Email is one of the most popular communication mediums for organisations today. It is also the most prominent attack vector. Emails are accessed from multiple devices and from different locations (home, office, on the move), shaping a 'converged device landscape' for email use. When accessing email, employees often inadvertently click on links to malware-hosting websites or, even worse, install malicious content directly onto the device without knowing it, which is then also sent on as attachments to others.
Cyber Kill Chain: A framework for cyber intrusion identification and prevention
Cyber Kill Chain is a framework developed by Lockheed Martin for the identification and prevention of cyber intrusions. It defines the steps an adversary must complete to succeed. It recognises email as the largest means of spreading malware, using both file-based and fileless techniques.
Targeted spear-phishing campaigns using email have become the attacker's method of choice for exploiting networks, systems and data. In the past, companies have deployed different email security solutions to combat email attacks, such as secure email gateways (SEG) combined with cyber security awareness programmes within their organisations. Attacks are far more sophisticated nowadays and focus on unconventional channels such as business email compromise.
Is your CEO the Trojan Horse for Email security?
One of the most common instances of targeted spear-phishing is CEO fraud. This is when cybercriminals spoof company email accounts and impersonate executives. Through email or other communication channels, they try to fool an employee in accounting or HR into executing unauthorised wire transfers or sending out confidential tax information. The CEO becomes the Trojan Horse for email security, so to speak. New and modified strains of malware and zero-day threats cannot be detected at scale using historic IPS signatures and heuristic-based techniques alone, which is what many legacy email security solution providers still rely on.
Organisations have an unprecedented need for protection against content-based (attachments and URLs) and content-less (spam, spear phishing, BEC) email-borne attacks. In a cyber security market full of vendors and products, each claiming to be groundbreaking, it is a massive challenge for customers to select the right email security product, create a deployment framework and fine-tune the relevant features and services to achieve a strong security posture.
Below I will guide you step by step through the critical aspects of email security, including the vital features any email security product should have, and how to integrate them into your existing ecosystem.
Email Security gateway reference architecture
Today, a large number of customers have already migrated, or are planning to migrate, from legacy firewalls to next-generation firewalls. When deployed smartly, next-generation firewall technology provides complete visibility, control, threat prevention and sandboxing capabilities, to name a few. An email security solution together with next-generation firewall protection can provide the most complete protection against targeted attacks, including those orchestrated via the email attack vector.
In a typical, simplified network, an email security gateway can be deployed in either a physical or a virtual form factor (VMware ESXi, KVM, Hyper-V, etc.), placed behind a perimeter next-generation firewall for best results. Email security gateways are also available for public cloud deployments, thereby catering to the full spectrum of on-premise, cloud and SaaS-based email server deployments.
So, even if you have one or more on-premise Microsoft Exchange servers, SaaS-based Office 365 or G Suite deployments, or a hybrid setup comprising a distributed domain environment, you can seamlessly secure email by deploying an email security gateway at one location, either on-premise or in the cloud, to cater for distributed email servers.
Key features to consider for an email security gateway
The key features which are pivotal in an email security gateway solution are:
1. Effective Anti-Spam for email
Use sender, protocol and content inspection techniques that shield networks and users from unwanted bulk email. It starts with assessing IP, domain and other reputations and continues with various validation methods such as bounce, authentication and recipient verification, as well as DMARC, SPF and DKIM checks.
2. Email Anti-Virus and Anti-Malware - Known samples and Zero-day
Multi-tiered antivirus protection in the cloud is used to stop viruses and manage threats before they reach the network. Heuristics-based predictive technology is used to combat evolving virus threats. Effective email security should also protect users from following links to malware-bearing websites. Sandbox analysis, which detonates attachments and connects to embedded URLs, assesses the runtime behaviour of both files and links found in email bodies and attachments.
3. Data Loss Prevention (DLP) for email
Block and prevent data loss with a user-transparent, centrally managed, policy-driven DLP filter. When a user sends an email whose content matches a DLP policy, the appropriate action is taken automatically. DLP dictionaries and identifiers provide automatically updatable policies with high accuracy.
4. Email Archival and Retention
Archive inbound, outbound and internal messages received by and sent from Microsoft Exchange servers or Office 365 accounts. Protect email metadata by ensuring that all emails are actually archived at the point of origin and at the final destination. European customers' email should be archived in the EU and U.S. clients' email in the USA, supporting the requirements of the EU data protection directive. Having clear agreements on support for detailed email archive logs is also key to establishing strong enterprise email security.
5. Protection against email fraud with DMARC/DKIM/SPF
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the most recent advancement in email authentication. The DMARC standard was first published in 2012 to prevent email abuse. DMARC was created by PayPal together with Google, Microsoft and Yahoo.
With DMARC an organization gains insight into their email channel. Based on the insight provided, organizations can work on deploying and enforcing a DMARC policy for email security.
When the DMARC policy is enforced at p=reject, organisations are protected against:
- Phishing on customers of the organisation
- Brand abuse & scams
- Malware and Ransomware attacks
- Employees falling victim to spear phishing and CEO fraud
With DMARC it becomes possible to gain insight into phishing attacks against the organisation's domains. This way, customers can be informed in advance and are aware of these attacks. DMARC builds on the widely deployed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols. SPF authenticates the sender, and DKIM authenticates the message.
DMARC uses DKIM to make sure messages have not been tampered with, and builds on SPF for sender authentication. It also tells email receivers what to do when authentication fails, but it is then up to the receivers' email gateways to follow that advice. Domain owners instruct receiving gateways on how to handle unauthenticated email via a DMARC policy.
The DMARC email authentication framework comprises three key building blocks:
- Build an SPF record: specify which IP addresses are allowed to send email on behalf of your domains.
- Sign with DKIM: take responsibility for transmitting a message in a way that can be verified by mailbox providers.
- Implement DMARC: block any malicious messages claiming to come from your owned sending domains before they reach the inbox.
Implementing DMARC email authentication ensures senders are who they purport to be.
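As an added example (not code from the original article), the following Python shows what a receiving gateway does with a DMARC policy: it parses a DMARC record, checks whether the SPF and DKIM results are aligned with the header-From domain (relaxed vs strict alignment), and returns the disposition, so a spoofed "CEO" message that passes SPF only for the attacker's own domain is rejected under p=reject. The domains and DNS records are constructed and the organisational-domain logic is simplified (no public suffix list); no DNS lookups are made.

```python
# Added example, not the article's code: constructed DMARC records keyed by
# domain (in practice fetched from the DNS TXT record at _dmarc.<domain>).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs; reject non-DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain: str, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_result, action). spf_pass_domain is the MAIL FROM domain that passed
    SPF, dkim_pass_domain the d= domain of a valid DKIM signature (None means no pass)."""
    record = DMARC_RECORDS.get(from_domain.lower())
    subdomain = record is None
    if subdomain:  # fall back to the organisational domain's policy record
        record = DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return ("none", "accept")  # no policy published, DMARC does not apply
    tags = parse_dmarc(record)
    if aligned(spf_pass_domain, from_domain, tags.get("aspf", "r")) or \
            aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r")):
        return ("pass", "accept")
    # sp= (if present) overrides p= for subdomains of the organisational domain
    policy = tags.get("sp", tags.get("p", "none")) if subdomain else tags.get("p", "none")
    return ("fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept"))
```

Note that a message can pass SPF for the attacker's envelope domain and still fail DMARC, because DMARC requires the passing identifier to align with the visible From domain; that alignment check is what blocks CEO-fraud spoofing.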