In 2020, fearware flooded our inboxes, ransomware stalked our schools, and email account compromises stumped our supply chain. What new tactics and techniques can we expect email attackers to deliver in 2021? Dan Fein, director of email security products at Darktrace, gives his five predictions for security teams.
Supply Chain Fraud Will Overtake CEO Fraud
Time and again, says Fein, security leaders tell him their priority is to protect C-level executives. "If the company is really secure, it's hard [for an attacker] to get to that C-suite," says Fein. The alternative for attackers? "Just go after whoever that company trusts."
Fein says that when attackers can take over the legitimate email account of a trusted third-party supplier, they can net a big return without ever interacting with a C-level executive.
Suppliers and contractors with large client bases may become ever more tempting targets, Fein says. Why work hard to compromise 1,000 companies separately when you can compromise one (and send fraudulent invoices to 1,000)?
There are signs already hinting in this direction. Research earlier this year found spoofing attacks that target the C-suite were decreasing, as attackers increasingly focused on staff in accounts payable departments. And as email account compromise attacks grow more sophisticated – even circumventing multifactor authentication – the type of threat Fein mentions just becomes easier.
Email Security Solutions and Third-Party Gateways That Deploy via MX Records Will Be Phased Out
The second risk on Fein's list is not a threat from attackers but rather a risk posed by your email security tool – or rather, how it's deployed.
Many email security solutions and third-party gateways currently sit right within the mail flow, directing traffic by way of mail exchanger records (MX records), which specify the mail server responsible for accepting email messages.
The trouble with this method isn't really a security problem, Fein says. It's an operational issue. If the security tool sits within the mail flow, he says, it can become a potential obstacle. If something goes wrong with the security gateway – an outage, for example – it can disrupt, or block, the entire flow of mail.
"For a while, you'll have the whole organization complaining," he says. "I don't think anyone thinks security teams, whose job is to mitigate risk, should be in a position like that."
Even when fully functioning, he says, this deployment method can introduce latency, which is becoming less tolerable as remote work becomes more prevalent.
Fein predicts that many email security providers will begin shifting away from this deployment method.
The Life Span of a Phishing Attack Will Continue to Decrease
Once upon a time, attack infrastructure lasted for weeks or months. Darktrace research has found that the average life span of a fraudulent email dropped from 2.1 days in March 2018 to just 12 hours in 2020.
It's a worrying trend for anyone who wants to block malicious IPs, identify indicators of compromise, or attribute attacks to specific threat actors. And Fein thinks it will get worse.
Forget 12 hours. Why not just one use? The affordability of and easy access to Internet infrastructure is driving this trend.
"For very cheap, you can purchase a new email domain," says Fein, "which is a massive part of the attack infrastructure."
And a brand new, fresh-as-a-daisy domain with no malicious activity on its record will pass most email security reputation checks with ease. "You can skirt by [security] all day," he says.
When attackers can use their spare change to buy domains in bulk, "that idea of a single-use domain is where I think the average lifetime of an attack will continue to decrease," Fein says.
And So Attacks Will Continue to Be Yet More Targeted
Attack "campaigns" are being replaced by "one-offs," says Fein. Single-use phishing domains suit and support this cybercrime business model.
The overwhelming, rapid proliferation of fearware this year showed how effective targeted, fear-based phishing lures could be. With so many new websites – legitimate and malicious – spinning up in response to the COVID-19 pandemic, the flood of messages from unknown domains was too much for many security tools to handle.
The sheer availability of information online and across a plethora of social media platforms allows attackers to move from a "spray and pray" approach to sending well-researched, tailored emails that have a considerably higher chance of succeeding. And as the technology becomes available to automate much of this reconnaissance, it is natural to assume attackers will take advantage of these tools.
Ransomware May Lose Some Favor With Money-Motivated Attackers
Ransomware bludgeoned hospitals and schools in 2020, but for attackers going after businesses that have expanded remote working – leaning more on cloud services than centralized, on-premise infrastructure – ransomware might not be the attack method of choice.
Email-borne fraudulent invoices, for example, might be far more popular with the money-minded cybercriminal. They could be quieter and more lucrative, says Fein, "and you're less likely to get the FBI's attention." Successful impersonation of a trusted supplier frequently leads to successful wire fraud. Since these attacks sometimes involve "clean" emails – containing no links or attachments – they skip past legacy security tools with ease.
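The two points above – that a freshly registered domain passes a reputation check "all day", and that a clean supplier-impersonation invoice carries no link or attachment to scan – can be made concrete. The following is an added illustration, not code from the article or from Darktrace's product: it contrasts a blocklist-style reputation verdict with checks that need no prior knowledge of the sender domain (never seen by the organisation, registered days ago, display name matching a known supplier on a different domain). Supplier names, domains, dates and messages are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: one supplier the organisation has mailed for years,
# and three inbound messages (one legitimate, two fraudulent). All names,
# domains and dates are invented for this illustration.
KNOWN_SUPPLIERS = {"Acme Parts Ltd": "acme-parts.example"}
DOMAIN_FIRST_SEEN = {"acme-parts.example": datetime(2016, 3, 1)}
DOMAIN_REGISTERED = {
    "acme-parts.example": datetime(2012, 6, 4),
    "acme-parts-billing.example": datetime(2020, 11, 29),  # registered yesterday
}
BLOCKLIST = {"known-bad.example"}
NOW = datetime(2020, 11, 30)

MESSAGES = [
    {"display": "Acme Parts Ltd", "domain": "acme-parts.example",
     "subject": "Invoice 4471 attached"},
    {"display": "Acme Parts Ltd", "domain": "acme-parts-billing.example",
     "subject": "Updated bank details for invoice 4471"},   # lookalike domain
    {"display": "IT Helpdesk", "domain": "known-bad.example",
     "subject": "Password expiry"},
]

def reputation_verdict(msg):
    """Legacy-style check: block only domains already on a blocklist."""
    return "block" if msg["domain"] in BLOCKLIST else "allow"

def anomaly_findings(msg, now=NOW):
    """Behavioural checks that fire even for a domain nobody has reported yet."""
    findings = []
    d = msg["domain"]
    if d not in DOMAIN_FIRST_SEEN:
        findings.append("domain never seen in this organisation's mail before")
    reg = DOMAIN_REGISTERED.get(d)
    if reg is not None and now - reg < timedelta(days=30):
        findings.append("domain registered less than 30 days ago")
    expected = KNOWN_SUPPLIERS.get(msg["display"])
    if expected and expected != d:
        findings.append(f"display name belongs to {expected}, sender is {d}")
    if "bank" in msg["subject"].lower() and findings:
        findings.append("payment-detail change from an unverified sender")
    return findings

def triage(msg):
    """Hold for review when anomaly checks fire, even if reputation allows it."""
    if reputation_verdict(msg) == "block":
        return "block"
    return "hold" if anomaly_findings(msg) else "allow"
```

The second message is allowed by the reputation check but held by the anomaly checks; the first passes both, and only the third is caught by the blocklist.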
Cybercriminals know all too well the approach used by the majority of email security tools today, and they are finding new ways to skirt by these simple reputation checks. Organizations must prepare now for the next wave of email attacks by turning to a new email security approach capable of neutralizing novel and sophisticated attacks that gateways miss.
Hundreds of organizations have adopted a self-learning approach that doesn't rely on hard-coded rules and signatures, but uses AI to spot unusual patterns in email communications indicative of a threat. As attackers continue to innovate, having an adaptive email security technology that continuously reassesses emails in light of new evidence will be crucial for security teams.