Cybersecurity Practice #1: E-mail Protection Systems (medium/large)

According to the 2017 Verizon Data Breach Report, “Weak or stolen passwords were responsible for 80% of the hacking related breaches”. ¹ The report further identifies phishing attacks (a type of hacking attack) as the most common first point of unauthorized entry into an organization. After monitoring 1,400 customers and 40 million simulated phishing campaigns, the PhishMe 2017 Enterprise Resiliency and Defense Report concluded that the average susceptibility of users within an organization falling prey to a phishing attack is 10.8 percent.² Though other areas of significant threat exist, including in the web application space, the effectiveness of phishing attacks allows attackers to bypass most perimeter detections by “piggy backing” on legitimate workforce users. If an attacker obtains an employee’s password via phishing, and if that employee has remote access to the organization’s IT assets, the attacker has made significant progress toward penetrating the organization.

The two most common phishing methods are credential theft (leveraging e-mail to conduct a credential harvesting attack on the organization) and malware dropper attacks (e-mail delivery of malware that can compromise endpoints). An organization’s cybersecurity practices must address these two attack vectors. Because both attack types leverage e-mail, e-mail systems should be the focus for additional security controls. 

Sub-Practices for Medium-Sized Organizations

Standard antispam and antivirus (AV) filtering controls are basic protections that should be implemented in any e-mail system. Both are implemented directly on the e-mail platform. These controls assess inbound and outbound e-mails from known malicious senders or patterns of malicious content. Table 1 provides a list of suggested security implementations for e-mail protection controls.

Table 1. E-mail Protection Controls

In most cases, e-mail protection controls do not operate alone. When combined to evaluate an organization’s e-mails, they contribute information that provides a more complete assessment of each message. Modern systems score e-mail content on each pass through the protection controls.

Implement this scoring technique and set at least three thresholds: OK for Delivery, Quarantine, or Block/Drop. Score each e-mail to determine which of the three thresholds applies. Based on that threshold, automated actions should be executed. E-mails cleared for delivery automatically pass through for additional processing. The e-mail protection system discards Block/Drop e-mails, and the user never sees them. Quarantine actions allow the user to evaluate the message in a secured environment, not the user’s regular e-mail box, for final verification. In most cases, the system delivers quarantined messages to the user daily in a single e-mail digest for verification.

Adding X-Headers to the delivery of e-mail messages is a good way to flag potential spam or malicious e-mail before sending it to the user. There are two common methods for doing this: ⁵

• Spam X-Header: If a message receives a score that prevents the system from definitely classifying it as spam/malicious, the system can tag the message with an X-Header. The system modifies the Subject or the top of the Body of the message to include a [POSSIBLE SPAM] tag. This advises the user to verify the legitimacy of the message before opening it.
• External Sender X-Header: Another common practice is to add an [EXTERNAL] tag to inbound messages from external senders. The tag can be configured to be highly visible, such as “WARNING: Stop. Think. Read. This is an external e-mail.” This method is effective at catching messages that might be spoofed or pretend to come from within the organization. It also informs the e-mail recipient to be cautious when clicking links or opening attachments from these sources. NOTE: If you leverage DMARC, you might consider exempting the External Sender X-header tag for messages that pass DMARC authentication. This may help e-mail users understand the trust environment and identify when it is necessary to be extra vigilant.

In addition to tagging messages that fail DMARC authentication, messages can be tagged, or digitally signed, when they originate from approved hosting or cloud-based services with a legitimate need to spoof an internal address. This is common for communications platforms, such as marketing systems, emergency management communications systems, or alert management systems.

It is common and expected to share sensitive information through e-mail systems. E-mail is the primary mechanism used by most organizations to communicate electronically. It is also common to access e- mail remotely, as the workforce has become increasingly mobile.

Given the prevalence of credential harvesting attacks, if remote e-mail systems are available, passwords are the only controls prohibiting malicious users from accessing sensitive information within transmitted e-mails. This is a critical exposure that increases organizations’ susceptibility to phishing attacks.

As discussed in Cybersecurity Practice #3: Identity and Access Management, two-factor authentication, or multifactor authentication (MFA), is the process of verifying a user’s identity using more than one credential. The most common method is to leverage a soft token in addition to a password. The soft token is a second credential that can be delivered through a mobile phone or tablet, devices that most people have nearby. The soft token could consist, for example, of a text message containing a code, or of an application installed on the phone that provides the code and/or asks for independent verification after a successful password entry.

Implementing MFA on your remote-access e-mail platform mitigates the risk of a compromised credential, such as a user password. With MFA, a hacker requires both the phone and the user’s password, which significantly reduces the likelihood of a successful attack. This is one of the most effective controls to protect your organization’s data.

