Cyberwarfare and email: what you need to know
Cyberwarfare is a reality, with evolving geopolitical tensions constantly shaping and modifying the cyber risk for organisations and states.
Cybercrime vs cyberwarfare
Malicious actors have learned to move fast and to capitalise on situations that draw attention and trigger emotions, as we saw at the height of the pandemic. Cybercriminals will be taking advantage of the tension and fear created by war in Europe for all kinds of financially driven scams, including phishing and ransomware campaigns. But this kind of cybercrime is not the type of activity that most worries the national-level computer security incident response teams (CSIRTs).
In response to the current situation in Ukraine, CSIRTs have issued guidelines for mitigating the potential risk of cyber-attacks on companies, institutions, infrastructure and communication systems. These guidelines focus on the risk of state-sponsored and politically motivated attacks: cyberwarfare.
Email is where most attacks start
Email is the most used (and abused) communication channel between organisations, which is why this is where most data breaches start. Targeted campaigns are a common attack vector for state actors and politically motivated cybercriminals, and the most common way of weaponising email is through phishing and malware attacks.
Cyberwarfare doesn’t necessarily leverage topics related to geopolitical tensions or military escalations. Attacks are usually designed by skilled actors who try to stay below the radar, which means dangerous phishing emails may seem quite innocuous, and not what you might expect.
Geoblocking – the logical line of defence
Geoblocking restricts content access based on a user’s location. It uses IP addresses, GPS and end-to-end delay measurement to identify where a user is and either approve or deny access. It’s commonly used to protect copyright and licensing, such as preventing US viewers from watching movies on a European streaming site.
Geoblocking can also be used to prevent the delivery of content originating from specific states or nations. While bad actors can still route attacks through different countries, this involves additional steps and increases the chances of detection. Geoblocking may not be a silver bullet, but it’s a logical measure to take when the risk of attack from certain geographical areas increases.
There are two approaches for geoblocking email: rejecting and quarantining.
Rejecting email from certain locations
Rejecting email at SMTP level can be managed by dropping connections from IP addresses belonging to a specific country. This simple blocking strategy is effective in terms of resource usage, but it does leak information to the potential attacker – they will immediately recognise the block and change their strategy.
You also have no visibility of what has been rejected: you won’t know if there was any legitimate traffic trying to get through and you won’t be aware of any targeted attack attempts taking place. And as already mentioned, an email originating in a blocked location could have been relayed through other countries.
For some organisations, rejecting traffic from an entire country or countries is feasible, but for others it isn’t, and a more refined approach may be needed. This is where quarantining proves to be the better alternative.
Quarantining email for evaluation
As an alternative to outright rejection, we recommend quarantining as the best approach for preventing email attacks through geoblocking. This involves accepting and analysing all email, and silently quarantining (not delivering) content from specified locations. This approach has several advantages:
- Attackers are not alerted to the measures you are taking
- You can analyse email samples to detect attempted attacks
- You can investigate the tools and strategies that attackers are using (our analysts can support you with this if you need help)
- You can define where quarantine measures are instigated, whether on the last hop (the final relay that is attempting to deliver the email) or on any of the intermediate hops (which could include countries that the email has been relayed through)
- You have full visibility of all quarantined traffic, so legitimate emails can be released for delivery
- You can define exceptions, for example, block email from an entire country except when originated from the specific organisations you have established relationships with
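The two approaches described above, as an added example that is not Libraesva's code or any part of its product: a reject-at-connection check that only sees the connecting client's IP, beside a quarantine policy that inspects the Received chain of an accepted message (last hop only, or every relay hop), applies the blocked-country list and a per-organisation exception, and records what it saw. The IP-to-country table, the sample message and the country codes are constructed for the example; a real deployment would replace `country_of` with a GeoIP database lookup.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed IP-to-country table for this example only. In production this
# would be a GeoIP database lookup. Country codes are made up (XA, XB, XH).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "XA",  # constructed: a blocked region
    ipaddress.ip_network("203.0.113.0/24"): "XB",   # constructed: a relay region
    ipaddress.ip_network("192.0.2.0/24"): "XH",     # constructed: our own region
}

# Constructed policy: block one country, check every relay hop, no exceptions.
POLICY = {
    "blocked_countries": {"XA"},
    "scope": "any_hop",            # "last_hop" checks only the final relay
    "exempt_domains": set(),       # organisations we have a relationship with
}

# Constructed sample message: originated in XA, relayed through XB to our MX.
# Mail servers prepend Received headers, so the topmost one is the last hop.
SAMPLE = """Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.home.example (Postfix) with ESMTPS; Tue, 1 Mar 2022 10:00:00 +0000
Received: from origin.example.org (origin.example.org [198.51.100.23])
\tby relay.example.net; Tue, 1 Mar 2022 09:59:00 +0000
From: "Accounts" <accounts@origin.example.org>
To: finance@home.example
Subject: Invoice

Please see attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def country_of(ip: str) -> str:
    """Map an IPv4 address to a country code using the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown: treat as "not blocked" but keep it visible in logs


def received_hops(raw_message: str) -> list:
    """Return relay IPs from the Received headers, last hop first.

    Only the Received header written by your own MX is trustworthy; the ones
    below it were supplied by the sending side and may be forged. That is why
    last-hop checking is the reliable floor and any-hop checking is extra
    coverage rather than a guarantee.
    """
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return hops


def smtp_reject_decision(client_ip: str, policy: dict) -> str:
    """Approach 1: drop the connection at SMTP time based on the client IP.

    Cheap on resources, but the sender learns of the block immediately and
    nothing is retained for later analysis.
    """
    return "reject" if country_of(client_ip) in policy["blocked_countries"] else "accept"


def quarantine_decision(raw_message: str, policy: dict) -> dict:
    """Approach 2: accept the message, then decide deliver vs quarantine.

    Returns a record that can be logged for review and released if legitimate.
    """
    msg = message_from_string(raw_message)
    hops = received_hops(raw_message)
    checked = hops[:1] if policy["scope"] == "last_hop" else hops
    countries = [(ip, country_of(ip)) for ip in checked]
    hits = [(ip, cc) for ip, cc in countries if cc in policy["blocked_countries"]]

    # Exception by sender organisation. In production tie this to an
    # SPF/DKIM-authenticated domain, not the bare From header, which is
    # trivially spoofable.
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()

    if not hits:
        return {"action": "deliver", "reason": "no blocked hops", "hops": countries}
    if domain in policy["exempt_domains"]:
        return {"action": "deliver", "reason": f"exception for {domain}", "hops": countries}
    ip, cc = hits[0]
    return {"action": "quarantine", "reason": f"hop {ip} located in {cc}", "hops": countries}


if __name__ == "__main__":
    print("SMTP-time decision for 198.51.100.23:", smtp_reject_decision("198.51.100.23", POLICY))
    print("Quarantine decision (any hop):", quarantine_decision(SAMPLE, POLICY))
    print("Quarantine decision (last hop):", quarantine_decision(SAMPLE, dict(POLICY, scope="last_hop")))
```

Run as a script it prints the three decisions; note that the same message is quarantined when intermediate hops are checked but delivered when only the final relay is, which is exactly the trade-off between the two scopes described above.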
Naturally, geoblocking and quarantining are both included in our award-winning Libraesva Email Security solution, as well as threat analysis and remediation, spoofing protection, sandbox defences, our AI-driven Adaptive Trust Engine and much more.
CTO @ Libraesva