Monitoring email for signs of trouble is generally done in three ways: inline analysis,
which looks at network traffic flow; mail flow analysis, which monitors mail passing
through a mail server; and endpoint security, which puts tools like antivirus and junk
email filters on the client. These options typically are signature-based, though some
analyze IP addresses, formatting irregularities and other characteristics of the email
transfer that might look suspicious.
Inline email analysis is typically done with an IDS/IPS or a dedicated appliance, usually
where Internet traffic enters or leaves the network. Often, the appliance scans other
traffic in addition to email. These devices are good at detecting oddities in the network
traffic, but they are typically not optimized to process inside the email, looking for
content that would suggest malicious intent or evaluating email attachments.
Email analysis for malicious links and attachments often runs on the main mail server or
on a scanning mail server that sits in front of the corporate mail server. Such a scanning
system is located either on-site or at the vendor location (as a cloud-based service).
In the cloud-based scenario, unwanted mail should be prevented from entering the
organization’s network at all, which also makes it more difficult for attackers to identify
the corporate email server to look up targets and associations between targets.
The system should be capable of scanning the message body, email attachments and
URLs, both inbound to and outbound from recipients. This analysis should be based
on a number of things, including to/from addresses, time of day, domain information/
destination URL, email content and headers. It should include the capability to pull
suspect mail aside and examine it more thoroughly before allowing it to move on to
the recipient. With advancements in polymorphism and URL obfuscation, the system
will need to be able to scan inbound email in near real time and parse the mail so that it
can send clean messages forward and send malicious messages to a secure, sandboxed
environment to test the link or URL and then take actions based on findings.
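The scanning step described above can be sketched in code. The following Python example is added here and is not part of the paper or any vendor product: it parses an RFC 822 message, pulls out the headers, links and attachments the text says should be examined (to/from addresses, time of day, link destinations, attachment names), scores a few rules against them and decides whether to deliver the message or set it aside for closer inspection. The two sample messages are constructed for the example; the rule weights, the business-hours window, the risky extension list and the quarantine threshold are assumed policy values, not figures from the paper.

```python
from __future__ import annotations

import email
import re
from datetime import timezone
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample messages (not real captures). The first carries several traits
# the paper says are worth examining: a Reply-To domain that differs from From, a
# link whose visible text names one host while its href points at another, an
# executable attachment with a double extension, and a 03:12 UTC timestamp.
SUSPECT_RAW = b"""From: "Payroll" <payroll@example-corp.test>
Reply-To: payroll-update@mail-relay.example.net
To: cfo@example-corp.test
Subject: Updated direct deposit form
Date: Sat, 04 Mar 2023 03:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://login.example-corp.test.evil.example/">https://intranet.example-corp.test/payroll</a> today.</p>
--b1
Content-Type: application/octet-stream; name="form.pdf.exe"
Content-Disposition: attachment; filename="form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""

BENIGN_RAW = b"""From: alice@example-corp.test
To: bob@example-corp.test
Subject: Lunch
Date: Tue, 07 Mar 2023 11:30:00 +0000
Content-Type: text/plain; charset="utf-8"

See https://intranet.example-corp.test/menu for today's menu.
"""

# Assumed policy values for this example; a real deployment tunes these.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk"}
BUSINESS_HOURS_UTC = range(6, 20)
QUARANTINE_THRESHOLD = 3


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. A real system would consult the public
    suffix list; this approximation is enough to compare the sample hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(msg: EmailMessage) -> list[tuple[str, str]]:
    """(visible text, href) pairs from HTML parts and bare URLs from text parts."""
    links: list[tuple[str, str]] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            for href, inner in re.findall(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
                links.append((re.sub(r"<[^>]+>", "", inner).strip(), href))
        elif ctype == "text/plain":
            for url in re.findall(r"https?://[^\s<>\"']+", part.get_content()):
                links.append((url, url))
    return links


def score_message(msg: EmailMessage) -> tuple[int, list[str]]:
    """Apply the rules and return (score, human-readable findings)."""
    score, findings = 0, []

    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != registrable_domain(sender.rpartition("@")[2]):
        score += 1
        findings.append(f"Reply-To domain differs from From: {reply_to}")

    date_hdr = msg.get("Date")
    if date_hdr:
        hour = parsedate_to_datetime(str(date_hdr)).astimezone(timezone.utc).hour
        if hour not in BUSINESS_HOURS_UTC:
            score += 1
            findings.append(f"sent outside business hours (UTC hour {hour})")

    for text, href in extract_links(msg):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            score += 2
            findings.append(f"link text shows {text_host} but points at {href_host}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 2
            findings.append(f"executable attachment: {name}")
        if name.count(".") >= 2:
            score += 1
            findings.append(f"double file extension: {name}")
    return score, findings


def triage(raw: bytes) -> dict:
    """Parse one raw message and decide whether it is delivered or pulled aside."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, findings = score_message(msg)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"verdict": verdict, "score": score, "findings": findings}


if __name__ == "__main__":
    for raw in (SUSPECT_RAW, BENIGN_RAW):
        print(triage(raw))
```

A message that reaches the threshold is held rather than dropped, which matches the paper's point that suspect mail should be examined more thoroughly before a decision; the findings list is what an analyst (or a downstream sandbox step) would act on.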
Since spearphishing relies on finding and exploiting users and apps of value, it is
important that the email security system also keep intelligence on valuable targets
(users, systems and data) around which to wrap extra protections. For example, the
email system should share intelligence with data loss prevention (DLP) systems to
protect sensitive outbound data but also to identify targets sending that work with
Email analysis at the endpoint is important, too, particularly in the case of mobile users.
Antivirus software on the endpoint can also scan every message, looking for malicious
content. Email security on the endpoint, usually accompanied by an agent, should
provide all the scanning capability listed above as requests from mobile devices attempt
to access the email system. This means that email security at the endpoint would be best
if it could integrate with network access control (NAC) or other access systems to scan
the endpoints for violations of policy, vulnerabilities and security status before email is
downloaded to the mobile device.
Better yet, keep the email on the internal server and do not let it be stored on mobile devices.
Note that because targeted attacks are designed to evade most endpoint antivirus
discovery, email server and application protections are the critical impact point that
controls should focus on.
A detection system for advanced threats should be able to identify files that are known
and analyze those that are unknown. Analyzing against a blacklist of known bad files can
cut down on the noise, allowing for the detection of advanced spearphishing attempts
that go unnoticed amid other attacks that are easier to detect. The system would
identify and remove malicious files quickly in a process that is repeatable whenever
new instances of the same malicious file attachments are detected by the email security
system. But that only takes care of known problems.
A second layer of analysis is needed when unknown files attempt to execute on the
system. At time of delivery or attempted execution, these files should be screened and
segmented into a secure zone, where they are sandboxed and executed to determine
their payloads. Should those payloads display signs of malware, they are further
examined. Files identified as malicious are added to the blacklist of known bad files.
Once added to the blacklist, they can be used for detecting and blocking the same or
similar files in the future.
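The two-layer process in the preceding paragraphs (a blacklist of known-bad files, then detonation of unknown files whose malicious verdicts are fed back into the blacklist) is shown below as an added Python example; it is not code from the paper or from any product. The sandbox is the part that cannot be reproduced in a few lines, so a constructed static check stands in for it and is labelled as such; everything else (SHA-256 fingerprinting, feed ingestion, the write-back of verdicts, and the log of decisions) is the repeatable blocking logic the text describes.

```python
from __future__ import annotations

import hashlib
from typing import Callable

# Verdict returned by the detonation step: "malicious" or "clean".
Detonator = Callable[[bytes], str]


class AttachmentTriage:
    """Two-layer attachment triage.

    Layer 1: a SHA-256 blacklist of known-bad files answers instantly and never
    needs another detonation. Layer 2: anything not on the list is handed to a
    sandbox; a malicious verdict is written back to the blacklist so every later
    copy of the same file is blocked by layer 1.
    """

    def __init__(self, detonate: Detonator, known_bad: set[str] | None = None) -> None:
        self.detonate = detonate
        self.known_bad: set[str] = set(known_bad or ())
        self.seen_clean: set[str] = set()   # cache of sandbox "clean" verdicts
        self.detonations = 0
        self.log: list[dict] = []

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def ingest_feed(self, hashes: set[str]) -> None:
        """Merge hashes from a vendor or ISAC feed into the blacklist."""
        self.known_bad.update(h.lower() for h in hashes)

    def check(self, filename: str, data: bytes) -> dict:
        digest = self.fingerprint(data)
        if digest in self.known_bad:
            action, source = "block", "blacklist"
        elif digest in self.seen_clean:
            action, source = "deliver", "clean-cache"
        else:
            # Unknown file: detonate it. Exact-hash matching only recognises
            # byte-identical copies, so polymorphic variants always reach this step.
            self.detonations += 1
            if self.detonate(data) == "malicious":
                self.known_bad.add(digest)
                action, source = "block", "sandbox"
            else:
                self.seen_clean.add(digest)
                action, source = "deliver", "sandbox"
        decision = {"file": filename, "sha256": digest, "action": action, "source": source}
        self.log.append(decision)
        return decision


def static_detonator(data: bytes) -> str:
    """Constructed stand-in for a real sandbox. It only looks for a PE header or
    an Office auto-run macro name; a real sandbox executes the file in an
    isolated environment and judges its behaviour."""
    if data.startswith(b"MZ") or b"AutoOpen" in data:
        return "malicious"
    return "clean"


def run_demo() -> AttachmentTriage:
    """Constructed sequence: the same dropper arrives twice, the invoice twice."""
    triage = AttachmentTriage(static_detonator)
    invoice = b"%PDF-1.4\n% constructed benign sample\n"
    dropper = b"MZ" + b"\x90" * 32           # constructed sample with a PE header
    triage.check("invoice.pdf", invoice)     # unknown -> sandbox -> deliver
    triage.check("update.exe", dropper)      # unknown -> sandbox -> block, hash recorded
    triage.check("update(1).exe", dropper)   # same bytes -> blocked by the blacklist
    triage.check("invoice.pdf", invoice)     # clean verdict reused
    return triage


if __name__ == "__main__":
    for entry in run_demo().log:
        print(entry)
```

The demo performs two detonations for four attachments: the second copy of the dropper never reaches the sandbox, which is the "repeatable" property the text asks for. Caching clean verdicts by hash is a trade-off a real deployment should make consciously, since a file judged clean today may be reclassified when intelligence changes.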
URL and IP Address Analysis
Keeping up with changes to URL and IP classifications is not easy. Just recently, an Internet
Storm Center diary entry [9] noted that the website for GM trucks was hosting the Nuclear
exploit kit (EK). The site looks quite innocent when checked with a browser appliance, and
it probably had been clean a week earlier. Criminals are constantly scanning the Internet
looking for legitimate sites that can be hijacked and used to compromise unsuspecting
visitors. An advanced threat detection system needs to be able to constantly reclassify
URLs and IP addresses as they go from good to bad and back again.
In addition to monitoring URLs that are being used throughout the organization, the
system should monitor IP addresses of senders. This often involves vendor-managed
databases that list known good and known bad classifications of both URLs and IP
addresses. These lists should accept updates automatically as new
malicious attachments and URLs are found. Often this function is
performed through cloud-based services, on-premises equipment or
both. The key is that the URLs and IP addresses are examined before the
user has a chance to click the links.
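The reclassification problem in this section (a site goes from good to bad and back, and a week-old "good" verdict cannot be trusted) is illustrated by the following Python example. It is added here and is not the paper's or any vendor's code. Verdicts carry the time a feed last asserted them and expire after a configurable TTL, after which the indicator is reported as "unknown" and sent for a rescan instead of being allowed on stale information. The feed names, the hostnames, the IP address, the TTL and the timeline are all constructed; the injectable clock exists so the aging behaviour can be exercised without waiting.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

DAY = 86400.0


@dataclass
class Classification:
    verdict: str        # "good" or "bad", as asserted by a feed
    observed_at: float  # epoch seconds when the feed last asserted it
    source: str


class ReputationCache:
    """URL/IP classifications with an expiry. A verdict that no feed has
    refreshed within `ttl` seconds is reported as "unknown" so the scanner
    re-checks the indicator rather than trusting last week's answer."""

    def __init__(self, ttl: float, clock: Callable[[], float]) -> None:
        self.ttl = ttl
        self.clock = clock          # injectable for testing; use time.time in production
        self.entries: dict[str, Classification] = {}

    def ingest(self, feed: dict[str, str], source: str) -> None:
        """Apply a feed update; a newer assertion simply overwrites the old one."""
        now = self.clock()
        for indicator, verdict in feed.items():
            self.entries[indicator.lower()] = Classification(verdict, now, source)

    def _fresh_verdict(self, indicator: str) -> str:
        entry = self.entries.get(indicator)
        if entry is None or self.clock() - entry.observed_at > self.ttl:
            return "unknown"
        return entry.verdict

    @staticmethod
    def _is_ip(host: str) -> bool:
        try:
            ipaddress.ip_address(host)
            return True
        except ValueError:
            return False

    def lookup(self, host: str) -> str:
        host = host.lower().rstrip(".")
        if self._is_ip(host):
            return self._fresh_verdict(host)
        labels = host.split(".")
        ancestors = [".".join(labels[i:]) for i in range(len(labels))]
        # A bad parent domain taints every subdomain; a good parent proves nothing
        # about a subdomain, so "good" is honoured only on an exact match.
        if any(self._fresh_verdict(a) == "bad" for a in ancestors):
            return "bad"
        return "good" if self._fresh_verdict(host) == "good" else "unknown"

    def decide(self, url: str) -> dict:
        """Classify the URL's host before the user can click it."""
        host = urlparse(url).hostname or ""
        verdict = self.lookup(host)
        action = {"bad": "block", "good": "allow", "unknown": "rescan"}[verdict]
        return {"url": url, "host": host, "verdict": verdict, "action": action}


class FakeClock:
    """Constructed clock so the timeline below runs instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_timeline() -> list[str]:
    """Constructed timeline: a site goes good -> bad -> stale -> good again."""
    clock = FakeClock()
    cache = ReputationCache(ttl=2 * DAY, clock=clock)
    cache.ingest({"trucks.example": "good", "198.51.100.7": "bad"}, "vendor-feed")
    actions = [cache.decide("https://trucks.example/models")["action"]]        # allow
    clock.advance(1 * DAY)
    cache.ingest({"trucks.example": "bad"}, "isc-diary")                        # site compromised
    actions.append(cache.decide("https://trucks.example/models")["action"])   # block
    actions.append(cache.decide("https://cdn.trucks.example/kit")["action"])  # block: parent is bad
    actions.append(cache.decide("http://198.51.100.7/x")["action"])           # block: still fresh
    clock.advance(3 * DAY)
    actions.append(cache.decide("https://trucks.example/models")["action"])   # rescan: verdict expired
    cache.ingest({"trucks.example": "good"}, "vendor-feed")                     # cleaned up
    actions.append(cache.decide("https://cdn.trucks.example/kit")["action"])  # rescan: parent good proves nothing
    actions.append(cache.decide("https://trucks.example/")["action"])         # allow
    return actions


if __name__ == "__main__":
    print(run_timeline())
```

The "rescan" outcome is the important one: an expired verdict is neither allowed nor blocked on old data, it is sent back for fresh analysis, which is what keeps the classifications tracking sites that are hijacked and later cleaned.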
Data analysis. Stored email on mobile devices is a treasure trove for
attackers. Therefore, it is important that the system work with DLP to
determine sensitivity of data types, enforce rules such as encryption
of stored data and data emailed off the devices and report when sensitive data tries to
leave the organization via email.
Analysis of high-value targets. The system should also provide intelligence on users
of value to the organization based on their titles, systems they access and the data that
would be impacted should spearphishers access those high-value systems. Additional
analysis may be needed for the highest-value targets, such as what mention they get on
the company websites, what social media use they’re prone to and how they normally
Together, these email security defenses will catch a lot of malicious activity. Nonetheless,
email analysis alone is not enough; it should be coupled with outbound network
monitoring, activity monitoring and user security awareness training. In addition,
email analysis should integrate with internal and third-party threat intelligence data,
whitelisting and blacklisting policies and network security reports (IDS/IPS/firewalls) to
reduce false positives and block new advanced attacks that email systems alone might
Threat intelligence from third-party vendors, the email system or the SIEM system is a
good starting place for automating your response processes. Email security systems
should provide their own intelligence that feeds into the SIEM system as needed and
should be especially focused on targets of high value to spearphishers. These systems
should combine machine analytics with self-learning so that newfound threats, such as
newly malicious URLs and malicious payloads, are categorized and included in future
detection and response platforms. This intelligence should also be shared with the larger community
through third-party intelligence providers, the email security system or industry groups
such as Information Sharing and Analysis Centers (ISACs).
For example, if email and web security catch malicious downloads that antivirus is not
catching, those layers should also integrate with anti-malware programs so that what they
find improves detection there. Humans are needed to make decisions, but automated collection and
analysis systems such as SIEM, as well as the sharing of intelligence, are crucial to pulling
out the actionable events.
These automated systems cannot just be plugged in and left alone; they need to be
thoughtfully set up, monitored and adjusted as the network environment and the
threats change. The following email security checklist should help organizations
determine whether their email security is meeting the challenge of fighting today’s
advanced spearphishing threats.