Letting The Wrong Ones In: Email Security’s Big Blind Spot

Industry Perspectives 2020-11-19

In the course of my systems engineer duties at FireEye, I get the chance to speak with security professionals at a lot of organizations. Many of them seem confident that their email security gateways or email software-as-a-service (SaaS) providers can safeguard them from spear-phishing attacks.

Here are some of the typical comments I hear from companies:

  • “My email security provider has specific phishing filters, so we’re confident that we have eliminated the risk of an infection via a spear-phishing email.”
  • “Our users receive virtually zero spam, so the solution works just fine.”
  • “The contents of the email quarantine are so accurate that we don’t bother checking any more.”
  • “We have a strict attachment policy and multiple AV engines within our email security solution. That adds a very high level of protection from malware threats.”

In general, people believe that the email security headache has been solved. So they tend to relegate it to a secondary concern, far below Web security.

That could be a huge mistake. While spam filters and other email security tools have defanged many high-volume campaigns, they’re futile against some of the most dangerous targeted, personalized attacks.

To understand why, a quick history lesson is in order. The original email problem was spam. Spam is a volume game. The read-and-respond rates from spam email recipients are minuscule, so getting a good return — tricking people into clicking a malicious link or wiring money in an advance-fee fraud — means sending lots and lots of email.

Email security providers use a combination of filtration methods and global IP reputation to create a confidence-based score that identifies spam. The higher the score, the more “spammy” the email is deemed. If the score is not high enough to make it near-certain that the email is unwanted, the email is quarantined rather than deleted so that a human can decide.

Today's email security providers still believe the major problem is blocking spam and viruses. This heavily influences their architecture and how they inspect email. Most of the top email security providers use some form of sender-reputation-based system to decipher global patterns and the spread of spam campaigns.

To avoid rejecting legitimate emails because of stale information, IP reputation databases are often implemented with only a short-term memory of bad senders and email traffic is continuously resampled. This resampling requires a feedback loop.

That’s where detailed email inspection comes into play. For emails that have no bad sender reputation, additional granular filters kick in. These filters inspect the header, the recipient list, the sender, the language, and the letter case and word proximity in the subject and the body. Some vendors also inspect URLs to add anti-phishing capability. The filters are designed to determine whether the lexical (or non-lexical) patterns exhibited in the email match any of the heuristic patterns already derived from known spam or phishing emails.

As an added layer of security, email security tools usually enforce an attachment policy. Its purpose is twofold: first, to stop executable file types coming in (or going out), and second, to control attachment sizes and other aspects of the end-user acceptable use policy.

So with these protections in place, aren’t organizations safe from email-based attacks?

Not quite. The email security business focuses primarily on high-volume attacks. These attacks are noisy, large, and very quickly spotted by reputation-based systems. The problem is low-volume, targeted threats.

Take person-to-person email, for example. Some vendors promise to deliver all legitimate person-to-person email. Their lexical, heuristic, and IP-reputation filters all focus on global email patterns to determine attack sources in an effort to stop massive spam, directory harvest attacks (DHAs), and backscatter attacks. But what do vendors put in place to identify a bad person-to-person email?

The answer: very little.

Spear phishing isn’t a new problem, but it remains a widely effective attack method. The 2013 Verizon Data Breach Investigations Report estimates that the proportion of breaches that involved spear phishing as the initial infection vector quadrupled from the prior year alone. By definition, spear phishing represents a small volume of sent email. But for targets, the impact is huge.

You might notice this trend in your own inbox as the holiday season approaches. Just like legitimate marketers, spammers and phishers launch holiday and event-based campaigns. Both email advanced persistent threat (APT) attacks and the simple bot-delivered email attacks tend to spike around public holidays. FireEye research from Q3 2012 highlights this pattern, and the trend is set to continue this year.

Spear phishing is a thorny topic for email security providers. On one hand, they need to ensure delivery of legitimate email. On the other hand, they need to spot malicious person-to-person emails. If an attacker is sending from an IP address that hasn’t been blacklisted and their email body text uses natural language, then normal email filters give the email a clean bill of health.

If the email contains a URL, the security tool may follow up with basic inspection. Or the tool may just see whether the URL is in an existing blacklist. But unless the tool fully examines URL behavior to understand its intention, it likely comes up clean.

In the same way, if the email contains an attachment, the tool likely inspects the binary and determines the file type. If the file is executable or known to be malicious, it is blocked. But if it’s an unknown or authorized file type — even one booby-trapped with a zero-day exploit — the email is delivered.

And that’s the problem. A person-to-person email doesn’t have spam or bulk phishing characteristics. Any malicious payload is likely to be a weaponized document or a common file type that attachment filters allow through. And URLs contained in the email probably won’t appear on any blacklists.
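To make the blind spot concrete, here is a toy model of the filter stack the post has described: a reputation-plus-heuristics spam score with a quarantine band below the reject threshold, followed by an attachment policy and a URL blocklist lookup. It is an added illustration written for this article, not any vendor's actual scoring logic, and every IP address, domain, hash, phrase list and threshold in it is constructed. It runs three constructed messages through the same pipeline: a bulk spam run, a borderline bulk mailing, and a one-to-one spear-phishing email with a clean sender IP, natural language, an allowed document type and a never-seen URL. The last function lists what the static checks never looked at for a message that was delivered, which is the residual exposure a defender should expect from this kind of filtering.

```python
"""Toy model of reputation + heuristic email filtering (constructed example)."""
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# --- Constructed reference data; none of these are real indicators ---------
BAD_SENDER_IPS = {"203.0.113.7"}                       # TEST-NET-3 address
URL_BLOCKLIST = {"http://spam-example.test/win"}
MALWARE_HASHES = {"deadbeef" * 8}                      # placeholder hash
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}  # attachment policy
SPAM_PHRASES = ("free money", "act now", "click here", "you have won")
QUARANTINE_THRESHOLD = 5   # at or above: hold for a human to decide
REJECT_THRESHOLD = 9       # at or above: near-certain spam, drop it


@dataclass
class Email:
    sender_ip: str
    subject: str
    body: str
    recipients: List[str]
    urls: List[str] = field(default_factory=list)
    attachment_name: str = ""
    attachment_hash: str = ""


def spam_score(msg: Email) -> Tuple[int, List[str]]:
    """Confidence-style score: higher means 'spammier'. Returns (score, reasons)."""
    score, reasons = 0, []
    if msg.sender_ip in BAD_SENDER_IPS:            # global IP reputation
        score += 6; reasons.append("sender IP on reputation list")
    text = f"{msg.subject} {msg.body}".lower()
    hits = [p for p in SPAM_PHRASES if p in text]  # lexical heuristics
    if hits:
        score += 2 * len(hits); reasons.append(f"spam phrases: {hits}")
    if len(msg.recipients) > 20:                   # recipient-list heuristic
        score += 3; reasons.append("large recipient list")
    if len(msg.subject) > 3 and msg.subject.isupper():   # case heuristic
        score += 2; reasons.append("all-caps subject")
    for url in msg.urls:                           # blocklist lookup only
        if url in URL_BLOCKLIST:
            score += 4; reasons.append(f"URL on blocklist: {url}")
    return score, reasons


def attachment_policy(msg: Email) -> Optional[str]:
    """Type- and hash-based attachment policy; returns a block reason or None."""
    if not msg.attachment_name:
        return None
    ext = os.path.splitext(msg.attachment_name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked attachment type {ext}"
    if msg.attachment_hash in MALWARE_HASHES:
        return "known-malicious attachment hash"
    return None        # unknown or allowed type: passes on type alone


def disposition(msg: Email) -> Tuple[str, List[str]]:
    """Final verdict of the static filter stack: reject / quarantine / deliver."""
    blocked = attachment_policy(msg)
    if blocked:
        return "reject", [blocked]
    score, reasons = spam_score(msg)
    if score >= REJECT_THRESHOLD:
        return "reject", reasons
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine", reasons
    return "deliver", reasons


def residual_exposure(msg: Email) -> List[str]:
    """What the static checks never examined for a message they would deliver."""
    gaps = []
    if disposition(msg)[0] != "deliver":
        return gaps
    if msg.attachment_name:
        gaps.append("attachment allowed by type/hash only; content never executed")
    if msg.urls:
        gaps.append("URLs checked only against a blocklist; destination behaviour never examined")
    return gaps


# --- Constructed sample messages -------------------------------------------
BULK_SPAM = Email("203.0.113.7", "YOU HAVE WON", "Free money! Click here now.",
                  recipients=[f"user{i}@corp.example" for i in range(50)],
                  urls=["http://spam-example.test/win"])
BORDERLINE = Email("198.51.100.9", "Invoice reminder",
                   "Act now to keep your discount, click here.",
                   recipients=[f"user{i}@corp.example" for i in range(30)])
SPEAR_PHISH = Email("198.51.100.23", "Q3 budget figures for Thursday",
                    "Hi Dana, attached are the numbers we discussed. "
                    "Can you review before the meeting?",
                    recipients=["dana@corp.example"],
                    urls=["https://docs-share.example/q3"],
                    attachment_name="Q3_budget.docx", attachment_hash="0" * 64)

if __name__ == "__main__":
    for name, m in [("bulk", BULK_SPAM), ("borderline", BORDERLINE), ("spear", SPEAR_PHISH)]:
        print(name, disposition(m), residual_exposure(m))
```

The bulk run scores 21 and is rejected, the borderline mailing scores 7 and lands in quarantine for a human to review, and the spear-phishing message scores 0 and is delivered with an empty reason list: nothing in the stack fired because nothing in it was designed for a one-to-one message from a clean IP. The two residual-exposure entries for that message are exactly the gaps the post describes, an attachment judged by type alone and a URL judged only by blocklist membership.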

This exposes a significant blind spot in your email defenses. Your tools might stop 99.99 percent of the bad stuff. But it’s the 0.01 percent that should really alarm you — because those are the ones that have your organization directly in the crosshairs.