More than antispam: how to get the most out of your Security Email Gateway

While large enterprises build layered defences against potential insiders and hackers, phishing and spam mailings remain a headache for companies. If Marty McFly had known that by 2015 (let alone 2020) people would not only fail to invent hoverboards, but would not even learn how to completely get rid of junk mail, he would probably have lost faith in humanity. Moreover, spam today is not only annoying, but often harmful. In about 70% of cases, the kill chain begins with cybercriminals penetrating the infrastructure through malware in email attachments or through phishing links in emails.


Recently there has been a clear trend towards social engineering as the way to get inside an organization's infrastructure. Comparing the statistics for 2017 and 2018, we see an almost 50% increase in the number of cases in which malware was delivered to employees' computers through attachments or phishing links in the body of an email.

In general, the whole range of threats that can be carried out over email falls into several categories:

  • incoming spam
  • inclusion of the organization's computers in a botnet that sends outgoing spam
  • malicious attachments and viruses in the body of the email (small companies most often suffer from mass attacks like Petya).

To protect against all of these, you can either deploy several IPS, or follow the service model. We have already written about the Unified Cybersecurity Services Platform, the core of the Solar MSS managed cybersecurity services ecosystem. Among other things, it includes virtualized Secure Email Gateway (SEG) technology. As a rule, a subscription to this service is purchased by small companies in which all IT and IS functions are assigned to one person, the system administrator. Spam is a problem that is always in plain sight of users and management, and it cannot be left unsolved. Over time, however, even management realizes that it is impossible simply to "throw" it at the system administrator: it takes too much time.


2 hours a day sorting mail is too much

One retailer approached us with exactly this situation. Its time-tracking systems showed that every day its employees spent about 25% of their working time (2 hours!) going through their mailboxes.

With the customer's mail server connected, we configured the SEG instance as a two-way gateway for both incoming and outgoing mail and launched filtering according to pre-set policies. We compiled the blacklist from an analysis of the data provided by the customer and from our own lists of potentially dangerous addresses, obtained by Solar JSOC experts as part of other services, for example monitoring of information security incidents. After that, all mail reached recipients only after being cleaned, and the spam mailings about "great discounts" stopped pouring onto the customer's mail servers by the ton, freeing up space for other needs.

But there were situations when a legitimate letter was erroneously classified as spam, for example because it came from an untrusted sender. Here we left the decision to the customer. There are not many options: delete immediately, or send to quarantine. We chose the second path, in which such mail is stored on the SEG itself. We gave the system administrator access to the web console, where he could at any time find an important letter, for example from a counterparty, and release it to the user.

Getting rid of parasites

The email protection service includes analytical reports whose purpose is to check the security of the infrastructure and the effectiveness of the applied settings. These reports also make it possible to spot trends. For example, we open the "Spam by Recipient" or "Spam by Sender" section of the report and see which addresses receive or send the largest number of blocked messages.

It was during the analysis of such a report that a sharp rise in the total number of letters from one of our customers looked suspicious to us. Its infrastructure is small and its mail volume is low. And suddenly, over one working day, the number of blocked spam messages almost doubled. We decided to take a closer look.


We saw that the number of outgoing letters had increased, and that all of them carried, in the Sender field, addresses from a domain that had only just been connected to the mail protection service. But there was one caveat: among quite plausible, possibly even existing, addresses there were clearly strange ones. We looked at the IPs from which the letters were sent and, as expected, they did not belong to the protected address space. Obviously, an attacker was sending spam on behalf of the customer.

In this case we gave the customer recommendations on how to configure its DNS records correctly, specifically SPF. Our specialist suggested creating a TXT record containing the rule "v=spf1 mx ip4:1.2.3.4/23 -all", which is an exhaustive list of the addresses allowed to send email on behalf of the protected domain (the SPF mechanism for an IPv4 range is spelled ip4:; the prefix here is a placeholder).
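The report analysis and the SPF fix described above, as an added example that is not part of the original article or of Solar JSOC's tooling: it expands the recommended record into permitted networks (with a constructed MX lookup, since no DNS is queried), evaluates a sending IP against it the way a receiving server would, and then walks constructed gateway report lines to count blocked "outgoing" messages per source IP outside the protected space. The domain, MX address, report lines and source IPs are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a DNS MX lookup (assumption, not from the article):
# the protected domain's MX host resolves to 192.0.2.25.
MX_ADDRESSES = {"example-customer.invalid": ["192.0.2.25"]}

# The record from the text; SPF spells the IPv4 mechanism ip4:, and the
# prefix 1.2.3.4/23 is the article's placeholder.
SPF_RECORD = "v=spf1 mx ip4:1.2.3.4/23 -all"

def parse_spf(record, domain):
    """Expand 'mx' and 'ip4:' mechanisms into permitted networks and return
    them with the qualifier of the trailing 'all' ('-' = hard fail)."""
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    nets, all_qualifier = [], "?"
    for term in terms[1:]:
        if term == "mx":
            nets += [ipaddress.ip_network(a) for a in MX_ADDRESSES.get(domain, [])]
        elif term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.endswith("all"):
            all_qualifier = term[0] if term[0] in "-~?+" else "+"
        else:
            raise ValueError(f"unsupported SPF term: {term}")
    return nets, all_qualifier

def spf_result(record, domain, client_ip):
    """Verdict a receiving server would reach for mail sent from client_ip."""
    nets, qualifier = parse_spf(record, domain)
    if any(ipaddress.ip_address(client_ip) in net for net in nets):
        return "pass"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]

# Constructed gateway report lines: verdict, envelope sender, source IP.
REPORT = """\
BLOCKED sales@example-customer.invalid 192.0.2.25
BLOCKED info@example-customer.invalid 198.51.100.7
BLOCKED qwz8k1@example-customer.invalid 198.51.100.7
BLOCKED qwz8k2@example-customer.invalid 203.0.113.42
BLOCKED hr@example-customer.invalid 1.2.3.77
"""

def spoofed_sources(report, record, domain):
    """Count blocked messages per source IP that is not authorised to send
    for the domain: the pattern the report analysis in the text uncovered."""
    counts = Counter()
    for line in report.splitlines():
        _verdict, sender, ip = line.split()
        if sender.split("@")[1] == domain and spf_result(record, domain, ip) != "pass":
            counts[ip] += 1
    return dict(counts)
```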

Why this matters: spam sent on behalf of an unknown small company is unpleasant, but not critical. The situation is quite different in, for example, the banking industry. According to our observations, a victim's trust in a phishing email increases many times over if it is supposedly sent from the domain of another bank or of a counterparty known to the victim. This is not unique to bank employees: in other industries, such as the energy sector, we see the same trend.

We kill viruses

But spoofing is not as common a problem as, for example, virus infections. And how do companies most often deal with virus epidemics? They install an antivirus and hope that "the enemy will not pass." If it were that simple, then, given the rather low cost of antivirus software, everyone would long ago have forgotten about the problem of malware. Meanwhile, we constantly receive requests along the lines of "help us restore our files, everything is encrypted, work has stopped, data is lost." We never tire of telling customers that antivirus is not a panacea. Apart from the fact that antivirus databases may not be updated quickly enough, we often encounter malware that can bypass not only antivirus products but also sandboxes.

Unfortunately, few ordinary employees are aware of phishing and malicious emails and able to distinguish them from ordinary correspondence. On average, every 7th user who does not undergo regular awareness training succumbs to social engineering: opens an infected file or sends his data to attackers.

Although the social vector of attacks has been growing gradually for some time, this trend became especially noticeable in the past year. Phishing emails look more and more like regular emails about promotions, upcoming events, and so on. Here we can recall the Silence attack on the financial sector: bank employees received a letter allegedly containing a promotional code for the popular iFin industry conference, and the percentage of those who fell for the trick was very high, even though, recall, we are talking about the banking sector, the most advanced in matters of information security.

Before last New Year we also observed several rather curious situations in which employees of industrial companies received very high-quality phishing emails with a "list" of New Year promotions in popular online stores and promotional codes for discounts. Employees not only tried to follow the link themselves, but also forwarded the letter to colleagues in related organizations. Since the resource the phishing link pointed to was blocked, employees began to flood the IT service with requests to grant access to it. All in all, the success of the mailing must have exceeded all the attackers' expectations.

And recently a company that had been "encrypted" turned to us for help. It all started when the accounting staff received a letter allegedly from the Central Bank of the Russian Federation. An accountant clicked on the link in the letter and downloaded the WannaMine miner to his machine, which, like the well-known WannaCry, exploited the EternalBlue vulnerability. The most interesting thing is that most antivirus products have been able to detect its signatures since the beginning of 2018. But either the antivirus was disabled, or the databases were not updated, or there was none at all; in any case, the miner was already on the computer, and nothing prevented it from spreading further over the network, loading the CPUs of servers and workstations to 100%.

This customer, having received a report from our forensics group, saw that the virus had originally entered the company through email, and launched a pilot project to connect the email protection service. The first thing we set up was the mail antivirus. Malware scanning runs continuously; signature updates were initially made every hour, and the customer later switched to a twice-a-day schedule.

Full-fledged protection against virus infections should be layered. As far as viruses transmitted through email are concerned, such letters must be filtered out at the entrance, users must be trained to recognize social engineering, and only then should one count on antivirus products and sandboxes.

SEG on guard today

Of course, we do not claim that Secure Email Gateway class solutions are a panacea. Targeted attacks, including spear phishing, are extremely difficult to prevent because each such attack is "sharpened" for a specific recipient (an organization or a person). But for a company trying to provide a basic level of security, an SEG does a lot, especially when the right experience and expertise are applied to the task.

Most often, spear phishing letters do not carry malicious attachments, because the anti-spam system would immediately block such a letter on its way to the recipient. Instead they include links to a pre-prepared web resource in the text of the letter, and the rest is a matter of technique. The user follows the link and, after several redirects, within seconds ends up at the last page of the chain, which loads malware onto his computer when opened.

Even more sophisticated: at the moment the letter is received, the link can be harmless, and only after some time, when it has already been scanned and passed, will it start redirecting to malware. Unfortunately, even Solar JSOC specialists, with all their competence, cannot configure the mail gateway so that it "sees" malware through the entire chain (although, as a protection, the SEG can automatically substitute all links in letters, so that it scans the link not only at the time of delivery but at each click).

Meanwhile, a typical redirect chain can be handled by combining several kinds of expertise, including the data received by our JSOC CERT and from OSINT. This makes it possible to build extended blacklists on the basis of which even a letter with multiple redirects will be blocked.
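The link substitution and click-time scanning described above, as an added example that is not code from the original article or from Solar JSOC: every link in a message body is rewritten to a gateway click-check link, and at click time the gateway walks the redirect chain hop by hop against a blacklist, so a link that was harmless at delivery and re-armed later is still caught. The gateway endpoint, the HMAC secret, the sample message, the blacklist and the redirect chain are all constructed; the signature is an added safeguard so the endpoint cannot be abused as an open redirector.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumptions, not from the article: the gateway's click-check endpoint and a
# per-deployment secret that signs rewritten links, so the endpoint cannot be
# turned into an open redirector.
GATEWAY = "https://seg.example.invalid/click"
SECRET = b"constructed-demo-secret"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sign(url):
    # Truncated HMAC-SHA256 tag binding the original URL to the rewritten link.
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]

def rewrite_links(body):
    """Substitute every link in the message body with a signed gateway link,
    so the gateway is consulted on each click, not only at delivery."""
    return URL_RE.sub(
        lambda m: f"{GATEWAY}?u={quote(m.group(0), safe='')}&s={sign(m.group(0))}", body)

def check_at_click(link, blacklist, redirects):
    """Verdict at the moment of the click: walk the (constructed) redirect
    chain hop by hop and block if any hop lands on a blacklisted host."""
    params = parse_qs(urlparse(link).query)
    url, tag = params["u"][0], params["s"][0]
    if not hmac.compare_digest(sign(url), tag):
        return "invalid-signature"
    for _ in range(10):  # bound the walk so a redirect loop cannot hang it
        if urlparse(url).hostname in blacklist:
            return "blocked:" + url
        if url not in redirects:
            return "allow"
        url = redirects[url]
    return "blocked:too-many-redirects"

# Constructed sample: a "promo code" letter whose link is harmless when the
# letter is scanned and is re-armed later to redirect twice into a malware host.
SAMPLE_BODY = "Your New Year promo code is here: https://promo.example.invalid/newyear"
BLACKLIST = {"bad.example.invalid"}
REDIRECTS_AT_DELIVERY = {}
REDIRECTS_LATER = {
    "https://promo.example.invalid/newyear": "https://r1.example.invalid/go",
    "https://r1.example.invalid/go": "https://bad.example.invalid/payload",
}
```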

The SEG is just one small brick in the wall that any organization wants to build to protect its assets. But this link, too, needs to be placed correctly in the overall picture, because with proper configuration even an SEG can be made a full-fledged protection tool.

Ksenia Sadunina, Consultant at Solar JSOC Expert Presale Department

Source: habr.com
