by Loïc Calvez, ALCiT
Is email really that dangerous?
Spoiler alert: yes.
Last month, here, we looked into phishing and some of the actions you could take to protect yourself. This month, we want to dive a little deeper into what makes email so dangerous, but also into what you can do to protect yourself and your company (because, as bad as email is, we still need it to get a lot of things done).
As we mentioned previously, 94% of malware was delivered via email [1]. When you think of it, that is pretty logical: other attack vectors (like USB keys) require someone to buy the keys, infect them, find you, try to get the key into your hands and then persuade you to connect it. With email, they can send a million messages in a couple of minutes, and even if they have a one in a million chance of you opening one, well, that’s still one person for a couple of minutes of investment…
To understand the risk, and why some of the protection methods from before are no longer effective, it is important to understand what has changed with malware (a.k.a. viruses, trojans, ransomware, adware, rootkits…) in the last couple of years. Malware used to be simpler: each sample had a specific binary signature that would be injected into a file, so you could look for it (scan) and discover hidden malware before you got infected. You had a “virus scanner” that would get updated regularly, would check all new and old files, and would keep you safe.
But how things have changed:
- First: there is now fileless malware. It never actually gets written to disk, so it evades all previous-generation anti-malware that only looks at files.
- Second: malware is now polymorphic. It changes its signature every time it moves, so signature scanning is useless against it.
- Third: zero-day attacks are so new that detection software has not yet been updated to detect them.
So what to do?
Use a new generation of anti-malware (a.k.a. Next Generation). The new products on the market are what are now called “behaviour”-based anti-malware. They run under the assumption that malware could be anywhere and watch for abnormal behaviour. For example, you receive an urgent email from an unknown customer that wants to place a large order. You open the attached PDF (many variants of malware hide in “regular” documents: pdf, docx, xlsx…) and, without you noticing, the PDF starts downloading a second file, modifies your registry and scans your hard drive. That’s not “normal” behaviour for a PDF! So the Next Generation anti-malware stops those actions, quarantines the PDF and lets you know what happened.
Before we get back to email, I also want to introduce another cyber security concept: “defense in depth”.
The key to the concept is to have multiple layers of defense, so that attacks/malware are stopped before they even get to your devices. Think of your classic medieval castle: it did not just have a door, it had moats, high walls, drawbridges… So the anti-malware running on your device (because you are running one, right?) is your last line of defense; whenever possible you want to stop everything before it gets to you. With email, this is actually easier, since all emails need to go through a server before they get delivered to you, and a minute or two of delay to make sure all is safe is acceptable.
So here is what a Next Generation email gateway solution looks like: all emails coming in (and optionally going out) are analyzed. This gateway is usually a stop before your existing email solution (like Office 365 or G Suite).
- All attachments are checked against a known-good database (if that exact file, with that exact binary signature, has already been tested, it gets the OK to move on).
- Unknown attachments are scanned with multiple signature-based anti-virus engines (they miss things, but they are fast, so it is an easy step to catch the low-end malware).
- If the attachment still looks OK, it is then moved into multiple “sandboxing” engines. Here we take the file, open it in a virtual environment made to look like a real device, and watch whether it does anything unexpected (bad behaviour). We recommend using multiple different sandboxing engines, because newer malware also uses evasion techniques when it thinks it is in a sandbox.
- Then the URLs (web links) in the email are checked to see whether they could connect to bad websites or infected files.
- And if all this looks good, the email is sent to your mailbox (this usually all happens in under 2 minutes).
So by using a proper Next Generation email gateway, and a newer behaviour-based Next Generation anti-malware on your devices, you dramatically increase your level of protection. But we will also tell you about a secret weapon that can save you from a lot of trouble: a telephone. If you receive an unexpected email from someone, especially with an attachment, call that person before you open it.
Lastly, if you receive an email with an encrypted zip file and the sender very graciously provided the password in the same email, just delete it (and if you really (really) think it could be something you need, call the person first!).
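To make the gateway stages above concrete, here is a small added illustration (written for this page, not ALCiT's or any vendor's product code) of the pipeline as a chain of verdicts: known-good hash lookup, a cheap signature scan, the behaviour verdict from a sandbox run, the URL check, plus the last tip as its own rule (an encrypted zip whose password sits in the same message body is quarantined). The reference data (the known-good hashes, the signature patterns, the bad domains, the list of suspicious behaviours) and the sandbox observations attached to each sample are constructed stand-ins for what a real gateway would get from its databases and sandbox engines.

```python
"""Toy email-gateway pipeline: added example, not a real product's code."""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field
from urllib.parse import urlparse

# --- constructed reference data (stand-ins for the gateway's real databases) ---
KNOWN_GOOD_SHA256 = {hashlib.sha256(b"%PDF-1.4 quarterly report").hexdigest()}
SIGNATURE_PATTERNS = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]  # the standard harmless AV test string
BAD_DOMAINS = {"malware.example", "phish.example"}
SUSPICIOUS_BEHAVIOURS = {"downloads_second_stage", "modifies_registry", "scans_disk"}
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    data: bytes
    # constructed: what the sandbox engines reported when they detonated this file
    sandbox_behaviours: set = field(default_factory=set)


@dataclass
class Email:
    body: str
    attachments: list


def is_encrypted_zip(data: bytes) -> bool:
    """True if the bytes are a zip in which any entry has the encryption flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def bad_urls(body: str) -> list:
    """Stage 4: every link in the body whose host is on the bad-domain list."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in urls if urlparse(u).hostname in BAD_DOMAINS]


def scan_attachment(att: Attachment, body: str) -> str:
    """Walk stages 1-3 in order; return 'allow' or the reason to quarantine."""
    if hashlib.sha256(att.data).hexdigest() in KNOWN_GOOD_SHA256:
        return "allow"  # stage 1: exact file already tested and known good
    if any(p in att.data for p in SIGNATURE_PATTERNS):
        return "signature match"  # stage 2: fast signature scan catches low-end malware
    if is_encrypted_zip(att.data) and PASSWORD_HINT.search(body):
        return "encrypted zip with password in body"  # the article's last tip as a rule
    hits = att.sandbox_behaviours & SUSPICIOUS_BEHAVIOURS
    if hits:
        return "sandbox: " + ", ".join(sorted(hits))  # stage 3: behaviour verdict
    return "allow"


def gateway(email: Email) -> dict:
    """Combine attachment and URL verdicts into deliver/quarantine."""
    reasons = [r for r in (scan_attachment(a, email.body) for a in email.attachments) if r != "allow"]
    reasons += [f"bad url: {u}" for u in bad_urls(email.body)]
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def make_encrypted_zip_sample() -> bytes:
    """Constructed sample: a plain zip with the 'encrypted' bit set in both the local
    and central headers, which is all the detection rule looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"not really a program")
    data = bytearray(buf.getvalue())
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + flag_offset] |= 0x1
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "clean report": Email("Quarterly numbers attached.",
                              [Attachment("report.pdf", b"%PDF-1.4 quarterly report")]),
        "urgent order": Email("Urgent: large order, see attached.",
                              [Attachment("order.pdf", b"%PDF-1.4 order form",
                                          {"downloads_second_stage", "modifies_registry", "scans_disk"})]),
        "zip + password": Email("Invoice attached, password is 1234",
                                [Attachment("invoice.zip", make_encrypted_zip_sample())]),
        "bad link": Email("Please log in at http://phish.example/login today", []),
    }
    for label, mail in samples.items():
        print(f"{label:15} -> {gateway(mail)}")
```

The ordering matters: the known-good lookup runs first because it is a single hash comparison, the signature scan next because it is cheap, and the sandbox verdict last because detonation is the slow step; that is how the gateway keeps the whole pass under the "minute or two" the article says is acceptable.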
Safe emailing everyone!
[1]: Verizon Data Breach Investigations Report (DBIR) 2019