E-mail is the most common method of communicating content, including sensitive information, among members of an organization. Although e-mail might not be the preferred communication method, one must assume that users will leverage this common and easy-to-use communication channel.

E-mail encryption is an important security protection. Multiple encryption techniques exist, though the most common use third-party applications to conduct encryption, invoking them by tagging outbound messages in some form. Tagging can occur, for example, by putting a trigger in the subject line (e.g., #encrypt, #confidential), or the e-mail client itself can invoke the third-party application. The techniques used depend upon the technology solution deployed.

When organizations have established partnerships with third parties, they can provision fully encrypted, transparent e-mail delivery between the two entities’ e-mail systems. In this model, each system can be configured to require transport layer security (TLS) encryption when sending or receiving messages from the other. This ensures that the messages are delivered over the internet in a manner that prevents their being intercepted.

Whichever encryption technique you implement, you must train your workforce to use the technique when transmitting sensitive information. You may integrate this cybersecurity practice into the data protection cybersecurity practices discussed in Cybersecurity Practice #4: Data Protection and Loss Prevention. Messages that users fail to encrypt can be automatically encrypted or simply blocked.

A study released in 2017 determined that the average measured susceptibility of users within an organization to fall victim to phishing attacks is 10.8 percent.⁶ Therefore, it is important to maintain a workforce that is vigilant and aware of cyberattacks. Whatever your organization’s actual susceptibility to phishing attacks, it is unlikely to reach zero. Given that phishing is one of the most common methods of attack and initial compromise, a layered defense strategy is important.

Organizations should implement security awareness programs that provide context around e-mail-based attacks. The challenge presented to security departments is how to deliver a concise education on spotting technical attacks when the workforce’s knowledge level does not match the hacker’s level of sophistication. For example, it is easy to make a phishing e-mail appear to originate from the company itself, incorporating logos, department names, and management names, but it is difficult to train your entire workforce to detect that fake message.

When implementing information security and cybersecurity training programs, consider the key techniques outlined in a 2015 HBR article by Keith Ferrazzi:⁷

• Ignite each manager’s passion to coach their employees: Engage and train your management team. Leverage them to communicate security practices and information to staff in all areas of the organization.
• Deal with the short shelf life of learning and development needs: Security information changes continuously. Implement continuous and ongoing campaigns to maintain awareness of current trends, issues, and events.
• Teach employees to own their career development: Customize cybersecurity training to the needs of employees in different positions or units in the organization. Develop training that is clearly relevant to the user’s job.
• Provide flexible learning options: Provide options, including on-demand and mobile training solutions that allow the workforce to schedule and complete training independently.
• Serve the learning needs of virtual teams: Recognize that many employees work remotely and virtually. Training solutions should fit within the work environment of virtual employees.
• Build trust in organizational leadership: Leaders must be open and transparent and lead by example. Managers must demonstrate to the workforce that they are fully engaged in security strategy and committed to successful execution of security controls and techniques.
• Match different learning options to different learning styles: Effective training accommodates the different learning styles and requirements of employees who function in diverse work environments within a single organization. Consider multiple options for conducting each training course to maximize training effectiveness and efficiency.

Organizations should implement multifaceted training campaigns that engage users to catch phishing through multiple channels. Points to include in your training campaign include the following:

• Sender verification: Users should look very carefully at the sender of the e-mail message. It is common to spoof the organization’s name by changing a simple character, for example, “google/c0m” rather than “google/com.” Be on the lookout for e-mails where the organization’s name appears with a separate e-mail domain, such as “!CME/google/com” rather than “acme/com.”
• Follow the links: Every link in an e-mail message is suspect. Organizations should limit the use of links in corporate messages to those that are necessary. Users should hover the cursor over each link to check the corresponding URL and determine whether it is credible. Specifically, mismatched URLs (i.e., those where the name of the link in the e-mail does not match the corresponding URL) are highly suspect.
• Beware of attachments: Though it can be difficult to determine whether an attachment is malicious based on the content of an e-mail message, there are often clues. Be wary of messages that require immediate action, for example, “You must read this right away.” Be cautious when receiving attachments from senders with whom you do not regularly correspond. It is important to detect malicious attachments, which may contain malware or exploit scripts that permanently compromise your computer.
• Suspect content: In most cases, hackers entice you to follow a link or open an attachment. They will use messages to play with your curiosity and emotions. These messages vary widely, from urgent messages such as, “Your account will be deactivated unless you re-register,” to scary messages such as, “The IRS is suing you and you must fill out the attached form.” Hackers also prey on hopes and desires. Examples of these messages include, “You have won a $100 amazon gift card!” and the well-known Nigerian Prince messages.

