Email is in crisis. Despite massive advancements in perimeter and endpoint defenses, email remains a cybersecurity weak link for many companies.
Why? Email is at the heart of everything we do online. It’s an essential line of communication for one-on-one and group conversations, both business-to-business and business-to-consumer. It’s used for account activation, service registration, password resets, invoicing, purchase verification, opt-in confirmations, loyalty clubs, and identity verification.
Adding to the risk is the fact that a record number of employees are working from home, an environment where workers are more distracted and are using less-secure networks and hardware.
This is why it’s so critical to verify that the emails that land in your inbox are trustworthy and safe. Consider recent inbox attack trends.
Phishing attacks are mutating faster than ever, constantly shifting tactics and lures. One campaign hijacks the World Health Organization’s identity and offers dubious tips and dangerous links to COVID-19 resources. A message from an unknown sender appears as a personal note from one of your friends. Emails from “your CEO” ask for gift card donations to a charity. “Urgent” invoices from trusted “business partners” contain misleading bank information for wire transfers.
Evading Existing Defenses
The problem is that attackers have learned how to get through email security at all three defensive layers currently in use by most organizations: the gateway, the mail client, and the end-user.
Attackers evade the secure email gateway by outsmarting AI/ML engines:
- Creating a gap in human perception and machine perception
- Deploying agile, rapidly evolving campaigns to evade predictive modeling
- Leveraging identity deception to avoid filtering technologies
They evade the mail client by defeating blocklists and spam filters:
- Using infinite permutations of bogus domains and spurious contact identities
- Continuously rotating IP addresses globally
- Launching campaigns with such frequency and scale that deny lists can’t possibly stay up to date
And finally, they bypass the last line of defense – humans – by deceiving end-users:
- Exploiting the human tendency to act and react emotionally, especially to false urgency
- Continuously developing new tactics to stay ahead of training and simulations
- Playing the odds at scale to take advantage of the fact that humans are error-prone
Unfortunately, despite the advances in artificial intelligence and machine learning (AI/ML), defensive strategies have not been able to keep up. Current AI/ML techniques simply aren’t suited to dealing with a rapidly mutating attack profile.
The proof is in the results: Phishing attacks of just one type — the business email compromise (BEC) — have caused at least $26 billion in losses in the past five years alone, according to the FBI.
The Heart of the Problem
Almost 90% of email attacks manipulate sender identity to fool recipients and initiate social engineering attacks. A comparable percentage is malwareless: They do not contain attachments or files that would ordinarily set off malware-scanning alarms. These emails’ lack of identifiably malicious content means they can easily bypass most current email defenses.
Meanwhile, the phishers use automation to iterate their attacks with extreme rapidity. According to Google, 68% of phishing attempts have never been seen before, and the average phishing campaign lasts only 12 minutes.
In fact, there are three types of identity-based attacks, each of which exploits a unique vulnerability in content-centric email defenses:
- Domain-spoofing attacks: Emails that directly impersonate a trusted sender by putting their domain in the “From” field of a message
- Untrusted-domain attacks (aka domain impersonation): Emails that are sent from slightly altered “lookalike” or “cousin” domains
- Open-signup attacks (aka user impersonation or friendly-from): Emails that show a legitimate sender name in the “friendly from” field but are sent from an account created on a free consumer webmail service like Gmail or Yahoo
The Solution: Sender Identity Validation
To protect themselves against this new generation of attack, organizations need to deploy an additional line of defense: validating sender identity. To be effective, sender identity solutions will need to address all three types of identity-based attacks.
Domain-spoofing can be curtailed with an effective DMARC enforcement policy for all domains that your organization owns. It is also important to implement DMARC checking on all inbound mail (usually an easily accessible option for most mail gateways). It’s not a complete solution, as you may still have business partners who you need to exchange email with but whose domains are not yet protected by DMARC with an enforcement policy. However, the good news is that DMARC usage continues to rise in most industries, and awareness of its importance is growing.
Untrusted-domain and open-signup attacks may be more difficult to solve because they challenge organizations’ ability to distinguish trusted senders from untrusted senders. When evaluating a security solution’s identity validation for these types of attacks, organizations should investigate how flexible its policy management tools are, whether they will need to maintain their own allow lists and block lists/deny lists, how comprehensive the coverage is for any vendor-supplied allow lists and deny lists, and what kind of turnaround they can expect for remediation of sending domains not yet on these lists.
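The three identity-attack classes listed above, and the DMARC-plus-allow-list approach just described, can be turned into a small inbound triage check. The following is an added example written for this page, not code from the original article or from any vendor product; the domains, partner list, VIP names and sample headers are constructed for the illustration, and the confusable-character table and edit-distance threshold are assumptions that a real deployment would tune.

```python
import re
from email.utils import parseaddr

# Constructed reference data for the example (hypothetical domains and names).
PROTECTED_DOMAINS = {"example.com"}            # domains this organization owns
PARTNER_DOMAINS = {"partner-bank.example"}     # trusted business partners (allow list)
# People whose display names are frequently impersonated, mapped to their real address.
VIP_ADDRESSES = {"alice chen": "alice.chen@example.com"}
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Assumed substitutions seen in lookalike domains; applied to both sides before
# comparison so that a domain such as "examp1e.com" collapses onto "example.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a value of 1 flags 'cousin' domains such as a dropped hyphen."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(auth_results: str) -> str:
    """Extract the dmarc= verdict from an Authentication-Results header (RFC 8601)."""
    m = re.search(r"\bdmarc=(\w+)", auth_results, re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def classify(headers: dict) -> str:
    """Return one of: trusted, domain-spoofing, untrusted-domain, open-signup, unknown."""
    display_name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    known = PROTECTED_DOMAINS | PARTNER_DOMAINS

    # 1. Exact use of a trusted domain: only a DMARC pass makes it genuine.
    if domain in known:
        verdict = dmarc_result(headers.get("Authentication-Results", ""))
        return "trusted" if verdict == "pass" else "domain-spoofing"

    # 2. Lookalike/cousin domain: confusable-normalized match or edit distance of 1.
    norm = normalize_domain(domain)
    for trusted in known:
        trusted_norm = normalize_domain(trusted)
        if norm == trusted_norm or levenshtein(norm, trusted_norm) <= 1:
            return "untrusted-domain"

    # 3. Friendly-from impersonation: a VIP's display name on a free webmail account.
    if display_name.strip().lower() in VIP_ADDRESSES and domain in FREE_WEBMAIL_DOMAINS:
        return "open-signup"

    return "unknown"


# Constructed sample headers, one per attack class plus a genuine message.
SAMPLE_MESSAGES = [
    {"Subject": "Q3 report", "From": '"Alice Chen" <alice.chen@example.com>',
     "Authentication-Results": "mx.example.com; spf=pass; dmarc=pass header.from=example.com"},
    {"Subject": "Urgent wire", "From": '"Alice Chen" <alice.chen@example.com>',
     "Authentication-Results": "mx.example.com; spf=fail; dmarc=fail header.from=example.com"},
    {"Subject": "Invoice 4471", "From": '"Accounts Payable" <ap@examp1e.com>'},
    {"Subject": "Gift cards?", "From": '"Alice Chen" <alicechen.ceo@gmail.com>'},
    {"Subject": "Weekly digest", "From": '"Newsletter" <news@vendor.example>'},
]


def triage(messages: list) -> list:
    """Attach a verdict to each message so a gateway rule or analyst can act on it."""
    return [(m["Subject"], classify(m)) for m in messages]


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:17} {subject}")
```

Two points matter when wiring this into a real gateway. The Authentication-Results header must be the one your own gateway adds; copies arriving from the outside world should be stripped before this check runs, otherwise an attacker can supply a "dmarc=pass" of their own. And the "unknown" bucket is where the allow-list and deny-list maintenance the article describes happens: the closer the partner and VIP lists track reality, the fewer messages fall through to the end-user with no verdict at all.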
It does not have to be rocket science. But a sophisticated approach to sender identity validation is clearly needed. Otherwise, we will all be standing by watching billions of dollars continue to evaporate, as scammers continue to outwit our best defenses. We can do better.