In the following article, we will review the solution and the methods that we can use for dealing with the threat of – Phishing mail attacks and his derivative Spoof mail attack.
Dealing with the threat of Spoof and Phishing mail attacks |Part 6#9
http://o365info.com/dealing-with-the-threat-spoof-phishing-mail-attacks-part-6-of-9/
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal Doron | o365info.com
1. Dealing with the threat of Spoof and Phishing
mail attacks
Part 6/9
2. 2
• What Are The Ingredients That Are Needed For Successfully Dealing With The Threat Of Attacks And
Phishing And Spoofing Mail Attacks?
• Dealing With A Spoof Mail Attack And Phishing Mail Attacks Effectively
• A- Dealing with the part of “Spoof mail attack”
• B- Dealing with the part of malware and Phishing websites
• C- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Users Education & awareness
program
• D- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Policy, standards and regulations
• E- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Client side security
AGENDA
3. What Are The Ingredients
That Are Needed For
Successfully Dealing With
The Threat Of Attacks
And Phishing And
Spoofing Mail Attacks?
4. Eyal Doron o365info.com
An unrealistic expectation to find quick and simple solution
to that threat of - Spoof mail attack and Phishing mail attacks
5. Eyal Doron o365info.com
"Logic fan of solutions that will deal with each of
the different parts of the Phishing mail attacks and its
derivative Spoof mail attack.
6. Eyal Doron o365info.com
By acknowledging that - Spoof mail attack and Phishing mail attacks are verifying
sophisticated attacks and compound attacks.
Dealing with a Spoof mail attack and Phishing mail attacks effectively
| The right state of mind
By acknowledging that - we will need to invest the required resources for learning about
the way our enemies think and about the specific characters of the Spoof mail attack
and Phishing mail attacks.
By acknowledging that there is no Single Solution or a magic button that we can use.
That we will need to invest the required resource and learning about all the passable
solutions, how to implement and test these solutions, etc.
7. Eyal Doron o365info.com
Dealing with a Spoof mail attack and Phishing mail attacks
| How | General directions
A Spoofed E-mail address
Mail protection mechanism that verifies the sender identity, will help us to recognize
and block most of the Spoof mail attacks that are use by Phishing mail attacks
B Phishing mail | Social engineering
Phishing mail attacks exploit the human factor . For this reason,
the only effective way is to educate the human factor about the existence
of this risk, and how to recognize the behavior of Phishing mail.
C Malware Phishing wesites
Mail attachment and other downloadable files – implementing and enforcing
mechanism that will be able to verify known and un-know malware's
Implement URL filter mechanism
8. Dealing With A Spoof
Mail Attack And Phishing
Mail Attacks Effectively
9. Eyal Doron o365info.com
Phishing mail
Dealing with Phishing mail attacks
| The different part of the defense plan
Dealing with the part of
Spoof mail attack
A
B Dealing with Malware
and Phishing websites
C Users Education &
awareness program
Policy, standards and
regulations
D
Client side
security
E
11. Eyal Doron o365info.com
By implementing a protection mechanism that will implement
sender verification process by using public mail standard such as:
SPF | DKIM| DMARC
Exchange based environment | Authenticated sender + Exchange rule
A
Dealing with a Spoof mail attack and Phishing mail attacks effectively
| Technical solutions | Sender identity verification
13. Eyal Doron o365info.com
B
Implementing malware mail filters.
Implementing spam mail filters.
Implementing URL verification mechanism.
Implementing mail attachment policy.
Implementing send box solutions.
Dealing with a Spoof mail attack and Phishing mail attacks effectively
| Technical solutions | E-mail content
14. Eyal Doron o365info.com
Phishing mail attack is implemented by E-mail
message that include malware attachment that
appear as Innocent file.
15. Eyal Doron o365info.com
Zero-day attack – attack that was not recognized,
classified and was registered on the well-known
attack database (have no signature).
16. Eyal Doron o365info.com
In some of the Phishing mail attacks, the victim is seduced
to access a Phishing website and download a malware
19. Eyal Doron o365info.com
The activation of the file, is executed in a
dedicated and isolated memory space
(the is the meaning of the term - Sandbox).
23. Eyal Doron o365info.com
Dealing with a Spoof mail attack and Phishing mail
| Education?