As you establish your awareness campaigns, keep this simple goal in mind: you want your workforce to be “human sensors” detecting malicious activity and reporting these incidents to your cybersecurity department. Is they say in the New York subway systems, “If you see something, say something.” The earlier security personnel become aware of a phishing attack, the faster they can execute Cybersecurity Practice #8: Security Operations Center and Incident Response.

The following are recommended channels for cybersecurity awareness campaigns:

• Monthly phishing campaigns: The most effective means of training your workforce to detect a phishing attack is to conduct simulated phishing campaigns. Your authorized security personnel or third-party provider crafts and sends phishing e-mails to your employees. These e-mails have embedded tracking components (e.g., to track link clicks). Tracking enables the organization to identify employees who detect the e-mail as a phishing attack and those who fail to detect the attack, opening the e-mail or clicking the e-mailed links. Then, the organization can provide the appropriate training and feedback as soon as possible after the event. Simulated phishing attacks provide a cause-and-effect training opportunity and are incredibly effective. Consider conducting phishing simulations on at least a monthly basis for the entire workforce. Develop specialized simulations for higher-risk areas within your organization. These could be based on the department (such as finance and human resources [HR]) or on data identifying your highest-risk users.
• Ongoing and targeted training: Although training is not the most effective means of raising phishing awareness, you should include phishing content in your organization’s ongoing privacy and security training.
• Departmental meetings: Hold departmental meetings to disseminate information on information security and cybersecurity events and trends. Brief presentations or informal conversations provide face-to-face context and build relationships between security personnel and the organization’s workforce/ These relationships encourage a continuous dialogue that elevates the visibility of cybersecurity across the organization.
• E-mail campaigns: Deliver a pointed e-mail message or alert about specific attacks. Provide Secure Multipurpose Internet Mail Extensions (S/MIME) or other digital certificates as evidence that these messages are authentic. Remember that attackers will attempt to do the same thing!
• Newsletters: Working independently or with your marketing department, develop and distribute your own cybersecurity newsletter. Write articles that explain how to catch a phishing attack. Better yet, provide an example of an actual phishing attack, highlighting the warning signs that might have prevented the attack.

Sub-Practices for Large Organizations

Many sophisticated solutions exist to help combat the phishing and malware problem. These solutions are called advanced threat protection services. They use threat analytics and real-time response capabilities to provide protection against phishing attacks and malware.

The following list describes some of these tools:

• URL click protection via analytics: In a modern phishing attack, the hacker will create a web page on the internet for harvesting credentials or delivering malware. Next, the hacker will conduct an e-mail campaign, sending e-mails with a link to a web page that does not have malicious content. Because the linked page is not malicious, traditional spam and AV protections clear the e-mail for delivery to the user. As soon as the e-mails are delivered, the hacker changes the linked web page to the newly created malicious web page. This allows the hacker to bypass many traditional e-mail protections and leaves the organization to rely on the user’s vigilance and awareness. Protection technologies that rely on analytics leverage the ability to re-write links embedded in an e-mail message. The rewritten URLs point to secure portals that apply analytics to determine the maliciousness of the request at the time of the click. The message is thus protected no matter where or when the user clicks the link. Such technologies use the cloud and numerous sensors throughout the install base to check linked sites in real time. They can also block discovered malicious sites ahead of time to inoculate the organization.
• Attachment sandboxing: Another common attack technique is to send attachments with embedded malware, malicious scripts, or other local execution capabilities that compromise vulnerabilities on the endpoint where the attachment is launched. These attachments bypass traditional signature-based malware blocking by using multiple obfuscation techniques that alter the attachment’s content to provide a different hashing signature. Sandboxing technologies open attachments proactively in virtual environments to determine what behaviors occur after the user opens the attachment. The protection system determines whether a file is malicious based on these behaviors, such as system calls, registry entry creation, file downloading, and others.
• Automatic response: Another useful technique is to implement mechanisms that automatically rescind or remove e-mail messages categorized as malicious after delivery to a user’s mailbox. After using the analytics approach described earlier in this section to identify malicious e-mails, cybersecurity response teams remove these messages from the user’s mailbox. This manual process requires identifying the characteristics of the malicious e-mail message, searching the organization’s e-mail environments, and deleting messages that match the identified characteristics. This time-consuming process is difficult to run in a 24x7 operation and can be dangerous. As an alternative to costly manual removal, automatic response technologies can identify the signature of a delivered e-mail. When advanced threat tools determine that a previously clean message has become malicious, it can automatically delete that e-mail message from all user mailboxes in the organization. This reduces the labor involved compared with the manual processes and provides the consistency of automation.

