3 Top Tools for Defending Against Phishing Attacks

By: Justin Jett

Phishing emails are now skating past traditional defenses. Justin Jett, director of audit and compliance at Plixer, discusses what to do about it.

Even with the most sophisticated email scanning and phishing detection system available, phishing emails are still a very common intrusion vector for cybercriminals to use to introduce malware, including ransomware, to a business’ network. That’s because 1) increasingly, legitimate systems are used; and 2) phishing emails can also be effective even when employees are highly educated and are good at spotting and reporting them.

Fortunately, there are tactics to protect your network even when the emails can’t be stopped outright.

Increasingly Effective Phishing

When legitimate email systems are compromised and begin sending out malicious emails from a valid source, the efficacy of phishing is magnified. This was what happened over the weekend when one of the FBI’s email systems was hacked to send out fake cybersecurity alerts to thousands of people.

While the email that was sent out didn’t appear to contain any phishing links, it does show that such email compromises can introduce significant security challenges for IT professionals. Most people who received the email would be unlikely to question its legitimacy—even if they looked at the email headers—because the email came from where it said it came from (in the above case, from the FBI).

This type of compromise is extremely dangerous: it renders email authentication mechanisms like DMARC, SPF and DKIM useless, since the email genuinely originates from an authorized source, which in turn makes anti-spam and anti-phishing software much less likely to flag the message as malicious.

Regardless of the actual damage done, the fact remains that such compromises enable malicious actors to execute very effective phishing attacks. So, if the email system has been compromised, what can organizations do to protect their networks from such attacks?

Protecting the Network when Phishing Can’t Be Stopped Outright

There are many resources that network and security professionals should use to protect the business from major attacks. While it would be too exhaustive to list them all, let’s explore a well-rounded, multi-layered approach to try to stop these attacks from gaining control of the network:

1. Advanced Email Security

Although email security is not infallible, as discussed above, there are some functions within email security that should be enabled so that the likelihood of infection from compromising emails is as low as possible.

One of the most effective ways of stopping phishing attacks is to enable link protection in the corporate email settings. With link protection enabled, the email system follows each link in an incoming message and removes the ones that lead to malware downloads. Obviously, this protection can’t defend against all nefarious links, but it certainly can help reduce the number of malicious links that make it through to inboxes.

Setting higher spam-filter levels can also help block emails that have malicious intent. These settings use advanced heuristic modeling to look for poorly worded emails, or emails that have wording like other known malicious emails. Again, while not perfect, it’s certainly an important first line of defense.
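To make the link-protection step concrete, here is an added example (not code from the original article or from any vendor product) that shows the two things such a feature does: it inspects every link in an incoming HTML message for risk signals and either drops the link or rewrites it through a click-time scanning gateway so the destination is checked again when the user actually clicks. The sample message, the blocklist and the gateway URL `safelinks.example.org` are constructed for the example; real mail gateways use their own threat feeds and detonation sandboxes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, quote

# Constructed sample HTML email body: one benign invoice link, one link whose visible
# text disagrees with its real href (a classic lure), and one raw-IP executable download.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. <a href="https://billing.example.com/inv/123">View invoice</a></p>
<p>Please <a href="http://login-update.example.net/reset">https://billing.example.com/account</a></p>
<p>Download the <a href="http://203.0.113.10/update.exe">updater</a>.</p>
"""

# Hypothetical blocklist and click-time gateway (assumptions for this example).
BLOCKLIST = {"login-update.example.net"}
GATEWAY = "https://safelinks.example.org/scan?url="


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


URL_IN_TEXT = re.compile(r"https?://\S+")


def assess_link(href, text):
    """Return the list of risk signals for one link; an empty list means no signal fired."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host in BLOCKLIST:
        reasons.append("blocklisted host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if parsed.path.lower().endswith((".exe", ".scr", ".js", ".hta")):
        reasons.append("direct executable download")
    # Display text that shows a different URL than the href is a strong lure indicator.
    m = URL_IN_TEXT.search(text)
    if m:
        shown = (urlparse(m.group(0)).hostname or "").lower()
        if shown and shown != host:
            reasons.append(f"display text points at {shown} but href goes to {host}")
    return reasons


def protect_links(html):
    """Per link: remove it if any signal fired, otherwise rewrite it through the gateway."""
    parser = LinkExtractor()
    parser.feed(html)
    decisions = []
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            decisions.append({"href": href, "action": "removed", "reasons": reasons})
        else:
            decisions.append({"href": href, "action": "rewritten",
                              "rewritten": GATEWAY + quote(href, safe="")})
    return decisions


if __name__ == "__main__":
    for decision in protect_links(SAMPLE_EMAIL_HTML):
        print(decision)
```

Rewriting the surviving links, rather than only checking them once at delivery time, is what lets the gateway catch a destination that was clean when the message arrived and weaponised later, which is the gap the article notes a one-time scan cannot close.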

2. Intrusion Detection and Prevention Systems

Hopefully, all organizations already have firewalls in place to block well-known malware from making it onto the network; however, some don’t have systems in place to block malware from spreading once it does enter. Intrusion detection and prevention systems enable organizations to find (detection) and eliminate/alter (prevention) the attack before it can take hold of other systems. These systems are often used as a coordinated effort with the endpoint protection (antivirus) that helps eliminate viruses and common malware.

There is one caveat here: These systems, while very sophisticated, are not as effective at finding relatively new malware or malware that is effective at hiding for long periods of time. This is because the system looks at packets as they traverse the network and thus often misses malicious activity that moves across the network in sporadic time intervals over days or months. Thus, they, like advanced email security, should be included as part of a broader approach that includes other defenses.

3. Flow-Based Network Detection and Response (NDR)

Another important prong of a multilayered approach is network detection and response (NDR), which security professionals can use to detect suspicious traffic, and analyze/block malware that makes it through other security systems.

According to Gartner, NDR systems work by applying “machine learning and other analytical techniques to network traffic,” and NDR “is helping enterprises detect suspicious traffic that other security tools are missing.” Behavioral, flow-based NDR tools complement signature-based detection solutions because they can detect anomalous behavior by comparing current traffic against previously observed network traffic.
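The following is an added example (not code from the article or from any NDR product) of the flow-based, behavioral approach described above: it learns a per-host baseline from several days of NetFlow-style records (which peers each host talks to, and how many bytes it sends per day) and then flags flows in a new day that deviate from that baseline. Because it aggregates per day instead of judging packets one at a time, it is the kind of analysis that can surface the slow, sporadic movement the previous section says packet-based IDS tends to miss. All flow records, hosts and thresholds here are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records in a NetFlow-like shape: (day, src, dst, dst_port, bytes).
# Days 1-5 form the learning window; day 6 is the window being analysed.
BASELINE_FLOWS = (
    [(d, "10.0.0.5", "10.0.0.20", 445, 40_000 + 2_000 * d) for d in range(1, 6)]
    + [(d, "10.0.0.5", "198.51.100.7", 443, 12_000) for d in range(1, 6)]
    + [(d, "10.0.0.6", "198.51.100.7", 443, 9_000) for d in range(1, 6)]
)
NEW_FLOWS = [
    (6, "10.0.0.5", "10.0.0.20", 445, 51_000),
    (6, "10.0.0.5", "198.51.100.7", 443, 12_500),
    (6, "10.0.0.5", "203.0.113.9", 443, 800_000),   # never-seen external peer, large volume
    (6, "10.0.0.6", "198.51.100.7", 443, 9_100),
]


def build_baseline(flows):
    """Profile each source host: the set of (dst, port) peers it uses and a daily-bytes threshold."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        daily[src][day] += nbytes
    profile = {}
    for src, peer_set in peers.items():
        totals = list(daily[src].values())
        mu = mean(totals)
        sigma = pstdev(totals)
        # Assumed tolerance: three standard deviations, floored at 25% of the mean so a host
        # with perfectly regular traffic (sigma == 0) is not flagged for a trivial increase.
        profile[src] = {
            "peers": peer_set,
            "mean": mu,
            "threshold": mu + max(3 * sigma, 0.25 * mu),
        }
    return profile


def detect(profile, flows):
    """Return alerts for flows to unseen peers and for hosts whose daily volume exceeds baseline."""
    alerts = []
    day_totals = defaultdict(int)
    for day, src, dst, port, nbytes in flows:
        day_totals[src] += nbytes
        p = profile.get(src)
        if p is None:
            alerts.append({"host": src, "type": "unknown_host",
                           "detail": f"no baseline for {src}"})
            continue
        if (dst, port) not in p["peers"]:
            alerts.append({"host": src, "type": "new_peer",
                           "detail": f"{dst}:{port} never seen in baseline"})
    for src, total in day_totals.items():
        p = profile.get(src)
        if p is not None and total > p["threshold"]:
            alerts.append({"host": src, "type": "volume_spike",
                           "detail": f"{total} bytes vs threshold {p['threshold']:.0f}"})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for alert in detect(baseline, NEW_FLOWS):
        print(alert)
```

Run as written, the host 10.0.0.5 produces two alerts (a new external peer and a day-6 volume far above its learned threshold) while 10.0.0.6, whose traffic barely changed, produces none. In practice the learning window would be weeks, not five days, and the alert would be enriched with the peer's reputation before an analyst sees it, but the shape of the logic is the same.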

A Balanced Approach

These three options, plus user education, endpoint detection and other best practices, can contribute to reducing the effectiveness of advanced phishing attacks. By deploying a multi-layered security approach, even when third-party systems are compromised, security teams are more effective at preventing malware from spreading across their network.


The Year of Ransomware

11/4/2021 Ray Wyman

According to SonicWall, with 495 million known ransomware attacks so far this year, 2021 is now on track to be the worst ever recorded.

The ransomware juggernaut is still rolling through global networks at ever-increasing speed and accuracy. Threat actors are battering through surprisingly weak cybersecurity defenses of some well-known and essential businesses and government agencies. To say that these hacks are causing problems and consternation threatens to be a gross understatement. These cyberthreats are global, catastrophic and potentially deadly.

A 148% Increase in the Number of Attacks

Meanwhile, SonicWall was back in the news with a new report titled The Year of Ransomware. The stunning headline is backed up with an updated third-quarter tally that shows ransomware attacks increased by 148%. With 495 million known ransomware attacks, 2021 is now the worst ever recorded. Additionally, SonicWall confidently forecasted that the year could end with 714 million ransomware attacks.

The report also records a 33% rise in IoT malware attacks worldwide, most prevalent in the US and Europe. There was also a 21% increase in cryptojacking in the US, with Europe inundated with a massive 461% growth.

Growing Concern: A 73% Increase in Unique Malware Variants

The company goes on to note that its customers experienced 1,748 ransom attempts during the third quarter. Put another way, there were 9.7 ransomware attempts per customer for each and every business day. But the most troubling aspect of that incredible number is that SonicWall claims that they detected 307,516 “never-before-seen” malware variants — a 73% increase over previous years. 

SonicWall arrives at this number using its patented RTDMI™ (Real-Time Deep Memory Inspection) technology in its cloud-based Capture Advanced Threat Protection (ATP) sandbox service. Among several patented innovations, RTDMI leverages memory inspection and CPU instruction-tracking with machine-learning capabilities. As a result, the system efficiently recognizes and mitigates cyberattacks, including threats that do not initially show malicious behavior.

This rise in variants points to a growing ability for cybercriminals to rapidly diversify the software they use to attack networks and computers. Coupled with a constant flood of attacks, businesses and individuals will find it increasingly difficult to protect themselves.

A Rise in Other Attacks as Well

Recently, the trade organization that represents and supports telecoms in the UK, the Comms Council UK, says that cybercriminals are also targeting their members with DDoS (distributed denial of service) attacks as an additional means of extorting money. 

The organization reports that the incursions appear to be coordinated and extortion-focused, adding that the UK telecom industry has never seen anything like it.

Previously, DDoS attacks were often considered an unsophisticated “blunt instrument” for an attack. However, unless an organization is fully equipped with the latest cybersecurity technology, this kind of attack can be devastating, even if it’s only partially successful. And now, it seems, companies could be held for ransom from this vector as well. 

A Nearly Unimaginable Upward Trend

The 190.4 million ransomware attacks in the third quarter are the highest ever recorded by SonicWall. Additionally, the statistic nearly eclipses the 195.7 million total ransomware attacks recorded during the first three quarters of 2020.

“As we see it, ransomware is on a nearly unimaginable upward trend, which poses a major risk to businesses, service providers, governments and everyday citizens,” said SonicWall President and CEO Bill Conner. 

Despite movements to secure infrastructures, the UK has seen a 233% surge in the number of ransomware attacks, and the US has witnessed a 127% year-to-date increase.

A Grace Period Comes to an Abrupt End

As the sheer volume of attacks elicits words like “global crisis,” “ruthless,” and “a significant national security threat,” people appear to be content to restore a sense of normalcy. And yet, the crisis continues unabated.

“Cybercriminals have never let up, driving ransomware campaigns to record numbers through the first three quarters of 2021,” said Conner. “These criminal organizations will continue to launch highly sophisticated cyberattacks that are designed to target organizations and business with weak or lax security controls.”

Conner has a point. With the flood of attacks from all directions, companies and governments will find it increasingly challenging to protect their networks and assets with old or out-of-date security.

The real-world damage we’re experiencing is far beyond anecdotal. We’re literally staring down the avenue of a global crisis that has already taken a severe toll on businesses and governments everywhere. 

The only thing we can conclude is that any grace period we may have enjoyed from having to enforce stricter cybersecurity has ended abruptly.

“The techniques deployed by ransomware actors have evolved well beyond the smash-and-grab attacks from just a few years ago,” said SonicWall Vice President of Platform Architecture Dmitriy Ayrapetov. “Today’s cybercriminals demonstrate deliberate reconnaissance, planning and execution to surgically deploy toolchains targeting enterprise and government infrastructure. This results in larger victims and leads to higher ransoms.”