AusCERT 2017 - Cyber resiliency that starts with email
- 14 June, 2017 09:47
Mimecast’s Garrett O’Hara spoke at this year’s AusCERT conference on the issue of cyber resilience and how companies, large and small, are being impacted and defrauded through email-born attacks.
One of the tools used by malicious parties, said O’Hara, is the information companies make public. Much of the intelligence gathering by threat actors is done by simply visiting company websites, LinkedIn and other online sites where companies provide useful information such as corporate structure, executive names and contact details. That data is correlated and used to target and execute attacks with untraceable crypto-currencies used as the way to steal funds.
According to data from PhishMe, 91% of attacks start with phishing emails, said O’Hara.
“If you think about all the other attack vectors, they’re harder and leave you to more exposure. Email is ridiculously easy,” said O’Hara.
While the idea of resilience isn’t new, said O’Hara, but cyber resilience takes a different perspective.
“You can do your best to protect an organisation but you’ve really got to think and assume you’re going to be attacked. What are you going to do? What’s going to happen during that event? What’s going to happen after that event?”.
O’Hara said it will bring together information security, business continuity and data resilience together.
Incidents can be started in a number of different ways. While malicious intent is often at the top of the list when it comes to risk, O’Hara noted last year’s outage of the Telstra cellular network was caused by human error and technical failures when equipment fails such as a firmware error that affected Salesforce’s storage arrays.
“The goal of cyber resilience is uninterrupted business,” said O’Hara.
One of the benefits of the shift to cloud, said O’Hara, is the ability to “hyperscale”. This is infinite expansion of resources to support new and growing business needs. For resilience, this means you can take advantage of cloud technologies to provide multiple tools, at a lower cost and faster deployment time than before, to verify your email is safe before it reaches user inboxes.
“There’s a limit you will hit with an on-prem solution where that borders on impossible,” he said.
Also, it’s possible using cloud solutions to deliver services with 100%, or very close to 100%, uptime.
Traditional anti-virus and anti-spam is “falling apart” said O’Hara. While there is still some value in those solutions they are no longer enough. While perimeter protection is still needed, there needs to be increased focus on endpoints.
That requires deep analysis of the content of emails to test URLs, for example, and validate that they don’t direct users to websites that expose them to other threat vectors. Similarly, whaling attacks, that might contain anything other than plain text instructions, are also a challenge. The signature and trust-based systems employed by anti-virus and anti-span systems can’t handle those. But solutions that leverage the cloud, with multiple analysis engines have a better chance of filtering those emails and protecting users.
O’Hara also suggested systems can be used to introduce “speed bumps” so users are made aware when they are exposed to potentially dangerous messages so their awareness of the risks can be heightened.
Other techniques O’Hara advocated were sandboxing, to test email payloads and simulate user actions right down to mouse movements, as well as PDF flattening so potentially harmful files are made innocuous before they are received by users.
As threat actors become better at their craft, it is important that the protections we put in place enable users to work safely without their productivity being adversely impacted.