By: Justin Jett
Phishing emails are now skating past traditional defenses. Justin Jett, director of audit and compliance at Plixer, discusses what to do about it.
Even with the most sophisticated email scanning and phishing detection systems, phishing emails remain a common intrusion vector for cybercriminals. They often use these to introduce malware, including ransomware, into a business network. This happens because cybercriminals increasingly use legitimate systems. Additionally, phishing emails can still be effective, even when employees are well-educated and skilled at spotting and reporting them.
Fortunately, there are tactics to protect your network even when the emails can’t be stopped outright.
Increasingly Effective Phishing
When legitimate email systems are compromised and begin sending out malicious emails from a valid source, the efficacy of phishing is magnified. This was what happened over the weekend when one of the FBI’s email systems was hacked to send out fake cybersecurity alerts to thousands of people.
The email didn’t seem to contain any phishing links. However, it still reveals significant security challenges for IT professionals. Most recipients wouldn’t question its legitimacy. Even if they checked the email headers, they might not notice anything suspicious. The email appeared to come from the FBI, just as it claimed.
This type of compromise is extremely dangerous. It renders email authentication mechanisms like DMARC, SPF and DKIM useless, because the message really does originate from an authorized source and therefore passes those checks. As a result, anti-spam and anti-phishing software is much less likely to flag the message as malicious.
Such compromises allow malicious actors to launch highly effective phishing attacks. So, if the email system has been compromised, what can organizations do to protect their networks from such attacks?
Protecting the Network when Phishing Can’t Be Stopped Outright
There are many resources that network and security professionals should use to protect the business from major attacks. Let’s explore a multi-layered approach to stopping these attacks.
1. Advanced Email Security
One of the most effective ways of stopping phishing attacks is to enable link protection in the corporate email settings. With this protection, the email system inspects the links in each message and removes the ones that lead to malware downloads. It can’t defend against every nefarious link, but it certainly helps reduce the number of malicious links that make it through to inboxes.
Setting higher spam-filter levels can also help block emails that have malicious intent. These settings use advanced heuristic modeling to look for poorly worded emails, or emails that have wording like other known malicious emails. Again, while not perfect, it’s certainly an important first line of defense.
2. Intrusion Detection and Prevention Systems
Hopefully, all organizations already have firewalls in place to block well-known malware from making it onto the network; however, some don’t have systems in place to block malware from spreading once it does enter. Intrusion detection and prevention systems enable organizations to find (detection) and block or alter (prevention) the attack before it can take hold of other systems. These systems often work together with endpoint protection (antivirus) to eliminate viruses and common malware.
There is one caveat here: These systems, while very sophisticated, are not as effective at finding relatively new malware or malware that is effective at hiding for long periods of time. This is because the system looks at packets as they traverse the network and thus often misses malicious activity that moves across the network in sporadic time intervals over days or months. Thus, include them, along with advanced email security, in a broader defense strategy.
3. Flow-Based Network Detection and Response (NDR)
Another important prong of a multilayered approach is network detection and response (NDR), which security professionals can use to detect suspicious traffic and to analyze or block malware that makes it through other security systems.
According to Gartner, NDR systems work by applying “machine learning and other analytical techniques to network traffic” and it “is helping enterprises detect suspicious traffic that other security tools are missing.” Behavioral, flow-based NDR tools complement signature-based detection solutions because they learn a baseline from previously observed network traffic and can then flag behavior that deviates from it, even when no signature matches.
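As an added illustration of the baselining that flow-based NDR performs (example code written for this article, not code from the author or any Plixer product), the following Python script learns which destination/port pairs each host normally talks to from constructed NetFlow-style records, then flags a new, sparse connection that recurs across many hours: the kind of low-and-slow activity that packet-at-a-time inspection tends to miss. All hosts, addresses, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records in a NetFlow-like shape: (timestamp, src, dst, dst_port, bytes).
# Days 1-7 form the learning window. Day 8 adds one host talking to a never-seen
# external address every 6 hours, which no single packet would make look suspicious.
BASE = datetime(2021, 11, 1)
LEARN_UNTIL = BASE + timedelta(days=7)
FLOWS = []
for day in range(7):
    for hour in (9, 12, 15):
        t = BASE + timedelta(days=day, hours=hour)
        FLOWS.append((t, "10.0.0.5", "10.0.0.20", 445, 50_000))      # internal file server
        FLOWS.append((t, "10.0.0.5", "93.184.216.34", 443, 8_000))   # usual SaaS destination
        FLOWS.append((t, "10.0.0.7", "10.0.0.20", 445, 30_000))
for k in range(4):  # day 8: sparse beacon from 10.0.0.5 to a new destination (constructed)
    FLOWS.append((BASE + timedelta(days=7, hours=6 * k), "10.0.0.5", "203.0.113.9", 443, 700))
FLOWS.append((BASE + timedelta(days=7, hours=9), "10.0.0.5", "10.0.0.20", 445, 50_000))


def build_baseline(flows, learn_until):
    """Per source host, record every (dst, port) pair seen during the learning window."""
    baseline = defaultdict(set)
    for ts, src, dst, port, _ in flows:
        if ts < learn_until:
            baseline[src].add((dst, port))
    return baseline


def detect(flows, baseline, learn_until, min_hits=3, min_span=timedelta(hours=12)):
    """Flag (src, dst, port) pairs absent from the baseline that recur over a long span.

    Requiring several hits spread across at least min_span separates a slow,
    repeated contact from a one-off connection to a new site.
    """
    seen = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if ts >= learn_until and (dst, port) not in baseline[src]:
            seen[(src, dst, port)].append(ts)
    alerts = []
    for (src, dst, port), times in seen.items():
        times.sort()
        span = times[-1] - times[0]
        if len(times) >= min_hits and span >= min_span:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "hits": len(times), "span_hours": span.total_seconds() / 3600})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, build_baseline(FLOWS, LEARN_UNTIL), LEARN_UNTIL):
        print(alert)
```

The baseline window here is a week of constructed flows; in practice the window and thresholds are tuned to the network, and the learned baseline itself must be rebuilt as legitimate traffic patterns change.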
A Balanced Approach
These three options, plus user education, endpoint detection and other best practices, can contribute to reducing the effectiveness of advanced phishing attacks. A multi-layered security approach strengthens the ability of security teams to prevent malware from spreading across their network, even when third-party systems are compromised.