The secure email gateway (SEG) worked for a number of years, but the SEG is no match for a new generation of rapidly evolving advanced email attacks that use identity deception to trick recipients. With business email compromise scams, spear-phishing attacks, and data breaches, along with other types of crime, cybercriminals are seeing massive success, to the tune of $2.71 billion each year in the United States.
At the same time that cybercriminals are evolving their tactics, businesses are shedding on-premises infrastructure, moving en masse to cloud-based platforms such as Microsoft Office 365 or G Suite. These platforms provide native support for anti-spam, virus and malware blocking, email archiving, content filtering, and even sandboxing, but they fall short when it comes to protecting against advanced email threats that use identity deception techniques to trick recipients.
This move to cloud-based email and the onslaught of zero-day attacks that successfully penetrate the inbox are shifting email security from signature-based inspection of email on receipt to continuous detection and response using machine learning to detect fraudulent emails and to hunt down latent threats that escaped initial detection or have activated post-delivery.
As a result, the Secure Email Cloud Architecture has emerged. This AI, graph-based approach detects advanced email attacks and cuts incident response time by up to 95% in an effort to reduce the risk of business disruption and the rapidly increasing financial losses from data breaches, ransomware, and phishing. By employing a next-generation solution based on detecting identity rather than content, the Secure Email Cloud Architecture reduces the risk of serious financial, reputational, and organizational damage that occurs when rapidly evolving threats hit inboxes.
There is little doubt that email and the threats against it are changing fast. Email security must do the same.
The ubiquity of email, as well as the known limitations in its technology, has made the channel vulnerable to cybercriminals for decades. In the early 2000s, the secure email gateway (SEG) and various anti-malware/anti-virus vendors stopped the majority of these attacks as they focused on signature-based inspection of incoming message content. SEGs assessed the reputation of the sending infrastructure in order to identify and disrupt spam, virus and worm attacks, and scattershot credential phishing attacks. Leading SEGs still rely on detecting the “bad” or malicious content like malware, keywords, or high volumes of attacks from a single IP address.
While this approach stumped cybercriminals for quite some time, they eventually evolved to send new types of threats. Second-generation SEGs and advanced threat protection solutions leveraged malware sandboxes and new forms of dynamic analysis to counter them. Unfortunately, cybercriminals evolved email-based threats faster than most of the email security industry, changing their approach once again to using sophisticated identity deception techniques and attacks with no detectable payload, both of which can easily bypass most legacy defenses.
A New Kind of Attack
Instead of relying on malicious links or software, a new generation of well-funded, increasingly networked cybercriminal operations has evolved the techniques used for email-based attacks from content deception to identity deception.
Exploiting security gaps in the underlying email protocols or the user interface constraints of email clients, attackers are able to send email messages that leverage the identity markers of trusted people and use deception techniques informed by social engineering to manipulate recipients into taking a desired action such as wiring money or divulging sensitive information. These messages hide in plain sight, easily bypassing legacy security systems undetected, and use personal and professional context to defraud businesses and individuals.
Making matters even worse, attackers are increasingly leveraging popular cloud platforms and services, and even compromised user accounts, to launch these attacks. By using Google and Microsoft infrastructure, cybercriminals prevent organizations and current email security solutions from blacklisting the services, given the tremendous volume of legitimate email that they send.
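The two paragraphs above describe why content and reputation checks miss these messages: the payload is clean and the sending infrastructure is legitimate, so only the identity markers give the attack away. The following is an added illustration (not the vendor's code) of identity-based checks run over constructed message headers: it compares the visible display name against the domain a trusted contact is expected to use, flags a Reply-To that redirects replies elsewhere, and shows that the spoof still passes DMARC because it was sent through a legitimate provider. The trusted-contact directory, domains and messages are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed directory: normalized display name -> domain that person mails from
TRUSTED_CONTACTS = {"jane doe": "example.com"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def identity_checks(raw_message):
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []
    # A trusted person's display name on an address outside their domain
    expected = TRUSTED_CONTACTS.get(" ".join(from_name.lower().split()))
    if expected and from_domain != expected:
        findings.append("display-name-impersonation")
    # Replies silently routed to a different domain than the visible sender
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")
    # Authentication still matters, but a message sent through a legitimate
    # provider passes DMARC for the attacker's own domain (see SPOOF_MSG)
    if "dmarc=pass" not in msg.get("Authentication-Results", ""):
        findings.append("dmarc-not-pass")
    return findings

# Constructed sample: impersonation sent via a legitimate mail provider, so
# SPF/DKIM/DMARC pass and the body carries no link or attachment to inspect.
SPOOF_MSG = """\
Authentication-Results: mx.example.com; dmarc=pass header.from=mail-provider.test
From: Jane Doe <jane.doe.ceo@mail-provider.test>
Reply-To: Jane Doe <jdoe@other-provider.test>
To: cfo@example.com
Subject: Urgent wire request

Please process the wire before noon and confirm by reply.
"""

# Constructed sample: a genuine message from the trusted contact.
LEGIT_MSG = """\
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 numbers

Numbers are in the shared folder.
"""
```

Calling identity_checks(SPOOF_MSG) returns the two identity findings while identity_checks(LEGIT_MSG) returns an empty list, even though both messages pass authentication and neither contains a malicious payload.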
The Problem with Awareness Training
Perhaps the most obvious solution to defending against human vulnerability is simply to train end-users how to spot fake emails—showing them which rules to apply to inspect emails in their inbox. This can stop some attacks from being successful, but it is not foolproof. Even with the best security awareness training, a well-crafted targeted email attack using personal context is likely to fool users into opening the email and clicking on malicious links.
Furthermore, security awareness training will result in an uptick in reported phishes, many of which will turn out to be false positives. Clearly, a better solution is needed not only for email security, but for incident response and remediation as well.