The earlier in the attack cycle you can stop the bad guys the better. A large proportion of attacks, both targeted and opportunistic, begin with an email. But many anti-phishing / business email compromise (BEC) technologies depend primarily on some kind of known bad data whether IP address, domain name, URLs, message text and so on. Those technologies probably catch a lot of bad messages, but they simply can’t catch new widely broadcast opportunist campaigns running on newly spun, fresh infrastructure, until the campaign has been around long enough to get on threat intel lists. Moreover, carefully targeted attacks built on top of fresh infrastructure may never be picked up by curators of threat intel lists.
An important risk with anti-malicious email technology is the false positive. At worst, major business opportunities have been lost by improperly blocked email and otherwise productivity is routinely impacted by false positives.
But there are so many useful indicators of malicious email, even newly launched ones, if you use context and history. There are 4 types of history and context that are valuable for detecting malicious email:
- Your organization’s directory
- The recipient’s history of email communications
- The sender’s history of email communications
- If external, the sender’s domain and email infrastructure
Some of the techniques we will look at might be described as fuzzy – meaning that an automated block or pass decision isn’t always viable. And that’s where I come to the other aspect of this session – human intelligence. I have come to realize that the human element of cyber security is more nuanced than we infosec pros have acknowledged in the past. Traditionally we’ve said that any control requiring a user to make a decision between security and productivity is not a control. And certainly, if you present users with a warning confirmation every time they perform a repetitive operation, like opening a document, their eyes will glaze over and they’ll just click OK – me included.
But I’ve seen at my own organization, and at others, that users are becoming more aware of cyber security in general and, in particular, malicious emails. No one wants to be “taken in”. This presents an opportunity for us to use technology to assist users in recognizing risky emails. And it’s important because most attacks beginning with a malicious email rely on getting the user to take some action before the attack can proceed. We can use technology to quickly assess history, context and make other routine checks that any human would quickly be weary of.
In this webinar we’ll look at:
- Sender domain
- Sender IP
- Sender Name
- Email authentication information from DKIM, DMARC and SPF
- Relationship strength
- Is there a nexus between your organization and the sender domain?
- Is there a nexus between the sender and recipient, or the recipient’s department?
- Reputation of sender domain and email infrastructure
This real training for free event is made possible by GreatHorn and Eric Chaves will briefly show you how their technology analyzes hundreds of data points, combining data unique to each sender and recipient to accurately identify sophisticated threats better than any other platform.
Please join us for this real training for free session.