Last week, a friend called me with some bad news about a company. The company was looking for help: it had become a victim of Egregor ransomware and was trying to learn what to do about the attacker, who had taken all of their data, encrypted it, and given them three days to pay 500k dollars. The attacker threatened to publish their data publicly after the three days. But the threat of publication was not the only problem: they had also lost all their private data. How is that possible?
Ransomware has been the biggest problem of the cyber world for some years. We have heard about it, worked on it and seen far too many bitcoins paid over these years. There are tens (or maybe hundreds) of webinars, talks and articles trying to help organizations stay safe against ransomware. Since the weakest link is human, it is always possible to be exposed to ransomware, but it is not too difficult to confine it to a small area.
The company I mentioned above is a chemical company and of course has a lot of private data, such as formulas. When I say they lost all their data, I mean they also lost their backups. Since they did not isolate their backup network, their backups were encrypted as well. They do have some backup tapes, but they cannot use them because they never tested whether the tapes work, and of course the tapes did not work when the company needed them.
There are some basic prevention steps against ransomware. Briefly: user awareness, regular phishing tests, not only an anti-spam product but also a sandbox or another technology against malicious emails, EDR to respond faster to malicious behavior, NDR to detect anomalies in the network, backing up data and testing those backups regularly, isolating the backup network so that an attacker who gets in cannot harm the backups, isolating private data and applying need-to-know, limiting users' internet access, and more. The list seems long, but most of the items do not require much expenditure. If you do not invest in professionals and in some technology, you are simply squandering your money, and you can never count the cost of lost reputation, secret formulas and data.
All these measures can cost a lot, and I can understand if a company cannot invest in all of them. But as I said above, this company's backup network is not isolated and can be accessed from every other network. And, as I learnt, they only use an antivirus product, it is not up to date, and I am sure they do not track whether every PC and server has it installed. Most of these measures are not expensive. To have at least these measures, every company needs to invest in talented security professionals, and that investment saves money. I do not think any of these measures costs more than 500k$ + reputation + publicly published private data. Investing in security is not wasting money; it is directly saving money. Everyone needs to understand this without living through it.
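The untested backup tapes above are the concrete failure behind "test your backups regularly". The following is an added example (not from the post) of what such a test looks like in code: a backup archive carries a manifest of SHA-256 hashes, and the restore test extracts every file into a scratch directory and compares it with the manifest, reporting files that are missing or corrupt. The manifest file name, the archive layout and the sample files are constructed for the demo; it builds its own archives in a temporary directory, so it runs offline.

```python
"""Restore-test a backup archive against an embedded checksum manifest.

Added example, not the post's code. Creates a constructed tar.gz backup from
sample files, then restores it into a scratch directory and verifies every
file. A backup is only trustworthy when the report has no missing and no
corrupt entries; a tape that was never restored has never been tested.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # hypothetical name for the embedded checksum list


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large restores do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive_path: Path, manifest: Optional[dict] = None) -> dict:
    """Write a tar.gz of source_dir plus a manifest of relative path -> sha256.

    A manifest may be passed in; the demo uses that to simulate a backup whose
    contents silently drifted from what the manifest promises.
    """
    if manifest is None:
        manifest = {
            p.relative_to(source_dir).as_posix(): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()
        }
    manifest_bytes = json.dumps(manifest, indent=1).encode()
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            path = source_dir / rel
            if path.is_file():  # a vanished file is simply absent from the archive
                tar.add(path, arcname=rel)
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(manifest_bytes)
        tar.addfile(info, io.BytesIO(manifest_bytes))
    return manifest


def verify_backup(archive_path: Path) -> dict:
    """Restore into a scratch directory and compare each file with the manifest."""
    report = {"verified": [], "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path, "r:gz") as tar:
        restore_dir = Path(scratch)
        manifest = json.loads(tar.extractfile(MANIFEST_NAME).read())
        for rel, expected in sorted(manifest.items()):
            if Path(rel).is_absolute() or ".." in Path(rel).parts:
                report["corrupt"].append(rel)  # never restore outside the scratch dir
                continue
            try:
                member = tar.getmember(rel)
            except KeyError:
                report["missing"].append(rel)
                continue
            target = restore_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, target.open("wb") as dst:
                dst.write(src.read())
            bucket = "verified" if sha256_of(target) == expected else "corrupt"
            report[bucket].append(rel)
    return report


def demo() -> tuple:
    """Constructed scenario: a healthy backup, then one that quietly went bad."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "formulas").mkdir(parents=True)
        (src / "formulas" / "batch-7.txt").write_text("constructed formula A\n")
        (src / "formulas" / "batch-8.txt").write_text("constructed formula B\n")
        (src / "notes.txt").write_text("constructed notes\n")

        good_archive = root / "backup-good.tar.gz"
        manifest = create_backup(src, good_archive)
        good_report = verify_backup(good_archive)

        # What an untested tape can hide: one file corrupted, one lost, while the
        # manifest still describes the original data.
        (src / "formulas" / "batch-7.txt").write_text("corrupted\n")
        (src / "notes.txt").unlink()
        bad_archive = root / "backup-bad.tar.gz"
        create_backup(src, bad_archive, manifest=manifest)
        bad_report = verify_backup(bad_archive)
    return good_report, bad_report


if __name__ == "__main__":
    good, bad = demo()
    print("healthy backup:", good)
    print("drifted backup:", bad)
```

Run this on a schedule against the real archives and alert on any non-empty missing or corrupt list; the restore is the test, not the existence of the tape.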
All IT professionals know that most cyber attacks begin with an email. According to the statistics in the PhishMe Defense Guide 2017, 91% of cyber attacks began with an email. This is not surprising, since we all know that the human is the weakest part of cyber defense. If users do not have enough awareness (which might be the IT professionals' fault, of course), and especially with today's carefully designed phishing emails, users can easily download malicious content or have their credentials stolen. Phishing attacks against users make it easier for cyber criminals to breach an organization than scanning websites for vulnerabilities and applying complex techniques to obtain the same gain.
As mentioned at the beginning, most successful attacks begin with phishing emails. Attackers may send malicious content directly via email, or a link to a phishing site, to a download of malicious content, or to a CnC (command and control) server. Sometimes, to bypass security devices, attackers leave the link target empty at first and add the malicious content later, so that users can download it once the link has passed the security controls.
Traditional signature-based or reputation-based email security controls cannot stop these types of attacks. Signature-based controls cannot stop 0-day threats, and criminals use unique malware, URLs and phishing sites to bypass signature-based control mechanisms.
Most antispam solutions work this way, including an antivirus engine in their solution. As explained, even though it is not enough, spam is still a very big problem for organizations, since more than 90% of the emails reaching an organization are spam. So, when choosing an email protection solution, the antispam feature is one of the most important capabilities to check. If you do not stop known spam mails, it will be very difficult to combat more sophisticated email attacks while trying to manage so many spam messages.
Feature 1: Antispam
As explained above, more than 90% of the emails an organization receives are spam. Most of these spam mails do not contain malicious content; they just carry information about a sales campaign. The reputation database is mostly hosted in the cloud and fed by the vendor's intelligence and other customers' feedback, so both the intelligence capability and the size of the customer base matter when choosing a vendor. It is also worth noting that some vendors use additional block lists for more protection.
The antispam engine must also be tested carefully, especially if the most used language in the organization is not English, because an engine's effectiveness may differ between languages.
Although spam mails are not very dangerous, they are annoying because of their volume and, for some of them, their content. A good antispam engine with reputation capability stops these spam mails at the edge, which reduces the number of emails that remain and gives them a better chance of proper analysis.
Feature 2: Antivirus
Like the antispam feature, a signature-based antivirus feature can stop most of the known malicious content sent to an organization. Different email security vendors embed different antivirus engines in their solutions, so even if you do not rely on the antivirus feature directly, it is important that a well-known vendor's engine is used here.
Feature 3: Sandbox
With today's evolving attack types and more aggressive, focused attackers, sandboxes have become mandatory for organizations. I do not want to explain sandbox features here, but a sandbox that analyzes emails has become very important. In traditional antispam solutions, the antivirus engine can only stop known malware; organizations need a sandbox to analyze both unknown files and URLs. For suspicious URLs, a URL masking feature can also be used, so that users' direct access to the suspicious URL is blocked.
The sandbox for email protection can come from a different vendor than the antispam solution; it can be positioned after the antispam product to analyze the emails that remain, or it can be a cloud service if the organization has no regulation against using cloud solutions.
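The URL masking feature mentioned above is what defeats the trick described earlier, where the link target is harmless (or empty) when the mail passes the filters and is armed afterwards. The following added example (not the post's or any vendor's code) shows the mechanism: at delivery every http(s) link in the body is replaced by a gateway link that carries the original URL and an HMAC tag; when the user clicks, the gateway verifies the tag and re-checks the original URL against the reputation data available at that moment. The gateway endpoint, the secret, the message body and the reputation dictionaries are all constructed for the demo.

```python
"""Click-time URL masking for an email gateway (added example, not the post's).

Links are rewritten at delivery and judged again at click time, so a link that
was clean when the mail was scanned is re-evaluated once the attacker arms it.
The HMAC tag stops anyone from forging a gateway link to an arbitrary target.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://urlcheck.example.invalid/click"  # hypothetical gateway endpoint
SECRET = b"constructed-demo-secret-rotate-me"        # constructed; keep in a KMS/HSM in practice
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(url: bytes) -> str:
    """HMAC-SHA256 over the original URL, so the gateway only follows links it issued."""
    return _b64(hmac.new(SECRET, url, hashlib.sha256).digest())


def mask_url(url: str) -> str:
    raw = url.encode()
    return GATEWAY + "?" + urlencode({"u": _b64(raw), "t": _tag(raw)})


def rewrite_body(body: str) -> str:
    """Delivery-time step: replace every link in the message body with a masked one."""
    return URL_RE.sub(lambda m: mask_url(m.group(0)), body)


def unmask(masked: str) -> Optional[str]:
    """Recover the original URL only if the HMAC tag verifies; None otherwise."""
    query = parse_qs(urlparse(masked).query)
    try:
        raw = _unb64(query["u"][0])
        tag = query["t"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if not hmac.compare_digest(tag, _tag(raw)):
        return None
    return raw.decode(errors="replace")


def handle_click(masked: str, reputation: dict) -> Tuple[str, Optional[str]]:
    """Click-time step: ('allow', url), ('block', url) or ('tamper', None).

    `reputation` stands in for whatever verdict source the gateway queries at
    click time (reputation feed, sandbox result); it is a constructed dict here.
    """
    original = unmask(masked)
    if original is None:
        return ("tamper", None)
    host = (urlparse(original).hostname or "").lower()
    if reputation.get(host) == "malicious":
        return ("block", original)
    return ("allow", original)


def demo() -> dict:
    # Constructed message and verdict feeds; none of these hosts are real indicators.
    body = ("Please review http://files.example.invalid/inv.pdf "
            "and https://portal.example.invalid/login")
    links = URL_RE.findall(rewrite_body(body))
    at_delivery = {}                                   # nothing known when the mail arrived
    at_click = {"files.example.invalid": "malicious"}  # feed updated after the link was armed
    forged = GATEWAY + "?" + urlencode({"u": _b64(b"http://other.example.invalid/"), "t": "not-a-tag"})
    return {
        "rewritten_count": len(links),
        "no_plain_links_left": all(link.startswith(GATEWAY) for link in links),
        "delivery": [handle_click(link, at_delivery) for link in links],
        "click": [handle_click(link, at_click) for link in links],
        "forged": handle_click(forged, at_click),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same link is allowed when evaluated with delivery-time knowledge and blocked once the click-time feed knows the host, which is exactly the window the delayed-arming trick relies on.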
Feature 4: Quick Response
Organizations receive thousands of alerts every day, and most of them do not have enough analysts to determine whether each alert is a true attack or a false positive. Even worse, most email security solutions do not give enough information to make that determination. For quick response, choose a solution that gives a more detailed analysis of the content.
Feature 5: End User Quarantine
One of the worst aspects of email security gateway solutions is the false positive rate. Since attackers create more realistic emails to deceive users, stricter rules may be required, and stricter rules mean more false positives: emails the user needs for their work also begin to be blocked. Of course, this leaves IT professionals in trouble; they have to drop their important tasks and spend time releasing emails from quarantine. So, an end user quarantine feature that lets users manage their own quarantine and release the emails they believe are clean is as important as the false positive rate.
One bad thing about end user quarantine is that users can release genuinely suspicious emails to themselves, so this feature should be used very carefully. Workload or security? One more thing for decision makers to think about.
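The "workload or security" question does not have to be all-or-nothing. The following added example (not the post's or any product's code) models a quarantine whose release rights depend on the gateway's verdict: users may release their own mail classified as spam or bulk, verdicts such as "suspicious" or "phishing" turn a user's release into a request for an admin, and "malware" is never released from this interface. Every attempt is recorded in an audit list so that users who keep trying to release dangerous mail show up for the security team. The verdict names, policy labels, mailboxes and items are constructed for the demo.

```python
"""End user quarantine with a verdict-based release policy (added example).

Self-service stays where false positives are cheap to fix (spam, bulk) and the
dangerous verdicts stay in admin hands. Unknown verdicts fail closed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set

# Verdict -> who may release it. Both sides are hypothetical labels for the demo.
RELEASE_POLICY = {
    "spam": "user",         # a blocked newsletter costs the business; let users fix it
    "bulk": "user",
    "suspicious": "admin",  # the sandbox could not decide; an analyst looks first
    "phishing": "admin",
    "malware": "nobody",    # never released from this UI, by anyone
}


@dataclass
class QuarantineItem:
    item_id: str
    recipient: str
    subject: str
    verdict: str
    released: bool = False


@dataclass
class Quarantine:
    items: dict = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)
    audit: List[dict] = field(default_factory=list)

    def add(self, item: QuarantineItem) -> None:
        self.items[item.item_id] = item

    def release(self, item_id: str, actor: str, role: str) -> str:
        """Apply the policy and return the outcome; every attempt is audited."""
        item = self.items.get(item_id)
        if item is None:
            outcome = "not_found"
        elif item.released:
            outcome = "already_released"
        elif role == "user" and actor != item.recipient:
            outcome = "denied"  # users only touch their own mailbox
        else:
            allowed = RELEASE_POLICY.get(item.verdict, "nobody")  # unknown verdict fails closed
            if allowed == "nobody":
                outcome = "denied"
            elif allowed == "admin" and role != "admin":
                outcome = "pending_admin"
                self.pending.add(item_id)
            else:
                outcome = "released"
                item.released = True
                self.pending.discard(item_id)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "item": item_id, "actor": actor, "role": role,
            "verdict": item.verdict if item else None, "outcome": outcome,
        })
        return outcome

    def admin_queue(self) -> list:
        """Items a user asked for that still need an analyst's decision."""
        return sorted(i for i in self.pending if not self.items[i].released)


def demo() -> dict:
    # Constructed quarantine contents; the mailboxes and subjects are not real.
    q = Quarantine()
    q.add(QuarantineItem("m1", "alice@example.invalid", "Weekly newsletter", "bulk"))
    q.add(QuarantineItem("m2", "alice@example.invalid", "Invoice attached", "suspicious"))
    q.add(QuarantineItem("m3", "alice@example.invalid", "Urgent payment", "malware"))
    q.add(QuarantineItem("m4", "bob@example.invalid", "Project plan", "spam"))
    return {
        "user_bulk": q.release("m1", "alice@example.invalid", "user"),
        "user_suspicious": q.release("m2", "alice@example.invalid", "user"),
        "user_malware": q.release("m3", "alice@example.invalid", "user"),
        "user_other_mailbox": q.release("m4", "alice@example.invalid", "user"),
        "queue_before": q.admin_queue(),
        "admin_suspicious": q.release("m2", "soc@example.invalid", "admin"),
        "admin_malware": q.release("m3", "soc@example.invalid", "admin"),
        "queue_after": q.admin_queue(),
        "audit_events": len(q.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The audit list is the part worth keeping even if the policy is changed: a count of denied or pending releases per user is a simple signal for both awareness training and for spotting a mailbox an attacker is pushing on.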
Feature 6: Scalability
With evolving business models and growing organizations, scalability is always an important point. Not only email protection but all security products should be scalable, and this should be discussed especially during PoCs. Again, for organizations that have no regulation against cloud usage, scalability is easier with cloud-native solutions.
Questions To Ask
While choosing an email security gateway product, it is better to ask the vendors these questions:
1- Does the solution use multiple technologies, including AI?
2- Does the solution provide intelligible reports about suspicious or malicious activity for responding quickly?
3- Which technologies does the solution have for identifying 0-day attacks?
4- What is the false positive rate of the solution?
5- Is the solution fed from any intelligence source?
6- What is the quality of these intelligence sources?
7- Can it be quickly updated against new threats?
8- What is the success rate in preventing suspicious URLs?
9- Can the solution share threat information with other security tools positioned in the organization?
10- What is the scalability capacity of the solution?