Cyber-war and Email communications
Cyber-war is a reality. Ever-evolving geopolitical tensions shape the cyber risk faced by organizations and states.
The quick escalation of the current war in Europe has led national CSIRTs (Computer Security Incident Response Teams) to issue guidelines for mitigating the risk of cyber-attacks against companies, institutions, infrastructure and communication systems.
Email is the most used (and abused) communication channel between organizations, and most breaches start with an email. Targeted campaigns are a common attack vector for state actors and politically motivated cybercriminals, and the most common way of weaponizing email is phishing and malware delivery.
We expect the “usual” malicious actors to quickly exploit this tension, and the fear it brings with it, for all kinds of financially motivated scams, phishing and ransomware campaigns.
They have learned to move fast and to abuse whatever topic draws attention and triggers emotions. They did it effectively with the pandemic, and they have already started to use this new topic.
We anticipate a high volume of malicious campaigns on this theme, but that is not the activity that most worries the CSIRTs. They are not referring to the usual financially motivated cybercriminal gangs changing the theme of their campaigns once again; they are mostly worried about state-sponsored and politically motivated attacks against critical infrastructure and organizations.
Such attacks will not necessarily leverage topics related to the geopolitical tensions or to military escalation. They will mostly be designed by skilled actors who try to stay below the radar and hit their victims with targeted campaigns. In other words, the most dangerous phishing emails won’t necessarily look like what you expect.
Geo-blocking is one of the tools that can be used to reduce the attack surface for email attacks originating from specific countries.
Attackers can, of course, route their attacks through other countries, but this takes additional steps and increases the chances of the attack being detected.
Although geo-blocking is not a silver bullet, it can be a rational mitigation measure when the geopolitical situation increases the likelihood of attacks from certain geographical areas.
Every organization has its own needs. Some organizations frequently exchange email with certain countries, others don’t. For some organizations plainly blocking traffic from some countries is feasible; for others it isn’t, and a more elaborate approach is needed.
Possible strategies about geo-blocking email
You have basically two strategies for geo-blocking email: rejecting and quarantining.
Rejecting at the SMTP level means dropping connections from IP addresses that belong to a specific country. It is simple and cheap in terms of resources, but it leaks information to the potential attacker: they will immediately know that you are using this mitigation and will change strategy.
Rejecting has another disadvantage: you have no visibility into the email traffic you rejected. You don’t know whether there was legitimate traffic among it, and you don’t learn about targeted attack attempts.
Finally, rejecting relies on the geolocation of the connecting IP address, which is sub-optimal: the email may have been relayed through a country you are not blocking even though it originated in a country you would like to block.
Quarantining, on the other hand, means accepting and analyzing all email, but silently quarantining (not delivering) email from specific origins.
One advantage of quarantining over rejecting is that, by accepting the traffic, you leak no information to the potential attacker.
Quarantining also gives you full visibility into the blocked traffic: you can analyze the samples to detect attack attempts and investigate the tools and strategies the attackers are using (our analysts are always here to help you with this task).
The quarantining policy can also be defined not only on the last hop (the final relay attempting to deliver the email) but on any of the intermediate hops: you can decide to block email that originated in (first hop) or was relayed through (intermediate hop) a specific country.
Finally, with a quarantining strategy you are free to define exceptions: for example, block email from an entire country unless it originates from a few specific organizations you have a relationship with.
All this said, we generally suggest a quarantining strategy. A reject strategy should be considered only under very particular circumstances. Our technical support team is available to help you with this decision.
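To make the last-hop, first-hop and any-hop distinction concrete, here is an added example (written for this page, not Libraesva product code): a small Python policy that walks the Received headers of a message, geolocates each hop, and delivers or quarantines according to the chosen scope, with a per-domain exception list. The geolocation table, the country codes XA/XB/XC, the domains and the two sample messages are all constructed for the example and stand in for a real GeoIP database and real traffic.

```python
"""Geo-blocking a message by the country of its delivery hops.

Added example, not Libraesva product code. GEOIP_TABLE stands in for a real
GeoIP database; the country codes, domains and sample messages are made up.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple

# Constructed stand-in for a GeoIP database: network -> country code.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",   # country we want to block
    ipaddress.ip_network("198.51.100.0/24"): "XB",  # relay country we do not block
    ipaddress.ip_network("192.0.2.0/24"): "XC",     # our own network
}
BLOCKED_COUNTRIES = {"XA"}
# Exception list: sender domains delivered even when a hop is in a blocked country.
ALLOWLIST_DOMAINS = {"partner.example"}

# IP literal in a Received header, e.g. "from relay (relay.example [198.51.100.7])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def country_of(ip: str) -> str:
    """Map an IP to a country code; '??' if unknown or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "??"
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return "??"


def hop_path(raw: str) -> List[str]:
    """IPs of the delivering hosts in delivery order (first hop first).

    Each relay prepends its own Received header, so the message lists them
    newest first; reversing gives the path the mail actually travelled.
    """
    msg = message_from_string(raw)
    path = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = _IP_RE.search(hdr)
        if m:
            path.append(m.group(1))
    return path


def geo_policy(raw: str, scope: str = "any") -> Tuple[str, str]:
    """Return ('deliver' | 'quarantine', reason) for a raw RFC 5322 message.

    scope: 'last'  - only the host that connected to our MX (all an
                     SMTP-level reject can ever see)
           'first' - only the originating host
           'any'   - every hop on the path
    """
    path = hop_path(raw)
    if not path:
        return "quarantine", "no parseable Received hops"
    checked = {"last": path[-1:], "first": path[:1]}.get(scope, path)
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    for ip in checked:
        cc = country_of(ip)
        if cc in BLOCKED_COUNTRIES:
            if domain in ALLOWLIST_DOMAINS:
                return "deliver", f"hop {ip} is in {cc} but {domain} is allowlisted"
            return "quarantine", f"hop {ip} geolocates to blocked country {cc}"
    return "deliver", "no hop in a blocked country"


# Constructed sample: originated in XA (203.0.113.25), relayed through XB
# (198.51.100.7) before reaching our MX. The top header was written by our
# own MX; the one below it by the relay.
SAMPLE_UNKNOWN = (
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby mx.example.com with ESMTPS; Tue, 1 Mar 2022 10:00:00 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.25])\n"
    "\tby relay.example.net with ESMTPS; Tue, 1 Mar 2022 09:59:00 +0000\n"
    "From: Accounts <accounts@sender.example>\n"
    "To: bob@example.com\n"
    "Subject: Invoice\n"
    "\n"
    "Please see attached.\n"
)
SAMPLE_PARTNER = SAMPLE_UNKNOWN.replace(
    "Accounts <accounts@sender.example>", "Alice <alice@partner.example>"
)

if __name__ == "__main__":
    for scope in ("last", "first", "any"):
        print(scope, geo_policy(SAMPLE_UNKNOWN, scope))
    print("partner/any", geo_policy(SAMPLE_PARTNER, "any"))
```

With the sample above, the last-hop view delivers the message (the relay sits in a country you are not blocking), while the first-hop and any-hop views quarantine it, and the allowlisted partner domain gets through under every scope. Keep the trust boundary in mind: only the topmost Received header, the one your own MX wrote, is trustworthy; everything below it was written on the sender's side and can be forged. First-hop and intermediate-hop rules therefore defeat honest relaying, not an attacker who fabricates headers, which is one more argument for quarantining rather than rejecting: the sample stays available for analysis.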
CTO @ Libraesva
Yesterday most mail administrators, organizations and MSPs worldwide suddenly found that their mail was being rejected because the sending IP was reported as listed in the bl.spamcop.net blacklist.
SpamCop, a wholly-owned subsidiary of Cisco Systems, provides a Real-time Blackhole List (RBL) that mail servers query to decide whether incoming mail should be marked as spam or rejected. It suffered a worldwide outage after its domain was mistakenly allowed to expire: a parked domain typically answers every name beneath it with an A record, so every RBL lookup looked like a positive hit.
As a consequence, all cloud services and mail servers that use the SpamCop RBL, including Libraesva, Cisco and Barracuda to mention only a few, automatically started to reject incoming mail.
According to a post on Reddit, visiting spamcop.net showed the domain as parked, and users who tried to contact Cisco got no answer. Libraesva has also contacted Cisco with further questions but has not received a reply as of yet.
On Sunday evening Cisco finally renewed the spamcop.net domain, but some customers and mail administrators report that their incoming mail is still being blocked by SpamCop. This is due to DNS caching: resolvers keep the answers they obtained from the parked domain until the record TTL expires. We suggest flushing your DNS cache manually before re-enabling the SpamCop RBL.
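What went wrong, and the check that would have caught it, as an added example that is not part of the original post nor Libraesva's code: a small Python DNSBL client that runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not be) before trusting a zone, and fails open with an alert-worthy None when the zone is broken. The zone name bl.example, the listed addresses and the in-memory resolvers are constructed for the example; no network queries are made.

```python
"""DNSBL client with an RFC 5782 self-test against parked/wildcarded zones.

Added example, not Libraesva product code. RFC 5782 section 5 requires a
DNSBL to list 127.0.0.2 and to NOT list 127.0.0.1. A lapsed domain that has
been parked usually answers every name beneath it with an A record, which
makes 127.0.0.1 look listed, and with it every client that connects.
The resolvers below are constructed in-memory fakes; bl.example is made up.
"""
from typing import Callable, Dict, List, Optional

# A resolver maps a DNS name to its A records; [] means NXDOMAIN / no answer.
Resolver = Callable[[str], List[str]]


def reversed_octets(ip: str) -> str:
    """198.51.100.7 -> 7.100.51.198, the label order used for DNSBL queries."""
    return ".".join(reversed(ip.split(".")))


def dnsbl_query(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """A records for <reversed ip>.<zone>, keeping only 127.0.0.0/8 answers.

    DNSBLs return their codes inside 127/8; a parking page's public address
    is discarded here, which is the first line of defence.
    """
    answers = resolve(f"{reversed_octets(ip)}.{zone}")
    return [a for a in answers if a.startswith("127.")]


def dnsbl_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: the zone must list 127.0.0.2 and not 127.0.0.1."""
    test_listed = bool(dnsbl_query("127.0.0.2", zone, resolve))
    test_unlisted = not dnsbl_query("127.0.0.1", zone, resolve)
    return test_listed and test_unlisted


def should_reject(client_ip: str, zone: str, resolve: Resolver) -> Optional[bool]:
    """True/False: verdict from a healthy zone. None: the zone is broken,
    so fail open (do not reject) and raise an alert for the operators."""
    if not dnsbl_is_sane(zone, resolve):
        return None
    return bool(dnsbl_query(client_ip, zone, resolve))


# Constructed resolvers standing in for live DNS.
_HEALTHY_ZONE: Dict[str, List[str]] = {
    "2.0.0.127.bl.example": ["127.0.0.2"],     # the mandatory test entry
    "7.100.51.198.bl.example": ["127.0.0.2"],  # a listed spam source
}


def healthy_resolver(name: str) -> List[str]:
    return _HEALTHY_ZONE.get(name, [])


def parked_resolver(name: str) -> List[str]:
    """A parked bl.example: every name, 127.0.0.1's included, resolves to
    the parking page."""
    return ["203.0.113.80"] if name.endswith(".bl.example") else []


def parked_wildcard_127_resolver(name: str) -> List[str]:
    """Nastier variant: a wildcard answering inside 127/8, which only the
    127.0.0.1 self-test catches (the 127/8 filter alone would not)."""
    return ["127.0.0.2"] if name.endswith(".bl.example") else []


if __name__ == "__main__":
    for label, r in (("healthy", healthy_resolver), ("parked", parked_resolver),
                     ("wildcard-127", parked_wildcard_127_resolver)):
        print(label, "sane:", dnsbl_is_sane("bl.example", r),
              "reject 198.51.100.7:", should_reject("198.51.100.7", "bl.example", r))
```

Plugging in a real resolver is a one-line change: any function that returns the A-record addresses for a name and an empty list on NXDOMAIN will do. Note that many MTAs treat any A record as a listing unless told otherwise; in Postfix, for instance, `reject_rbl_client bl.spamcop.net` matches any answer, while `reject_rbl_client bl.spamcop.net=127.0.0.2` matches only SpamCop's documented return code, which by itself would have ignored a parking page's address. Running the self-test periodically, and alerting rather than rejecting when it fails, is the second half of that protection.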
We apologize to all Libraesva customers for any inconvenience we may have caused by relying on the SpamCop RBL.
Earlier in December another big company, the cloud storage provider Wasabi, had a worldwide outage caused by its domain being suspended by GoDaddy, which left customers worldwide unable to resolve their object storage buckets.
It seems that simple tasks like keeping a service domain active and healthy are a struggle even for industry giants, even when the task is mission-critical and a failure has worldwide impact.
A few days ago, Microsoft® reported that a Mimecast® for Microsoft 365™ certificate had been compromised and was being used against Mimecast’s customers.
This certificate grants full administrative access to the Microsoft 365™ Exchange Web Services of those Mimecast customers, estimated at around 10% of their global install base, who had configured the integration between Mimecast® and Microsoft 365™.
Since this announcement was made, we have been asked by our channel partners and customers whether the integration between Libraesva’s products and Microsoft 365™ can be abused in the same way.
The short answer is no. The long answer is no, because…
1) We do not use a single certificate to authenticate against our customers’ Microsoft 365™ tenants.
A single certificate that acts as a passe-partout (master) key for full access to many customers’ tenants is a bad design choice from a security standpoint. This is, of course, our opinion.
2) We instruct our customers to grant Libraesva only the minimum set of permissions we require.
Libraesva asks for the minimum set of permissions required to deliver the services each customer actually uses. We do not advise our customers to grant complete access to their tenants; we ask them to grant only the permissions needed for the products and features they use.
3) We have a de-centralized architecture.
Libraesva’s products are designed for full isolation between customers. Each customer ‘lives’ in a separate virtual appliance with its own IP address, and we do not store access credentials in any central repository.
As Libraesva is a security company, we know that security is difficult and that anybody can fail. Our architectural and software design choices are based on strict security principles, among which is avoiding any single point of failure.
Last year, perhaps more than any year before, demonstrated clearly how much every moment and aspect of our day-to-day lives depends on the Internet. This dependence increases the risks and threats to our “online security”.
According to the latest Data Breach Investigations Report, email is still the main vehicle for delivering cyber threats, in particular malicious links and attachments crafted to carry malware: 46% of the surveyed companies said they had received the bulk of malware delivery attempts via email. Social engineering attacks also remain very high (around 96%), with phishing confirmed as the favourite form, while successful Business Email Compromise has led to an average loss of $44,000 per company.
According to a Radicati Group study, there will be more than 4.2 billion email users within the first months of 2022, meaning that about half of the global population will be using email to communicate. Consequently, a cyber attack delivered via email has a high chance of succeeding and spreading like wildfire.
Consider, for example, Account Takeover, a fraudulent identity theft technique: cybercriminals obtain a victim’s account credentials through brand impersonation, phishing and social engineering, then monitor the organisation’s activity to learn how the company does business, manages financial transactions and how its people communicate with one another. This lets the cybercriminal glean valuable information to resell to competitors, damage the company’s reputation or bottom line, launch further cyber attacks or harvest more credentials, creating an endless cycle.
A single malicious email can cause a significant amount of damage to networks and, in some cases, completely halt business growth. This is exactly why email protection should be a crucial part of any business’s cyber-security strategy. Investing in email security is not an expense but a saving. While it may seem convenient to use a free secure email gateway, there are drawbacks to consider, such as the lack of real-time updates to block emerging threats or the lack of comprehensive security features. During the last year we have seen cybercriminals rapidly change their strategies to become more efficient at delivering successful attacks and at circumventing free, simple security platforms. That negates the cost savings of free email protection and results in larger costs to fix and recover from the resulting incidents, bringing the total cost of a free solution to many thousands of pounds more than a paid one offering real-time protection and a combination of advanced technologies, including artificial intelligence and machine learning for predictive threat analysis.
What is a secure email gateway?
A secure email gateway is essentially a firewall that scans your incoming email in order to protect your mailbox from email-borne cyber threats, such as phishing attacks, compromised business emails, malware, next-generation spam, or fraudulent content of various kinds. But a secure email gateway can also scan outgoing messages to prevent sensitive data from leaving an organization.
What do you need to consider when choosing a secure email gateway?
Choosing a secure email gateway can be a long and difficult process. There are many gateways on the market and, even if they look very similar, there are numerous differences. To help you along this path, we suggest some points you should take into consideration:
- Deployment: it is important to have the possibility to choose between a cloud and local service, based on the needs of your organization
- Threat intelligence, artificial intelligence and machine learning technologies, to detect and block both emerging & known threats and help administrators to understand which attack techniques and strategies are used the most against their company
- Active analysis of URLs and attachments, to quickly and accurately block various types of malware spread in this way, thus preventing phishing attacks
- Response capabilities, to recognise a malicious email and automatically identify and block all subsequent ones
- Control of outgoing content to prevent sensitive data from being released
What are the advantages of using a secure email gateway?
First and foremost, a secure email gateway helps to plug gaps in email security. It is a big mistake to think that installing an antivirus engine will protect you against threats delivered via email, or to believe that a solution such as Microsoft 365™ (formerly Office 365™) offers a complete secure email gateway service. A recent test carried out on numerous Microsoft 365™ deployments, lasting 1,321 days and covering 175,110 users and 109,284,844 emails, showed that a large number of threats were not intercepted by the security filters included in the solution. Unfortunately, cybercriminals have become very good at circumventing software such as antivirus, and multi-vector attacks using evasion techniques such as anti-forensics and encryption have expanded significantly in recent years. This is exactly why nearly 35% of organizations that have moved to Microsoft 365™ complement its native email security features with a third-party product that combines threat intelligence with traditional filters.
Furthermore, these malicious actors are well aware that employees are the weak link in the chain and the main vehicle for intrusion into corporate networks. A secure email gateway lets companies protect employees by blocking unsafe URLs and malicious attachments that spread phishing attacks, business email compromise, malware and more.
Another advantage of a secure email gateway is email business continuity: in the unlikely event that the primary mail server is down, a secure email gateway can let users keep sending and receiving email through its web interface.
A secure email gateway should also offer quarantine management, letting users examine blocked messages and search logs in a flexible, customizable way, with comprehensive reports and useful information to help them decide which messages to release, which senders to blacklist, and more.
Finally, the right email gateway offers maximum security, requires minimal maintenance and operates largely in the background in a “set and forget” manner, guaranteeing continuous protection with minimal use of human time and resources.