Email has been and will continue to be a prime attack vector for external adversaries. What’s changing is the shift from random, general phishing attacks to very targeted spear-phishing attacks where the attackers research their targets on social media sites. Traditional email security gateways are no match for these types of attacks. We recommend a dedicated, complementary Anti-Spear Phishing Service that uses a multi-layered approach, leveraging the cloud to achieve economies of scale.

Email continues to be a primary external attack vector for criminal and state-sponsored adversaries. Phishing has shifted from broad-based attacks to highly targeted spear-phishing campaigns. These attacks are not random; they are focused, coordinated efforts built on research of the target through open sources such as social media sites. Furthermore, it can take an organization weeks or months to discover an initial compromise (the dwell time), which increases the risk that confidential information is breached in the meantime.

We recommend a dedicated, multi-layered service, complementary to traditional email security gateways, that is designed specifically to detect, block, and respond to sophisticated email-based attacks. Its components are described below.

Anomaly Detection – Because spear-phishing is not a high-volume attack, a statistical anomaly detection approach is required.
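As an added illustration (not code from the original article or from any vendor's product), the following Python snippet shows the kind of low-volume, statistical check the paragraph above has in mind: it builds a per-recipient baseline from constructed message history and then scores a new message on first-contact sender domains, display-name reuse with a different address, and Reply-To/From domain mismatch. All addresses, names and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Message:
    recipient: str
    sender_name: str   # display name as shown to the user
    sender_addr: str   # From: address
    reply_to: str      # Reply-To: address ("" if absent)


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


# Constructed history: what a recipient normally receives (not real data).
HISTORY = [
    Message("alice@corp.example", "Bob Jones", "bob@corp.example", "bob@corp.example"),
    Message("alice@corp.example", "Bob Jones", "bob@corp.example", ""),
    Message("alice@corp.example", "Payroll", "payroll@corp.example", ""),
    Message("alice@corp.example", "Vendor Support", "help@vendor.example", ""),
]


def build_baseline(history):
    """Per-recipient sender-domain counts and display-name -> address mapping."""
    domains_per_recipient = defaultdict(Counter)
    addrs_per_name = defaultdict(set)
    for m in history:
        domains_per_recipient[m.recipient][domain_of(m.sender_addr)] += 1
        addrs_per_name[m.sender_name.lower()].add(m.sender_addr.lower())
    return domains_per_recipient, addrs_per_name


def score_message(msg: Message, baseline) -> list:
    """Return the list of anomaly reasons for a message (empty means unremarkable)."""
    domains_per_recipient, addrs_per_name = baseline
    reasons = []
    sender_domain = domain_of(msg.sender_addr)

    # 1. Sender domain never seen by this recipient, although history exists.
    seen = domains_per_recipient[msg.recipient]
    if seen and seen[sender_domain] == 0:
        reasons.append("first-contact sender domain")

    # 2. Familiar display name, but arriving from an address not previously
    #    associated with that name (typical of display-name impersonation).
    known_addrs = addrs_per_name.get(msg.sender_name.lower())
    if known_addrs and msg.sender_addr.lower() not in known_addrs:
        reasons.append("display name matches known sender but address differs")

    # 3. Reply-To routes answers to a different domain than the From address.
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        reasons.append("reply-to domain differs from sender domain")

    return reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    suspect = Message("alice@corp.example", "Bob Jones",
                      "bob.jones@corp-example.co", "bob.jones@mailbox.example")
    print(score_message(suspect, baseline))
```

The three checks are deliberately simple; in a real service the baseline would cover many more features and a much longer window, but the principle is the same: spear-phishing is rare by design, so the signal is deviation from a recipient's normal traffic rather than volume.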

URL Link Analysis – While email attachments may be the initial source of malware, very often it is the URL links in the message that are the threat. The user is baited into clicking on a link in response to the email's message. Each time a user clicks on a link in an email message, the link must be analyzed before the request goes to the Internet. The best approach is to have these links routed to a cloud-based service, because the analysis process is too much overhead for an on-premises appliance.
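The routing described above is usually done by rewriting every link in the message at delivery time so that the click goes to the analysis service first. The following Python example is added here to show that mechanism; it is not the article's or any vendor's code. It rewrites links to a hypothetical endpoint (`ANALYSIS_ENDPOINT`) carrying the original URL plus an HMAC, and shows the click-time side unwrapping and verifying it so a tampered wrapper cannot make the service vouch for a different destination. The key and all URLs are constructed.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical click-time analysis endpoint and a constructed demo key.
ANALYSIS_ENDPOINT = "https://linkcheck.example/click"
SECRET = b"constructed-demo-key-not-for-production"

# Matches http(s) URLs up to whitespace or a delimiter commonly ending a link in text.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TRAILING_PUNCT = ".,;:)"


def _sign(url: str) -> str:
    """HMAC-SHA256 over the original URL, hex-encoded."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def wrap_url(url: str) -> str:
    """Return the rewritten link that sends the click through the analysis service."""
    token = base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")
    return f"{ANALYSIS_ENDPOINT}?{urlencode({'u': token, 'sig': _sign(url)})}"


def rewrite_body(body: str) -> str:
    """Rewrite every URL in a plain-text message body, keeping trailing punctuation."""
    def replace(match):
        url = match.group(0)
        trail = ""
        while url and url[-1] in TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        return wrap_url(url) + trail
    return URL_RE.sub(replace, body)


def unwrap_url(wrapped: str) -> str:
    """Click-time side: recover the original URL and verify it was not tampered with."""
    query = parse_qs(urlparse(wrapped).query)
    token = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    padded = token + "=" * (-len(token) % 4)   # restore stripped base64 padding
    url = base64.urlsafe_b64decode(padded).decode("utf-8")
    if not hmac.compare_digest(sig, _sign(url)):
        raise ValueError("link signature mismatch; refusing to analyze")
    return url   # the service would now fetch and analyze this URL before redirecting


if __name__ == "__main__":
    body = "Please review https://invoice-portal.example/doc?id=42 today."
    rewritten = rewrite_body(body)
    print(rewritten)
    print(unwrap_url(URL_RE.findall(rewritten)[0]))
```

The signature matters because the rewritten link is itself visible to attackers; without it, anyone could craft a wrapper that points the analysis service at one URL while the redirect goes elsewhere.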

Cloud-based file analysis – Files attached to emails, or downloaded as a result of clicking on a link, must be analyzed in a sandbox where they are allowed to execute. Signature-based approaches have proven inadequate because of the polymorphic nature of today's malware. While it is possible to perform sandbox analysis on-premises, it is expensive; it is much more economical for a vendor to perform this function in the cloud. In addition, file execution can be observed for longer, because a cloud environment can be fortified more thoroughly than makes financial sense at each customer location.

User Interface – The service’s user interface must provide summary information for executives as well as drill-down detailed information for the security operations team with all of the details of the sender, receiver, subject, and the attack itself.