Our education
Management education
Users education
1
2
3
24. Eyal Doron o365info.com
IT education Management education Users education
Awareness program
C
Management commitment
Dealing with a Spoof mail attack and Phishing mail attacks effectively
| Education & awareness program
25. D- Dealing with a Spoof
mail attack and Phishing
mail attacks effectively |
Policy, standards and
regulations
26. Eyal Doron o365info.com
Definition of policies and regulations that will prevent different option of
exploitation by hostile elements.
Appointing a resource that will review and analyze E-mail message that
was identified as Spoof E-mail or Phishing mail.
Dealing with a Spoof mail attack and Phishing mail attacks effectively
| Policy, standards and regulations
D
27. E- Dealing with a Spoof
mail attack and Phishing
mail attacks effectively |
Client side security
29. Eyal Doron o365info.com
E
Dealing with a Spoof mail attack and Phishing mail attacks effectively
| Client side security
Using Antivirus
Using additional desktop smart defense mechanism
Harding the policy that related to Microsoft office
documents such as disabling macro
Editor's Notes
In the following article, we will review the solution and the methods that we can use for dealing with the threat of – Phishing mail attacks and his derivative Spoof mail attack.
To be able to succeed in this task, we will need to acknowledge the simple truth about our enemies – they are professionals, that are familiar with every blind spot and weakness that we have, and they will use it because they are highly motivated.
Modern spoof mail attack and phishing mail attacks are very sophisticated attacks, that consist of a couple of “parts,” and exploit the weakness of our mail infrastructures and the weakness of our users (the human factor that is exploited by that attacked that uses the social enginery method).
In a scenario where a political candidate declares that – he has the solutions to all the existing problems, and he can solve all the problems in a short time, do not believe him!
The same logic goes relating to the subject of protecting our organization from spoof mail attacks and Phishing mail attacks. There is no such thing as a “single solution” that will deal with this sophisticated attack or a solution that will identify and block 100% of these attacks.
The “solution” that we are looking for, realized as a combination of solutions or, a “logic fan of solutions” that will deal with each of the different parts of the Phishing mail attacks and its derivative Spoof mail attack.
The first and the most important step is – the need for “acknowledgment.”
The acknowledgment of the fact that – Spoof mail attack and Phishing mail attacks are sophisticated and include many “moving parts.”
The acknowledgment of the fact that – we must learn to think like the attacker, and understand the DNA and the characters of Spoof mail attack and Phishing mail attacks.
The acknowledgment that – the “solution” will be a combination of technical solutions, guidelines, educations and so on.
Before we get into the specific details, and the different options that we can use for dealing with Spoof mail attacks and Phishing mail attacks, just a quick reference to the “structure” that we need to use:
The phishing mail attack is exploiting the weakness of human factor by:
Using a spoofed identity of a trusted sender
Using a social engineering method for convincing and seduce the victim (our users) to “do something.”
The first thing that we will need to deal with is – the phenomenon of “Spoof E-mail.”Luckily, at the current time, there are a couple of mail standard that we can use for implementing and enforcing a process, in which we will be able to identify most of the Spoof E-mail scenarios.
The second thing that we will need to deal with is – our user’s education. Allow our users to be aware of the risks and characteristics of Phishing mail attack, so they will have the ability to recognize Phishing mail.
The third thing that we will need to deal with is – the “way” or the method in which the Phishing mail attack is actualized.
The “channels” which are used by the attacked the executable Phishing mail attacks to attack his victims are
Using a malware file – seduce the victim to open seemingly innocent file (malware).
Using a Phishing website – seduce the victim to download + open seemingly innocent file (malware), provide personal information (password, bank account, etc.) or deposit a sum of money to the bank account of the attacker.
To be able to mitigate these risks, we will need to find a protection mechanism, that could identify and block the specific malware and in addition, find a protection mechanism that could identify and block the “problematic URL’s” (links that lead our users to Phishing websites).
As we know, there is no “single solution” that could help us to deal with the challenge of Phishing mail attacks and his derivative Spoof mail attack.
Instead, the solution can be described as a “collection” or, a combination of different solutions and methods that will need to be implemented.
