The Frailty Of Email

Uploaded on 2022-02-25 in TECHNOLOGY--Resilience, FREE TO VIEW

Email is by far the most common way businesses communicate. The days of the letter are gone, and even secure documents are notified to the user by email. It is the open door to business; we allow strangers to communicate with us and we send some of our most precious details over this mysterious link.

Whilst we want it to be open and easy for all to use, it can be the carrier of many malicious payloads. These payloads often induce users to click on a link or, convince them the message is genuine from, perhaps a CEO, getting them to transfer money to the creator of the email.

Even our most sophisticated detection systems can be fooled by a crafted email from a skilled bad actor. So, the question becomes, is now the time to stop using it and go to closed communication platforms?  No, there is still hope!

The press is awash with ransomware stories. These attacks almost always are delivered by email, and it is a very real threat for all sizes of business. Ransomware typically happens through users inadvertently clicking on a link within an email, this then triggers the programme and the next thing the user sees is that they can’t access their data without paying. 

According to the ransomware incident response firm Coveware, an average of some £101,670 was paid by ransomware victims, promised a decryption key, in Q2 of 2021. Furthermore, in Q1of 2021,81% of ransomware attacks involved the threat to leak exfiltrated data into the public domain. In 2020, almost 65% of victims that were faced with a data leak threat opted to pay the ransom, despite the reality that in doing so, there was almost a zero-value guarantee.

These attacks are very visual, you know you have been hacked and you are given terms to recover your data. But a more insidious attack is now appearing, where the data or the network is compromised but the attack is cunningly hidden, so the exploit can go unchecked, with the outcomes possibly very damaging for the victim’s company.

Think about the integrity of your bank account. If your bank balance is £1000 and somebody tampers with the integrity of that data, i.e. data is changed and suddenly it goes to zero, that would have a very significant impact. Companies face equally disastrous consequences. For example, should a business have a secret formula or a secret recipe that the product depends on, and somebody alters it, although they haven't stolen it, the data has been changed and the correct formula or recipe is no longer being produced. The effect could be disastrous; a gradual loss of market share, a prosecution due to the incorrect marking of a product or, even death should a recipe be changed, or an engine valve diameter made a fraction smaller, causing the engine to fail and with an ensuing accident.

The way these attacks get into the network varies. Mostly they start with an email that takes the user to a site which appears safe but, under the cover is another file which is downloaded to the machine and harvests the components it needs from the Internet, silently within other programs. Once it has all the parts to start the attack, it triggers.

Such attacks on data fall under commercial espionage and the actors range from competitors, disgruntled employees and even nation states. The attacker, once in the network, remains hidden and takes various approaches dependent on what the attack is to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender has been submitted, or a change to pricing. Such information can be very valuable when governments are placing large contracts. It is not the intension of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.

Equally, we have seen a rise in data modification which has resulted in very expensive product recalls and the loss of market confidence, which ultimately could lead to a business failing. We also predict that we will see these attacks change to a blackmail scenario, where the victim is advised of the infiltration and possible data modification and, without ongoing payment, the victim will not be released. A little like a protection racket or extortion money. Such extortion tactics appear in the same vein as the adage that, a stolen laptop is worth more to the original owner than it is to sell to a third party in the local pub.

How these attacks occur are generally down to poor monitoring of network access and the missing of unusual events within the infrastructure.  

Things such as odd programmes starting or, data being accessed at unusual times. Frequently, incidents are alerted but due to the busy nature of many IT departments, they go unchallenged and eventually get lost in the logs, never to be seen again.

Dependent on the form of attack, companies can protect themselves by being more proactive in stopping the unknown rather than relying on known attack vectors, which Antivirus (AV) and DLP solutions focus on. Attacks such as fileless ones are impossible for AV to detect and once triggered, look like a normal application, but can exploit and hide themselves away.

New advanced threat solutions are designed to understand what is normal on a network and, act on the unusual. Operating on endpoints and servers, these solutions can automatically take a machine off the network if unusual behaviour is seen thus thwarting the spread of any attack or, can divert the attack to a controlled area such as a honeypot, allowing the company to monitor what the exploit intends to do.

Such solutions take away the delay associated with SIEM solutions as the required action is taken immediately rather than waiting for someone in the IT team to investigate, as by then, it is often too late.

Another action is to be able to follow the revision of any form of data and apply a control called file integrity. With file integrity monitoring, you create a hash of the file itself, especially when you do not want any changes to happen, you can then compare that hash. If it is the same, you know that that file, or photo, has not been changed.  Furthermore, you can apply classification, such as ‘Secret’, and should these types of files move, change, or leave the organisation, an alert is sent to the data owners. Hence, if these files are being manipulated in any way, the company is made aware, and action can be taken.

