Email is something we all use in business. Attackers know this and understand that email is an excellent way to reach users to spread malware and ransomware. Cyberattacks are now getting more creative, and companies need to adapt their email defense to stay abreast of this continuous threat. Some basic ways can be explored to defend against this and ensure that users don’t fall prey to this ever-evolving threat. Although multiple strategies exist, an organization’s strategies to implement will depend on the level of risk the organization is willing to accept.
A lighter (weaker) approach to email defense
Let’s suppose that an email arrives in a user’s inbox and contains a malicious link. The user unsuspectedly clicks on the link. Subsequently, the user’s endpoint is infected. Most organizations would defend/react to such an issue in the following three ways:
- The organization has ensured that anti-malware has been installed on the endpoint, hoping to stop the infection.
- The organization has trained and educated the users regarding email vulnerabilities and defense tactics in the hope that the users will be cautious and realize that the link is malicious and therefore would not click on the link.
- The organization has invested in antispam email scanning technology as a further layer of defense.
Although each of these processes has benefits, inevitably, all three of these approaches are relatively weak forms of email defense. The first defense option, which relies on the installation of anti-malware on the endpoint, assumes that the user is using the protected endpoint and that the anti-malware will detect the threat. However, these threats are always evolving, and there are underhanded ways of circumventing anti-malware, such as using browser-based email and links that have not been registered. It is common for organizations that use anti-malware as their sole form of email defense to continue to be compromised through malicious links being clicked on by users.
This brings us to the second point — training and educating users to be skeptical, aware, and not click on the links. Although education is vital and the step should be taken, ultimately, people are curious, and there is a likelihood that some users will click on the links, either out of curiosity or careless error. Unfortunately, it only takes one user to click on a malicious link to compromise an organization mistakenly. It is seen time and time again. So, it’s evident that the curious nature of users and the craftiness of the attackers will always result in users clicking something somewhere that they shouldn’t.
Third, the ubiquitous antispam technology that scans the links in emails. Many believe this to be a foolproof approach. However, the links continue to get through the defense. This is usually a result of the hackers being accustomed to Microsoft 365 or an equivalent and so they know how to circumvent this type of defense with ease.
So, with these three strategies being relied upon by many, what else can be done to solidify email defense further.
A more robust approach to email defense
The layering of defense strategies is often spoken of. Thereby, if some fail, there are always some to fall back on. Similarly, layering several strategies to defend against continuous email cyberattacks is beneficial. The following email defense layers could be included:
- Build a system that continuously checks the links; this can be done by employing technologies that click the link to find any potential vulnerabilities. If the link is found to comprise a vulnerability, the technology will redirect the link to an internal site and highlight it as malicious.
- Ensure the endpoint is isolated from all other systems so that if a malicious link is clicked, the payload will not infect the endpoint. This can be achieved through air gapping the endpoints. Moreover, if the endpoint does not have security, it should not have permissions for viewing the email. Therefore, it’s a posture assessment that pre-allows access to the email. By limiting the machines that can access the email/links, the organization ensures that only isolated and hardened machines can.
- Encourage users to use only protected systems and put incentives in place to encourage these restricted interfaces. This is a heavily reliant discipline. By using devices for what they were intended for, will not only make the organization more secure but will help to develop secure practices. If the devices are resilient to any link that can be clicked, the vulnerability of continuous email cyberattacks starts to become less of a problem.
- Ensure that all domains that can’t be validated in the links and all domains that are not common or are not regularly used are blocked by default. Not only will this approach limit the whole attack surface area, but it will ensure that any links from a random domain will not work by default. All executable scripts and applications must be blocked, and particular attention afforded to the browser. This is generally not well managed in many organizations.
- Adopt robust DNS scanning so that when a link appears that redirects to a DNS area known for malware or something new that is not yet vetted, it will be blocked.
- Create application whitelists that only allow vetted applications and scripts to run. If any sign of scripts or executable codes is created or run within the memory on devices or browsers, this action should be blocked.
- Employing end-to-end encryption for trusted and sensitive communication is also key; this means that users wanting to communicate with each other securely have to authenticate and create an email in a secure envelope to which they sign and actively authenticate. This is more secure than just sending a public email over public networks. Security platforms can authenticate users using identity verifications systems to know where the email is coming from. By ensuring all emails are encrypted and signed, they can’t be tampered with. These types of secure email platforms are a lot more trustworthy than standard enterprise email.
Rising to this endless challenge
Continuously defending the email landscape is challenging, and traditional systems need improvement as it’s clear that the majority of ransomware is infiltrating through email, and it’s effective. As email can reach all users and is here for the long haul, using secure email is a good option. Although training and education have a part to play, it is seldom effective on its own, so enforcing additional layers, technical controls, is vital to defend against this continuous threat that all businesses face daily.
Featured image: Shutterstock