The Frailty Of Email

Email is by far the most common way businesses communicate. The days of the letter are gone; even documents held on secure portals are announced to the user by email. It is the open door to business: we allow strangers to contact us, and we send some of our most precious details over a link we rarely think about.

Whilst we want it to be open and easy for all to use, it can also carry malicious payloads. These payloads typically induce users to click on a link, or convince them that a message is genuine, perhaps from the CEO, so that they transfer money to whoever sent the email.

Even our most sophisticated detection systems can be fooled by a crafted email from a skilled bad actor. So, the question becomes, is now the time to stop using it and go to closed communication platforms?  No, there is still hope!

The press is awash with ransomware stories. These attacks are usually delivered by email, and they are a very real threat for businesses of all sizes. Ransomware typically starts with a user inadvertently clicking a link in an email or opening an attachment; this launches the malicious program, and the next thing the user sees is that they cannot access their data without paying.

According to the ransomware incident response firm Coveware, the average payment made by ransomware victims in Q2 of 2021, in exchange for a promised decryption key, was around £101,670. Furthermore, in Q1 of 2021, 81% of ransomware attacks involved the threat to leak exfiltrated data into the public domain. In 2020, almost 65% of victims faced with a data leak threat opted to pay the ransom, despite the reality that paying gives almost no guarantee the data will not be leaked anyway.

These attacks are very visible: you know you have been hacked and you are given terms to recover your data. But a more insidious attack is now appearing, in which the data or the network is compromised but the intrusion is carefully hidden, so the exploit continues unchecked, with outcomes that can be very damaging for the victim's company.

Think about the integrity of your bank account. If your balance is £1000 and somebody tampers with the integrity of that data, i.e. the data is changed and the balance suddenly reads zero, that has a very significant impact. Companies face equally disastrous consequences. For example, should a business have a secret formula or recipe that its product depends on, and somebody alters it, the data has not been stolen but it has been changed, and the correct formula or recipe is no longer being produced. The effect could be disastrous: a gradual loss of market share, a prosecution for incorrect labelling of a product, or even death should a recipe be changed, or an engine valve diameter made a fraction smaller, causing the engine to fail and an accident to follow.

The way these attacks get into the network varies. Most start with an email that takes the user to a site which appears safe; behind the scenes another file is downloaded to the machine, which then silently fetches the remaining components it needs from the Internet while hiding inside other programs. Once it has all the parts it needs, the attack triggers.

Such attacks on data fall under commercial espionage, and the actors range from competitors and disgruntled employees to nation states. The attacker, once in the network, remains hidden and takes various approaches depending on what the attack is meant to achieve. We have seen attacks where data has been monitored and fed back to the competition when a tender was submitted or pricing was changed. Such information can be very valuable when governments are placing large contracts. It is not the intention of the attacker to tell the victim that they have their data, but to remain hidden, indefinitely.

Equally, we have seen a rise in data modification that has resulted in very expensive product recalls and loss of market confidence, which could ultimately lead to a business failing. We also predict that these attacks will shift to a blackmail scenario, in which the victim is told of the infiltration and possible data modification and, without ongoing payment, is never released from it: a little like a protection racket or extortion money. Such extortion works on the same principle as the adage that a stolen laptop is worth more to its original owner than to a buyer in the local pub.

How these attacks succeed generally comes down to poor monitoring of network access and missed unusual events within the infrastructure.

Things such as odd programmes starting, or data being accessed at unusual times. Frequently, these incidents do raise alerts, but because IT departments are so busy the alerts go unchallenged and eventually get lost in the logs, never to be seen again.

Depending on the form of attack, companies can protect themselves by being more proactive in stopping the unknown rather than relying on known attack signatures, which is what antivirus (AV) and DLP solutions focus on. Fileless attacks, for example, leave nothing on disk for signature-based AV to scan; once triggered they look like a normal application, yet can exploit the machine and hide themselves away.

New advanced threat solutions are designed to learn what is normal on a network and act on the unusual. Operating on endpoints and servers, they can automatically take a machine off the network when unusual behaviour is seen, thwarting the spread of an attack, or divert the attack to a controlled area such as a honeypot, allowing the company to observe what the exploit intends to do.

Such solutions remove the delay associated with SIEM solutions, because the required action is taken immediately rather than waiting for someone in the IT team to investigate, by which time it is often too late.
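To make the "learn what is normal, act on the unusual" idea concrete, here is an added example (not code from the article or from any product it mentions) of a minimal behavioural baseline over endpoint process-start events. The log lines are constructed for illustration: a few days of ordinary office activity form the baseline, and a later day contains a document spawning a shell and a file opened in the middle of the night. The log format, the user, the host names and the 07:00 to 19:59 working window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in an assumed format: timestamp|host|user|process|parent
BASELINE_LOG = """\
2021-06-01T09:02:11|ws-014|alice|outlook.exe|explorer.exe
2021-06-01T09:05:40|ws-014|alice|winword.exe|outlook.exe
2021-06-01T10:15:03|ws-014|alice|excel.exe|explorer.exe
2021-06-02T08:58:20|ws-014|alice|outlook.exe|explorer.exe
2021-06-02T11:30:45|ws-014|alice|winword.exe|explorer.exe
2021-06-03T09:10:02|ws-014|alice|outlook.exe|explorer.exe
2021-06-03T14:22:19|ws-014|alice|excel.exe|explorer.exe
"""

# Constructed day under review: a Word document launches PowerShell, and a
# spreadsheet is opened at 02:13.
SUSPECT_LOG = """\
2021-06-04T09:01:30|ws-014|alice|outlook.exe|explorer.exe
2021-06-04T09:04:12|ws-014|alice|winword.exe|outlook.exe
2021-06-04T09:04:15|ws-014|alice|powershell.exe|winword.exe
2021-06-04T02:13:50|ws-014|alice|excel.exe|explorer.exe
"""

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 counts as normal working time


def parse(log):
    """Turn the pipe-separated lines into event dicts with a real datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, proc, parent = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "proc": proc, "parent": parent})
    return events


def build_baseline(events):
    """Per user, remember which process/parent pairs and which hours have been seen."""
    baseline = defaultdict(lambda: {"pairs": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["pairs"].add((e["proc"], e["parent"]))
        b["hours"].add(e["ts"].hour)
    return baseline


def detect(events, baseline):
    """Flag anything not in the learned baseline; returns (event, reason) pairs."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])  # .get() does not create a default entry
        if b is None:
            alerts.append((e, "unknown user"))
            continue
        if (e["proc"], e["parent"]) not in b["pairs"]:
            alerts.append((e, "new process/parent pair"))
        if e["ts"].hour not in WORK_HOURS and e["ts"].hour not in b["hours"]:
            alerts.append((e, "activity outside baseline hours"))
    return alerts


def run():
    """Learn from the baseline days, then review the suspect day."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(SUSPECT_LOG), baseline)


if __name__ == "__main__":
    for event, reason in run():
        print(f"{event['ts']} {event['user']} {event['parent']} -> {event['proc']}: {reason}")
```

Outlook and Word appearing together is normal for this user and raises nothing; Word launching PowerShell and the 02:13 spreadsheet access do, which is the difference between an alert that gets lost in the logs and one that can drive an automatic response such as isolating the host.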

Another measure is to track the revision of any form of data by applying a control called file integrity monitoring. With file integrity monitoring you take a cryptographic hash of a file, especially one you do not want to change, and later recompute and compare it: if the hash is the same, you know that the file, or photo, has not been altered. The stored baseline hashes must themselves be kept somewhere an intruder on the machine cannot rewrite, otherwise the check proves nothing. Furthermore, you can apply a classification such as 'Secret', and should files carrying that label move, change or leave the organisation, an alert is sent to the data owners. Hence, if these files are manipulated in any way, the company is made aware and action can be taken.
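The hash-and-compare control described above, as an added example rather than anything from the article or a vendor product: a baseline of SHA-256 hashes with a classification label per file, a comparison that reports modified, removed and added files, and a filter so that only classified files wake the data owner. The recipe file, the 'Secret' label and the one-character tamper are all constructed for the demonstration; in practice the baseline would be written to a location the monitored host cannot alter.

```python
import hashlib
import tempfile
from pathlib import Path

CLASSIFIED = {"Secret"}  # assumption: labels whose files must alert the owner on any change


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files never need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(root, labels):
    """Record hash and classification per file; unlabelled files default to 'Internal'."""
    return {rel: {"sha256": digest, "label": labels.get(rel, "Internal")}
            for rel, digest in hash_tree(root).items()}


def compare(root, baseline):
    """Return (event, path, label) tuples for files modified, removed or added since the baseline."""
    current = hash_tree(root)
    events = []
    for rel, info in baseline.items():
        if rel not in current:
            events.append(("removed", rel, info["label"]))
        elif current[rel] != info["sha256"]:
            events.append(("modified", rel, info["label"]))
    for rel in current:
        if rel not in baseline:
            events.append(("added", rel, "Unclassified"))
    return events


def owner_alerts(events):
    """Only events touching classified files are escalated to the data owner."""
    return [e for e in events if e[2] in CLASSIFIED]


def demo():
    """Constructed scenario: a 'Secret' recipe is altered by one character and a stray file appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "recipe.txt").write_text("sugar 40g\nsalt 2g\n")
        (root / "notes.txt").write_text("meeting at 10\n")
        baseline = build_baseline(root, {"recipe.txt": "Secret"})
        # Tamper with the recipe (the kind of silent change the article warns about)
        # and drop an unrelated new file.
        (root / "recipe.txt").write_text("sugar 40g\nsalt 3g\n")
        (root / "tmp.log").write_text("x\n")
        events = compare(root, baseline)
        return events, owner_alerts(events)


if __name__ == "__main__":
    events, alerts = demo()
    print("all events:", events)
    print("to data owner:", alerts)
```

Changing "2g" to "3g" produces a completely different digest, so the modification is caught regardless of how small it is; the untouched notes file produces no event, and the new log file is recorded but not escalated because it carries no classification.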

The benefit of these forms of monitoring is that the company becomes aware that something ‘odd’ is going on and it is on core or critical assets. No longer is the organisation hoping that an intruder will trigger a network alert by being clumsy in their navigating around the network.

The final defence layer is the user. It is the user who reads the email and clicks the link. With better education in spotting rogue emails, and thinking before they click, many users can stop an attack before it even starts. 

However, education needs to be continuous, as people forget, so deploying an email training application is a good investment. These applications send regular spoof emails into the organisation and track who fails to spot the bad nature of the content. The user receives a short on-screen tutorial showing what they should have spotted; over time their progress is monitored and, if needed, further training is given. The benefit to the organisation is that it can track how well the business as a whole identifies bad emails, and should see a gradual drop in users clicking on them.

This improves the security posture of the organisation and will save a great deal of money in clearing up after a ransomware attack.

Companies face a continual threat to their reputation, revenues and future market share. Equally, there are many companies that want to grow and will take every opportunity to gain the upper hand on their competition. With data often being the key to a company's success, whether because it holds key designs, recipes or manufacturing codes, it is easy to see why it will be targeted and exploited, not just as a one-off, but over years.

Email is a common carrier of bad content but is also a key component of doing business. It is impossible to lock it down to the extent that, ultimately, everything ends up stuck in junk filters. A balanced approach is needed: technology to examine the intent of an email's content, and a backstop on the device the user was on when the rogue link was clicked.

Both ends should stop the payload launching, but the final backstop is the user, so educate, educate, educate.

Colin Tankard is  Managing Director of Digital Pathways
