How Many Layers Does Your Email Security Need?

By: Chris Harget | 07 June 2016

At least one more layer than the attacker can defeat. Here's how to improve your odds by turning on little-used or newer capabilities to block email-targeted malware.

Most IT people find email gateways justifiably boring. They've been around almost as long as email, after all. Everybody has one. You probably only notice them when they miss obvious spam or block legitimate mail.  For everything else, you probably figure email gateways are all pretty much the same, and as long as you checked the box, you are free to think about something else. Out of sight, out of mind, right?

The only problem is, that's likely completely wrong.

If your email gateway rarely catches your attention, it's likely because it is so easily and completely fooled by targeted threats that it never lets out a whimper. Ask yourself this: how would you know if your email gateway was missing new custom malware?

Consider the current state of the threat environment your email gateway faces. In addition to phishing and mass malware attacks distributed via botnets -- which are pretty easy to see and interdict at the gateway -- we have targeted attacks using new malware. According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks. Targeted attacks have adapted precisely to evade traditional methods most email gateways use to try to block unknown malware, such as the following techniques:

- AV engines may miss attacks because they use new or highly obfuscated malware, for which no signature exists.

-  Spam filters may miss attacks because they are one-off, low volume, or they have few suspicious traits to analyze.

- Sender reputation filters often miss attacks that come from newly created or spoofed email addresses, or from IP addresses with no "bad" history.

- Blanket policy rules that block all unusual and risky email attachment types (such as .EXE and .LNK) cannot be used on the malicious .DOC, .PDF, .XLS, and .PPT files favored by targeted attacks, as these are common business documents.

- URL filters may miss attacks because the malicious URL is hidden inside a PDF file, or within macros hidden inside document files.

- Web scanners are sometimes evaded by sending a harmless URL, but then placing malicious code behind the URL later after it has already passed the gateway.

Even newer methods such as sandboxes are limited in their protection against targeted malware. Unfortunately, targeted malware often contains countermeasures that delay execution or prevent discovery in a virtual machine environment. 

Let's return to the earlier question, "How would you know if your email gateway was missing new malware?" There are several methods of varying efficacy. You might have endpoint whitelisting that spots something unusual. An Endpoint Detection and Response (EDR) solution is another method growing in popularity. Perhaps you get breached and conduct a forensic investigation back to the patient-zero compromised user account, time and date.

The news isn't all bad. There are some advanced techniques that secure email gateways can use to block obfuscated, targeted PDF and Microsoft Office docs. No single technique is completely effective, but the more of these you can leverage, the better your chances.

First off, techniques like Sender Protection Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) are designed to validate the identity of the sender, protecting against spoofed emails that appear to come from a friendly sender. However, very few organizations bother to turn these capabilities on. Be sure to use the same technologies when sending your own email.

Secondly, your gateway needs to extract and explode all the elements of an email attachment to be able to deeply analyze it for malicious intent. There could be executables and macros hidden inside office documents. There may be buffer overflow exploits hidden inside PDFs, or JavaScript inside a .ZIP file. Deep analysis rules can be applied to score all the traits of a file for risk. Risk points can be assigned for hundreds of reasons, including the presence of obfuscation techniques, encryption, known exploits, and buffer overflows. This can create a statistical picture of a file's malicious intent and block never-before-seen malware. In many ways, this is more robust than sandboxes because it's not dependent on a fragile environment or finicky timing of file execution. Also, the very techniques used to evade or obfuscate end up exposing the malware to deep analysis rules.

Finally, it is essential to ensure URLs are scanned at time of click. In practical terms, this means that URLs contained in emails must be rewritten with pointers that force them to go through a cloud-based web gateway whenever they are clicked upon. This ensures security scans at any time, and on any device the recipient uses to read email, including mobile devices. 

So, how many layers does your email security need?

Email is a hotbed of hacking innovation. Traditional or incompletely implemented secure email gateways make you vulnerable to targeted attacks. Organizations can improve their odds markedly by turning on little-used or newer capabilities to block targeted malware.  

You always need at least one more layer of email security than the attacker can defeat.

Copyright 2013 - 2016 ZOOM Technologies. All rights reserved.