There Will be Attacks – Improve Your Defenses

Presentation transcript:

There Will be Attacks – Improve Your Email Defenses
Achmad Chadran, Product Specialist
Pleased to be a sponsor for this Data Connectors event. The title means email-borne cybercrime is a matter of “when,” not “if”; we know this from our grid. Why email?

91% of all incidents start with a phish. Email is mission-critical. It’s everywhere. Some 225 billion emails – both business and personal – are sent each day worldwide. A successful attack can deliver the keys to the kingdom. And a successful attack doesn’t need to be technically sophisticated…just smart. (Wired 2015)

Think Your Employees are Alert Enough to Stop Them? That’s why it’s imperative that we – all of us – get reminded regularly about the risks of suspicious emails. User awareness is something we at Mimecast call the Human Firewall. We’re a lot like these cute meerkats with our herd mentality. It’s up to CIOs, compliance officers, ALL execs, to leverage this fact. Pop quiz: anyone know how long it takes on average for a recipient of a phishing exploit to click on the link?

A phish: median time-to-first-click is 1 minute 22 seconds. That is the median time for someone to click on a phishing link. That’s the median; imagine what the lower outliers are. (Verizon 2015 Data Breach Investigations Report (DBIR))

How Do The Attackers Do It? Again, it may involve malware – ransomware is rampant and growing. But without the social engineering component, even ransomware would be ineffective!

Do You Have a Page Like This On Your Website? How do attackers get their information? An easy way to find out about a company is to visit their website. Most companies have information about their executive teams. What better way to entice a user to open an email than having it look like it’s from the CEO, the CFO or some other senior leader? Remember that it only takes one employee to “click before they think” to compromise an entire organization.

And if a cybercriminal should need any remedial education, no worries! In all fairness, titles like these are intended to help the white hats among us. But the bad guys know we’re learning, so their attacks and exploits are evolving with amazing speed. It’s an arms race on amphetamines. New ways to get in. New ways to fool well-meaning people. Email is the prime gateway.

You are susceptible to email-borne attacks if….
You have certain letters in your domain name
You accept resumes on your website
You have a team of people in finance
You have a profile
Your life is deemed interesting enough to be on
Thanks to this innovation, all of these are risk factors. Cybercriminals have access to a wealth of information they can use to disguise themselves and incite panicked responses. Is there any wonder why we’re living in both a Cybercrime Era and a Social Media Era?

Bitcoin! Another huge breakthrough for our cybercriminal friends! The digital currency phenomenon is fascinating. I personally believe it’s ultimately going to make our lives better, especially as we embrace blockchain technologies. But did ransomware take off when Bitcoin came of age? No breadcrumbs, no track and trace.

There are other ways to gather information cybercriminals can leverage. You can use a program that harvests email addresses. These are cheap and easy to use. Just type in a domain and you’ll get a list of email addresses for that organization. Are we in the wrong line of business, folks?

You don’t even need to know how to code. I ask in jest, but look at this. Attackers don’t have to know how to code; they don’t even have to be tech-savvy. They can download TOX, a ransomware construction tool that provides an easy-to-use graphical interface that allows attackers to track how many folks have been infected and track the ransom paid. Introducing the cybercriminal industrial complex: developers, agents, strategic tie-ups. Source: Forbes.com - "Ransomware As A Service Being Offered For $39 On The Dark Net" 7/15/16

FUD (Fully Undetectable) Crypting Services to avoid AV detection. Another example: you may be an attacker who can code but don’t know how to evade sandbox detection. That’s not a problem: there’s an online service that can help. FUD (fully undetectable) crypting services use obfuscation, encryption and code manipulation.

Real-life examples. Here are some examples of convincing attacks we’ve collected in the recent past. Maybe you’ve seen some of these too.

Vector: Phishing attack with malicious URL
Threat: Entering credentials
Target: Random mass-mailing
This is your classic phishing attack. This one uses a malicious URL as the detonator. When customers of Mimecast Targeted Threat Protection click, here’s what they get: a mini-tutorial on the dangers of taking action.

Vector: Phishing email with attachment
Threat: Opening the document and activating malicious code
Target: Targeted mailing
Here’s another phishing exploit, this one using an attachment that’s been weaponized with a malware agent, maybe a macro. This one was also intercepted at our gateway. The threat was detected and neutralized. The attachment was replaced with an inert PDF – no macros. And there are instructions attached that let recipients decide whether this was an attachment they needed in its original format, while reminding them of the risks. In the crush of the busy workday, it’s all too easy to want to crank through your emails.

Who Says Attacks Need to Involve Malware? Business Email Compromise, Whaling, Wire transfer, W-2 Fraud. These attacks are often called Business Email Compromise, wire transfer fraud, W-2 fraud or whaling. What sets these attacks apart is that they don’t use malware to achieve their goal. They rely purely on the power of social engineering and the inherent trust in email. Impersonation attacks are a huge threat because traditional security systems like AV cannot detect this type of attack. Even solutions that scan URLs and detonate attachments in a sandbox are powerless in preventing these attacks. Defending against these attacks requires specialised tools that monitor multiple indicators of potential compromise.

Vector: Spear phishing attack
Threat: Impersonating senior staff
Target: An employee with authority
The difference between a phish and a spearphish is that spearphishing is more targeted. This one was sent to a specific individual with a particular role in the company. Anybody spot what’s wrong with this email?

Vector: Spear phishing attack
Threat: Impersonating senior staff
Target: An employee with authority
Another spear-phishing (or whaling) exploit. Instead of our CEO, this one involves impersonating our CFO. Can any of you spot the anomaly here?

Herd alertness helps, but… While part of the aim here is to create herd alertness in your organization, there are clearly times when user action is warranted. The intention is not to make everyone suspicious of everything, or make everyone a security pro, but to make them alert enough to linger over a link or attachment. The Mimecast security awareness tools help in this mission to complement the other tactics you should use, like training and perhaps simulated exercises.

Are Users Part of the Solution or Part of the Problem? The Compromised Insider. The Careless Insider. The Malicious Insider. Anyone can fall victim to an email exploit.

Can we do more with technology? - YES! Layer one is of course the technology.

Mimecast Cloud Service Inspects >650M Inbound, Outbound, & Internal Emails/Day for Both Opportunistic & Targeted Attacks

Mimecast Email Security Suite: Cyber Resiliency
Comprehensive protection, simply achieved in the cloud
Secure Gateway
- Anti-virus / malware
- Anti-spam
- Reputation analysis
- Zero-day protection
- Continuity
- Independent Archive
- Backup & Recovery
Targeted Threat Protection: URL, Attachment, Impersonation, Internal Emails

Cyber Resilience
Protect: You need the technology that provides the best possible multi-layered protection.
Continue: You need to continue to work while the issue is resolved.
Remediate: You need to get back to the last known good state.

Thanks. Questions?