The Frailty Of Email

Email is by far the most common way businesses communicate. The days of the letter are gone, and even secure document exchanges are announced to the user by email. It is the open door to business: we allow strangers to communicate with us, and we send some of our most precious details over this mysterious link.

Whilst we want it to be open and easy for all to use, it can be the carrier of many malicious payloads. These payloads often induce users to click on a link, or convince them that the message genuinely comes from, say, the CEO, so that they transfer money to the creator of the email.

Even our most sophisticated detection systems can be fooled by a crafted email from a skilled bad actor. So the question becomes: is now the time to stop using it and move to closed communication platforms? No, there is still hope!

The press is awash with ransomware stories. These attacks are almost always delivered by email, and they are a very real threat to businesses of all sizes. Ransomware typically happens through a user inadvertently clicking on a link within an email; this triggers the programme, and the next thing the user sees is that they can’t access their data without paying.

According to the ransomware incident response firm Coveware, an average of some £101,670 was paid by ransomware victims, who were promised a decryption key, in Q2 of 2021. Furthermore, in Q1 of 2021, 81% of ransomware attacks involved the threat to leak exfiltrated data into the public domain. In 2020, almost 65% of victims faced with a data leak threat opted to pay the ransom, despite the reality that in doing so there was almost a zero-value guarantee.

These attacks are very visible: you know you have been hacked, and you are given terms to recover your data. But a more insidious attack is now appearing, where the data or the network is compromised but the attack is cunningly hidden, so the exploit can go unchecked, with outcomes that may be very damaging for the victim’s company.

Think about the integrity of your bank account. If your bank balance is £1000 and somebody tampers with the integrity of that data, i.e. the data is changed and suddenly the balance goes to zero, that would have a very significant impact. Companies face equally disastrous consequences. For example, should a business have a secret formula or recipe that its product depends on, and somebody alters it, then although nothing has been stolen, the data has been changed and the correct formula or recipe is no longer being produced. The effect could be disastrous: a gradual loss of market share, a prosecution due to the incorrect marking of a product or, should a recipe be changed or an engine valve diameter be made a fraction smaller, even death, as the engine fails and an accident ensues.

The way these attacks get into the network varies. Mostly they start with an email that takes the user to a site which appears safe but, under the covers, downloads another file to the machine. That file then silently harvests the components it needs from the Internet, hidden within other programs. Once it has all the parts it needs to start the attack, it triggers.

Such attacks on data fall under commercial espionage, and the actors range from competitors and disgruntled employees to nation states. The attacker, once in the network, remains hidden and takes various approaches depending on what the attack is meant to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender has been submitted or pricing has been changed. Such information can be very valuable when governments are placing large contracts. It is not the intention of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.

Equally, we have seen a rise in data modification, which has resulted in very expensive product recalls and the loss of market confidence, and which ultimately could lead to a business failing. We also predict that these attacks will shift to a blackmail scenario, where the victim is advised of the infiltration and possible data modification and, without ongoing payment, will not be released. It is a little like a protection racket or extortion money. Such extortion tactics follow the adage that a stolen laptop is worth more to its original owner than it is when sold to a third party in the local pub.

These attacks generally succeed because of poor monitoring of network access and because unusual events within the infrastructure are missed.

Examples include odd programmes starting, or data being accessed at unusual times. Frequently, incidents do raise alerts but, due to the busy nature of many IT departments, they go unchallenged and eventually get lost in the logs, never to be seen again.

Depending on the form of attack, companies can protect themselves by being more proactive in stopping the unknown rather than relying on known attack vectors, which antivirus (AV) and DLP solutions focus on. Fileless attacks, for instance, are impossible for AV to detect: once triggered they look like a normal application, yet they can exploit the machine and hide themselves away.

New advanced threat solutions are designed to understand what is normal on a network and act on the unusual. Operating on endpoints and servers, these solutions can automatically take a machine off the network if unusual behaviour is seen, thus thwarting the spread of any attack, or can divert the attack to a controlled area such as a honeypot, allowing the company to monitor what the exploit intends to do.

Such solutions remove the delay associated with SIEM solutions, as the required action is taken immediately rather than waiting for someone in the IT team to investigate, by which time it is often too late.

Another action is to be able to follow the revision history of any form of data and apply a control called file integrity monitoring. With file integrity monitoring, you create a hash of the file itself, particularly when you do not want any changes to happen, and you can later compare that hash against a fresh one. If the two are the same, you know that the file, or photo, has not been changed. Furthermore, you can apply a classification such as ‘Secret’, and should these types of files move, change, or leave the organisation, an alert is sent to the data owners. Hence, if these files are being manipulated in any way, the company is made aware and action can be taken.
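The hash-and-compare control described above, as an added example that is not part of the original article: a minimal file integrity monitor that baselines protected files with SHA-256, re-checks them, and flags modified, missing or new files, raising an alert to the data owner when the file carries a ‘Secret’ classification. The file names, contents and classification map are constructed for the demonstration.

```python
"""Minimal file integrity monitor (added example, not from the article)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each protected file (that currently exists) to its SHA-256 digest."""
    return {str(p): sha256_file(p) for p in paths if os.path.isfile(p)}


def compare(baseline, paths, classification):
    """Re-hash the protected files and return (path, status, alert) findings.

    status is 'modified', 'missing' or 'new'; alert is True when the file is
    classified 'Secret', i.e. the data owner must be notified."""
    current = build_baseline(paths)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            status = "missing"
        elif path not in baseline:
            status = "new"
        elif baseline[path] != current[path]:
            status = "modified"
        else:
            continue  # digest unchanged: file is intact
        findings.append((path, status, classification.get(path) == "Secret"))
    return findings


def demo():
    """Constructed scenario: a secret recipe is silently altered after baselining."""
    with tempfile.TemporaryDirectory() as d:
        recipe, logo = Path(d, "recipe.txt"), Path(d, "logo.png")
        recipe.write_text("sugar: 10g\n")
        logo.write_bytes(b"\x89PNG constructed sample bytes")
        paths = [recipe, logo]
        classification = {str(recipe): "Secret"}  # constructed data tags
        baseline = build_baseline(paths)
        recipe.write_text("sugar: 12g\n")  # tampering: same file, new content
        return compare(baseline, paths, classification)
```

Running `demo()` reports the recipe as modified with the alert flag set, while the unchanged logo produces no finding.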

The benefit of these forms of monitoring is that the company becomes aware that something ‘odd’ is going on, and that it is happening on core or critical assets. No longer is the organisation hoping that an intruder will trigger a network alert by being clumsy while navigating around the network.

The final defence layer is the user. It is the user who reads the email and clicks the link. With better education in spotting rogue emails, and thinking before they click, many users can stop an attack before it even starts. 

However, education needs to be continuous, as people forget, so deploying an email training application is a good investment. These applications send regular spoof emails into the organisation and track who fails to spot the bad nature of the content. The user receives a short on-screen tutorial showing them what they should have spotted; over time their progress is monitored and, if needed, further training can be given. The benefit to the organisation is that it can track the overall progress of the business in identifying bad emails and, as a result, will see a gradual drop in users clicking on them.

This improves the security posture of the organisation and will save a great deal of money in clearing up after a ransomware attack.

Companies face a continual threat to their reputation, revenues, and future market share. Equally, there are many companies that want to grow and will take every opportunity to gain the upper hand on their competition. With data often being the key to a company’s success, whether that data holds key designs, recipes, or manufacturing codes, it is easy to see why it will be targeted and exploited, not just as a one-off, but over years.

Email is a common carrier of bad content but is also a key component of doing business. It is impossible to lock it down to the extent that, ultimately, everything would get stuck in junk filters. A balanced approach is needed: using technology to investigate the intent of the email’s content and, as the backstop, on the device the user was using when the rogue link was clicked.

Both ends should stop the payload launching, but the final backstop is the user, so educate, educate, educate.

Colin Tankard is Managing Director of Digital Pathways