Digital signatures allow a sender to leverage public/public key cryptography to cryptographically sign an e-mail message. This does not encrypt the message itself. Rather, it validates that a received message is from a verified sender and has not changed in transit.

As long as trusted root certificates are used to create the S/MIME certificate used in digital signatures, most modern e-mail clients will check and provide verification automatically by presenting an icon on the message itself. This icon is useful when training your workforce to determine the validity of an e- mail.

A word of caution: many e-mail protection technologies change the content of e-mail messages (e.g., by tagging subject lines, re-writing URLs). Digital signature technology that maintains the integrity of an e- mail will fail when you use these other protection techniques. Currently, there is no method to resolve this problem.

Cybersecurity departments use data and analytics from both regular e-mail protection platforms and advanced threat protection systems to identify the most frequently targeted users in an organization. These users might not be the ones you think are highly susceptible, such as the CEO or the finance workforce. With the systems discussed in this section, SOCs can identify targets, implement increased protections (e.g., lower thresholds for spam/malware checking, delayed processing time for attachments), and provide on-the-spot and targeted education. Informing these individuals of their high risk profile instills a heightened sense of awareness and increased vigilance.

Threats Mitigated

1. E-mail phishing attacks
2. Ransomware attacks
3. Insider, Accidental or intentional data loss

Suggested Metrics

• Number of malicious phishing attacks prevented on a weekly basis. The goal is to ensure that systems are working. A reduction in attacks prevented indicates system misconfiguration. Sudden changes in the rate of phishing attacks should trigger operational checks of to ensure that systems are still operating as intended.

• Number of malicious URLs and e-mail attachments discovered and prevented on a weekly basis. The goal is to measure the effectiveness of advanced tools, like click protection or attachment protection.
• Number of account resets on a weekly basis. This is based on users who accessed a malicious website. It assumes that a registered click indicates compromised credentials, so be sure to change the credential before further compromised can occur. Implement education to keep this number as low as possible.
• Number of malicious websites visited on a weekly basis. The goal is to establish a baseline understanding, then strive for improved awareness through education activities that train employees to avoid malicious websites.
• Percentage of users in the organization who are susceptible to phishing attacks based on results of internal phishing campaigns. This provides a benchmark to measure improvements to the workforce’s level of awareness. The goal is to reduce the percentage as much as possible, realizing that it is nearly impossible to stop all users from opening phishing e-mails. A secondary goal is to correlate the percentage of susceptible users with the number of malicious websites visited or the number of malicious URLs opened.
• List of the top 10 targeted users each week, with corresponding activity. For example, how many phishing e-mails do the top three users receive compared with the rest of the workforce? What positions do these users hold in the organization? Are there correlations among the user, the user’s position, and the number of phishing e-mails received? What inferences and conclusions are possible? The goal is to conduct targeted awareness training to these individuals, advising them that they are targets more often than other users, and increasing their vigilance as well as their ability to detect and report phishing attacks.
• Average time to detect and time to respond statistics for phishing attacks on a weekly basis. Time to detect measures how long the phishing attack was in progress before the cybersecurity department was aware of it. Response times measure of how quickly the cybersecurity department neutralized the messages to end the attacks. The goal is that both metrics should be as low as possible; establish a baseline to understand the current state and set goals to improve performance.

1. Tin Zaw, “2017 Verizon Data Breach Investigations Report (DBIR) from the Perspective of Exterior Security Perimeter,” Verizon Digital Media Service, last modified July 26, 2017, https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/.
2. Ian Murphy, “How Susceptible Are You to Enterprise Phishing?” Enterprise Times, last modified December 1, 2017, https://www.enterprisetimes.co.uk/2017/12/01/susceptible-enterprise-phishing/..

3. Murthy Raju, “Using RBL and DCC for Spam Protection,” Linux/com, last modified June 14, 2007, https://www.linux.com/news/using-rbl-and-dcc-spam-protection..

4. KC Cross, Denise Vangel, and Meera Krishna, “Use DMARC to Validate E-Mail in Office 365,” Microsoft TechNet, last modified October 8, 2017, https://technet.microsoft.com/en- us/library/mt734386(v=exchg.150).aspx.
5. KC Cross and Denise Vangel, “Configure Your Spam Filter Policies,” Microsoft TechnNet, last modified December 13, 2017, https://technet.microsoft.com/en-us/library/jj200684(v=exchg.150).aspx.
6. Murphy.
7. Keith Ferrazzi, “7 Ways to Improve Employee Development Programs,” Harvard Business Revew, last modified July 31, 2015, https://hbr.org/2015/07/7-ways-to-improve-employee-development-programs.