

Guarding Beyond the Gateway: Challenges of Email Security

Learn how to maximize the trustworthiness of email services through changes to infrastructure and how to use your systems to improve the performance of the human firewall.

Copyright SANS Institute. Author Retains Full Rights.

A SANS Whitepaper Written by Barbara Filkins January 2016

Sponsored by Mimecast

©2016 SANS Institute

Introduction

Email is often the first thing people check in the morning and the last thing they check in the evening. It is an essential communication channel in our business and personal lives, with more than 112 billion business emails being sent daily, according to a report by The Radicati Group.1 Almost half the time, employees (and more than half the time, executives) access their business email from mobile devices. A Business 2 Community article recently reported that 48 percent of all emails are now opened on mobile devices, and 64 percent of decision makers read their email via mobile devices.2

When accessing their email from all over the place (work, home or on the road), people make mistakes and let in bad actors. Meanwhile bad actors, particularly phishers that research their targets (known as spearphishers), are exploiting DNS weaknesses, malicious attachments and websites. For example, CNN Money reported in February that a major infiltration of Russian ATMs started with spearphishing bank employees who clicked links in emails appearing to come from other bank employees.3 Targeted spearphishing attacks have become the method of choice as a result of the simplicity with which they can be unleashed and the effectiveness of their style as an attack. Hackers have learned it’s easier to exploit a network through its gullible and vulnerable users than to launch an attack against its hardened network defenses.

Ubiquitous Email: The average business user sends and receives 122 emails a day, for a total of 112 billion emails daily, according to the 2015 Email Statistics Study by The Radicati Group.5

To combat email-borne attacks, organizations have deployed secure email gateways (SEGs) and security training for users. But now attackers are striking even more effectively with spearphishing and highly focused business email compromise (BEC) scams. One category of BEC scams aimed at high-level targets such as CFOs and CEOs is known as whaling or CEO fraud.4 These emails are so convincing that they can even bypass the secure email gateway: they appear to be from a trusted source with a proper subject line, the sending IPs are not on any blacklist, and only a few emails are sent (so they don’t trigger the volume-based alarms that mass phishing would).

To navigate this advanced attack landscape, organizations need to take the offensive beyond the gateway and adopt a 360-degree view of their email security operations. For this discussion, we concentrate on how to maximize the trustworthiness of email services through changes to infrastructure and how to use your systems to improve the performance of the human firewall.

1 Email Statistics Report, 2015-2019, The Radicati Group, www.radicati.com/wp/wp-content/uploads/2015/02/Email-Statistics-Report-2015-2019-Executive-Summary.pdf
2 “104 Fascinating Social Media and Marketing Statistics for 2014 (and 2015),” Business 2 Community, Dec. 2, 2014, www.business2community.com/social-media/104-fascinating-social-media-marketing-statistics-2014-2015-01084935#PBvlCHYbgZFZITrE.97
3 “What we know about the bank hacking ring - and who’s behind it,” CNN, Feb. 16, 2015, http://money.cnn.com/2015/02/16/technology/bank-hack-kaspersky/index.html?section=money_topstories
4 “FBI: $1.2B Lost to Business Email Scams,” Krebs on Security, Aug. 27, 2015, http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/
5 Email Statistics Report, 2015-2019, The Radicati Group

Targeted Attacks: Where the Threat Lies

Email-related threats and breaches can be devastating to an enterprise. In August 2015, the FBI warned that losses linked to business email compromises (BECs) totaled more than $1.2 billion from October 2013 to August 2015. Many industry experts say that estimate is likely low.

Impacts can range from disruption of normal business functions (blacklisting of valid email, denial of service, data leakage) to regulatory sanctions, legal action, financial loss and significant damage to reputation and brand confidence. The majority of costs associated with phishing exploits are due to loss of employee productivity and uncontained credential compromises, which, when added to other factors, can cost an average-sized company $3.77 million per year.6

Phishing: Tricking users into giving sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money), often for malicious reasons. Phishing emails are generated in thousands without focusing on a specific victim profile.10 They rely on creating a sense of urgency to encourage multiple people to click on their malicious links or attachments.

As one SANS advisory board member put it: “People fall for phishing scams … because they’re aimed at weak points in our psychology: the perception of scarcity (Act now!), authority (Hi, this is Microsoft calling. We’ve seen a problem on your PC …) and so on.”

Spearphishing and Whaling

The infamous 2011 breach of RSA Security is almost a perfect example of a successful spearphishing exploit: It targeted human resources (HR) personnel with an email that had the subject line “2011 Recruitment Plan” and looked as if it originated from a recruitment firm the HR department was familiar with. Only eight emails were sent, but one person in HR opened the Excel attachment titled “2011 Recruitment Plan.xls.”7 The SecurID fiasco cost RSA $66 million, including costs to replace tokens, monitor customers and handle other fallout.8

In another case, the cyberespionage group Pawn Storm (also known as APT28, Sednit, Sofacy and Tsar Team) mounted a campaign against Ministries of Foreign Affairs worldwide. In October 2015, this group of spearphishers lured victims with subject lines related to the Middle East, then took them to malicious websites hosting Adobe Flash zero-day exploit code to attack several ministries. Once the exploit was successful, a variant of the Sednit malware (backdoors and information stealers) often used by Pawn Storm was dropped onto the victim’s machine.9

6 “Phishing Education Can Save Nearly $4m Annually,” Infosecurity Magazine, Aug. 26, 2015, www.infosecurity-magazine.com/news/phishing-education
7 “Lessons Learned from DigiNotar, Comodo and RSA Breaches,” SecurityWeek, Nov. 17, 2015, www.securityweek.com/lessons-learned-diginotar-comodo-and-rsa-breaches
8 “RSA SecurID Breach Cost $66 Million,” InformationWeek, July 28, 2015, www.darkreading.com/attacks-and-breaches/rsa-securid-breach-cost-$66-million/d/d-id/1099232?
9 “Russia-linked Pawn Storm Attackers Exploiting New Adobe Flash Zero-Day,” SecurityWeek, Oct. 13, 2015, www.securityweek.com/russia-linked-pawn-storm-attackers-exploiting-new-adobe-flash-zero-day and “Adobe Patches Flash Zero-Day Exploited by Pawn Storm,” SecurityWeek, Oct. 19, 2015, www.securityweek.com/adobe-patches-flash-zero-day-exploited-pawn-storm
10 Federal Trade Commission, www.consumer.ftc.gov/articles/0003-phishing

Whaling is a type of BEC that uses well-thought-out, socially engineered scams that con unsuspecting high-level staff members at businesses to get to the company money or to phish deeper into the company.11

Lessons Learned
1. Social engineering attacks are becoming more sophisticated, particularly spearphishing.
2. Targeted spearphishing attacks succeed because they seem legitimate to the user and to the secure email gateway.
3. Senior-level employees are often targets.
4. Even experts and senior-level employees can be victimized by social engineering.
5. Assess your email users and the data and access that is of value to attackers.
6. Pay special attention to who is most likely to fall victim to a social engineering attack, such as executives, financial personnel and HR staffers.

Spearphishing: Highly targeted phishing attempts directed at specific individuals or companies that have something in common. These are usually well-researched, customized emails that appear very believable and seem to come from a trusted sender.13

Whaling: A malware-less attack that attempts to get high-level users, particularly those with C-level titles, politicians and celebrities, whom criminals consider “big fish,” to expose their credentials or sensitive information.14

Vertical Targets

Spearphishers also target verticals such as financial, government and health care because of the data their email users have access to. Health care is especially vulnerable to email-related exposure because one personal health care record is enough to start entire new identities. In March 2015, Beacon Health System discovered it had been the target of a sophisticated phishing attack that affected more than 300,000 individuals. During the investigation, Beacon found that the compromise may have started as early as November 2013.12

All the same lessons learned apply to other industries. Identify your targets of value based on the information they process, learn their email usage patterns and then educate and monitor them.

11 Spoofing Whales: How Companies Can Protect Their CEOs and CFOs from the “Business Email Compromise,” www.cfjblaw.com/spoofing-whales-companies-protect-ceos-cfos-business-email-compromise
12 “Beacon Health System alerting patients of security breach,” WNDU.com, May 26, 2015, www.wndu.com/home/headlines/Beacon-Health-System-alerting-patients-of-security-breach-304973591.html
13 “Spear Phishers: Angling to Steal Your Financial Info,” FBI, www.fbi.gov/news/stories/2009/april/spearphishing_040109
14 “Whaling definition,” TechTarget, Feb. 2014, http://searchsecurity.techtarget.com/definition/whaling

Threat Summary

Table 1 summarizes threats and targeted attacks discussed in this section, along with representative scenarios.

Table 1. Prioritized Email-based Threats and Scenarios

1. Threat: Email sent by unauthorized mail transport agent (MTA) in enterprise (e.g., malware botnet)
   Hypothetical scenario: Malware present on an employee’s laptop installs a lightweight SMTP server and sends out email that discloses credentials without the employee’s knowledge.

2. Threat: Message sent by unauthorized sender (i.e., compromised or stolen credentials)

3. Threat: Pharming (i.e., sending or receiving emails from hijacked domains)
   Hypothetical scenario: A research department independently operates an unauthorized mail server, discovered by university IT only after reports of damaging email being sent from the hijacked domain.

4. Threat: Phishing, spearphishing (i.e., email sent using forged sending address)
   Hypothetical scenario: An employee falls for a phishing scheme, resulting in a cyber attack and exfiltration of login credentials for admin accounts.

5. Threat: Email bombing or unsolicited bulk email (UBE, spam)
   Hypothetical scenario: Inability to send or receive email (DoS/DDoS).

6. Threat: Bypass of security solutions by LAN-based compromise
   Hypothetical scenario: Attackers gain access to LAN-based resources, such as webmail, to send spearphishing emails internally, bypassing gateway security.

A Framework to Secure Email

To guard beyond the gateway, organizations must address the technology gaps that allow advanced phishing attacks to take root in organizations. Today’s threats and varied attack surfaces call for more robust email security intelligence, in-mail scanning systems and data loss prevention (DLP), all supported with user awareness and understanding.

Email Architectures

Enterprise email architecture can be quite complex. When performance, availability, storage and security are taken into consideration, the resulting hardware stack may include numerous components: servers (primary, fail-over, back-up), storage (SAN) and additional capabilities such as encryption, antivirus, anti-spam and authentication.

Organizations tend to get lost in this complexity, not taking into account the “360-degree view” they need in order to account for security “beyond the gateway.” This architecture should embrace the following elements:
• Infrastructure: What can be done from an infrastructure perspective to maximize the trustworthiness of email services, both for transport and archiving of messages?
• Policy: What can be done at the SEG to minimize threats (attack surfaces) and inadvertent risks posed by human interaction with web/email systems?
• End user: How can organizations detect and enforce “secure email” behavior? How can technology improve the performance of the human firewall?


Figure 1 provides a representation of the 360-degree view we will use to examine how to secure email against targeted attacks involving social engineering.

Figure 1. 360° View of Email Security Architectures

In this discussion, we concentrate on maximizing the trustworthiness of email services through changes to infrastructure as a means to minimize attack surfaces within the message and to improve the performance of the human firewall. We acknowledge, but do not delve deeply into, other elements of the email environment, such as DLP integration and encryption in transit or at rest.


Infrastructure First

The DNS plays a central role in delivery of email to the correct address. A sending mail transport agent (MTA) queries DNS for the mail exchange (MX) resource record of the recipient’s domain (the right-hand side of the “@” symbol in an email address) to find the receiving MTA to contact. Receiving systems can use a reverse (PTR) lookup of the connecting IP address as a crude authentication check; because the reverse zone is controlled by whoever holds the address space, a missing or mismatched PTR is a useful negative signal, but a match on its own proves little.

DNS can be vulnerable to a variety of attacks, such as cache poisoning, used to redirect a person keying in a legitimate URL to a malicious website.15 Or, in the case of a homograph attack, a person frequenting a site, such as citibank.com, may be lured to click a phishing link in which the Latin C is replaced with the Cyrillic letter Es (U+0421, “С”), which renders identically in most fonts. Both the legitimate link and the malicious link look the same to the unsuspecting user, but the two Cs are actually represented by different Unicode character codes, so they resolve to different domains. Clicking on the phishing link, the user becomes a victim of an internationalized domain name (IDN) homograph attack.16
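The homograph case above can be caught before a user ever sees the link, because the gateway sees the real code points while the user sees only glyphs. The following is an added example (not code from the paper or from any vendor it names) of the three checks a gateway or client can run on a displayed hostname: mixed scripts within one label, presence of an IDN (xn-- punycode) label, and a look-alike match against a list of protected brand domains. The confusables table is a constructed subset of the Unicode TR39 data, and citibank.com is used only because the paper uses it.

```python
import unicodedata

# Constructed subset of Unicode TR39 confusables (the real table has thousands of entries);
# enough for the Latin/Cyrillic/Greek look-alikes that dominate homograph phishing.
CONFUSABLES = {
    "\u0441": "c", "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}


def script_of(ch):
    """Script family of one character, taken from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(label):
    """Map confusable characters onto their Latin look-alikes (a small-scale TR39 skeleton)."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def to_ascii(host):
    """ACE form as the resolver sees it: any non-ASCII label becomes an xn-- punycode label."""
    return host.encode("idna").decode("ascii")


def check_hostname(host, protected_domains):
    """Return the reasons a displayed hostname deserves suspicion (empty list = nothing found)."""
    findings = []
    labels = host.lower().split(".")
    for label in labels:
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    ace = to_ascii(host)
    if "xn--" in ace:
        findings.append(f"IDN: displayed {host!r} resolves as {ace!r}")
    skel = ".".join(skeleton(label) for label in labels)
    if skel in protected_domains and host.lower() != skel:
        findings.append(f"look-alike of protected domain {skel!r}")
    return findings


if __name__ == "__main__":
    protected = {"citibank.com"}
    for candidate in ("citibank.com", "\u0441itibank.com"):
        print(candidate, "->", check_hostname(candidate, protected) or "clean")
```

The mixed-script check alone is not sufficient: a label written entirely in Cyrillic look-alikes is single-script and passes it, which is why the skeleton comparison against protected domains is the check that actually matters. Browsers apply similar rules when deciding whether to display Unicode or the raw xn-- form.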

Organizations should implement Domain Name System Security Extensions (DNSSEC; RFC 4033), which add origin authentication and integrity protection to DNS responses (they do not encrypt queries), to protect against threats such as cache poisoning and the pharming it enables.

DNS is also used as the publication method for protocols designed to protect email and combat malicious, spoofed email. For example:
• Sender Policy Framework (SPF) allows recipients to verify sender identity (at the organizational level) by allowing domain owners to publish, via DNS, the IP addresses that are authorized to send emails from the specified domains.
• DomainKeys Identified Mail (DKIM) takes email sender identification a step further by associating a domain name and owner to the content of the email message, allowing the organization to vouch for the content of the message through cryptographic signing of the content.
• Domain-based Message Authentication, Reporting and Conformance (DMARC) further improves on SPF and DKIM by giving sending organizations a method to communicate the confidence of their SPF and DKIM implementations. It provides the ability for receiving systems to feed information back to the sending systems, such as details on who is attempting to spoof sender domains. It also enables domain owners to publish policies that can be considered by recipients when handling SPF and DKIM failures.

15 “The Hitchhiker’s Guide to DNS Cache Poisoning,” The University of Texas at Austin, www.cs.cornell.edu/~shmat/shmat_securecomm10.pdf
16 “Spoofed URLs: Homograph Attacks Revisited,” We Live Security, July 14, 2015, www.welivesecurity.com/2015/07/14/spoofed-urls-homograph-attacks-revisited

Figure 2 shows how all these elements work together.

[Figure 2 (diagram): The sending MTA publishes SPF and DKIM records (1) and a DMARC policy (2) in DNS and sends email out with SPF/DKIM. The receiving server looks up both in DNS: if DMARC passes, the email is delivered to the inbox on the email server; if DMARC fails, the receiving server applies the published policy to the email. The receiving server returns an aggregate report to the sender.]

Figure 2. Domain-Based Message Authentication Architecture

While SPF, DKIM and DMARC authenticate that the sending MTA is an authorized, legitimate sender of email messages from a domain, they do not necessarily authenticate that the email message is from a specific individual. Federated identity protocols such as OpenID, SAML and OAuth can authenticate the person to the mail system, but they authenticate a login session rather than the message itself; binding a message to an individual requires end-to-end signatures such as S/MIME or OpenPGP.
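The receiver-side evaluation sketched in Figure 2 and the bullets above is easy to get subtly wrong, so here is an added example (not the paper’s code, nor any vendor’s) of the core logic: evaluating an SPF record against the connecting IP, parsing a DMARC record, checking identifier alignment and turning a failure into the published disposition. The TXT records for example.com are constructed for the example; the DKIM signature itself is treated as an input (valid or not, and which domain signed) because verifying the RSA signature over the canonicalized headers is out of scope here. The organizational-domain helper is a simplification that real receivers replace with the Public Suffix List.

```python
import ipaddress

# Constructed TXT records for the hypothetical domain example.com (not real DNS data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; a real receiver would use a DNSSEC-validating resolver."""
    return DNS_TXT.get(name.lower())


def spf_check(mail_from_domain, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the connecting IP.
    include/a/mx mechanisms need further DNS lookups and are skipped here (treated as no match)."""
    record = lookup_txt(mail_from_domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_policy(from_domain):
    """Parse the _dmarc TXT record into the tags a receiver acts on."""
    record = lookup_txt(f"_dmarc.{from_domain}")
    if not record or not record.upper().startswith("V=DMARC1"):
        return None
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return {
        "p": tags.get("p", "none"),
        "aspf": tags.get("aspf", "r"),    # SPF alignment mode: r(elaxed) or s(trict)
        "adkim": tags.get("adkim", "r"),  # DKIM alignment mode
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua"),           # where aggregate reports go
    }


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, mail_from_domain, sender_ip, dkim_domain=None, dkim_valid=False):
    """Combine SPF, DKIM and alignment as a receiver does, then apply the published policy."""
    spf = spf_check(mail_from_domain, sender_ip)
    policy = dmarc_policy(from_domain) or dmarc_policy(org_domain(from_domain))
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = dkim_valid and dkim_domain is not None and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return {"spf": spf, "dmarc": "pass", "action": "deliver"}
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return {"spf": spf, "dmarc": "fail", "action": action}


if __name__ == "__main__":
    print(dmarc_disposition("example.com", "example.com", "192.0.2.10"))    # authorized relay
    print(dmarc_disposition("example.com", "example.com", "198.51.100.7"))  # spoofed From: domain
    print(dmarc_disposition("attacker.test", "attacker.test", "198.51.100.7"))  # no policy published
```

Two points the code makes that the prose does not: a forged From: header fails DMARC even when the attacker’s own SPF passes, because the pass is not aligned with the From: domain; and a domain that publishes no DMARC record gets "none", which means a receiver will deliver the spoof. That is why the paper’s recommendation to publish records matters as much as verifying them.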

Recommendations
• Deploy DNSSEC for all DNS name servers and validate DNSSEC queries on all systems that receive email.
• To reduce the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
• Publish DKIM signatures and a DMARC policy for your sending domains, and review the DMARC aggregate reports (Figure 2) to find who is spoofing them.


Enforce with Gateway Policy

Policy is a strategic effort to align with what the business needs to protect its information, as evidenced by the organization’s data classification and protection policy, other data governance policies and procedures, and enforcement as defined by regulation and industry. Granted, most organizational email exchanges will be daily, non-structured events, but there will be well-defined, business-specific workflows. Some of these may require email support; others won’t. To develop and implement email policy, you need to know the rules as best you can.

SEG security policies, including reputation and content checks, provide the configurable rules for how the technical controls in the gateway route messages, deliver content and protect against malicious payloads, attachments and URLs associated with a message.17 A SEG usually provides an administrative interface that allows these rules to be defined, created and managed centrally. These policies and checks would normally be applied in progression, starting with sending/receiving policies, moving to reputation checks and then to content policies.

Policies Enforced at Gateway: A SEG with MTA functions can provide augmented security through various methods: inbound filtering of spam, phishing, malicious and marketing emails; outbound DLP; email encryption; and targeted attack prevention, such as sandboxing and web link reputation checks. As with all infrastructure components, however, a SEG needs to be properly configured and maintained in order to provide the protections it offers.

Table 2 lists the major categories that might be applied to an inbound message through a SEG working in conjunction with the user’s endpoint client (whether webmail, a message user agent [MUA] such as Outlook or Thunderbird, or a compatible mobile app) to help reduce the risk of a targeted attack.

Table 2. Policy and Reputation Checks Configured at the Secure Email Gateway

Sending/Receiving (with DNS)
• Inbound lockout that can be based on a specific IP (e.g., IP identified on a real-time blacklist or blackhole list) or domain (e.g., block spoof attempt, reject message if sender address is masquerading as an internal domain address)
• Blocked senders (e.g., external connection totally blocked)
• Permitted senders (e.g., allows message through but bypasses reputation checks and some scanning [not AV] because sender or sender domain is identified as trusted)
• Recipient validation (prevent inbound emails with invalid recipient addresses; blocks spammers that send out numerous emails with guessed addresses or as a result of directory harvesting)

Reputation
• IP reputation checks that compare the sending IP address against externally or internally maintained lists used to identify whether the sending IP address belongs to a sender that allows “open relays” or an ISP that allows spammers to use its infrastructure. Normal categories include:
  - Whitelist (accept message if sender IP is flagged as good)
  - Real-time blacklist or blackhole lists (reject message if sender IP is flagged as known malicious sender)18

Content
• Spam scanning (provide content-based heuristic scanning, identify possible spam, take action if a match is found based on configured policy)
• Virus scanning (signature and heuristic malware detection, reject if malware signature detected)
• Content scanning (examine in terms of context, classify and take subsequent action according to configured DLP rules):
  - Hold for Review
  - Deny and Notify
  - Strip and Link
• Sandbox policy (have attachment execute in sandbox, depending on content scanning and threat detection configured policies)
• Web reputation tools (provide metrics that allow an administrator to analyze whether the URLs embedded in emails are malicious and grant access accordingly); rewrite URLs to a safe format
• Advanced capability: Contextual analysis and classification (identify trends and topics within unstructured data, such as email and email metadata; offers protection against new threats)
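To make the “applied in progression” point concrete, here is an added example (not the paper’s code and not any product’s policy engine) of a minimal gateway decision function that runs the three Table 2 stages in order: sending/receiving (lockout, recipient validation, spoofed internal domain), then reputation (whitelist, blackhole list), then content (antivirus, spam heuristics, sandbox hold). It also implements the one subtlety in the table: a permitted sender skips reputation and content heuristics but never skips antivirus. All addresses, lists, phrases and messages are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration for a hypothetical tenant; every list below is made up for the example.
INTERNAL_DOMAINS = {"example.com"}
VALID_RECIPIENTS = {"alice@example.com", "cfo@example.com", "helpdesk@example.com"}
BLOCKED_SENDERS = [ipaddress.ip_network("198.51.100.99/32")]      # inbound lockout
PERMITTED_SENDERS = [ipaddress.ip_network("203.0.113.0/24")]      # trusted partner relay
RBL = [ipaddress.ip_network("198.51.100.0/24")]                   # constructed real-time blackhole list
REPUTATION_WHITELIST = [ipaddress.ip_network("192.0.2.50/32")]    # known-good sender IP
SANDBOX_EXTENSIONS = (".xls", ".xlsm", ".doc", ".docm", ".js", ".exe", ".scr")
SPAM_PHRASES = ("act now", "verify your account immediately", "wire transfer today")


@dataclass
class Message:
    sender_ip: str
    external: bool                 # True when the connection came from outside the LAN
    mail_from: str
    rcpt_to: str
    subject: str = ""
    body: str = ""
    attachments: list = field(default_factory=list)
    av_detected: bool = False      # result of the antivirus scan, which is never bypassed


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def sending_receiving_stage(msg):
    """Stage 1: lockouts, recipient validation and the spoofed-internal-domain check."""
    if in_any(msg.sender_ip, BLOCKED_SENDERS):
        return ("reject", "sender IP is locked out")
    if msg.rcpt_to.lower() not in VALID_RECIPIENTS:
        return ("reject", "recipient validation failed")
    sender_domain = msg.mail_from.rsplit("@", 1)[-1].lower()
    if msg.external and sender_domain in INTERNAL_DOMAINS and not in_any(msg.sender_ip, PERMITTED_SENDERS):
        return ("reject", "external sender masquerading as internal domain")
    return None


def reputation_stage(msg):
    """Stage 2: a whitelisted IP short-circuits; otherwise consult the blackhole list."""
    if in_any(msg.sender_ip, REPUTATION_WHITELIST):
        return None
    if in_any(msg.sender_ip, RBL):
        return ("reject", "sender IP on real-time blackhole list")
    return None


def content_stage(msg, full_scan=True):
    """Stage 3: antivirus always runs; spam heuristics and sandbox policy only on a full scan."""
    if msg.av_detected:
        return ("reject", "malware signature detected")
    if not full_scan:
        return None
    text = f"{msg.subject} {msg.body}".lower()
    if any(phrase in text for phrase in SPAM_PHRASES):
        return ("quarantine", "spam heuristics matched")
    for name in msg.attachments:
        if name.lower().endswith(SANDBOX_EXTENSIONS):
            return ("hold", f"attachment {name!r} held for sandbox review")
    return None


def gateway_decision(msg):
    """Apply the stages in progression; the first stage that reaches a verdict decides."""
    permitted = in_any(msg.sender_ip, PERMITTED_SENDERS)
    stages = [("sending/receiving", sending_receiving_stage)]
    if not permitted:
        stages.append(("reputation", reputation_stage))
    # permitted senders skip reputation and content heuristics, but never antivirus
    stages.append(("content", lambda m: content_stage(m, full_scan=not permitted)))
    for stage_name, stage in stages:
        verdict = stage(msg)
        if verdict:
            return (verdict[0], stage_name, verdict[1])
    return ("deliver", "content", "all checks passed")


if __name__ == "__main__":
    # Constructed lure modelled on the RSA case described earlier in the paper.
    lure = Message("192.0.2.50", True, "jobs@agency.test", "alice@example.com",
                   subject="2011 Recruitment Plan", attachments=["2011 Recruitment Plan.xls"])
    print(gateway_decision(lure))
```

Note how few of these checks a well-crafted whaling email trips: a clean IP, a valid recipient, a plausible external sender domain and no attachment reach the final "deliver" line, which is exactly the gap the paper says training and click-time controls must cover.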

17 “Magic Quadrant for Secure Email Gateways,” Gartner, June 29, 2015, www.gartner.com/technology/reprints.do?id=1-2IMRSTV&ct=150629&st=sb
18 “Blacklist Basics: The Top Email Blacklists You Need to Know,” ReturnPath.com, https://blog.returnpath.com/blacklist-basics-the-top-email-blacklists-you-need-to-know

The policies and checks outlined in Table 2 should be considered as representative of the types of policies most SEGs provide. Establish rules according to best practices, such as those outlined in the relevant RFCs (RFC 7208 for SPF, RFC 6376 for DKIM and RFC 7489 for DMARC). Keep in mind that terminology and the default rule set(s) will vary across platforms.

Recommendations
• Invest in additional technology that will make the email infrastructure “policy aware,” more dynamic in its interaction with end users and more effective in changing user behavior.
• Such technologies should include attribute-based access control, risk-based authentication, email scanning/security with whitelisting/blacklisting, sandboxing, URL scanning and DLP. Integrate these tools with other processes, such as incident response, to detect and respond to outbound data leakage, malicious URL and attachment links and indicators of compromise across a wide group of email users.
• Email defenses should leverage up-to-date threat intelligence sources, enabling email policies to adapt in real time to current and recent threats, including blacklisting IP addresses of attacking hosts and preventing user access to URLs of malicious domains embedded in email messages.
• Remember that any advanced capabilities need to integrate with the present environment and enforce policy against your networked assets, including on-premises equipment, cloud resources and mobile elements.

Anticipate User Behaviors

Studies have shown that it is possible to educate users about phishing in the real (non-research) world and on a large scale. Research at Carnegie Mellon University (CMU) also concludes that user training should be used as a complementary strategy to technological solutions.19 However, training and awareness efforts related to email-based attacks face challenges: Attackers continue to evolve tactics, creating new, increasingly sophisticated and successful ways to deceive the user, making training seem obsolete as soon as it is developed. The key is determining how to deliver awareness and training in such a way that it keeps users current in their knowledge and helps reinforce their learned behaviors.

19 “School of Phish: A Real-World Evaluation of Anti-Phishing Training,” Carnegie Mellon University, www.cmuchimps.org/publications/school_of_phish_a_real-world_evaluation_of_anti-phishing_training_2009

Email security systems must be able to assist in this training in near real time as employees make mistakes, such as attempting to click a phishing link. People don’t want to wait for information. According to a recent study from Microsoft Corporation, people now generally lose concentration after eight seconds, highlighting the effects of an increasingly digitalized lifestyle on the brain.20 Email systems should protect users from poor decisions by catching them as they click and reinforcing awareness and education by leading them intuitively to the right actions—all within that eight-second window.

Stay User Friendly

The following recommendations, drawn from research on secure user interface design, can help improve awareness and foster secure practices at the user interface:21

• Configure the default state for the email MUA on any endpoint as the secure state. Don’t expect users to read documentation to learn that they must change many settings before sending sensitive attachments securely. Let the default configuration of the client and the policies at the gateway reinforce secure sending policies without user interference.
• Maintain convenience. If operating securely requires too much effort, count on users circumventing or ignoring security measures even while completely aware that they are doing so. For example, email encryption should be a positive experience for users when they can use it easily and understand its value, rather than finding the process difficult and “in the way.”
• Use the interface to encourage users to do things properly by virtue of design. For example, make the icon of a lock clickable to attach a file for encryption.
• Send a warning. Configure the DLP solution to send a warning to the user that he or she is about to attach a spreadsheet containing sensitive information about students, patients or employees.
• Block the errant behavior. Should a user continue despite the warning, the system should be able to prevent the user action and immediately start a trouble ticket or report the issue to the designated managers.
• Help users understand. It is important that users understand the impact a breach can have on other areas of the business, their personal lives and even their own job.22

20 “Goldfish have a better attention span than you, user,” CNET, May 18, 2015, www.cnet.com/news/goldfish-the-actual-fish-not-the-crackers-may-have-a-better-attention-span-than-humans
21 “User Interaction Design for Secure Systems,” University of California at Berkeley, May 2002, www.eecs.berkeley.edu/Pubs/TechRpts/2002/CSD-02-1184.pdf
22 “Improving IT Training Makes Cyberrisk Every Employee’s Responsibility,” Monitor, April 9, 2015, www.riskmanagementmonitor.com/improving-it-training-makes-cyberrisk-every-employees-responsibility

Don’t neglect to put the gateway to work. The email client or webmail must bridge between the technical controls afforded by the infrastructure and the policies managed by the SEG.

For example, the SEG interprets an email or web page differently than the human user perceives the same information. An email may contain a link to http://evilsite.com/ but the link’s text in the email says Apple Web Store. To the secure email gateway, the URL links to a bad site, but from the user’s perspective, it links to Apple’s online store. The user cannot easily tell that the link does not lead to the location they expect until they see the URL in their browser, and the gateway cannot in general determine that the link’s text is misleading (where the visible text is itself a URL or hostname, it can at least compare that text with the real destination). However, the gateway can determine that the link is bad, block execution of the user action and alert the user via the interface that the URL is malicious should the user click on the link.

Protect Users from Themselves

In a similar fashion, the application of sandboxing technology can prevent inadvertent compromise by allowing further inspection of attachments, eliminating potentially malicious payloads by first placing them in a safe, isolated environment that replicates end-user operation, observing what happened and rating the result based on activity rather than attributes. Employees may think they are receiving a spreadsheet with HR information and open the attachment. But the sandbox reviews the attachment first, and if it discovers that the spreadsheet is a weaponized attachment, removes it prior to an employee having the opportunity to fall prey to the attack.


Recommendations
• Incorporate threat intelligence regarding the use of the email clients or webmail into user training and awareness. Help users know what can go wrong and when they should be suspicious.
• Detail, within reason, real or imminent attacks against your organization.
• Communicate the issues that need to and can be addressed in order to motivate users to take the right actions.
• Use news events when you don’t have your own incidents to detail.
• Emphasize the direct result of a failure on a human level.
• Share that attacks that exploit end users are pervasive and that perpetrators are always getting smarter. You can pull examples of attacks from practical examples in the community, attacks experienced in the organization and incidents discovered in vulnerability scans or penetration tests conducted by your enterprise.
• Make users aware of how to react. Provide users with examples of how they should act if they perceive themselves to be under attack. Give them a sense of being able to control a potentially bad situation by knowing what to do.
• Ensure that the security team is aware of the intelligence and recommended actions. Don’t take for granted that the security team, including external groups such as help desk and operations, is fully aware of the issues and how to respond.

Policy Framework Summary

Table 3 summarizes some of the strategies discussed in this paper, relative to threats identified in this paper.

Table 3. Remediation Against Email Threats

Threats
1. Email sent by unauthorized MTA in enterprise (malware botnet)
2. Message sent by unauthorized sender (compromised or stolen credentials)
3. Email sent using spoofed or unregistered sending domain
4. Email sent using forged sending address (phishing, spearphishing)

Framework elements (applying to all four threats)
• Deploy domain-based authentication techniques.
• Establish reputation filtering, blacklist malicious IPs and block malicious URLs.
• Use policies to address spam and other malicious messages and attachments.
• Adopt a defense-in-depth strategy using multiple security solutions.
• Use cloud-based email risk management providers as an enhancement or alternative to internal mail servers to prevent malicious traffic from impacting network performance.
• Use URL rewriting and other threat identification sources to guide policy and improve user awareness at the point of compromise: when users actually click.
• Open email file attachments in a sandbox to verify integrity and block execution if necessary.

Conclusion

Email remains both the most dominant and the most critical form of business communication in today’s connected world. Users employ multiple devices, some of which are mobile, to read, respond to and store email from all over the place, not just behind the gateway on a protected network.

Meanwhile, threats based on social engineering are also evolving, becoming ever more sophisticated and focused. Attackers are less likely to launch IP- or network-based attacks when they can easily and successfully target error-prone humans through well-researched social engineering.

To secure email, we need to take the offensive, not just play defense. We need proactive solutions rather than reactive fixes. Email is an attack vector where training and technology must come together to achieve greater protection:

• Augment written policies with effective user education, awareness and training on how to detect and react in a suspicious situation.
• Reinforce correct human behavior with intuitive technology and automation.
• Ensure that the human, policy, training, technology and network layers work together to prevent malicious links or attachments from making their way to users, to protect email transport and to stop sensitive data leakage.

In addition, email security teams (and the policies and technologies they deploy) must be ready to respond to user mistakes and prevent malicious links and payloads from executing. The system should work with DLP and other technologies to protect sensitive data, identify high-value targets, protect user account information and continually learn and improve its detection, prevention and response capabilities.

About the Author

Barbara Filkins, a senior SANS analyst who holds the CISSP and SANS GSEC (Gold), GCH (Gold), GLSC (Gold), and GCPM (Silver) certifications, has done extensive work in system procurement, vendor selection and vendor negotiations as a systems engineering and infrastructure design consultant. She is deeply involved with HIPAA security issues in the health and human services industry, with clients ranging from federal agencies (Department of Defense and Department of Veterans Affairs) to municipalities and commercial businesses. She focuses on issues related to automation—privacy, identity theft and exposure to fraud, as well as the legal aspects of enforcing information security in today’s mobile and cloud environments.

Sponsor

SANS would like to thank this paper’s sponsor:

Last Updated: February 9th, 2016
