sent to the data owners. Hence, if these files are being manipulated in any way, the company is made aware, and action can be taken.

The benefit of these forms of monitoring is that the company becomes aware that something ‘odd’ is going on and it is on core or critical assets. No longer is the organisation hoping that an intruder will trigger a network alert by being clumsy in their navigating around the network.

The final defence layer is the user. It is the user who reads the email and clicks the link. With better education in spotting rogue emails, and thinking before they click, many users can stop an attack before it even starts. 

However, education needs to be continuous as people forget and so deploying an email training application is a good investment. These applications send regular spoof emails into the organisation and track who fails to spot the bad nature of the content. The user receives a short onscreen tutorial showing them what they should have spotted, and, over time, their progress is monitored and if needed, further training can be given. The benefit to the organisation of these applications is that it can track the overall progress of the business in identifying bad emails and as a result, will see a gradual drop in users clicking on the bad emails.

This improves the security posture of the organisation and will save a great deal of money in clearing up after a ransomware attack.

Companies face a continual threat against their reputation, revenues, and future market share. Equally, there are many companies who want to grow and will take every opportunity to gain the upper hand on their competition. With data often being the key to a company’s success, whether that be due to the data holding key designs, recipe, or manufacturing codes, it is easy to see why it will be targeted and exploited, not just as a one off, but over years. 

Email is a common carrier of bad content but is also a key component in doing business.  It is impossible to lock it down to the extent that ultimately, everything would get stuck in junk filters. A balanced approach is needed, using technology to investigate the intent of the content of the email and, at the back stop on the device that the user was using when the rogue link was clicked.

Both ends should stop the payload launching, but the final backstop is the user, so educate, educate, educate.

Colin Tankard is  Managing Director of Digital Pathways

You Might Also Read:

The Cyber Skills Shortage & Training Gap - What Is The Solution?:

 

 

« British Schools At Risk Of Cyber Attacks
Russia's Top Spy Agency Runs Fake News At Home »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ANS Group

ANS Group

ANS are a strong team of straight-talking tech and business experts. Our mission is to make digital transformation accessible to all.

Sogeti

Sogeti

Sogeti deliver solutions that enable digital transformation and offer cutting-edge expertise in Cloud, Cybersecurity, Digital Manufacturing, Quality Assurance, Testing, and emerging technologies.

CyberSec.sk

CyberSec.sk

CyberSec.sk is the Slovak portal bringing the latest cyber security news, politics, tips and instructions on how to protect the internet.

Pentagon Group

Pentagon Group

Pentagon Group is a provider of security services in high-risk environments, remote areas and emerging markets in support of land-based, aviation, maritime and cyber operations.

Micro Strategies Inc.

Micro Strategies Inc.

Micro Strategies provides IT solutions that help businesses tackle digital transformation in style.

Optra Security

Optra Security

Optra Security specializes in information security with a focus on Application Security.

GMV

GMV

GMV is a technological business group offering solutions, services and products in diverse sectors including Intelligent Transportation Systems, Cybersecurity, Telecoms and IT.

Worldline

Worldline

Worldline IIoT solutions allow industrial companies to start their digital transformation journey with industrial level cyber security standards (IEC 62443 ready).

Ackcent Cybersecurity

Ackcent Cybersecurity

Ackcent's mission is to help our clients to protect their critical digital assets by providing them with a portfolio of specialised professional services.

LimaCharlie

LimaCharlie

LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility, build what you want, control your data, get the security capabilities you need.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.

Saudi Information Technology Company (SITE)

Saudi Information Technology Company (SITE)

SITE is a forward-thinking enterprise, which aims at revitalizing Saudi Arabia’s digital infrastructure, cybersecurity, software development, and big data and analytics capabilities.

Barclay Simpson

Barclay Simpson

Barclay Simpson is proud to have a long history of delivering cyber security, technology and governance recruitment services.

Codenotary

Codenotary

Codenotary provide a comprehensive suite of verification and enforcement services to guarantee the integrity of your software throughout its entire lifecycle.

Athena7

Athena7

Athena7 is a dedicated assessment practice committed to helping organizations understand how their infrastructure, backups, and security controls will withstand the latest threat actor tactics.

ZENDATA

ZENDATA

ZENDATA are an innovative provider of intelligent, tailored cybersecurity solutions to global companies and public sector institutions.