If you see something, say something!

January 21, 2020
Avoiding the hook

According to the FISMA 2014 report, 69% of cyber incidents reported by the private sector to US-CERT are phishing related.

Why has email emerged as the favorite attack vector of cyber criminals? The answer is simple: email allows asynchronous yet ‘direct’ contact with the person at the other end, and this exposes the enterprise to exploitation of human susceptibility to social engineering. With the availability of high-fidelity data from social media sites like LinkedIn and Facebook, it is fairly easy to map the ‘employee threat surface’ of an organization. To make matters worse, the explosion in recent data breaches has put employees’ corporate email addresses in the hands of cyber criminals. Between LinkedIn, Facebook and open Internet protocols, it is fairly straightforward to identify high-value targets, customize the communication and launch spear phishing that sails past all email security measures in place today.

Spear phishing emails are carefully crafted for the target recipient, making them indistinguishable from a real message. This is not spam that can be picked up by spam filters. If the spear phish uses a malicious attachment to infect the recipient’s computing device, then the cyber criminals take enough care to ensure anti-virus engines don’t yet have a signature to detect the malicious payload. The same care is taken with malicious website links. Traditional security measures in place today are simply ineffective in detecting and blocking attacks of this nature, and this is the reason why every major data breach in the recent past has been traced back to a spear phishing email.

Leveraging employees as ‘security sensors’ has emerged as a key strategy in fighting back against spear phishing attacks. Employees are being trained to recognize suspicious emails and report them to their IT Operations/Security teams. It is arguable whether employees can detect highly sophisticated targeted attacks. Nonetheless it is a smart strategy – “if you see something, say something”. It is important to note that deleting the email without reporting it is not the desired behavior. The reason is that someone else in your organization may have received the same or a similar email from the cyber criminals targeting your organization. You might delete the email that you received, but someone else might respond with sensitive information, click the link or download the malicious attachment, thus compromising the security of the enterprise. By reporting the threat you ensure that proper threat investigation and mitigation is performed by IT Operations/Security.

Reporting suspicious emails is only half the battle. The other half is the capability to quickly investigate and scope the threat, followed by immediate remediation. Investigating an email threat requires that you be able to analyze the email metadata, links and attachments to determine whether the sender, the link(s) or the attachment(s) are malicious. Once it is determined that the email is indeed malicious, it is important to quickly find out who else in the organization is impacted and to prioritize the action plan, starting with those who opened the email. To establish the complete scope of the threat, one should also be able to find all other emails that carry the same threat indicators as the malicious email. All this needs to happen fast, as most spear phishing emails are opened and read within the first few hours of receipt.
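The investigation steps just described (extract the indicators from the reported message, check them against what is already known to be bad, then find every other mailbox that received a message sharing those indicators and put the mailboxes that opened it first) can be expressed as a small triage script. The following is an added example written for this page, not Graphus code and not a description of their platform; the mailbox export, the lookalike domain `examp1e.com`, the attachment bytes and the `KNOWN_BAD` block list are all constructed for the demonstration, and a real mail store export would be read from a file or an API rather than built in memory.

```python
"""Triage and scope a reported phishing email over a constructed mailbox export."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# --- Constructed sample data (hypothetical; not real messages, mailboxes or malware) ---
PAYLOAD = b"not-a-real-executable; constructed demo bytes"

def build_message(sender, recipient, body, reply_to=None, attachment=None):
    """Assemble a raw RFC 822 message so the example runs without a mail server."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Invoice overdue - action required"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

# (mailbox, opened_by_user, raw message): the shape a mail-store export might give an investigator
MAILBOX_EXPORT = [
    ("alice@example.com", True, build_message(
        "ceo@examp1e.com", "alice@example.com",
        "Please review the invoice at http://examp1e.com/invoice and pay today.",
        reply_to="pay@examp1e.com", attachment=("invoice.pdf.exe", PAYLOAD))),
    ("bob@example.com", False, build_message(
        "ceo@examp1e.com", "bob@example.com",
        "Wire details are at http://examp1e.com/invoice")),
    ("carol@example.com", True, build_message(
        "it@example.com", "carol@example.com",
        "Reset your password at http://examp1e.com/reset")),   # same lookalike domain, new path
    ("dave@example.com", True, build_message(
        "hr@example.com", "dave@example.com",
        "Cafeteria menu: http://intranet.example.com/menu")),  # benign, must not match
]

# Constructed block list standing in for the threat intelligence an analyst already holds
KNOWN_BAD = {
    ("url_domain", "examp1e.com"),
    ("attachment_sha256", hashlib.sha256(PAYLOAD).hexdigest()),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_indicators(raw: bytes) -> set:
    """Pull (kind, value) indicators from one message: sender, reply-to, URL hosts, attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender:
        indicators.add(("sender", sender))
        indicators.add(("sender_domain", sender.split("@")[-1]))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to:
        indicators.add(("reply_to", reply_to))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            indicators.add(("attachment_sha256", digest))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    indicators.add(("url_domain", host.lower()))
    return indicators

def assess(raw: bytes) -> set:
    """Step 1: which indicators of the reported message are already known to be bad?"""
    return extract_indicators(raw) & KNOWN_BAD

def scope_threat(reported_raw: bytes, export) -> list:
    """Step 2: every message sharing an indicator with the reported one,
    mailboxes that opened it first so remediation can be prioritised."""
    reported = extract_indicators(reported_raw)
    hits = []
    for mailbox, opened, raw in export:
        shared = extract_indicators(raw) & reported
        if shared:
            hits.append({"mailbox": mailbox, "opened": opened, "shared": shared})
    hits.sort(key=lambda h: (not h["opened"], h["mailbox"]))
    return hits

if __name__ == "__main__":
    reported = MAILBOX_EXPORT[0][2]           # Alice reports her message
    print("known-bad indicators:", sorted(assess(reported)))
    for hit in scope_threat(reported, MAILBOX_EXPORT):
        print(hit["mailbox"], "OPENED" if hit["opened"] else "unopened", sorted(hit["shared"]))
```

Pivoting on the URL host rather than the full URL is what catches Carol’s message, which uses the same lookalike domain with a different path; Bob’s message matches on sender and domain but is listed last because he has not opened it, so the mailboxes where a click or download may already have happened come first in the action plan.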

Graphus has developed an Email Threat Management Platform that gives real-time visibility and control over the enterprise email system. It allows IT Operations/Security to thoroughly investigate a suspicious email and mitigate the threat in 60 seconds or less, at a fraction of the cost that is incurred if these threats go undetected. We are inviting enterprises using cloud email services from Google Apps and Office 365 to a free trial.