The benefit of these forms of monitoring is that the company becomes aware that something ‘odd’ is going on and it is on core or critical assets. No longer is the organisation hoping that an intruder will trigger a network alert by being clumsy in their navigating around the network.

The final defence layer is the user. It is the user who reads the email and clicks the link. With better education in spotting rogue emails, and thinking before they click, many users can stop an attack before it even starts. 

However, education needs to be continuous as people forget and so deploying an email training application is a good investment. These applications send regular spoof emails into the organisation and track who fails to spot the bad nature of the content. The user receives a short onscreen tutorial showing them what they should have spotted, and, over time, their progress is monitored and if needed, further training can be given. The benefit to the organisation of these applications is that it can track the overall progress of the business in identifying bad emails and as a result, will see a gradual drop in users clicking on the bad emails.

This improves the security posture of the organisation and will save a great deal of money in clearing up after a ransomware attack.

Companies face a continual threat against their reputation, revenues, and future market share. Equally, there are many companies who want to grow and will take every opportunity to gain the upper hand on their competition. With data often being the key to a company’s success, whether that be due to the data holding key designs, recipe, or manufacturing codes, it is easy to see why it will be targeted and exploited, not just as a one off, but over years. 

Email is a common carrier of bad content but is also a key component in doing business.  It is impossible to lock it down to the extent that ultimately, everything would get stuck in junk filters. A balanced approach is needed, using technology to investigate the intent of the content of the email and, at the back stop on the device that the user was using when the rogue link was clicked.

Both ends should stop the payload launching, but the final backstop is the user, so educate, educate, educate.

Colin Tankard is  Managing Director of Digital Pathways

You Might Also Read:

The Cyber Skills Shortage & Training Gap - What Is The Solution?:

 

 

« British Schools At Risk Of Cyber Attacks
Russia's Top Spy Agency Runs Fake News At Home »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CERT.hr

CERT.hr

CERT.hr is the national authority competent for prevention and protection from computer threats to public information systems in the Republic of Croatia.

Lynx Software Technologies

Lynx Software Technologies

Lynx provide secure software and operating systems for use in mission critical applications such as aerospace, medical, transportation and IoT.

Titanium Industrial Security

Titanium Industrial Security

Titanium Industrial Security specializes in advising and accompanying companies on cybersecurity in Connected Industry (Industry 4.0 / Smart Factory / IIoT).

PrivateVPN

PrivateVPN

PrivateVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

AU10TIX

AU10TIX

AU10TIX’s smart forensic-level ID authentication technology links physical and digital identities, meets compliance mandates, and ensures your customers know their trust and safety come first.

QuillAudits

QuillAudits

QuillAudits offers advanced Ethereum, EOS, TRON smart contract audit, blockchain protocol security and formal verification to ensure your platform’s integrity.

Secure-IC

Secure-IC

Secure-IC provide end-to-end, best-of-breed security expertise, solutions, and hardware & software technologies, for embedded systems and connected objects.

Iowa Cyber Hub

Iowa Cyber Hub

Iowa Cyber Hub is a cybersecurity education partnership between Iowa State University and Des Moines Area Community College.

BrandShelter

BrandShelter

BrandShelter specializes in providing online brand protection for companies and trademark owners.

Northcross Group (NCG)

Northcross Group (NCG)

NCG provides services to help organizations meet the challenges of regulatory compliance. Our services include support, consultation, tools and accelerators for all parts of an organization.

FYEO

FYEO

FYEO is a threat monitoring and identity access management platform for consumers, enterprises and SMBs.

Mode Solutions

Mode Solutions

Mode guarantee IT performance where you need it most, creating seamless and secure solutions that will alleviate pressure from your business.

Open Source Security Foundation (OpenSSF)

Open Source Security Foundation (OpenSSF)

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

DESCERT

DESCERT

DESCERT offers you an extended IT, cyber security, risk advisory & compliance audit team which provides strategic guidance, engineering and audit services.

ImagineX Consulting

ImagineX Consulting

ImagineX Consulting is a cybersecurity-focused boutique technology consultancy whose mission is to help our clients #BeBetter by reducing their corporate risk.

Threater

Threater

Threater (formerly ThreatBlockr / Bandura Cyber) is a cybersecurity platform that provides active network defense by automating the discovery, enforcement, and analysis of cyber threats at scale.