Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/30/2019
02:00 PM
Eyal Benishti
Eyal Benishti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Email Threats Poised to Haunt Security Pros into Next Decade

Decentralized threat intel sharing, more public-private collaboration, and greater use of automated incident response are what's needed to combat phishing

As organizations begin to plan their cybersecurity strategy for 2020 and beyond, email security will certainly be high on leadership's agenda. That’s because phishing attacks continue to increase in sophistication and frequency, and email remains the number one vector for all cyber incidents. In fact, 90% of all cyberattacks begin with email, and the breadth of phishing detection, prevention, and response has become the ultimate SOC team burden.

As such, one thing is clear: Enterprises are losing the email security battle. This unpopular truth exists partially because of the complex email threat landscape. After all, it’s almost impossible for any organization to proactively defend against 130 million phishing attacksper quarter, not to mention the tens of thousands of permutations associated with each. Another contributing factor is the proliferation of payload-less, social engineering-driven phishing, such as business email compromise (BEC) and account take over (ATO), which enable attackers to bypass traditional server-level email security tools and trick human defenses with relative ease.

Presently, when it comes to phishing mitigation, the industry is guilty of holding the same conversations that it’s had for the past several years. Comparing and contrasting secure email gateways. Evaluating both the real and perceived benefits of phishing awareness training. Debating the pros and cons of authentication and encryption protocols. While all three tactics remain popular, they are decreasing in effectiveness.

Thus, as we approach the next decade, it’s time to move away from the trivial arguments of yesteryear and focus on what’s needed to defeat the phish of 2020 and beyond. From decentralized threat intelligence sharing and greater public-private collaboration to automatic incident response and mailbox-level security, these safeguards are better suited to combat the future of anti-phishing because they rely on human and technical controls working together 24/7/365. 

Evolution of email security
Looking back over the past decade, email security has, admittedly, come a very long way. Eight years ago, organizations relied almost entirely on spam filters and antivirus software to protect against Nigerian scams. Eventually, antivirus products were rejected as the sole line of email defense, as attackers found creative and cost-effective ways to defeat these controls.

Phishing technique advancements prompted secure email gateways (SEGs) to enter the market, and this technology remains the most common phishing prevention method. Around the same time as SEGs, security training became part of the corporate lexicon, and employers attempted to gain some advantage over attackers by using employees to identify and corral suspicious messages. 

Unfortunately, attackers responded to the increased employee awareness and SEG technology by creating new attack techniques that bypass common email security controls. In response, many enterprises have added gamification to their security training as a means to bolster employee situational awareness while also implementing authentication and encryption protocols such as DMARC.

While such counter maneuvers are surely effective from time to time, attackers continue to have the upper hand while enterprises look toward 2020 for a silver bullet. Unfortunately, one is not going to appear.  

Email security challenges that elevate risk
The email security industry is in the midst of an intense debate over what technology, standards and protocols can deliver the most protection and reduce the most risk. The common arguments are a bit ironic when considering that successful cyberattacks continue to cost enterprises more than $1 million per incident.

The most common arguments include:

  • Robust email security requires two-factor authentication.
  • Adoption & maintenance of protocols like DMARC are essential.
  • Phishing awareness training should be mandatory for all organizations.
  • Encrypt all email messages.
  • Incident response requires automation. 

While none of these trending arguments are wrong per se, they all assume that email security is some sort of linear challenge that can be eradicated with a singular solution driven by either technology or people. But if history has taught us anything it’s that attackers will evolve and find a way to defeat whatever human and technical controls and enterprise deploys. 

That's why, as we move into 2020 and a new decade, the conversations surrounding email security must evolve from comparing anti-phishing and email security tools, protocols, and trainings to resolving non-phishing email security challenges that are at the center of elevating risk. This includes the need to address SOC burden and educate the next generation of the cybersecurity workforce; decentralizing threat intelligence sharing so that organizations of all resources can protect their assets, promoting ubiquitous interoperability so that solutions can better integrate for analysts; and having an industry-wide agreed upon definition of what actually defines incident response.

Such a transformation of the email security industry will enable organizations to focus on effective anti-phishing techniques that actually address the root causes of the industry’s problems, and not just the effects. For example, by encouraging decentralized threat intelligence, organizations’ SOC teams can have access to hundreds of thousands of trending threats worldwide, allowing them to be proactive in defense instead of reactive. It’s a power of the pack mentality that suggests industry is stronger together than it is apart. 

As it stands now, attackers will continue to have the means and motives to evolve faster and more efficiently than technological advancements. But when human controls and technological controls work together to decentralize threat intelligence, automate rapid response and encourage employee collaboration, their advantage can shrink to a much more manageable level. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Real Reasons Why the C-Suite Isn't Complying with Security."

Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...