As we know, the Spoof mail attack is one of the main characters of Phishing mail attack.For this reason, we need to implement a solution in which our mail infrastructure will use a mechanism of a sender verification process.
Each time that a sender addresses our mail infrastructure, our mail infrastructure will implement a verification check, so we will be able to be sure that the sender is really who he claims to be.
In other words, using a protection mechanism, that will identify (and block) E-mail message that has a spoofed sender identity. A scenario in which hostile element prettied to be one of our legitimate users or legitimate sender from another organization.
The good news is that at the current time, there are a couple of mail security standard that was created for the purpose of verifying sender identity such as – SPF, DKIM and DMARC.
Note – we will review the main characters of this sender verification solutions in the article – Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online |Part 8#9
Note – if you want to read more information about the implementation of DKIM in Office 365 based environment you can read the article – Outbound DKIM signing and DNS infrastructure | Building the required DNS records for Office 365 | Part 4#5
In addition, in case that your mail infrastructure is based on Exchange architecture, we can use additional option for verify sender identity by, identify authenticated versus non- authenticated (anonymous) senders who use our organization domain name.
Note – if you want to read more information about the implementation of sender identity verification by using the Exchange Online rule that will identify non- authenticated (anonymous) sender you can read the article – Detect spoof E-mail and send an incident report using Exchange Online rule (Learning mode) |Part 2#12
In this part, we are dealing with the “channels” which are used by the attacker to executing his specific attack.
Just a quick reminder, the Phishing mail attack “channels” are – malware file or a Phishing website.
Using a spam mail filter
For the sake of full disclosure, I don’t think that a spam mail filter is very usefully for identify Phishing mail because Phishing mail is not a spam mail.
Only in a scenario in which the Phishing mail has also characters of spam mail, the spam mail filter can identify such as E-mail message.
Another scenario in which spam filter can be useful is – in a scenario that the specific Phishing mail attack was recognized as a Phishing mail attack, and specific characters of the E-mail message (the signature) appear in the signature database of a “well know problematic E-mail messages.”
Bottom line
It’s recommended to use a spam mail filter, but we should not relate to the spam filter as the “ultimate solution” for Phishing mail attacks.
Dealing with E-mail attachments
Many times, the Phishing mail attack is implemented by an E-mail message that includes malware attachment that appears as an Innocent file.
Let’s assume that the attacker (the part that relates to social engineering) convinces the victim (our user), to open the file that is attached to the E-mail message, what can we do in this scenario?
1. Implementing malware mail filters.
The purpose of the malware mail filters as the name implies is to detect a malware that appears as an E-mail attachment.
Case 1 – Phishing mail attack that includes Zero-day attack malware
The major disadvantage of the “standard malware mail filters” is his inability to cope withZero-day attack. The term Zero-day attack, describe a “new attack” that wasn’t recognized, classified, and was registered on the well-known attack database (have no signature).
The standard malware mail filter can detect E-mail malware, based on a signature database that includes a “documentation” of malware signatures. For this reason, the standard malware mail filters cannot deal with a zero-day attack.
In simple words, cannot detect “new malware” that his specific signature doesn’t appear in the identified malware database.
Case 2 – Malware that doesn’t implement as E-mail attachment
In many Phishing mail attacks, the malware doesn’t appear as an E-mail attachment. Instead, the victim is seduced to click on a link that will lead him to the hostile website and then asked to download a specific file (the malware). In this scenario, the malware mail filter is not involved in the process and cannot detect the malware.
2. Implementing E-mail attachment policy.
The advice of “Implementing mail attachment policy,” in which block a specific type of E-mail attachment such as the executable file is a “good advice,” and not just for the scenario of dealing with a Phishing mail attack.
The main problem is that most of the time, Phishing mail attack that has an attachment, will use an Innocent type of file such as Microsoft office files (Word, Excel etc.).The main problem that we are facing is – that most of the time, we cannot define mail attachment policy that will block “standard” E-mail attachment such as a word document.
This is the weak spot that is exploited by the hostile element that sends the “Innocent attachment.”
Note – if you want to read more information about how to implement mail attachment policy in an Exchange base environment by using Exchange rule, you can read the article series – Manage E-mail attachment policy in Office 365 – part 1#4
3. Implementing “sandbox” solutions.
One of the most frustrating and challenging security threats is the subject of zero-day attack.
