Subscribe

Why are e-mail threats still a problem?


Johannesburg, 19 May 2022

We at Nclose have seen several fairly large ransomware attacks locally in the last 18 months. In most cases, it’s assumed to be a drive-by URL-based attack or business e-mail compromise used in the initial stages of the attack. The biggest challenge we see is the e-mail compromise might not be that significant, but it’s the post-compromise ramifications that are significant. 

This raises the question of why e-mail remains one of the most effective routes for cyber criminals to target enterprises and end-users and still accounts for the majority of cyber attacks, despite billions having been spent on e-mail security.

To deep dive into the issue, Nclose and Tessian hosted a webinar recently, where we invited experts to weigh in. Essentially, the opinion was that e-mail threats remain a problem because although e-mail security tools have closed the gaps for simple e-mail attacks, attackers have responded by becoming increasingly cunning and sophisticated.

George Vasey, partnership manager (EMEA) at Tessian, said: “Organisations have invested billions of dollars in tackling e-mail threats, yet e-mail is still the entry point for 91% of cyber attacks. Threat actors are using more sophisticated techniques and achieving great success due to the commercialisation of cyber crime, with phishing as a service and ransomware as a service offerings readily available on the dark web. In addition, there has been an increase in the number of employees working from home, often on personal devices, following the pandemic.” 

Steven Wills.
Steven Wills.

Steven Wills, senior sales engineer at Tessian, said: “Over time, threats have become more sophisticated and targeted. The first e-mail threats we saw were around viruses and spam, so the first cyber security tools were designed to solve that problem. But as that problem is solved, the threat actor still wants a reward. The attackers want the shortest path to success the easiest way. So as defence becomes more sophisticated, the attacks do too. If the more basic threats still worked, attackers would still be using them – which is an indication that the existing defences have been doing a good job.”

Wills said Tessian had seen two million malicious e-mails evade traditional solutions in a 12-month period. “Traditional solutions are effective against known threats including malware, basic phishing and spam, but less effective against unknown threats such as new domains and advanced impersonation techniques,” he said.

Stewart Gilburt, senior team lead, vulnerability management at Nclose, said: “Times are changing and tools for hackers are a lot easier to access and use. You’re still seeing threats getting through. Even if engineers dedicated all their time just to e-mail security – which they can’t – there’s still a lot of work that must go into it. You must constantly review policies, check quarantines and do simulated campaigns to see which users are more susceptible and try to train them up. Meanwhile, more and more hackers are able to get tools and bypass security, getting spear phishing or targeted attacks through security and exploit credentials or worse, deploy malware.”

Stephen Osler.
Stephen Osler.

Attackers are now using known good platforms and more targeted impersonation mails to trick users and get past traditional solutions. Wills explained: “It has created the problem where organisations now have a new weakness, where attackers are using trusted sites and individuals to bypass signature-based defences and launch attacks. You must have seen something previously to create signature-based detection, so traditional tools don’t protect against them. The day zero-style attack is incredibly difficult to detect, so solutions have now pivoted to not trust anything. Threat actors understand how security works, so they might, for example, compromise a third-party account and launch the attack through a reply to a business mail.”

Wills added: “E-mail gateway and native tools have some level of domain detection, but often based on variation of their own domain – not variations of their entire partner network’s domains. Attackers might use account takeovers or third-party domain compromise and attack multiple accounts. Attackers now have the confidence to access a single mailbox and then look at their relationships and attack their entire network.”

Vasey noted: “DMARC e-mail authentication protocol protects your brand reputation but don’t really protect against inbound attacks. And when a third party is compromised, DMARC won’t prevent the attacks coming from their legitimate e-mail.”

He highlighted Integrated Cloud Email Security (ICES), a term coined by Gartner, which is a new category and the next generation of e-mail security. Vasey said: “ICES is positioned as the best defence against advanced phishing threats that bypass traditional solutions. Gartner expects up to 20% of enterprises will be using an ICES solution by 2025. They are cloud, leverage machine learning and behavioural intelligence to detect anomalous e-mail behaviour deep within incoming e-mails. They are not relying on known threats and are designed to detect advanced social engineering attacks including impersonation attacks, business e-mail compromise and account takeover.”

Sources: * Tessian Spear Phishing Threat Landscape 2021 report

Sources: * Gartner Email Security Market Guide 2021

Share