Email threats are pervasive. If you’re working in a large organization, you could face millions of attacks a month; in a small organization, hundreds or thousands a month is common. It truly is a numbers game, and this article is designed to help you stack the odds in your favour.
If we look at the universe of threats, they range in both sophistication and volume. At the left side of the graph above, you have the entry-level script kiddies, who don’t really know what they’re doing yet: their attacks are poorly executed and use weaker social engineering. As we move to the middle of the pack, we get more sophistication: spray-and-pray, high-volume attacks, but run in campaigns, with time taken to make sure the spelling is correct, the landing page of the phishing site looks professional, and so on. To the right of the graph you have more refined and often targeted attacks: spear phishing, business email scams where the attacker has done extensive research on the executive branch, and low-volume targeted malware against specific recipients.
Over the last ten years, the graph has shifted. In the early days, attacks were less compelling, didn’t take effective social engineering techniques into consideration, had spelling errors, and so on. But gradually the attackers have improved their tools and their research, and the bulk of attacks has moved to the right in sophistication.
The effect of end-user awareness training is to move your users to the right of the graph. You won’t be able to eliminate all threats from impacting all users, but you can reduce the frequency and probability of impact on any given user. Some users are hard to train and have bad habits. Other users are incredibly cautious already, and training will only help a little.
The purpose of security defences is to reduce the volume of attacks that reach, or can impact, your users. A strong email filtering tool will reduce a lot of the volume on the left end of the graph. Anti-malware is good against volume attacks, but less effective against targeted attacks. Next-gen malware protection (regardless of type: sandboxing, machine learning, etc.) is primarily tasked with protecting against unknown threats, which are increasing in volume and to the left of the graph. You need both. End-user reporting of phishing and email scams, combined with effective, fast response from a security team, can mitigate the impact by blocking attacks at the firewall and filters.
Interestingly, how frequently users check email has a big impact here. If users check email less frequently, then anti-malware vendors have time to issue signature updates, firewall vendors have time to block C&C channels, and users have time to report phishing attacks, so defences can be put in place before the attack hits a high volume of your users.
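The report-then-block loop described above only works as fast as the security team can turn a user's report into blockable indicators. As an added example (not code from the original article), the script below takes a reported message as raw RFC 822 bytes, pulls out the sender domain, URL hosts and attachment hashes, and turns them into a list of block entries. The message is a constructed sample, the `.invalid` domains are placeholders, and the output format is a hypothetical generic one rather than any particular product's rule syntax.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a user-reported phishing message (not a real campaign).
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-mailer.invalid>
To: alice@corp.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in at http://login.example-mailer.invalid/reset?u=alice
--XYZ
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--XYZ--
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_indicators(raw: bytes) -> dict:
    """Parse a reported message and collect the indicators a responder would block on."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    urls, hashes = [], {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            # Hash the decoded payload so the hash matches the file a user would save.
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "unnamed"
            hashes[name] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))

    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})
    return {
        "sender_domain": sender_domain,
        "urls": urls,
        "url_hosts": hosts,
        "attachment_sha256": hashes,
    }


def block_rules(indicators: dict) -> list:
    """Render indicators as generic block entries (hypothetical format, one per line)."""
    rules = []
    if indicators["sender_domain"]:
        rules.append(f"mailfilter block-sender-domain {indicators['sender_domain']}")
    for host in indicators["url_hosts"]:
        rules.append(f"proxy block-host {host}")
    for name, digest in sorted(indicators["attachment_sha256"].items()):
        rules.append(f"endpoint block-sha256 {digest}  # {name}")
    return rules


if __name__ == "__main__":
    for rule in block_rules(extract_indicators(SAMPLE_EML)):
        print(rule)
```

Feeding every user report through something like this, and pushing the resulting entries to the mail filter, proxy and endpoint tooling, is what closes the gap between the first report and the bulk of the campaign landing in inboxes. Hashes of HTML parts and Subject lines are deliberately not used as indicators here, since attackers vary those per recipient.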
If the purpose of the attack is to deliver malware to gain a foothold in your organization, then patching is the last line of defence. The attacker needs to find a vulnerability in Java, Flash, Word, your PDF viewer, or something else. Keeping these software stacks patched, removing administrator privileges to reduce the likelihood of exploitation, and removing unnecessary software altogether all reduce the probability of successful penetration.
Lastly, a thought for smaller organizations. If you don’t have the resources for sophisticated protection and response, sometimes your best option will be to hire someone else to do it for you. It could be a monitoring/filtering service, a hosted email security platform, or something else. But trying to do it all yourself is likely to end in failure.
So, tips summarized:
- Email filtering, anti-malware and next-gen malware protection will reduce the volume of low-quality attacks impacting your organization. Firewalls blocking C&Cs will reduce the impact of infections that do occur.
- End-user education will reduce the probability of lower-quality attacks, and some higher-quality attacks, getting through. Combined with end-user reporting, it can reduce the impact of any attacks that do hit.
- Patching, removing administrative privileges and removing unnecessary software will reduce the likelihood of an attack infecting an endpoint and gaining a foothold in your organization.