The simple meaning of this term can be translated into a “new type of malware” that is distributed by hostile elements, that consider as “UN knows malware” meaning, the security, defense systems that should protect our infrastructure from this specific malware are not aware of the fact that this malware.
Note – the definition of “new type of malware” can also be translated to a variation of a well know malware.
The problem of identifying scenarios of zero-day attack considers as “blind spot” or, a congenital weakness of antivirus products.
A common antivirus software detects malware is by examining the existing file and compare the file characters to a signature database, that include information about malware that was detected, classified as malware and registered in the malware signature database.
Because in the specific scenario of zero-day attack the malware is not “registered” in the malware signature database, it’s hard for the antivirus application to detect and mark the zero-day file as malware.
The solution for a zero-day attack is a technology (technology that is offered by a couple of manufacturers) that was built to deal with the problem by implementing a mechanism named – sandbox.
The concept of “Sandbox” is implemented in the following way:
When an E-mail that includes an attachment is sent to a destination recipient who is protected by security gateway that uses the mechanism of “Sandbox,” the E-mail will not be sent directly to the destination recipient but instead, will be “Intercepted” by the security gateway.
The security gateway will simulate the exact action that was supposed to be performed by the end user, such as, open the E-mail message, and try to open the attachment (double-click on click on the file).
The “activation” of the attached file is executed in a dedicated and isolated memory space (the is the meaning of the term Sandbox).
The security gateway, will watch the “file behavior” and check if the attachment (the file) is trying to do something that is not standard such as – trying to access the hard disk, try to access a suspicious area in the RAM that a standard file will not access, try to create a buffer overflow and so on.
In this way, we can locate malware that’s disguised them self as Innocent file.
Additional reading
Zero-day attack
Zero-day (computing)
Responding to Zero Day Threats
The Best Defenses Against Zero-day Exploits for Various-sized Organizations
Advanced Threat Protection – Exchange Online
Introducing Exchange Online Advanced Threat Protection
Exchange Online Advanced Threat Protection
Exchange Online Advanced Threat Protection is now available
Exchange Online Advanced Threat Protection Service Description
Advanced threat protection for safe attachments and safe links
Video lectures
First Look at Advanced Threat Protection in Office 365 to Stop Unknown Malware and Phishing Attacks
Leading the way in the fight against dangerous email threats
Implementing a URL verification mechanism.
A very common method that is used in a Phishing mail attack is – to infect the victim’s desktop with a malware or hostile code, using a smart process” which includes a two or three steps.
The first step is to convince the victim to “do something” by clicking on a specific link that will lead him to a website which includes the malware.
The victim will need to download the file and open the file (the malware).
This method enables the attacker to bypass existing implementation of malware filter because the malware doesn’t appear as part of the E-mail message.
The only way to deal with this “bypass method” is, to implement a security mail filter that can verify URL addresses that appear in the E-mail message by deciding if the specific URL considers as a legitimate URL address or a hostile URL address such as Phishing website.
The security mail filter that needs to verify URL address can implement the verification process in two methods:
1. URL address database
Using a database that includes information about a “problematic website” or a dangerous website” such as a Phishing website or websites that were compromised.
2. Simulate the access to the specific website instead of the “original user”
A process in which the “URL filter” tries to access to the URL address that includes in the E-mail message before the recipient read the E-mail message and try to check if the website looks like a legitimate website or a website that tries to manipulate the user desktop by trying to exploit existing vulnerability.
An example of such “URL verification filter” is the Microsoft technology, that is implemented in the EOP (Exchange Online protection) by using the feature named ATP (advanced threat protection) which includes a component named – safe links.
The purpose of this technology is to add an additional layer of security, in which the mail security gateway (the EOP infrastructure) will check and verify each URL address (link) that appears in E-mail message, and verifies the that the “destination website” is a legitimate website and not a website that appears as a problematic website.
Additional reading
Safe attachments and safe links | Office 365 and Exchange Online
Exchange Online Advanced Threat Protection
Introducing Exchange Online Advanced Threat Protection
Advanced threat protection for safe attachments and safe links
Set up a safe links policy in EOP
Exchange Online Advanced Threat Protection Service Description
Most of the time, when we use sentence such as fighting Spoof E-mail attacks and Phishing mail attacks, the first association that comes to mind is related to some kind of “high end sophisticated products” that will know how to deal with this terrible threat.
