It’s been 38 years since the invention of email, and today it is still the number one communication tool in and out of enterprises. While technology, hardware, infrastructure and the internet itself have evolved tremendously over the past almost four decades, email is the spoiled child of the family that refuses to grow up.
Unfortunately, email is also one of the most used attack vectors in targeted attacks and in the initial phase of an APT. Content filters are doing a great job and we don’t see nearly as much spam as we did, let’s say, 10 years ago, yet around 80% of all global email is still spam. The fact that we don’t see it doesn’t mean that it doesn’t exist. Just check your Spam or Junk folder.
One possible approach is for enterprises to move away from email and start using other collaboration tools. I have personally experimented with such tools and they work great.
Change is difficult and costly, but migrating away from email would bring a lot of benefits. That change is on its way; in the meantime, consider taking a few steps to protect your data.
- First and foremost, use an endpoint security solution with a strong focus on behavioral detection. Signature-based detection, although still very accurate against known samples, is an old, dying technology that is hard to scale. Behavioral detection is a much better way of keeping unknown threats away.
- Email encryption should be enabled by default so that the content cannot be read by anyone other than the intended recipients. Although most companies have adopted this practice, there is still email out there being sent in clear text. Keep in mind that TLS between mail servers only protects each hop; if the goal is that nobody but the recipient can read the message, that takes end-to-end encryption such as S/MIME or PGP.
- Use a smart content filtering solution (a.k.a. antispam, for old-school readers). As stated above, around 80% of all global email is spam. If that statistic surprised you, the content filtering solution you are using is accurate enough. If you sarcastically said “yeah, right!”, the current solution is not good enough and you should be looking for something better. There are independent tests out there that can guide you in picking one.
Most APT attacks that we’ve analyzed in the past 6 years started with a single email attachment. In some cases the content filtering solution had correctly tagged the email as spam, but since the biggest threat always lies between the keyboard and the chair, someone opened the infected attachment anyway. Analyzing the attachment’s behavior in a virtualized sandbox before it is delivered to the recipient reduces this risk considerably.
While all these steps help to block or at least complicate attacks, you should also treat the (hopefully hypothetical) malicious insider as a threat and implement egress filtering for email, especially for attachments. Note that a gateway can only inspect what it can read: an end-to-end encrypted message or a password-protected archive is opaque to it. Harmonizing this requirement with an “encrypt everything at all times” policy is left as an exercise for the enterprising CI(S)O.
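As an added example (not code from the original post or from any product it mentions), here is the kind of attachment policy check that both the pre-delivery inspection and the egress filter described above would run before handing a message to a sandbox or letting it leave the network. It walks the MIME parts of a message, identifies each attachment by its magic bytes rather than trusting the extension, blocks executables and extension/content mismatches, and, for the encryption caveat, explicitly reports attachments it cannot look inside: end-to-end encrypted parts and password-protected ZIPs (detected from the general-purpose flag in the ZIP local file header). The blocked-extension list, the expected-type table and the four sample attachments are constructed assumptions for the demonstration, not real files.

```python
import email
import os
import struct
from email import policy
from email.message import EmailMessage

# Gateway policy (assumed for this example; tune it to your environment).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime"}
ENCRYPTED_EXTENSIONS = {".pgp", ".gpg", ".asc", ".p7m"}

# Leading bytes that identify the real file type regardless of the extension.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",                          # also docx/xlsx/pptx, jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls/.ppt
    b"%PDF": "pdf",
}
# What each extension is expected to contain; a mismatch is a red flag.
EXPECTED_KIND = {".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
                 ".doc": "ole2", ".xls": "ole2"}


def sniff(data):
    """Classify a payload by its magic bytes."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def zip_is_encrypted(data):
    """True if the first ZIP local file header has the 'encrypted' flag (bit 0) set."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    # Local file header: signature(4) version(2) general-purpose flags(2) ...
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def inspect_attachment(part):
    """Return (filename, verdict, reason) for one MIME attachment part."""
    filename = part.get_filename() or "(unnamed)"
    ext = os.path.splitext(filename)[1].lower()
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    kind = sniff(data)

    # End-to-end encrypted content: the gateway cannot see inside, by design.
    if ctype in ENCRYPTED_TYPES or ext in ENCRYPTED_EXTENSIONS:
        return filename, "uninspectable", "end-to-end encrypted (%s)" % ctype
    if kind == "zip" and zip_is_encrypted(data):
        return filename, "uninspectable", "password-protected archive"

    if kind in ("pe-executable", "elf") or ext in BLOCKED_EXTENSIONS:
        return filename, "block", "executable content (%s, %s)" % (ext or "no ext", kind)
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        return filename, "block", "extension %s but content looks like %s" % (ext, kind)
    return filename, "allow", kind


def inspect_message(raw):
    """Parse a raw RFC 5322 message and return one verdict per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [inspect_attachment(part) for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed test message with four attachments (synthetic bytes, not real files)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Attached as discussed.")
    # 1. looks like a PDF and is labelled as one
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # 2. a PE image renamed to .pdf to get past extension-only checks
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # 3. password-protected ZIP: local file header with general-purpose bit 0 set
    encrypted_zip = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
    msg.add_attachment(encrypted_zip, maintype="application", subtype="zip",
                       filename="payroll.zip")
    # 4. S/MIME enveloped data: opaque to the gateway
    msg.add_attachment(b"0\x82\x01\x00", maintype="application", subtype="pkcs7-mime",
                       filename="smime.p7m", params={"smime-type": "enveloped-data"})
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict, reason in inspect_message(build_sample_message()):
        print("%-14s %-14s %s" % (filename, verdict, reason))
```

The "uninspectable" verdict is the point where the encryption policy and the egress policy collide: the gateway has to decide, per organization, whether such attachments are held for review, allowed only for known sender/recipient pairs, or blocked outright. Nothing in this check replaces sandboxing; it only decides what is worth sending to the sandbox and what can never be inspected at all.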