How Many Layers Does Your Email Security Need?

At least one more layer than the attacker can defeat. Here's how to improve your odds by turning on little-used or newer capabilities to block email-targeted malware.

Most IT people find email gateways justifiably boring. They’ve been around almost as long as email, after all. Everybody has one. You probably only notice them when they miss obvious spam or block legitimate mail.  For everything else, you probably figure email gateways are all pretty much the same, and as long as you checked the box, you are free to think about something else. Out of sight, out of mind, right?

The only problem is, that’s likely completely wrong.

If your email gateway rarely catches your attention, it’s likely because it is so easily and completely fooled by targeted threats that it never lets out a whimper. Ask yourself this: how would you know if your email gateway was missing new custom malware?

Consider the current state of the threat environment your email gateway faces. In addition to phishing and mass malware attacks distributed via botnets -- which are pretty easy to see and interdict at the gateway -- we have targeted attacks using new malware. According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks. Targeted attacks are built precisely to evade the traditional methods most email gateways use to block unknown malware. Each of those methods has a blind spot:

● AV engines may miss attacks because they use new or highly obfuscated malware, for which no signature exists.

● Spam filters may miss attacks because they are one-off, low volume, or they have few suspicious traits to analyze.

● Sender reputation filters often miss attacks that come from newly created or spoofed email addresses, or from IP addresses with no "bad" history.

● Blanket policy rules that block all unusual and risky email attachment types (such as .EXE and .LNK) cannot be used on the malicious .DOC, .PDF, .XLS, and .PPT files favored by targeted attacks, as these are common business documents.

● URL filters may miss attacks because the malicious URL is hidden inside a PDF file, or within macros hidden inside document files.

● Web scanners are sometimes evaded by sending a harmless URL, but then placing malicious code behind the URL later after it has already passed the gateway.

Even newer methods such as sandboxing are limited in their protection against targeted malware. Targeted malware often contains countermeasures that delay execution until the sandbox gives up, or that detect a virtual machine environment and simply stay dormant inside it.

Let’s return to the earlier question, “How would you know if your email gateway was missing new malware?” There are several methods of varying efficacy. You might have endpoint whitelisting that spots something unusual. An Endpoint Detection and Response (EDR) solution is another method growing in popularity. Perhaps you get breached and conduct a forensic investigation back to the patient-zero compromised user account, time and date.

The news isn’t all bad. There are some advanced techniques that secure email gateways can use to block obfuscated, targeted PDF and Microsoft Office docs. No single technique is completely effective, but the more of these you can leverage, the better your chances.

First off, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are designed to authenticate the sending domain, protecting against spoofed emails that appear to come from a trusted sender. However, very few organizations bother to turn these checks on for inbound mail. Be sure to publish SPF, DKIM, and DMARC records for your own domains as well, so that other gateways can authenticate the mail you send.
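The part of this that gateways most often get wrong is alignment: SPF or DKIM passing for some domain is not enough, the domain that passed has to match the one in the From: header the user actually sees. The following is an added example written for this page, not code from the article or from any product; it assumes the DMARC TXT record has already been fetched from `_dmarc.<from-domain>`, that SPF and DKIM have already been evaluated, and it approximates the organizational domain by the last two labels (a real receiver consults the Public Suffix List):

```python
"""Added example (not from the article): how a receiving gateway turns SPF and
DKIM results into a DMARC disposition for the domain in the From: header.

Assumptions: the DMARC record has already been fetched from _dmarc.<from-domain>,
SPF and DKIM have already been evaluated, and the organizational domain is
approximated by the last two labels (a real implementation consults the
Public Suffix List)."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("malformed DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    # Simplification: registrable domain = last two labels (see module docstring).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str   # d= tag of a passing DKIM signature, "" if none


def dmarc_disposition(from_domain: str, record: Optional[str], auth: AuthResults) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject'.

    SPF or DKIM passing is not enough: the domain that passed must also align
    with the From: header domain, otherwise an attacker passes SPF for a domain
    they control while the user sees yours."""
    if record is None:
        return "none"          # no policy published: receiver applies its own rules
    tags = parse_dmarc(record)
    spf_aligned = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_aligned = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass"
    # pct= (default 100) lets domain owners sample; this example applies p= to
    # every failing message, which is what pct=100 means.
    return tags["p"]


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Legitimate bulk mail: SPF passes for a subdomain; relaxed aspf accepts it.
    legit = AuthResults(True, "bounce.example.com", False, "")
    # Spoof: the attacker's own domain passes SPF but does not align with From:.
    spoof = AuthResults(True, "attacker.example", False, "")
    # Third party signing with its own d= under strict adkim: not aligned.
    esp = AuthResults(False, "esp.example", True, "news.example.com")
    for label, auth in (("legit", legit), ("spoof", spoof), ("esp", esp)):
        print(label, dmarc_disposition("example.com", policy, auth))
```

The `esp` case is the one that bites in practice: a newsletter provider signing with its own `d=` domain passes DKIM but fails strict alignment, so the domain owner either relaxes `adkim` or has the provider sign with a key under the owner's domain.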

Secondly, your gateway needs to extract and explode every element of an email attachment so that it can be analyzed deeply for malicious intent. There could be executables or macros hidden inside Office documents, exploit code hidden inside PDFs, or JavaScript inside a .ZIP file. Deep analysis rules can then score every trait of a file for risk. Risk points can be assigned for hundreds of reasons, including the presence of obfuscation, encryption, known exploit patterns, and malformed structures that suggest a buffer overflow attempt. Together these produce a statistical picture of a file's malicious intent that can block never-before-seen malware. In many ways this is more robust than sandboxing, because it does not depend on a fragile execution environment or on the finicky timing of file execution. Better still, the very techniques used to evade or obfuscate end up exposing the malware to deep analysis rules.
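What "explode and score" looks like in code, as an added example for this page rather than anything from the article or from a vendor: the attachment is dispatched on its content rather than its claimed file name, containers (including .docx/.xlsx, which are ZIP files) are opened recursively with a depth cap, risky PDF constructs are matched only after undoing `#xx` name escapes so the obfuscation itself becomes a scored trait, and the traits are summed against a threshold. The weights, threshold and sample attachments are constructed for illustration.

```python
"""Added example (not from the article): recursively "explode" an email
attachment and score its traits for risk. Weights, threshold and the sample
files are constructed for illustration, not taken from any product."""
import io
import re
import zipfile

MAX_DEPTH = 3              # refuse to recurse forever into nested archives
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1")
WEIGHTS = {                # assumption: illustrative risk points per trait
    "ooxml_macro": 50,     # word/vbaProject.bin inside an Office Open XML container
    "executable": 50,      # member starts with the PE 'MZ' signature
    "script": 50,          # script file by extension (e.g. JavaScript in a .ZIP)
    "nested_archive": 15,  # archive inside an archive
    "archive_too_deep": 50,
    "pdf_javascript": 40,  # /JavaScript or /JS action
    "pdf_openaction": 20,  # runs an action as soon as the document opens
    "pdf_launch": 50,      # /Launch can start an external program
    "pdf_embedded_file": 20,
    "pdf_encrypted": 10,   # encrypted streams hide content from scanners
    "pdf_obfuscated_name": 25,  # /J#61vaScript-style hex escapes in names
}
BLOCK_THRESHOLD = 50


def inspect_pdf(data: bytes) -> set:
    """Match risky PDF constructs after undoing #xx name escapes, so that the
    obfuscation becomes a scored trait instead of an evasion."""
    traits = set()
    norm = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    if norm != data:
        traits.add("pdf_obfuscated_name")
    checks = {b"/JavaScript": "pdf_javascript", b"/JS": "pdf_javascript",
              b"/OpenAction": "pdf_openaction", b"/Launch": "pdf_launch",
              b"/EmbeddedFile": "pdf_embedded_file", b"/Encrypt": "pdf_encrypted"}
    for needle, trait in checks.items():
        if needle in norm:
            traits.add(trait)
    return traits


def inspect(data: bytes, name: str = "", depth: int = 0) -> set:
    """Dispatch on content, not on the claimed file name, and recurse into
    containers (OOXML documents are ZIP files, so .docx/.xlsx land here too)."""
    if depth > MAX_DEPTH:
        return {"archive_too_deep"}
    traits = set()
    if name.lower().endswith(SCRIPT_EXT):
        traits.add("script")
    if data[:2] == b"MZ":
        traits.add("executable")
    if data.startswith(b"%PDF"):
        traits |= inspect_pdf(data)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        if depth > 0:
            traits.add("nested_archive")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):
                    traits.add("ooxml_macro")
                traits |= inspect(zf.read(info), info.filename, depth + 1)
    return traits


def verdict(data: bytes, name: str = "") -> tuple:
    """Return (decision, score, sorted traits) for one attachment."""
    traits = inspect(data, name)
    score = sum(WEIGHTS.get(t, 0) for t in traits)
    return ("block" if score >= BLOCK_THRESHOLD else "allow", score, sorted(traits))


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware).
BENIGN_DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCX = build_zip({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\0" * 32})
NESTED_EXE = build_zip({"invoice.pdf.zip": build_zip({"invoice.pdf.exe": b"MZ" + b"\x90" * 64})})
JS_IN_ZIP = build_zip({"scan_0042.js": b"var sh = new ActiveXObject('WScript.Shell');"})
PDF_JS = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /J#61vaScript /JS (app.launchURL('http://example.invalid/x')) >> endobj\n%%EOF")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"

if __name__ == "__main__":
    for label, blob in (("benign.docx", BENIGN_DOCX), ("report.docm", MACRO_DOCX), ("invoice.zip", NESTED_EXE),
                        ("scan.zip", JS_IN_ZIP), ("malicious.pdf", PDF_JS), ("benign.pdf", BENIGN_PDF)):
        print(label, verdict(blob, label))
```

Note the depth cap: an analyzer that recurses into archives without a limit is itself a denial-of-service target, so "too deep to inspect" is treated as a blocking trait rather than as a pass.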

Finally, it is essential to ensure URLs are scanned at time of click. In practical terms, this means that URLs contained in emails must be rewritten with pointers that force them to go through a cloud-based web gateway whenever they are clicked upon. This ensures security scans at any time, and on any device the recipient uses to read email, including mobile devices. 
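Below is an added example of the rewriting scheme just described, written for this page and not taken from the article or any product. The gateway host, HMAC key, sample message and blocklist are all hypothetical. Each link is replaced at delivery by a pointer to the click gateway carrying the original URL and an HMAC over it, so the gateway can verify the pointer before redirecting and cannot be abused as an open redirector; at click time the decision uses whatever intelligence is current, which is what catches a URL that was harmless when the mail passed the gateway (the case described above where the payload is placed behind the link later):

```python
"""Added example (not from the article): URL rewriting for time-of-click
scanning. Links are replaced at delivery by a signed pointer to a click
gateway; at click time the gateway verifies the signature, recovers the
original URL and applies *current* intelligence.

Assumptions: the gateway host, HMAC key, sample body and blocklist are
hypothetical; in production the key is rotated and the click check consults
live reputation and web-scanning services rather than a static set."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://clickgate.example/v1/redirect"   # hypothetical click gateway
KEY = b"rotate-me-replace-with-32-random-bytes"      # hypothetical shared secret
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _sign(token: str, recipient: str) -> str:
    # Binding the recipient into the signature means a leaked link cannot be
    # replayed as another user's click, and forged pointers fail verification,
    # so the gateway cannot be used as an open redirector.
    return hmac.new(KEY, f"{token}|{recipient}".encode(), hashlib.sha256).hexdigest()


def wrap_url(url: str, recipient: str) -> str:
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{GATEWAY}?{urlencode({'u': token, 'r': recipient, 's': _sign(token, recipient)})}"


def rewrite_body(body: str, recipient: str) -> str:
    """Gateway side at delivery: replace every URL in the (plain-text) body."""
    return URL_RE.sub(lambda m: wrap_url(m.group(0), recipient), body)


def unwrap_url(wrapped: str) -> str:
    """Gateway side at click time: verify the signature, then decode."""
    q = parse_qs(urlsplit(wrapped).query)
    token, recipient, sig = q["u"][0], q["r"][0], q["s"][0]
    if not hmac.compare_digest(sig, _sign(token, recipient)):
        raise ValueError("bad signature: link was forged or tampered with")
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def resolve_click(wrapped: str, blocklist: set) -> tuple:
    """Return ('allow'|'block', original_url) using intelligence available now,
    which may be newer than anything known when the mail was delivered."""
    url = unwrap_url(wrapped)
    host = (urlsplit(url).hostname or "").lower()
    return ("block" if host in blocklist else "allow", url)


# Constructed sample message; both URLs are fictitious.
SAMPLE_BODY = ("Hi, the invoice is at https://files.partner.example/inv/2031.pdf - "
               "please confirm at http://login-portal.example/verify?acct=1 today.")

if __name__ == "__main__":
    delivered = rewrite_body(SAMPLE_BODY, "alice@corp.example")
    print(delivered)
    # Hours later the second host is flagged; the click is still caught.
    for link in URL_RE.findall(delivered):
        print(resolve_click(link, {"login-portal.example"}))
```

Two caveats a practitioner would add: rewriting only the plain-text body is a simplification (HTML parts need their `href` attributes rewritten, and DKIM signatures on the original message are necessarily broken by any body modification, so the gateway must re-sign if it forwards externally), and the recipient binding means forwarded links will fail verification by design.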

So, how many layers does your email security need?

Email is a hotbed of hacking innovation. Traditional or incompletely implemented secure email gateways make you vulnerable to targeted attacks. Organizations can improve their odds markedly by turning on little-used or newer capabilities to block targeted malware.  

You always need at least one more layer of email security than the attacker can defeat.

Chris Harget is a 20-year veteran in the IT security industry as a product manager and product marketing manager for leading innovators such as Trustwave, Blue Coat, Citrix and McAfee. He has trained thousands of technology professionals on desktop, network, email, web and ...

User Rank: Author
6/6/2016 | 3:33:47 PM
Re: Could you send that email again? I never got it.
Lots of useful tactics in your comment.

Blocking all attachments goes too far, for most users we talk to.

Too much of their business (with insiders and outsiders) uses email to send docs. Add in the risk of email account takeover of a trusted business partner, and they really need a way to deeply scan office docs and PDFs for new, one-off, targeted malware. 
User Rank: Ninja
6/6/2016 | 1:55:39 PM
Could you send that email again? I never got it.
Here are just a few things your email gateway should include...

Challenge / Response
Reject All File Attachments
Strip HTML
Strip URLs
Spoof Filtering
Reverse DNS Mismatch Check
GeoIP Filtering
Word based filtering
SPF Filtering
Heuristic Filtering
Bayesian Filtering
MX Lookup Verification
Mime Header Check
IP Reputation Check
Open Relay Check
Signature Matching

Joe Stanganelli,
User Rank: Ninja
6/6/2016 | 12:03:45 PM
The spam industry
"According to the 2016 Trustwave Global Security Report (registration required), 54% of inbound email is classified as spam, down from 85% in 2010. Cyber criminals have realized that email gateways are quite capable of blocking generic spam and have moved to different techniques, including targeted attacks."

I wouldn't say that that's the only -- or even the most significant -- cause.  I think it has more to do with how the spamming industry has changed dramatically over the past six years, being whittled to a shadow of its former self by in-fighting and better enforcement.  Brian Krebs has written on this in depth in his book, Spam Nation.