The simple truth is that we probably we will need to use this “high-end sophisticated products” but, to be able to provide a complete and comprehensive for the problem that we are facing we must add the layer of – educating our users about the risk of the Spoof mail attack and Phishing mail attacks, the specific characters of such attack, how to recognize these attacks and so on.
In other words, the technological solutions do not provide a complete solution!
Although there is a great importance to the subject of “user education,” most of us, tend to underestimate this solution because the common association that is related to the term “education” is – boring, not needed, useless.
The interesting thing, that I would like to draw your attention is the fact that – one of the most effective and significant ways, to deal with the phenomenon of Spoof and Phishing mail attacks is the subject of “education.”
At the same time, one of the most neglected areas is the “education.” Because most of us are sure that is just a non-useful nonsense.
Notice that I didn’t use the common term “user education” because the subject of “education” is related to different elements in the ecosystem:
1. Our education
Most of us (IT persons) have the misleading sense that we know everything about mail security, the different type of mail Threats such as Spoof mail attack and Phishing mail attacks and so on.
The simple truth is that we don’t.
Let’s make it simple – the purpose of the current “boring article series” is -to make you understand that the subject of Spoof mail attack and Phishing mail attacks is not so simple and that there is a lot of information that we should learn about this subject.
2. Management education
When I use the term “management education,” I relate to the concept of “management commitment.”
The concept of “management commitment” must be realized in two ways:
The acknowledgment that Spoof mail attack and Phishing mail attacks could cause serious damage.
The acknowledgment that there is no “magic solution” to this risk buy instead, a combination of a different solution.
The acknowledgment that there is no “magic solution” that will block 100% of the Spoofing or Phishing attacks.
The management will need to commit to the simple fact in which she needs to allocate the required resources (time, money, education and so on).
3. User’s education
Because the Phishing mail attack is so sophisticated and hard to detect one of the most effective tools that we can use dealing with this risk is – to make our user aware of this threat.
Teach them about the specific characters of Spoof E-mail attacks and Phishing mail attacks, show an example of Spoof E-mail or Phishing mail and so on.
The outcome of the acknowledgment of the big importance to educate our user regarding the subject of Spoof E-mail attacks and Phishing mail attacks is – the user awareness program.
Additional reading
Security user awareness program.
Information Supplement: Best Practices for Implementing a Security Awareness Program
The 7 elements of a successful security awareness program
Building an Information Technology Security Awareness and Training Program
Creating an IT Security Awareness Program for Senior Management
Video lectures
How To Avoid Falling Prey To Phishing Scams
1. Define a policy and regulation that will restrict the level of damage that could be caused by a Phishing mail attack
One of the most neglected areas regarding the subject of dealing with a scenario of Spoof E-mail attacks and Phishing mail attacks is – an area which I describe as “Policy, standards and regulations.”
And again, most of the time, the first association that comes to mind regarding these terms is – boring or, not relay a useful solution that I can use.
I would like to give you an example of a regulation \ policy that seemingly doesn’t relate directly to the subject of Phishing mail attack.
A policy which restricts the specific amount if the money, that specific employee is authorized to transfer to another bank account by himself.
The main purpose of such regulation \ policy is to reduce the level of damage in a scenario in which a company employee, maliciously execute a criminal activity in which he will steal money by transferring money from the company bank account to his bank account.
A specific type of Phishing mail attack, and especially Spear phishing attack, is directed to a very specific organization’s role such as the company CEO, CFO, etc.
In this Phishing attack, the hostile element used a false identity and lures his victim to – transfer a specific amount of money to a specific bank account (the hostile element bank account).
In this case, one of the most effective operations that can be implemented is – define a very clear and simple company policy that deals with subject such as:
What is the maximum amount of the money that can be transferred?
Who is the element that needs to authorize this money transfer?
The possibility of implementing a mechanism in which two “entities” need to authorize the money transfer.
What are the allowed “destination bank account” in which the company money can be transferred?
