Email security...problem solved?

A more modern approach to a challenging issue

Before we dive into the topic of email security🔒, lets just circle back on our post on large scale streaming and a bit of a breakdown on Super Bowl LV 🏈, which our friends over at Viacom-CBS managed a couple of weekends ago.

  • It broke records: The total number of concurrent streams was, we estimate, was up by ~ 30% - a considerable increase from Super Bowl LIV in 2020. Congrats 👏

  • The authenticated experience hit scaling issues: there were widely reported issues for consumers accessing one of the CBS products for the game stream during the first half, largely due to the authenticated nature of that product (see point numbers 1 and 4 in our post on the challenges here). This re-enforces how much more challenging live, high scale streaming really is.

  • Simplicity continues to be the key to success in large scale streaming: having multiple platforms (very different to architecting resilience and fail over), having a free and an authenticated feed, and having multiple teams operationally responsible all heighten the risk for these types of events and should always be engineered out during preparation and planning - some great lessons to be learned for all of us here 📚

  • Our internal engineering team has created this medium post for those of you who asked for more on this topic - enjoy.

Now onto a different sport, this week’s topic of email security 🤓

The unresolved security issues around email

When Sony Pictures was breached back in 2014, every technology team around the world was unleashed to focus on email security.

Seven years on from that attack, email is still the most targeted surface area across most major enterprises, and for many organizations it’s still a weak point. That’s why we thought we’d cover it in this post 😉

📝 Side-note: it’s also a vibrant space where we see a wave of entrepreneurs building new companies 👀

Why is email security such an exposure for large enterprises?

Here are the three big issues that large scale enterprises face when dealing with email security.

  1. Attack traffic is highly targeted and multi-stage 🎯

    Being a large and high profile enterprise (sometimes also influenced by the industry vertical you’re in) will firstly make you a target but also means that you’re often the first to see a certain attack type. This makes threat intelligence-driven approaches far less effective. Multi-stage approaches mean that you’ll often see malware hidden inside a second step, thus making sandboxing less effective.

  2. Inboxes themselves are still considered ‘crown jewels’, not just a springboard to further compromise 👑

    A purely inline solution, much like firewalls before them, assumes inside=good and offers no defense-in-depth. Email is, indeed, the perfect springboard when compromised. If an inbox is breached, you don’t want the entire contents to be accessible or for it to still be trusted internally.

  3. Email is an ecosystem-wide problem 👨‍👩‍👧‍👦

    Even if you do everything right (a big if for most large enterprises), we have observed third parties compromises carried out explicitly to send malicious email from trusted ecosystem channels. In the reverse flow, if you understand that a trusted partner has been compromised, how can you understand the scope of data that is now at risk in their environment?

When you look at these threat vectors, it’s clear that large enterprises need a more flexible security architecture. The days of inserting a secure email gateway into the flow of all emails for every tenant are numbered and we’re firm believers in (and shifting to) an API driven approach that gives us unmatched speed-to-delivery.

Legacy email security architectures

A traditional email security architecture in a large, complex multi-tenant and even multi-email provider environment, might look something like this, with an inline third party gateway technology standing between the external world and a users inbox.

In addition to the high false positive rate of the gateway which is an operational burden there is the additional problem of false negatives. Here are some real-world industry examples collected from peers and colleagues in the industry of the type of emails that have gotten past best-in-class gateways:

  1. A third party service provider is compromised and an existing email thread is highjacked to change payment location instructions for an outstanding invoice.

  2. An internal user forwards a malicious email that evades initial gateway detection. Since the gateway solution has no visibility across internal-to-internal emails, nothing is detected even if the gateway later knows it to be malicious. Since the malicious email has now been sent from an internal user, other users interact with it.

  3. A legitimate link to a shared file is sent to a user from a compromised third-party’s account. A secondary link is embedded within the remote cloud document that ultimately opens a credential stealing website masquerading as a mainstream collaboration tool. The user is required to enter their email address (and their address only, it’s highly targeted) to unlock the final malicious link, rendering a traditional ‘follow the links’ scanning tool useless.

  4. Legitimate third-party cloud infrastructure accounts (e.g. AWS, GCP etc.) are taken over to host ransomware which is then linked to within an email.

