Hacker Mindset: Email Is the Golden Ticket

Image

In my ongoing blog series “Hacker Mindset,” I’ll explore an attacker's assumptions, methods and theory, including how information security professionals can apply this knowledge to increase cyber-vigilance on the systems and networks they steward. In this first article, I examine how email provides a tool for hackers to gain a foothold into company networks and what you can do to stay one step ahead of these threats.

Why Email?

Attacks on business networks are on the rise. Record amounts of corporate data are being compromised and put up for sale on the dark web. Many times, these security breaches involve a hacker delivering malicious code (such as ransomware or spyware) to a targeted end-user through email systems. Hackers using email as a vector makes sense—most everyday users of the internet lack either the knowledge or the vigilance required to identify simple threats, such as phishing scams or suspicious email attachments.

Standard Defense Tactics

Most network perimeter protection plans employ an email security gateway that filters messages for spam content, malicious code and bad URL links. How is it possible that these messages are making it into user email mailboxes? Traditional anti-virus programs can be circumvented and are not as useful in today's threat landscape. For instance, emails and files designed specifically for a hacker’s target can evade anti-virus software and land straight into the target’s email inbox. After the target opens the attachment, the custom-made code can exploit vulnerable systems and spread throughout the environment and even evade detection for lengthy periods of time.

Recommendations

Given the state of email security, how can you prevent a hacker from using email to breach your network? Below are some recommendations:

• End-User Training Is Paramount: A critical pillar of any effective information security program will be end-user training. Does your organization train employees to identify and report suspicious emails? Does it have a robust testing and compliance program to ensure end-users are applying their training in real-world environments? Training shouldn't be just given to employees once a year or only upon onboarding. Rather, security awareness training should be regularly tracked, tested and enforced as part of continuous business operations.
• Incident Detection and Response: Incident management is key to any information systems environment. Thus, your organization should develop a plan for responding to email threats and then rehearse it with both end-users and incident response personnel. There are many moving parts, and it's best to reference the NIST 800 series for guidance. It takes about 146 days to discover a network compromise with some breaches going years before detection. Can your organization detect these threats promptly?
• Look at Whitelisting: That's not to say whitelist the TLDs you expect to communicate with. Rather examine how your SMTP gateway is configured to whitelist. Many appliances will bypass threat checks if the incoming domain is on the whitelist. A hacker could masquerade as your external partner or sister company to get a message past the filter. Knowing how your whitelisting works can help reduce unwanted messages. Organizations should take the risk of password protected ZIP files in email messages seriously. This characteristic attack vector will always bypass perimeter controls because the archive cannot be examined by your security process since it is encrypted. It’s best to block password protected ZIPs and all unnecessary file extensions.
• Limit File Types or Ban Them Altogether: SMTP is ill-suited for efficient file transfers of large files, so why force it? Moreover, consider limiting attachment file types to non-executable files. File-sharing services, either on-premise or in the cloud, are more secure than emailing files back and forth. It can also provide a better user experience for colleagues that, say, need to collaborate on a document. Limiting the attack surface of files sent in email is a prudent strategy.
• Block Macros Use in Your Microsoft Office Products: A typical email exploit I see with malicious code involves macro scripts inside Microsoft Word, Excel, or PowerPoint documents. By simply disabling macros, you can close off this attack surface. Microsoft has made this easy in Office 2016 by including a feature to disable most macro malware attacks. Otherwise, look into a deployed GPO that can accomplish this task.
• Update and Patch Systems: The time to patch a system should be as close to the release by the vendor as possible. Try to deploy a good QA system for your patches to arrive in production faster than an attacker can exploit a vulnerability. Hackers are getting wise to this gap, and that is how they employ their exploits in the e-mail packages they are sending users.
• Line Protocol and Border Analysis: What is happening on the Ethernet line is just as important. Employ solutions which call out suspicious connections, odd transfer sizes and PII data leakage. This task is one of the hardest recommendations because of the expertise and expense needed to gain visibility in a packet network. Encryption on the line is the biggest challenge here as organizations work to balance the need to inspect traffic for malicious content versus user privacy.
• Asset Change Detection: All critical systems should have integrity monitoring that is cryptographically verifiable. Integrity monitoring ensures you can identify where network intrusions have occurred and how they have affected your critical infrastructure. Having a stable system in place will reduce the incident detection time window and provide valuable insight to what the hacker did.
• No Files, No Links, No Problem: Attackers will send messages with all text, no links, or attachments for maximum delivery success. Financial fraud is the driving purpose for these types of messages, and a savvy hacker will know how to impersonate employees in your organization for purposes of inducing someone to open a message and take a particular action. This type of attack is called social engineering, and S. businesses have lost billions of dollars to this scam type. Here, security awareness is critical, and only a trained employee will know how to handle the situation.

Conclusion

A comprehensive IT security program can counter the threats facing email. A successful program will train employees to identify common email scams, develop an effective incident response protocol, and evaluate internal systems security practices. What do you think? Do you have anything to add? I welcome your feedback and ideas of how you handle your organization's security and combat the hacker mindset.