
Rodolfo Saccani, CTO Libraesva

Cyberwarfare is a reality, with evolving geopolitical tensions constantly shaping and modifying the cyber risk for organizations and states.

Cybercrime vs cyberwarfare

Malicious actors have learned to move fast and to capitalize on situations that draw attention and trigger emotions. Cybercriminals take advantage of the tension and fear created by conflict for all kinds of financially-driven swindles, including phishing and ransomware campaigns. Malicious campaigns are now being targeted at a national level, such as those aimed at disrupting infrastructure and the delivery of foreign assistance to Ukraine. In response, national-level computer security incident response teams (CSIRTs) have issued guidelines for mitigating the potential risk of cyber-attacks on companies, institutions, infrastructure, and communication systems at a time of heightened threats.  

However, unlike criminal attacks which capitalize on geopolitical instability, cyberwarfare involves state-sponsored and politically motivated attacks. The US Cybersecurity & Infrastructure Security Agency (CISA) clearly identifies the nations it considers to be advanced persistent threats, and regularly publishes advisories to help organizations reduce risk and build their security capacity.

The EU, UK and US have all imposed sanctions for cyber-attacks (such as against Russia for NotPetya). NATO has established the Cooperative Cyber Defence Centre of Excellence, but a unified doctrine is still lacking.

Some countries, such as France and the UK, have publicly declared that they will respond to cyberattacks with all necessary means, including military action.

Email is where most attacks start

Email is the most used (and abused) communication channel between organizations, which is why this is where most data breaches start. Targeted campaigns are a common attack vector for state actors and politically motivated cybercriminals, and the most common way of weaponizing email is through phishing and malware attacks.

Cyberwarfare doesn’t necessarily leverage topics related to geopolitical tensions or military escalations. Attacks are usually designed by skilled actors who try to stay below the radar, which means dangerous phishing emails may seem quite innocuous, and not what you might expect.

Geoblocking – the logical line of defense

Geoblocking restricts content access based on a user's location. It uses IP addresses, GPS, and end-to-end delay measurement to identify where a user is and either approve or deny access. It is commonly used to protect copyright and licensing, such as preventing US viewers from watching movies on a European streaming site. For email there is no GPS or client-side signal to consult: the only usable location data is the IP address of the SMTP client that connects to your mail server, plus the relay addresses recorded in the message's Received headers.

Geoblocking can also be used to prevent the delivery of content originating from specific states or nations. While bad actors can still route attacks through different countries, this involves additional steps and increases the chances of detection. Geoblocking may not be a silver bullet, but it is a logical measure to take when the risk of attack from certain geographical areas increases.

There are two approaches for geoblocking email:

👈🏼 Rejecting email from certain locations

Rejecting email at SMTP level can be managed by dropping connections (or returning a permanent rejection code) for IP addresses geolocated to a specific country. This simple blocking strategy is cheap in terms of resource usage, since the message body is never accepted, but it does leak information to the potential attacker: they will immediately recognize the block from the refused connection or the error code and change their strategy.

You also have no visibility of what has been rejected: you won’t know if there was any legitimate traffic trying to get through and you won’t be aware of any targeted attack attempts taking place. And as already mentioned, an email originating in a blocked location could have been relayed through other countries.

For some organizations, rejecting traffic from an entire country or countries is feasible, but for others it isn’t, and a more refined approach may be needed. This is where quarantining proves to be the better alternative.

👈🏼 Quarantining email for evaluation

As an alternative to outright rejection, we recommend quarantining as the best approach for preventing email attacks through geoblocking. This involves accepting and analyzing all email, and silently quarantining (not delivering) content from specified locations.

  • Attackers are not alerted to the measures you are taking
  • You can analyze email samples to detect attempted attacks
  • You can investigate the tools and strategies that attackers are using (our analysts can support you with this if you need help)
  • You can define which hop the geo check applies to, whether the last hop (the final relay that is attempting to deliver the email, whose IP address you observe directly) or any of the intermediate hops (which could include countries that the email has been relayed through). Note that intermediate hops are read from Received headers added before the message reached you, and any upstream relay can forge those, so only the last hop is an authoritative signal
  • You have full visibility of all quarantined traffic, so legitimate emails can be released for delivery
  • You can define exceptions, for example, block email from an entire country except when originated from the specific organizations you have established relationships with

Naturally, geoblocking and quarantining are both included in our award-winning Libraesva Email Security solution, as well as threat analysis and remediation, spoofing protection, sandbox defenses, our AI-driven Adaptive Trust Engine and much more.