  5. Employee harassment and threats.

  6. Text-only reconnaissance emails that are sent from legitimate commercial or consumer grade email accounts for the purpose of (a) identifying if an email account exists, and (b) identifying if a user will respond.

  7. Malicious inbound links from dozens of externally compromised accounts, including official .gov accounts, many of whom are law enforcement, most of which pass DMARC.

  8. A remote image loader “Web Bug URL” is included within an email to a user who opens the email on their phone, providing geolocation data to a nation state actor seeking to understand his whereabouts near government properties.

The list goes on and on, and is a major headache for any technology leader in today’s enterprise.

A smarter way of doing things

Most forward leaning enterprises are considering a major shift away from the old serial way of doing things and alongside some basic hygiene, this approach takes a fundamentally different approach. APIs instead of gateways. Deep ML and the use of the social graph for behavioral anomaly detection as opposed to threat intelligence alone. Deep protection of the email data post delivery rather than simple scanning on the way through. The shift in the model is profound and brings significant advantages based upon our own experience so far.

When considering this architecture, there are four key components that your teams should really consider in detail during implementation.

  1. Perform environment hygiene 🧹

    It’s a lot of work to configure your email environment correctly but it pays huge dividends in raising the security bar.

    Enforce a retention policy within the inbox. Users hate this but it’s important to break the practice of using the inbox as the core file storage system. New approaches do allow you to be a bit more user-friendly, though (see part 4).

    Help prevent spoofing and spam by enabling SPF + DKIM and enforcing DMARC. This is also part of being a good email citizen in the world.

  2. Implement native protections within email providers and MFA 🔐

    Microsoft and Google are sitting on an incredible data asset and they’ve become adept at handling the vast majority of large scale attacks, spam, greymail, etc. Leverage these native capabilities as much as possible and you’ll get 80% of the benefits for 20% of the effort.

    In addition to this, it’s essential that the configuration of your Multi-Factor Authentication (MFA) platform is calibrated appropriately. For example, disable third-party application authorizations (or at a minimum, disable unverified applications). Also disable legacy protocols - SMTP, POP and IMAP.

    Finally, you’re still running a risk if you allow push notification as your means for secondary authentication. It has been proven through testing that a significant percentage of users will accept an arbitrary push notification. Yubikey is the ultimate protection for MFA in our opinion 🔑

  3. Add behavioral anomaly detection to identify targeted, suspicious behavior 🦹‍♂️

    In separating signal from noise, your orgnaization’s user graph is key. On a given day an organization of our scale can see 20+ advanced attacks that have been crafted to bypass threat intelligence, sandboxing or other SEG approaches.

    An API-based solution that leverages social graph data can identify bad activity missed by native protections - such as well crafted phishing leveraging lookalike domains / typo domains / spoofing that easily tricks users (and also passes DMARC). It can also identify intra-tenant badness (e.g., a compromised account attempting to get something from another account) missed by an inline solution. There are some great early stage companies playing in this space at the moment.

  4. Add post-delivery protection to facilitate defense in depth 📨

    Email Data Leak Protection (DLP) has historically been weak and we’re super excited about new innovations in this area. With post-delivery protection, sensitive information within the inbox can be redacted and put behind additional step-up authentication. This capability also allows for a a more user friendly and less aggressive retention policy due to the additional protections around the data.

    The inbox is often the centre piece to authentication on other systems, and additional protections around resetting passwords is critical. Single-Sign-On (SSO) mitigates this risk but in most large enterprises there is inevitably a new app that has not yet been integrated into the SSO platform.

Beyond architecture, we often hear that user training is the most important ‘first line of defense’ in 2021. We’d argue that it’s essential, but philosophically, we believe we should abstract this problem away from users, not view them as the safe, consistent and reliable ‘first line of defense’. User education is a component of defense, but at the end of the day, users should be able to communicate freely and be their best selves without worrying that a wrong click can be the downfall of your company!

Stay safe out there folks 🧓 👱‍♀️

About FOX

Cyber security is integral to our business and we have an outstanding team of security leaders and engineers who work across our organization to protect and secure our operations. We’re forward leaning with the technology partners that we work with and we’re always looking for the next innovation in this category.

If you’re an entrepreneur working in this space, reach out. If you’re looking to work in a high calibre cyber security team, we’re hiring 😀