Email continues to be the number one business communication method and is still the number one threat vector. This ubiquitous communication technology also provides an effective path for criminal actors.

Today, customers are more concerned about targeted and other advanced attacks than about spam capture rates. Well-funded, educated criminals employ a wide range of attack methods to target the end user. Their goal is to infiltrate the network and access intellectual property, steal corporate or personal funds, or tarnish their target’s brand reputation. Old methodologies used for fighting the spam wars will not be effective in today’s threat battle. Security professionals must implement integrated layers of methodologies in order to protect their users and their assets.

Blended threats combining email and web have been around for a long time, but are now being deployed in unique combinations. Early on, users and attackers integrated web links into their emails. Outside of email, web security products cover a full gamut of requirements. Everything from acceptable use policies to deep malware and virus scanning has been deployed in the offerings from many web security vendors, including Cisco. Why not do the same for URLs embedded within an email? Administrators have to deal with spoofed email components as well as HTML-based emails that allow the URLs to be spoofed to end users. What users see is not what they get! HTML does a fantastic job of allowing complex messaging to be delivered over email, but with that high-level formatting, we have obscured the true links. End users must be protected against these types of obfuscated attacks. Security teams must understand the threat posture of the websites and make informed decisions on end user access. These decisions also include categorization. Why would I block a web request going to a category such as hate crime while allowing the same link or content to be delivered over email? In any email security product, web integration and its potential negative impact must be evaluated.

Attachment-based attacks continue to plague end users. Embedding malicious content in business-appropriate files is the most common form of attachment-based attack. Criminals have many options to leverage for these attacks – from inexpensive malware that can be used in mass attacks, all the way up to specifically crafted payloads targeting a business vertical or single company. Specifically crafted attacks come in targeted messages that include these malicious attachments. Do these files have hidden intent? Email security solutions today must quickly understand the threat posture of an attachment and, if it is not known, perform deep malware analysis. Actors know that the infected payload will go through some point-in-time malware analysis, and many of the more complex attacks leverage sandbox avoidance techniques. To protect against these types of attacks, effective solutions must leverage ongoing and deep threat analysis, retrospection, and detailed tracking and reporting.

Social engineering data harvesting is the latest scourge for end users. Carefully crafted emails with elaborate spoofing techniques have caused massive financial losses to many unsuspecting customers. The techniques used to trick end users into being compromised change on a daily basis. But what happens if there is no attachment or URL to scan? What happens if there are no telltale signs that the email is spam? The different components of an email and how they can be leveraged have been covered: attachments and web links. One of today’s most reported attacks is what the FBI calls Business Email Compromise or BEC. This type of attack takes content spoofing to the next level. These emails look like they are coming from trusted sources with the authority to make the request. These requests usually entail some form of money transfer or sharing of critical data. This attack has several components that must be protected against. The true sender of the email must be validated in all forms that could show up in the “mail from.” Relationships and contextual identity must be defined and validated. While this can be a daunting task for email administrators, it is up to the security vendors to make this an achievable goal.

To learn how Cisco can protect against these three methods (URL, attachment and social attacks), please visit cisco.com/go/emailsecurity.


Scott Bower

Technical Marketing Engineering and Business Development Manager

Security Business Group