2. Appointing a “dedicated authority” that will be responsible for managing the defense infrastructure.
Another subject that I would like to emphasize is – they need to decide about a “person” or “persons,” that will be responsible for managing the enforcement and the ongoing day to day tasks, that are related to the protection mechanism that deals with Spoof E-mail attacks and Phishing mail attacks.
For example, let’s assume that we configure a protection mechanism which monitors our incoming mail flow, and identifies an event, in which there is high chance that the sender spoofs his identity.
In our specific scenario, we don’t block such as E-mail message, but instead, generate an incident report, that is sent to a dedicated mailbox which stores this incident reports that include a copy of the E-mail message that was identified as Spoof E-mail.
The major questions that I would like to ask are:
Q1: Who is the person\s that will have access to the mailbox that stores the information about the Spoof E-mail events?
Q2: How often this person needs to access the mailbox that stores the information about the Spoof E-mail events?
Q3: What is the procedure that needs to be implemented in a scenario in which we identifya scenario of Spoof mail?
What is my point?
My point is – that the fact that we recognize and send a suspicious E-mail message (Spoof mail) to a dedicated mailbox that will store the information about this E-mail doesn’t solve the problem.
We need to define a very clear and precise procedure, which will define what is the scope of the responsibility of this person, what he needs to need, who should he report about a Spoof E-mail event, what are the “actions” that will be implemented in a scenario of Spoof E-mail events and so on.
In this section, I would like to review the “client side” of the formula.
In an event of Spoof E-mail attacks or Phishing mail attacks, we can use a “client side” mechanism, that will help us to deal with this problem.
1. Using antivirus
Most of the common antivirus clients, was not created for identifying an event of Spoof E-mail.The main benefit of using antivirus client is in a scenario in which the Phishing mail seduces the user to download an open a malware file, and the malware manage to slip that “server side defense systems.”
For example – a scenario in which the Antivirus client can be useful is – a scenario in which the user downloads a malware from a specific URL address that appears in the E-mail message (Phishing website).
In this scenario, the Antivirus client provides an additional layer of protection because, the mail security gateway is useful when the malware appears as part of the E-mail message, and not a scenario in which the user uses his browser for downloading the malware to his desktop.
2. Using additional desktop “smart defense mechanism”
As mentioned, the antivirus software is good for detection of “well know malware”. The problem is with zero-day malware that their signature is not listed.
The solution for this “blind spot” is – using a “smart client,” that have the capabilities to identify programs that behave strangely and not in a proper way or a scenario of “anomaly” in which a specific process or service behaves strangely.
There is no specific name for this feature because each of the providers of “desktop security product” uses other names or terms.
An example of such a solution is a desktop security product that includes IDS\IPS (intrusion-detection detection system \ intrusion prevention system) that can identify and detect software component that doesn’t beehives on a legitimate way.
3. Harding the policy that related to Microsoft office documents such as disabling macro
Some of the malware will appear as E-mail attachment and some won’t.
Some of the malware will appear as E-mail attachment using an executable file and some won’t.
What is my point?
My point is that in a “perfect scenario,” the malware will be implemented as an executable file that will be recognized by the malware filter as a malware and will be blocked.
Most of the time, the attacker who uses a Phishing mail attack is a professional, that will make the required effort to make our life difficult, by using attachments that appear as a legitimate file such as Microsoft office file.
The malware will be “hidden” in the office document as a macro, and will be executed when the user opens the file.
Besides of implementing a mechanism that can perform “Sandbox” verification test, one of the simplest solutions that, can we implement is – by configuring and enforcing the policy that will prevent from our user to use Microsoft office document that includes macro.
In case that now your mind says something like – I cannot do it, some of my users must use the document with macros!
My answer is – it’s your decision; you will need to weigh the business need versus the security need and make the right decision.
Additional reading
Manage macro setting of office documents
Enable or disable macros in Office documents
Enable or disable macros in Office files
Macro malware
Plan security settings for VBA macros for Office 2013
Plan security settings for VBA macros in Office 2016
Manage Protected View setting of office documents
What is Protected View?
Plan Protected View settings for Office 2013
In the following diagram, we can see a summary of the “client side elements” that we can use for dealing with Spoof E-mail attacks and Phishing mail attacks.
The next article in the current article series is
The questions that we will need to answer before we start the project of – building a defense system that will protect us from Spoof mail attacks | Part 7#9