E-mail threat control techniques

Introduction

SpamCheetah is an E-mail threat control SEG (secure E-mail gateway). Deploying it as a secure E-mail gateway in your network is how you protect yourself from E-mail related attacks.

Most network annoyances and compromises are initially spread through mail. So if you can secure mail, the battle is won most of the time.

The threats that exist at the SMTP level are always perpetrated by humans. The SMTP protocol delivers a dangerous e-mail to your inbox, but unless it is acted upon by a human like you, it cannot cause any harm.

The malicious code, whether it runs as a virus, worm, trapdoor or even a phishing link, can only take effect if humans take action.

This is why companies like Sophos do end user training to help protect their users instead of depending only on software to thwart attacks.

The various categories of E-mail related threats can be seen in detail in the next section.

What can hurt you online?

In general, scams occur on the Internet just as they occur in the real world. They could be linked to funds being collected for charity, a friend who is in danger, someone who needs money to escape from a cruel regime, or some medical expenses.

The easiest way for most people to reach you and establish contact is e-mail, and scammers use it too. In most cases people delete mails from unknown senders, but a small percentage of gullible users fall for such schemes.

You can call it a form of social engineering, or playing with your emotions so to speak, when you are made a victim like countless others on the Internet. We live in a world where communication on the Internet cuts across continents, time zones and cultures seamlessly.

The ability to reach any sucker around the world for free using the Internet became something that scam artists and con artists benefited from.

And at a fraction of the cost of a normal scam operation they could lay their hands on a fool's money, at least with some trickery.

It is not exactly a fool's money, since if you analyze deeply, everyone is prone to some sort of fancy or foolishness, and it is easy to fall for easy money anyway.

Now let us look at how human weakness is capitalized on by other humans, and how machines and software can help protect one from such age old scams.

Malware checking methods

One of the main methods of causing you harm is by asking you to send money using one of the schemes mentioned above.

But if they wanted to cause severe damage to your network infrastructure, and a lot of collateral damage in the bargain, attackers resort to what is now commonly known as malware.

Malware stands for malicious software and could mean a wide array of things:

  • adware
  • backdoor
  • bot
  • ddos
  • dropper
  • exploit-kit
  • keylogger
  • ransomware
  • remote-access-trojan
  • resource-exploitation
  • rogue-security-software
  • rootkit
  • screen-capture
  • spyware
  • trojan
  • virus
  • worm

Just to make things a little easier for us, we shall stick to the term malware and understand that it could mean any of the items above and more.

The Internet is always producing more and more such malicious software, intended to run in specific environments and cause a specific harm or an array of harmful things.

Such things could mean spying on what is going on inside your company, defacing your network assets or website, flooding your network, or whatever else the software is written to do.

E-mail is typically employed as a payload or carrier of malware, and remember, a piece of malware can only execute in the CPU architecture, hardware or software environment it was written for.

So the malware gets a chance to infect your machine only when the code is run, and malware authors are usually smart enough to know how to replicate, hide its presence and even trigger only at certain times of the day or week.

Remember, malware is just software, and whatever software can do, malware can do as well. So in the past few decades malware authors have become more and more sophisticated in the way they infect, spread through and damage target networks.

E-mail is one of the methods by which malware spreads or an attack begins, but not the only one.

How malware is tested inside a sandbox

Among the methods by which you can analyze a piece of malware once it is suspected to be one, a sandbox environment is a really powerful one.

Very respectable names in the security industry, big corporate players in the cyber security space, have come up with sandbox implementations that study malware attacks, and they publish reports that warn us about the existence of various attack vectors from time to time.

But what if the attack is new? Or a modification of an old one that goes undetected by malware scanners?

Typically secure e-mail gateways also come equipped with various tools and techniques to detect the presence of malware and stop it from inflicting harm on e-mail inboxes.

In this endeavor a sandbox can go a long way towards helping one identify the harmful effects of malware.

A sandbox environment like the one by FireEye, Cuckoo Sandbox or Joe Sandbox can execute a malware sample and analyze its behavior in terms of memory, network or CPU usage: what network ports it contacts, and how it operates and infects machines.

The sandboxed environment is typically walled off from the outside network in order to avoid infecting other machines by mistake; this is similar to a coronavirus test lab or a quarantine.

A sandbox can give you valuable insights into malware behavior that can potentially even be used in a court to initiate proceedings against the author, if caught.

Now let us look at what other tools we have to deal with malware.

What can yara or rules engine do?

To detect the presence of malware in an e-mail, the e-mail body must be MIME decoded and its attachments extracted, so that they can be analyzed and submitted to a malware API service.

An API service, such as the one offered by VirusTotal or abuse.ch, is one in which you compute a SHA256 or some other hash of the executable and compare it against a central database of known matches.

If the malware signature matches, a red alarm is sounded and the mail is quarantined or dropped.

Malware spreading in E-mail is a serious concern, and some secure e-mail gateways even alert the sys admin about it.

Now, another technique to analyze malware or detect its presence is by using YARA rules. YARA rules are a form of signature based technique that can detect minor malware modifications. You can write a very broad set of rules to catch the small changes that malware authors make in order to pass through spam filters and the firewalls that stop malware once it has been identified.

YARA rules can be used for generic security threats, since the rules based engine can look for strings or binary data, or even files, inside objects, main memory or even URLs.

The attacks are becoming more and more sophisticated, and so are the good guys who protect us from attackers. The game of Internet fraud and the way we fight it is in a constant state of flux.
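As an added illustration of the two detection steps described above (MIME-decoding a mail to hash its attachments for a database lookup, then applying YARA-style string rules), here is example code that is not part of SpamCheetah. The message, the rules and the known-bad hash set are constructed; the hash set stands in for the VirusTotal or abuse.ch lookup.

```python
import email
import hashlib
from email import policy

# Constructed sample message: a text body plus a 16-byte attachment whose
# first bytes imitate a Windows executable header (not real malware).
RAW_MAIL = b"""Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed YARA-style rules: a rule fires when at least min_hits of its
# patterns are found; an offset pins a pattern to that position in the file.
RULES = {
    "pe_executable_attachment": {"patterns": [(b"MZ", 0)], "min_hits": 1},
    "office_macro_container": {"patterns": [(b"PK\x03\x04", 0), (b"vbaProject.bin", None)], "min_hits": 2},
}

def extract_attachments(raw):
    """MIME-decode the message; return (filename, decoded bytes) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "unnamed", p.get_payload(decode=True)) for p in msg.iter_attachments()]

def match_rules(data, rules=RULES):
    """Names of the rules whose pattern threshold the attachment meets."""
    def present(pat, off):
        return pat in data if off is None else data[off:off + len(pat)] == pat
    return [name for name, r in rules.items()
            if sum(present(*p) for p in r["patterns"]) >= r["min_hits"]]

def scan_mail(raw, known_bad_hashes):
    """Per attachment: (filename, sha256, hash is known bad?, rule hits)."""
    results = []
    for name, data in extract_attachments(raw):
        digest = hashlib.sha256(data).hexdigest()   # the value sent to the hash database
        results.append((name, digest, digest in known_bad_hashes, match_rules(data)))
    return results

def verdict(results):
    return "quarantine" if any(bad or hits for _, _, bad, hits in results) else "deliver"
```

Even with an empty hash database the sample is quarantined, because the rule on the executable header fires; the rules catch what a hash of a modified sample would miss.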

Categories of E-mail threats

E-mail related threats are also network related threats, since most attackers are interested in not just defrauding one individual or stealing one person's money, but also in bringing down a network or a series of networks.

One of the very common mail server attacks involves a lot of bogus, non-routable IP addresses targeting a specific mail server and bombarding it with SMTP mail attempts. The mail server tries to drop the mails or protect itself from becoming a victim, but the enormity of the attack is so high that for some 24 hours things are difficult for everyone.

I have personally seen these attacks occur every once in a while, and this situation does not typically impact end users; only the sys admin gets sleepless nights. The entire network may be under stress, but mail flows normally, albeit a bit delayed, which is not even perceived by end users.

The Internet is a very bad place and no amount of VPNs or encryption technology or firewalls or secure e-mail gateways can protect you against such attacks.

Obviously the attackers need really expensive, high end network resources to mount such an attack, and they move on after a while as they do not get any return on investment from mounting such attacks.

One of the reasons people attack is to demand a ransom to stop attacking, a form of extortion, but usually E-mail based attacks do not fall into that category.

How does threat manifest?

Email fraud (or email scam) is intentional deception for either personal gain or to damage another individual by means of email. Almost as soon as email became widely used, it began to be used as a means to defraud people. Email fraud can take the form of a “con game”, or scam. Confidence tricks tend to exploit the inherent greed and dishonesty of its victims. The prospect of a ‘bargain’ or ‘something for nothing’ can be very tempting. Email fraud, as with other ‘bunco schemes,’ usually targets naive individuals who put their confidence in schemes to get rich quickly. These include ‘too good to be true’ investments or offers to sell popular items at ‘impossibly low’ prices. Many people have lost their life savings due to fraud.

Quoted from Wikipedia
