Phishing emails: The ticking time bomb in your inbox
With 3.7 billion users worldwide, who collectively send 269 billion messages every day, email remains the backbone of business communications. Even as other methods of collaboration find their way into the office, from instant messaging and social networking to chat-based applications like Slack, email is the primary way that many of us interact with our colleagues, clients, customers and partners.
It is no surprise that email has also become cybercriminals’ primary vector for trying to extract sensitive information and financial gains. Yahoo, Google, Facebook, the Democratic National Committee and even White House officials were compromised in 2017 through email-based attacks. We can expect even more in 2018. The core problem is that humans are simply vulnerable when it comes to being fooled by email scams – even those at the largest, most high-profile organizations.
As cybercriminals continue to find success, the nature and sophistication of targeted email attacks will increase. Addressing the risk that email threats pose must be a first-order consideration for technology and security teams, especially as email infrastructure itself shifts to the cloud and yesterday's products and approaches fail to keep pace with today’s attackers.
The Fundamental Flaw of Traditional Email Gateways
For nearly 20 years, the state-of-the-art in email security has been a network-based device called an email gateway, or sometimes a secure email gateway (SEG). These devices are run “in front of” a company’s email systems, routing mail through their analysis systems prior to passing email on to the intended recipient.
Dating back to the 1990s, SEGs were originally designed to stop spam and unwanted email, using so-called “signature-based” analysis, where messages are compared to known bad domains, senders and lists of attacks.
The primary danger in relying on SEGs is that their penetration rate is close to 100 percent. While SEGs offer relatively effective protection against spam and payload-based malware, they also by definition take a perimeter-based approach to blocking threats, where that protection is designed to stop the flow of unwanted mail from entering the corporate infrastructure at a single point in time.
This is a fundamental weakness, as it gives security teams no visibility, control or management over threats that successfully bypass the SEG and make their way into a recipient’s inbox. Attackers recognize this, and it is problematic for two reasons:
- Phishing scams, often employing payload-free attacks that rely on social engineering tactics to trick employees into sharing sensitive information, are hard to catch at the perimeter; the legitimate use of a personal email service and the fraudulent impersonation of an executive look fundamentally alike to a perimeter-based tool. By merely blocking or quarantining these messages, SEGs reduce an information security team’s response capabilities rather than enhancing them, often at the expense of user experience and resulting in frustration and business-impacting delays.
- Phishing scams are not always fully enabled (or “weaponized”) at the moment of delivery. Especially if an email contains a link to a compromised website, an attack can be armed and made dangerous minutes, hours and even days after it is delivered. There is no shelf-life for phishing attacks – phishing emails still pose a threat if the recipient is successfully deceived into thinking the email is legitimate, no matter how recently it was received. These types of non-weaponized attacks often bypass security gateways, however, given their point-in-time nature.
Perimeter security tools are artifacts of a different time when infrastructure ran in a server room and email servers were something an organization’s IT team directly managed. With the growing popularity of cloud email platforms like Office 365 and Google G Suite among modern organizations, security teams need to make sure they are updating their security posture to handle advanced attacks, not simply yesterday’s threats.
A Better Solution: Automated Security Tools
To stand a fighting chance against increasingly sophisticated attacks, organizations need to adopt technologies that implement automated threat detection and remediation. Automation allows for continuous, 24/7/365 monitoring of and response within the mailboxes themselves, rather than the single point-in-time check performed by SEGs.
Automated security tools introduce new capabilities to analyze non-signature-based data, such as the relationship strength between a sender and recipient, or real-time reputation data as assessed across a global-scale information set, rather than a single domain or customer. In addition, next-generation security tools can extend their analytics past the perimeter, mitigating threats even if they come online post-delivery.
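The checks described here (display-name impersonation of an executive from a personal email service, sender-recipient relationship strength, and a post-delivery re-check of links once reputation data catches up) can be sketched in code. The following is an added illustration, not GreatHorn's product logic or any code from the article; the executive directory, free-mail list, message history and sample messages are all constructed for the example.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data (not from the article): an assumed executive directory,
# a free-mail domain list, and a count of prior messages per sender/recipient pair.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
HISTORY = Counter({("alice@partner.example", "bob@example-corp.com"): 42})

IMPERSONATION_MSG = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: bob@example-corp.com
Subject: urgent wire

Bob, please handle the wire today. Details: http://login.example-bad.test/reset
"""
BENIGN_MSG = """From: Alice <alice@partner.example>
To: bob@example-corp.com
Subject: Q3 report

Hi Bob, the report is attached.
"""
URL_RE = re.compile(r"https?://[^\s<>\"]+")

def relationship_strength(sender, recipient, history=HISTORY):
    """Prior message count for the pair; zero means a first-contact sender."""
    return history[(sender.lower(), recipient.lower())]

def analyze(raw, executives=EXECUTIVES, history=HISTORY):
    """Non-signature checks at delivery time: impersonation and relationship."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    known = executives.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings.append("display name matches an executive but address differs")
    if domain in FREEMAIL_DOMAINS:
        findings.append("sent from a personal email service")
    if relationship_strength(addr, rcpt, history) == 0:
        findings.append("no prior sender-recipient relationship")
    return findings

def recheck_links(raw, bad_hosts):
    """Post-delivery pass: re-evaluate links against reputation data updated later."""
    body = message_from_string(raw).get_payload()
    return [u for u in URL_RE.findall(body) if urlparse(u).hostname in bad_hosts]
```

Running `recheck_links` periodically over already-delivered mail is what lets a message that was clean at delivery be pulled from the inbox once its link host is later flagged.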
To put the scope of the problem in perspective, the average Fortune 500 organization receives 3,680 emails that contain threat characteristics each week. The average time to respond to a known attack – assuming that an information security analyst can be dedicated to research and mitigation – is five minutes. This means that each week, security teams are spending 305 hours reviewing potential phishing threats. For organizations with hundreds of millions of emails coming in on a monthly basis, keeping up with anomalous messages and potential threats has become impossible to do manually.
So what’s the bottom line? Traditional email security systems lack the ability to protect organizations against the advanced types of phishing attacks we see today – leaving already overworked enterprise IT and information security teams spending hundreds of hours each week manually detecting, analyzing and responding to potential phishing emails post-delivery. It is time for security leaders to look beyond perimeter-based tools that were meant to defend on-premise infrastructure, not the highly connected cloud platforms of today. As with many components of an organization’s security program, email security is only as strong as its weakest link.
About the Author: Kevin O'Brien is the co-founder and CEO of GreatHorn, the leader in next-generation email security that protects enterprises from advanced threats. With a background in the cybersecurity industry that began in the late 1990s with the seminal security firm @stake (now Symantec), Kevin has held multiple senior executive roles in Boston-area startups, and has an extensive background in information security and data privacy.