When it comes to enforcing E-mail security and avoiding attacks, the world has adopted a wide variety of strategies with which we can quite comfortably guard against business email compromise (BEC), spearphishing and other forms of attack on our network assets.
Safeguarding corporate assets such as E-mail usually involves a set of tools, and free and open source software can be leveraged as well, provided the system administrators are technically competent.
Sandbox-based testing lets us isolate indicators of compromise and contain the damage instead of allowing it to spread and infect more machines.
A network attack usually means loss of face, the loss of several million dollars in revenue, and damage to the brand as well.
Among the popular sandbox implementations for analyzing malware behavior, Joe Sandbox and Cuckoo Sandbox come to mind.
The ability to face an E-mail-based scam, whether by machines or by human knowledge and ingenuity, has improved over time, but as of 2022 we have still not reached the point where we can confidently say that our software and our user awareness and training will defeat E-mail-based attacks perpetrated by fraudsters who either want a quick buck or want to spread misery all around.
For an attack to succeed, the attacker does not need to target only companies that lack a firewall, a secure email gateway (SEG) or some such thing.
An attack can quite easily get past any industry-standard firewall or SEG, particularly since we cannot detect spearphishing or business e-mail compromise anyway, not by user training and not by software or AI.
But active research is going on, and attackers keep playing catch-up despite the improvements in the protection of network assets and users.
In this article we shall examine the state of the art in E-mail threat control as of 2022.
One of the most common ways to attack and steal cash has been phishing using fraudulent URLs, and the websites those URLs point to are typically operated by the fraudsters themselves and their accomplices.
Typically the attackers operate on a model of collaboration and revenue (or loot) sharing, in which the networks used to send spam, the websites used as phishing landing pages, the malware behind those links that infects end-user machines, and so on are all hosted by the same groups.
Against such a coordinated effort to cause harm, how can standalone machines or networks that perform malware analysis or sandboxing help? Needless to say, attackers who write malware are also aware of sandboxes and of the YARA rules that detect spam content.
The ability of software components to detect a piece of malware has doubtless improved over the past few decades: plenty of effort has gone into maintaining the supporting infrastructure that detects abnormal network activity, spam sources and open relays, and once a misbehaving piece of software is detected anyone can report the new malware and databases the world over are updated.
Once spam control software checks a sample against such a malware database through an API, the spam is detected and stopped. So the intelligence to detect, share and analyze attacks has come a long way indeed.
Plenty of cyber security companies make millions of dollars studying network behavior, reporting compromises and scanning network assets.
Despite all this, the E-mail security landscape is still filled with vendors attacking the age-old e-mail spam problem, each using a different method, though plenty of the tactics are common across security vendors.
Even though a malware-lookup API or a YARA rule has a high ability to detect spammy content, we still must resort to analyzing how a piece of malware behaves in a controlled threat environment.
A sandbox environment is like a quarantine lab that replays the attack so we can study the malware author's intent and how the malware behaves in a particular attack environment.
Attacks like Sunburst (attributed to UNC2452) tell us that even at well-funded companies with deep pockets and ample resources an attack can go undetected for months on end.
What then of SMEs and SMBs? Attacks are common even against hospitals and defense environments, and though many of these compromises are not life-threatening, individuals travelling to dangerous countries have been killed and money has been stolen.
But companies by and large fall victim to espionage or data theft, and most entities find it embarrassing even to talk about it.
So what does one do to protect oneself from E-mail threats?
Malware mutations and the new methods employed are being studied by research labs and academic institutions worldwide. Attackers used to get away with minor code modifications to thwart signature-based checks, in which a checksum was used to detect a specific type of malware or a dictionary lookup could identify an attack vector.
But in today's world, with YARA and friends, things have become tough for attackers, and several malware authors are aware of this as well.
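To illustrate the checksum-versus-pattern point above, here is an added Python example (not code from the article): it constructs a harmless stand-in payload, changes one non-functional byte the way a trivial mutation would, and shows a SHA-256 signature missing the variant while a simplified YARA-style rule (a toy re-implementation of "N of these strings", not the yara library) still matches.

```python
import hashlib
import re

# Constructed stand-in for an attachment payload. Plain bytes, not real
# malware; only the matching behaviour matters here.
ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 12 +
    b"cmd.exe /c powershell -enc QUJD\x00"
    b"http://payment-update.example/invoice\x00"
    b"build=1.0\x00"
)
# The "mutation": one harmless build string changed, behaviour unchanged.
MUTATED = ORIGINAL.replace(b"build=1.0", b"build=1.1")

# Classic checksum signature: an exact-hash lookup of known-bad samples.
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL).hexdigest()}

def hash_signature_matches(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256

# Minimal YARA-style rule: named strings plus an "N of them" condition.
# Toy re-implementation for illustration, not the real yara engine.
RULE = {
    "name": "invoice_dropper_like",
    "strings": {
        "$mz": b"MZ",
        "$ps": re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]+", re.I),
        "$url": re.compile(rb"http://[a-z0-9.-]+/invoice", re.I),
    },
    "min_matches": 2,
}

def yara_like_matches(sample: bytes, rule=RULE) -> bool:
    hits = 0
    for pattern in rule["strings"].values():
        if isinstance(pattern, bytes):
            found = pattern in sample          # literal string match
        else:
            found = pattern.search(sample) is not None  # regex match
        hits += found
    return hits >= rule["min_matches"]

def compare(sample: bytes) -> dict:
    return {"hash": hash_signature_matches(sample), "rule": yara_like_matches(sample)}

if __name__ == "__main__":
    print("original:", compare(ORIGINAL))  # both True
    print("mutated: ", compare(MUTATED))   # hash False, rule True
```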
Often regimes like those of North Korea, China or even Russia get involved, and big companies with a lot of revenue become targets because they can be extorted and will typically not talk about it in public, to save face.
The brand damage involved in a security breach is incalculable, and in 2022 most companies prefer to keep a compromise secret, just as they did in 2000.
The attack vectors you find in the wild mostly use URLs, though sending malware as an attachment is still widely seen today, just as before.
The expense involved in E-mail-related attacks, their mitigation and the collateral damage has also remained comparable to recent years.
Even measures like SPF, DKIM, ARC, DMARC and RBL checks have not been able to help much when it comes to spearphishing and business E-mail compromise.
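The spearphishing gap in these checks, as an added Python example (not the article's code): a relaxed-alignment DMARC evaluation over constructed Authentication-Results headers shows a forged From: failing, but a lookalike domain the attacker registered and set up properly passing SPF, DKIM and DMARC cleanly. The `resembles_protected` helper and the two-label `org_domain` shortcut (no Public Suffix List lookup) are assumptions of this example, standing in for the extra checks a gateway needs on top of authentication.

```python
import re
from email import message_from_string

HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def org_domain(domain: str) -> str:
    # Relaxed alignment compares organizational domains. Simplification:
    # take the last two labels instead of consulting the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_evaluate(raw: str) -> dict:
    # Evaluate DMARC alignment from From: and the receiving MX's own
    # Authentication-Results header (RFC 8601 style). Assumed example logic.
    msg = message_from_string(raw)
    from_dom = re.search(r"@([\w.-]+)", msg["From"]).group(1)
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", ar)
    spf_ok = bool(spf and spf.group(1) == "pass"
                  and org_domain(spf.group(2)) == org_domain(from_dom))
    dkim_ok = bool(dkim and dkim.group(1) == "pass"
                   and org_domain(dkim.group(2)) == org_domain(from_dom))
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

def resembles_protected(from_dom: str, protected: set) -> bool:
    # The question DMARC cannot answer: does an authentic sender domain
    # merely look like one of ours? Crude digit-for-letter normalization.
    return (from_dom not in protected
            and from_dom.lower().translate(HOMOGLYPHS) in protected)

# Constructed sample messages (not real mail), headers as our MX would add them.
LEGIT = """From: CFO <cfo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=cfo@example.com; dkim=pass header.d=example.com

Please approve the wire."""

SPOOFED = """From: CFO <cfo@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk@mailer.example.org; dkim=none

Please approve the wire."""

LOOKALIKE = """From: CFO <cfo@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=cfo@examp1e.com; dkim=pass header.d=examp1e.com

Please approve the wire."""
if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)]:
        r = dmarc_evaluate(raw)
        print(name, r, "lookalike:", resembles_protected(r["from_domain"], {"example.com"}))
```

The lookalike message passes every authentication check because the attacker's domain really is authorized to send for itself; only the resemblance check flags it.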
Despite a very dynamic network environment, in which the big bad Internet has always had good and bad actors alike, the methods used to attack and to protect have largely remained the same.
The use of artificial intelligence and machine learning to study network behavior and inspect E-mails for tell-tale signs of an E-mail-related compromise has evolved, with companies like Abnormal Security doing some research into it.
But most security gateways do not implement AI or ML in spam control to the best of my knowledge.
Computer vision and related techniques are recommended by Gartner, but I have my doubts whether they are widely used and successful in protecting a lay user.