According to a newly released report from the APWG, webmail and SaaS services were the target of roughly one-third of all phishing attacks, and the authors suspect the true share is higher. The report notes that phishing targeting webmail and SaaS providers rose from 20.1 percent of all attacks in Q3 2018 to 30 percent in Q4.
A separate report found that the vast majority of email attacks were phishing-based, whether impersonation, spear phishing, whaling or credential harvesting.
The rise in attacks against email concerns many organizations, and vendors are responding. Several products aimed at stemming the tide of email attacks were announced at this year's RSA Conference, including new offerings from FireEye and Agari.
The FireEye Secure Email Gateway lets companies fully scan inbound and outbound email with a system that combines anti-spam, anti-virus, email threat intelligence, impersonation detection, supply-chain impersonation detection and FireEye's advanced threat detection on inbound email. It can optionally apply that same advanced threat detection to outbound email, something Ken Bagnall, vice president of email security, said is often left out of this type of product.
Part of the solution's effectiveness relies on FireEye's threat intelligence team, which continually gathers information on attacks and incidents. "When an incident occurs, they can tell us how it started, along with the indicators of compromise, and we will immediately add that information," Bagnall explained.
FireEye also uses techniques such as deep relationship analysis to protect against emails designed to impersonate legitimate users; these flag anomalous email traffic, while email-specific threat intelligence known as Smart DNS speeds detection.
Bagnall said that in proof-of-value deployments the gateway caught thousands of impersonation emails, as well as other advanced threats, that customers' existing solutions had missed.
“Impersonators use a broad range of tactics; they loiter and impersonate by just using your first name or last name, or they register a domain similar to your name or similar to someone in your supply chain,” Bagnall said. “For example, we worked with a company that had experienced a major fraud. We went back to the name servers where those domains were, and we found the registered domain similar to nearly everyone they did business with. That tells me that [the hackers] are going to keep going through different staff members until they get someone to engage in conversation. This is a pretty determined threat tactic, and it’s got to be addressed.”
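The supply-chain tactic Bagnall describes (registering domains that resemble a partner's) is something a receiving organization can check for itself. The following is an added example and not FireEye's code: it compares a sender's domain against a constructed list of partner domains (the names are hypothetical) and classifies the common look-alike tricks: Unicode confusables and punycode, letter-pair look-alikes such as "rn" for "m", single-character typos, TLD swaps and "combosquats" that embed the real name in a longer one. The character maps and edit-distance budgets are assumptions chosen for the demonstration.

```python
"""Look-alike sender-domain detection (typosquat, confusable, TLD swap, combosquat).

Added example, not FireEye's code. TRUSTED_DOMAINS is a constructed partner
list; the character maps and edit-distance budgets are assumptions.
"""
from typing import Optional

# Constructed list of domains this organisation legitimately does business with.
TRUSTED_DOMAINS = ["acme-supply.com", "northwind.com", "contoso.com"]

# Cyrillic letters that render like ASCII letters (a small subset of Unicode confusables).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
# ASCII sequences that read like another letter in common fonts.
ASCII_LOOKALIKES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld). Naive split: a real deployment should use
    the Public Suffix List so that co.uk and similar suffixes are handled."""
    d = domain.lower().rstrip(".")
    if "xn--" in d:                      # punycode -> Unicode so confusables are visible
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    labels = d.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (d, "")


def fold(label: str) -> str:
    """Map confusable characters to the ASCII letter they imitate and drop hyphens."""
    out = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for seq, repl in ASCII_LOOKALIKES:
        out = out.replace(seq, repl)
    return out.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str) -> Optional[tuple[str, str]]:
    """Return (verdict, trusted_domain) when sender_domain imitates a partner,
    None for the genuine partner domain or an unrelated domain."""
    s_label, s_tld = split_domain(sender_domain)
    if (s_label, s_tld) in {split_domain(t) for t in TRUSTED_DOMAINS}:
        return None                      # the real partner domain
    s_fold = fold(s_label)
    for trusted in TRUSTED_DOMAINS:
        t_label, t_tld = split_domain(trusted)
        t_fold = fold(t_label)
        if s_fold == t_fold:
            # Same letters after folding: either a confusable/hyphen trick in the
            # label, or the exact label registered under a different TLD.
            return ("confusable" if s_label != t_label else "tld-swap", trusted)
        budget = 1 if len(t_fold) < 8 else 2   # allowed typos, scaled to label length
        if levenshtein(s_fold, t_fold) <= budget:
            return ("typosquat", trusted)
        if len(t_fold) >= 5 and t_fold in s_fold:
            return ("combosquat", trusted)     # e.g. contoso-invoices.net
    return None


if __name__ == "__main__":
    for d in ["acme-supply.com", "acrne-supply.com", "northwind.co",
              "northwnd.com", "contos0.com", "contoso-invoices.net"]:
        print(d, "->", classify(d))
```

A verdict from this check is a reason to hold the message for review, not proof of fraud on its own: an edit-distance budget of one or two will also catch unrelated but similarly named legitimate companies, so the result is best combined with the message's authentication status (SPF/DKIM/DMARC) and whether the sender has ever been seen before.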
Agari, a San Francisco company focused on cloud email security, also announced improvements to its Agari Secure Email Cloud at RSA. The goal of the new version, said CMO Armen Najarian, is to cope better with the explosion in phishing and spam, which typically leaves an unacceptable number of latent threats undetected.
For security analysts, identifying these latent threats can be very time consuming and challenging.
The Agari SOC Network is a new automated intelligence-sharing system that applies newly reported indicators of compromise to all previously delivered email across all customers and automatically removes matching messages. When a SOC analyst identifies and verifies a malicious message and enters its indicators of compromise (IOCs), the tool applies those IOCs across Agari's entire customer base, so every customer's SOC team benefits from intelligence contributed by the rest of the network.
The second improvement is Continuous Detection and Response. Rather than leaving already-delivered malicious messages in inboxes until someone notices them, it continuously applies updated intelligence from several sources (customer SOC teams, the Agari Cyber Intelligence Division (ACID) and third-party threat feeds) to remove newly identified malicious emails.
“Imagine that a message delivered yesterday contains a malicious URL, but it wasn’t identified as a threat until today. Agari can apply today’s information and go back to remove the malicious message from inboxes,” Najarian explained. “If a threat feed like Agari ATP, Crowdstrike, or Lastline finds a new threat, Agari would then automatically remove all matching emails from all inboxes in all member organizations and alert the SOC team through a mobile app.”
In another scenario, ACID might discover a cybercriminal gang targeting businesses and post the incident and its IOCs to the Agari SOC Network. Agari would then automatically remove every matching email from every inbox in every member organization and alert the SOC team through a mobile app.
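The retroactive removal described in the last few paragraphs rests on one design decision: delivered messages must be indexed by the indicators a feed could later publish, so that a new IOC is a lookup rather than a rescan of every mailbox. The following added example (not Agari's code) shows that shape with a small in-memory mail store. The messages, mailbox names, domains, attachment hashes and feed names are all constructed for the demonstration.

```python
"""Retroactive sweep of delivered mail against newly published IOCs.

Added example, not Agari's code. The mail store, messages and IOCs are all
constructed in-line; feed names and message contents are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Message:
    msg_id: str
    mailbox: str
    sender: str
    body: str
    attachment_sha256: set[str] = field(default_factory=set)
    quarantined: bool = False


@dataclass(frozen=True)
class IOC:
    kind: str     # "sender_domain" | "url" | "url_host" | "sha256"
    value: str
    source: str   # who published it: a customer SOC, ACID, a third-party feed


def extract_indicators(msg: Message) -> dict[str, set[str]]:
    """Pull out every indicator a later IOC could match on, normalised to lower case."""
    urls = {u.rstrip(".,;)") for u in URL_RE.findall(msg.body)}
    return {
        "sender_domain": {msg.sender.rsplit("@", 1)[-1].lower()},
        "url": {u.lower() for u in urls},
        "url_host": {(urlparse(u).hostname or "").lower() for u in urls} - {""},
        "sha256": {h.lower() for h in msg.attachment_sha256},
    }


class MailStore:
    """Delivered messages plus an inverted index (kind, value) -> message ids,
    so applying a new IOC is a dictionary lookup, not a rescan of every mailbox."""

    def __init__(self) -> None:
        self.messages: dict[str, Message] = {}
        self.index: dict[tuple[str, str], set[str]] = {}

    def deliver(self, msg: Message) -> None:
        self.messages[msg.msg_id] = msg
        for kind, values in extract_indicators(msg).items():
            for value in values:
                self.index.setdefault((kind, value), set()).add(msg.msg_id)

    def sweep(self, iocs: list[IOC]) -> list[tuple[str, str, str]]:
        """Apply IOCs learned *after* delivery to everything already in inboxes.
        Returns (msg_id, mailbox, reason) per message quarantined; idempotent."""
        hits = []
        for ioc in iocs:
            for msg_id in sorted(self.index.get((ioc.kind, ioc.value.lower()), ())):
                msg = self.messages[msg_id]
                if msg.quarantined:
                    continue                      # already pulled by an earlier IOC
                msg.quarantined = True
                hits.append((msg_id, msg.mailbox, f"{ioc.kind}={ioc.value} via {ioc.source}"))
        return hits


def build_store() -> MailStore:
    """Constructed traffic, delivered 'yesterday' before anything was known about it."""
    store = MailStore()
    store.deliver(Message("m1", "alice", "billing@invoices-portal.example",
                          "Overdue: https://invoices-portal.example/pay/1234 today."))
    store.deliver(Message("m2", "bob", "hr@corp.example",
                          "Menu: https://intranet.corp.example/lunch"))
    store.deliver(Message("m3", "carol", "news@vendor.example",
                          "Q1 report attached", {"ab12" * 16}))
    store.deliver(Message("m4", "bob", "ceo@invoices-portal.example",
                          "Please wire the balance before noon."))
    return store


# IOCs published 'today' by different contributors to the sharing network (constructed).
TODAYS_IOCS = [
    IOC("url_host", "invoices-portal.example", "customer SOC"),
    IOC("sender_domain", "invoices-portal.example", "customer SOC"),
    IOC("sha256", "ab12" * 16, "third-party feed"),
]

if __name__ == "__main__":
    store = build_store()
    for hit in store.sweep(TODAYS_IOCS):
        print(hit)
```

Two points carry over to a real deployment. The index has to be built at delivery time (attachment hashes in particular cannot be recomputed cheaply across every mailbox later), and the indicator kind matters: an exact-URL IOC misses trivially mutated links, while a host-level IOC catches them but will also pull legitimate mail if the host is shared, so the sweep output should land in a quarantine the SOC can review and release from rather than in permanent deletion.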