email monster

Phishing remains one of the most acute problems in corporate information security, and the hardest part is that the human factor plays the key role in countering it. At Oxygen, we have developed a two-pronged approach to combating malicious emails and the tendency of employees to visit malicious look-alike sites. That approach is what I will share in this post.
My two previous posts covered cloud protection mechanisms in general and, in particular, connecting external services to counter DDoS and web attacks. Naturally, questions about phishing followed, and they were the right questions. After all, even if we have foreseen everything, installed a powerful alarm system and hung electronic locks on the doors … and then the tenant himself texts the password to the burglar, it becomes extremely difficult to prevent the crime.
The same is true of phishing. According to our partner Fishman, between 65 and 85% of untrained employees consistently follow fake links, fill out phishing forms and hand the keys to the apartment where the money is kept (here, corporate accounts) to the attackers themselves. Phishing can nullify every protection you use and throw it overboard.
Research shows that phishing is on the rise, so protecting against this scourge requires taking measures, and we are convinced that it is logical to approach it from two sides at once.

Automated protection
First of all, you can and should install a filtering gateway so that emails go through a thorough check before they reach employees' mailboxes. Modern solutions can significantly cut off both mass mailings and BEC attacks (Business Email Compromise: a targeted attack in which the attacker initiates email correspondence on behalf of another employee, including a superior, or of a representative of a partner company). Moreover, at the gateway level it is possible to filter content and neutralize the so-called MailSploit vulnerabilities, which can potentially give access to the computers of victims who open specially crafted messages.

Detection technologies
Sender authentication and typical indicators
SPF, DKIM and DMARC: these sender authentication mechanisms, together with dozens of indicators typical of phishing messages, make it possible to detect spoofing and the other substitutions used in phishing attacks.
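To show what "aligned" authentication means at the gateway, here is an added Python example (not code from the original post or from Oxygen) that reads the Authentication-Results header written by our own MX and checks whether an SPF or DKIM pass actually backs the domain the user sees in From:. The two sample messages are constructed for the example; the two-label organizational-domain rule and the header format are assumptions, since real DMARC code consults the Public Suffix List.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass and both align with the From: domain.
ALIGNED_MSG = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=billing@partner.example;
 dkim=pass header.d=partner.example
From: Alice <alice@partner.example>
To: bob@example.net
Subject: Invoice 1042

Please find the invoice attached.
"""

# Constructed sample: SPF passes, but for the sender's own bounce domain, and there is
# no DKIM signature, so nothing vouches for the partner.example address the user sees.
SPOOFED_MSG = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.invalid;
 dkim=none
From: CEO <ceo@partner.example>
To: bob@example.net
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real DMARC code consults the Public Suffix List."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def evaluate_dmarc(raw_message):
    """Check whether the From: domain is backed by an aligned SPF or DKIM pass
    (relaxed alignment, i.e. organizational domains must match)."""
    msg = email.message_from_bytes(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # Collapse folded header lines. Only Authentication-Results added by our own MX
    # may be trusted; any such header arriving from outside must be stripped at ingress.
    ar = " ".join(msg.get_all("Authentication-Results", []))
    ar = re.sub(r"\s+", " ", ar)

    spf = re.search(r"\bspf=(\w+)", ar)
    spf_dom = re.search(r"smtp\.mailfrom=([^;\s]+)", ar)
    dkim = re.search(r"\bdkim=(\w+)", ar)
    dkim_dom = re.search(r"header\.d=([^;\s]+)", ar)

    spf_aligned = bool(
        spf and spf.group(1) == "pass" and spf_dom
        and org_domain(spf_dom.group(1).rpartition("@")[2]) == org_domain(from_domain)
    )
    dkim_aligned = bool(
        dkim and dkim.group(1) == "pass" and dkim_dom
        and org_domain(dkim_dom.group(1)) == org_domain(from_domain)
    )
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, evaluate_dmarc(raw))
```

The second message is the common spoofing pattern: SPF is technically "pass" because the attacker controls the bounce domain, yet neither result aligns with the displayed From: domain, so the gateway should treat it according to the partner's DMARC policy rather than the bare SPF verdict.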
Domain name analysis
Attackers use domain names that resemble the domains of well-known reputable companies or of organizations the target company is in constant contact with. At the gateway level, such “similarity” can be tracked and the messages involved subjected to closer scrutiny.
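One way a gateway can score such "similarity", as an added Python example rather than the post's own code: decode punycode so homoglyphs become visible, reduce each label to a plain-Latin skeleton, and compare it with the brands the organization trusts by edit distance, while also catching a trusted name embedded as a subdomain or hyphenated token. The trusted list, the confusables table and the two-label registrable-domain rule are assumptions made for the example.

```python
import unicodedata

# Constructed list of domains the organization corresponds with.
TRUSTED = {"paypal.com", "microsoft.com"}

# Characters commonly swapped for Latin letters in look-alike domains (assumption:
# a small hand-picked set; production code would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "$": "s",
})


def to_unicode(host):
    """Decode punycode (xn--) labels so homoglyphs become visible; pass Unicode through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(label):
    """Reduce a label to a plain-Latin 'skeleton' so visually similar spellings collide."""
    s = unicodedata.normalize("NFKD", label).casefold()
    s = "".join(c for c in s if not unicodedata.combining(c))   # drop accents
    s = s.translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Classic edit distance; short enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, trusted=TRUSTED):
    """Return 'trusted', 'unknown', or a 'lookalike:<reason>:<brand>' verdict."""
    host = to_unicode(host).rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    # Registrable domain approximated as the last two labels (real code: Public Suffix List).
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return "trusted"
    sld = labels[-2]
    for brand in sorted(trusted):
        brand_sld = brand.split(".")[0]
        # Brand used as a subdomain or hyphenated token, e.g. paypal.com.verify-login.invalid
        if brand in host or brand_sld in labels[:-2] or brand_sld in sld.split("-"):
            return f"lookalike:embedded:{brand}"
        # Homoglyph, digit swap or one-character typo of the brand label
        if levenshtein(skeleton(sld), skeleton(brand_sld)) <= 1:
            return f"lookalike:similar:{brand}"
    return "unknown"


if __name__ == "__main__":
    for h in ("www.paypal.com", "paypa1.com", "rnicrosoft.com",
              "paypal.com.account-verify.invalid", "github.com"):
        print(f"{h:40} {classify_domain(h)}")
```

A "lookalike" verdict is a reason to score the message up and inspect it, not proof of fraud on its own: an edit distance of one also matches legitimate domains, which is why the post speaks of closer scrutiny rather than outright rejection.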
IP Address Reputation
There are many databases and reputation systems covering sender domains and source IP addresses. We connect them to the protection system to spare email users from phishing and, incidentally, from spam too.
MailSploit Protection
Many email solutions do not consider MailSploit vulnerabilities a bug and advise dealing with such abuse “at the gateway”. Well, that is what we do! Moreover, the presence of a MailSploit attempt in a message is a direct indication that the message is probably part of a phishing attack. So, if you are using a modern mail gateway, attempts to MailSploit your systems work against the intruders and help detect phishing activity.
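The gateway check this describes comes down to looking inside RFC 2047 encoded words in the sender headers, which is where such messages hide control characters and a second address. The following Python is an added example, not Oxygen's or the post's own code; the findings it reports and the two constructed header values are assumptions made for the illustration.

```python
import base64
from email.header import decode_header

# Control characters that have no business inside a display name; MailSploit-style
# messages smuggle them through encoded words so that a client truncates or
# re-parses the header after decoding and shows a different sender.
CONTROL = {"\x00": "NUL", "\r": "CR", "\n": "LF"}


def inspect_sender_header(value):
    """Return a list of findings for a From:/Sender:/Reply-To: header value.
    An empty list means nothing suspicious was found inside its encoded words."""
    findings = []
    for chunk, charset in decode_header(value):
        if charset is None:
            continue                      # plain text, not an encoded word
        try:
            text = chunk.decode(charset, errors="replace")
        except LookupError:
            findings.append(f"undecodable charset {charset!r} in encoded word")
            continue
        for ch, label in CONTROL.items():
            if ch in text:
                findings.append(f"{label} byte inside encoded word")
        # Encoded words belong in the display name only; an address or angle
        # brackets inside one means the visible sender differs from the real one.
        if "@" in text:
            findings.append("address-looking text hidden inside encoded word")
        if "<" in text or ">" in text:
            findings.append("angle bracket hidden inside encoded word")
    return findings


# Constructed test inputs (not real messages): a normal encoded display name, and
# one shaped like the MailSploit pattern, with a NUL byte after a fake address.
NORMAL_FROM = "=?utf-8?q?Alice_Smith?= <alice@partner.example>"
_hidden = base64.b64encode(b"ceo@partner.example\x00").decode("ascii")
SUSPECT_FROM = f"=?utf-8?b?{_hidden}?=@sender.invalid"


if __name__ == "__main__":
    print("normal :", inspect_sender_header(NORMAL_FROM))
    print("suspect:", inspect_sender_header(SUSPECT_FROM))
```

Run the check over From:, Sender: and Reply-To: before any reputation or content scoring; a non-empty result is, as the post says, evidence of a deliberate attack rather than a formatting accident, so it belongs in the quarantine and alerting path rather than a mere spam score.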
Machine learning
Alas, phishing mailings are not always mass mailings. Complex campaigns targeting specific user groups and employees of specific organizations have recently become increasingly common. Machine learning algorithms are used to block non-standard and especially targeted phishing attacks. What is especially important, recognition is synchronized at the global level: the signs of an attack identified for one user are applied to the entire client base, which makes the defense work faster.
BEC attack detection
It must be admitted that BEC attacks, which exploit the trust between colleagues and business partners, are the most dangerous type of spear phishing. We use gateway-level protection against BEC attacks based on a comprehensive analysis of incoming messages; in particular, the same machine learning algorithms are used for this.

How to install?
The gateway can be installed in various ways. But since we are a cloud provider, we offer either a SaaS service or the installation of a virtual appliance directly in front of the client's mail server. These two installation options suit different situations. The cloud service is a good fit for those who use “mail from the cloud”, while the virtual appliance guarantees throughput for large message flows and can be integrated with already deployed security tools and SIEM systems for centralized security management.

Each option is available by subscription: instead of paying for an annual license up front, you can evaluate the solution and pay for its operation monthly.

Automated learning
However, even 99.999% protection does not rule out a few phishing messages penetrating your network and landing in the mailbox of the very employee who is sitting and waiting for Wildberries to email about the best sale on rocking chairs. And never mind that the email somehow arrived at a corporate address: it has to be opened as soon as possible!

That is why phishing, where the human factor matters so much, must at the same time be approached from the side of employee training. And here the dilemma most often arises: how to carry it out?
Popular options include:
Distributing job descriptions and manuals, which no one will read, so that is a waste of time.
Webinars on countering phishing, which employees leave running while playing solitaire.
Face-to-face lectures, where you can get a good sleep.
Introducing fines and punishments, which everyone starts to fear only once they have already been fined.
In my opinion, the only effective solution is to automate the process of training employees and testing the infrastructure for vulnerability to phishing attacks.

We at Oxygen provide a platform (as a service) for organizing phishing practice mailings. Based on the results, you can assess how badly phishing could hit your company, analyze how many people fell for the practice mailing, and carry out targeted work on the mistakes. For the especially gifted, re-training functions are available: a whole set of courses with follow-up tests is ready for this.
It is convenient that the testing and training platform can be branded in the corporate style so that employees do not feel that an outsider is teaching and auditing them. In this way, anti-phishing becomes a corporate norm and part of the corporate culture.

It’s better to prepare (than deal with the consequences)
The dual approach to combating phishing is fully justified, given that today the intensity of such attacks is growing, and social engineering methods are becoming more sophisticated.

If we talk numbers, statistics from already implemented projects show a 70% decrease in the frequency of phishing incidents after a month of working with the corporate employee training platform. And used together with a properly configured mail security gateway, such a solution reduces the threat to practically nothing.
In principle, such a scheme can be implemented entirely on-prem. But recently more and more customers want this kit from us, because the cloud model lets both components be delivered as a subscription and/or cloud service, which means less burden on the budget and a lower cost of maintaining the solutions.