While email remains the #1 threat vector, the tools attackers use continues to evolve — we’re no longer dealing with annoying emails sent by amateurs.  Instead, well-funded and persistent organized crime and nation states create vast email schemes. At the heart of these attacks? Massive amounts of harvested user data. Criminals know that this easily-obtained data can help them craft a compelling attack campaign.  Defenders must have an equally vast set of tools in their toolbox to thwart these sophisticated attacks. And we have to be right all the time. In this post, we’ll dive into the essential tools you need to defend your users.

In my first two blogs, (Deploying DMARC & Why Phishing Attacks Still Win) I discussed the standards around SPF, DKIM and DMARC. While these standards provide significant security benefits, they need to be evaluated/deployed with other threat intel interrogation methods to truly achieve their potential. A comprehensive defense in depth strategy will bring trust back to your users inbox!

Are you focusing on the right threats?

The days of worrying about annoying spam are behind us. Most Email Security Gateways that are competitive do an acceptable job blocking annoying, non-malicious spam. This means the impact of the load on our servers is relatively low.

When we talk to the majority of Email Administrators and security professionals, their concern is around the threats that their end users are being exposed to. This includes attacks like sophisticated Business Email Compromise emails. It’s common to see even “educated users” being tricked into syphoning funds and/or critical intellectual property. Likewise, emails that contain embedded malicious URLs, or benign -looking attachments plague businesses. Administrators know that a seemingly benign attachment could actually be part of an advanced malware attack that erodes the trust and use of email within their organization.

What tools do you need to thwart attacks?

Email Threats come in all techniques and fashion: Header, Body, Email Content, Attachments, URLs.

Defense in depth is mandatory. An effective email security solution will have many layers of defense, like layers of swiss cheese. Even if a threat makes it through one gap, the next layer stops it from reaching the end user. These security layers must gain intelligence from different sources. Global intelligence is helpful because it tackles the generic threats on the internet, but it’s critical that we augment that data with local intelligence.

Go beyond the inbox to fight email threats

We may be tempted to call it a day at those two intelligence sources. But defenders must look to specific attack vectors as well. Check out my short list below and see how many of these your organization harnesses.

How many of these tools are you currently using:

  • DNS layer security
  • Email Sender profiles
  • Signature based AV services
  • Web security around URLs/hosting sites.
  • Advanced Malware Protection / A malware solution that tracks files across all security layers

All of these tools must work together, update automatically, and be simple to manage. (Seem impossible to achieve? Keep reading).

When it comes to zero-day threats, it can get a bit more complicated. For example, it isn’t uncommon to see a threat that surfaces, retreats and re-emerges by another sender. In order to find these threats, some of the best tools are deep malware analysis and interrogating URLs in real time via a secure web proxy.

But what about DMARC?

The email security industry, in their effort to regain trust in email has come up with DMARC as a standard. The benefits and deployment descriptions have been covered in previous blogs. While DMARC and the surrounding standards will make a significant difference in your defense posture, it will not cure all ills.

Attackers have also embraced DMARC and highjacked it to make their malicious campaigns more effective. They create and register look-alike domains and validate/authenticate them with DMARC. This technique preys on the end-user and relies on them not noticing that a domain is carefully misspelled. For defenders, DMARC validation of the inbound mail in conjunction with local identity intelligence can help Email Admins uncover these look-alike domains and other impersonation abuse techniques.

Final takeaways

After discussing an array of tools and techniques, your head may be spinning. But remember the swiss cheese analogy: continue layering your defenses. Likewise, blend your intelligence (global, local, and across all attack vectors) for the best results. Defenders have to strike a delicate balance: limiting your users’ exposure to threats without impeding the value of email for collaborative communications. With these tools, you can create the mix that’s right for your organization.

Please review the Cisco Email Security offerings that provide industry leading levels of threat detection and prevention. Are you an O365 shop who thinks Microsoft has good enough security, think again. Want to evaluate Cisco Email Security to see what we can do for you?

What did you think? Is your organization taking advantage of these different tools and techniques? Comment below with your thoughts. Or subscribe to receive an alert the next time an email security blog is posted.



Munawar Hossain

Director of Product Management

Security Business Group