Years ago, attacks on emails in transit and at rest were commonplace, enabling attackers to successfully steal sensitive communications. In this first of a 3 part series, we look at the new tricks cybercriminals have up their sleeves and how we can defend the enterprise.
Today’s CIOs and CISOs are aware of the potential for corporate data theft via their email platforms. They know that the compromise of even a single employee’s email account can result in millions of dollars of damage to the company. As a result, many security leaders have invested a great deal of time and a dizzying array of resources to address email risks. Unfortunately, in spite of the increased focus on email attacks, these attacks have increased almost 50% during the first quarter of 2018 over the same time last year.
While enterprise leaders intelligently focus on NIST standards that prescribe encryption in transit and encryption at rest, many fail to realize that encryption is a powerful tool with the potential to help them well beyond these narrow applications.
Years ago, attacks on emails in transit were commonplace, enabling attackers to successfully intercept and read sensitive communications. For example, attackers could easily trick someone into using a rogue WiFi hotspot that closely resembled a trusted one and thus gain full access to that person’s emails. However, as TLS and SSL became more widely deployed, attacks focused on intercepting messages became less prevalent.
Similarly, prior to the deployment of encryption at rest there was significant data theft due to lost, stolen or inappropriately decommissioned computers. But, with encryption-at-rest products such as BitLocker, enterprises have dramatically reduced unauthorized data access.
As we fast forward to today, we find that encryption in transit and encryption at rest have become commonplace. Alongside this evolution, attackers have followed the path of improved IT hygiene and moved on to other techniques. In Part 1 of the series, we’ll examine the trend of attackers using phishing, spoofing and Business Email Compromise (BEC) to breach enterprises, and how encryption can help.
Phishing is the most common form of attack, with as many as 95% of enterprise attacks involving spear phishing. Business Email Compromise scams (which involve impersonating various executives and employees) are also on the rise and have cost businesses $3.1 billion over the past few years.
When criminals phish a user, they typically send an email pretending to be someone credible and try to trick the recipient into doing something such as giving up their password or downloading malware. Many phishing attacks leverage ‘spoofing’ techniques, in which attackers masquerade as legitimate users and companies by creating a forged sender address to make the email appear legitimate. Even when trained to avoid external phishing emails, 30% of employees will still open well-crafted malicious email messages.
In BEC, attackers use a compromised individual’s email account to send out emails. The compromised account has typically been the victim of a phishing or spoofing attack. Attackers will typically compromise people like financial officers or CEOs and use their accounts to send emails requesting employees’ personal identifying information, payment for fake invoices or money transfers. According to Gartner Research, BEC will continue as a persistent and evasive form of attack over the next 5 years, leading to large financial fraud losses for enterprises.
Enterprises have attempted to combat “impersonation” attempts by using security standards such as DMARC and DKIM to protect employees. At their core, DMARC and DKIM are open, DNS-based email authentication standards that use public-key encryption to authenticate email messages. Given that unauthorized use of domains lies at the heart of impersonation attacks, DMARC and DKIM attempt to use a validation system to detect and prevent this sort of domain use.
DMARC and DKIM can work well when deployed, but most organizations find them difficult and time-consuming to deploy and use. Proper key management is burdensome. Senders often end up using the same key across their brands, entities and mail streams. As Gartner noted, DMARC efforts are not granular enough to authenticate users and do not address all attack types. Consequently, despite being a powerful solution, we observe that DMARC and DKIM have not been widely deployed across enterprises.
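To make concrete what DMARC does and does not authenticate, the following is an added example (not PreVeil’s code, and not a full implementation of the RFC 7489 algorithm) that evaluates a receiver-side DMARC verdict over constructed data: a small in-memory table stands in for the `_dmarc` DNS TXT lookup, the DKIM and SPF results are supplied as already-computed inputs, and the organizational domain is approximated as the last two labels (real receivers consult the Public Suffix List; `pct`, `sp` and reporting tags are ignored). The two points worth observing are that identifier alignment (`adkim`/`aspf`, strict versus relaxed) is what stops a forged From: domain, and that a message sent from a genuinely compromised account of the legitimate domain passes DMARC cleanly, which is the “not granular enough to authenticate users” limitation above.

```python
"""Receiver-side DMARC policy evaluation over constructed records (stdlib only)."""
from email.utils import parseaddr

# Constructed DNS TXT records standing in for real _dmarc.<domain> lookups.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=quarantine",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Production code
    # must use the Public Suffix List (e.g. 'example.co.uk' breaks this rule).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookup_dmarc(domain):
    """Return the DMARC tags for the From: domain, falling back to the
    organizational domain as RFC 7489 does; None if nothing valid is published."""
    for candidate in (domain, org_domain(domain)):
        record = DNS_TXT.get(f"_dmarc.{candidate}")
        if record:
            tags = parse_tags(record)
            if tags.get("v") == "DMARC1" and "p" in tags:
                return tags
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, dkim_results, spf_result):
    """Return 'pass', 'no-policy', or the published policy action
    ('none', 'quarantine', 'reject') for a message.

    dkim_results: list of (signing domain from the d= tag, signature verified?)
    spf_result:   (MAIL FROM domain, SPF passed?) or None if no SPF check ran
    """
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return "no-policy"  # receiver has nothing to enforce

    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    spf_ok = (spf_result is not None and spf_result[1]
              and aligned(from_domain, spf_result[0], aspf))
    # DMARC passes if at least one aligned authentication mechanism passes.
    if dkim_ok or spf_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # Forged From: header signed by and sent from an unrelated domain.
    print(evaluate_dmarc("CFO <cfo@example.com>", [("attacker.test", True)],
                         ("attacker.test", True)))
    # Legitimate but compromised account: DMARC cannot tell the difference.
    print(evaluate_dmarc("ceo@example.com", [("example.com", True)], None))
```

Running the block as a script prints `reject` for the forged message and `pass` for the message from the compromised account; DMARC answers “was this sent with the domain owner’s authorization?”, not “is the person behind this mailbox who they claim to be?”, which is why a BEC message from a phished executive sails through.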
The challenges of phishing, spoofing and BEC are highlighted by the ability of attackers to constantly improve their methods for reaching a user’s inbox. Additionally, as soon as technologists find a way to detect attackers’ methods, criminals find new ways to disguise their email tricks. Fortunately, there is a way to move past this game of whack-a-mole.
This solution is encapsulated in what PreVeil calls its Trusted Community suite. PreVeil’s Trusted Communities email solution is a reliable method for trusted individuals such as fellow employees, vendors and contractors to communicate through email. This is achieved by providing a secondary “Trusted Mailbox”, which is by default closed off to the outside world and can only be extended to trusted third parties via whitelisting. The result is simple: end users know that, although they still must scrutinize emails that arrive through their ordinary mailbox, any emails arriving in their Trusted Mailbox are (by definition) trusted and legitimate encrypted email messages. They can click on links and reply without worry that the email is a phishing, spoofing or BEC attack.
Interested in learning how you can protect your enterprise messaging from phishing, spoofing and BEC today? Contact PreVeil today to learn more.
In Part 2 of this series we will look at the challenges of using Privileged Access Management as well as preferred alternatives.