The enemy in your own inbox


Attacks on email accounts will continue to be one of the most popular methods cyber criminals use to gain access to sensitive company information. Barracuda presents best practices for addressing a lack of integration between incident response and web security.

Although classics such as compromised email attachments or links still serve their purpose, attackers do not necessarily want to rely on them: social engineering or the use of stolen credentials for planned data theft are far more difficult tactics. Inefficient responses to email attacks cost companies billions of dollars each year, because for many organizations, finding, identifying, and removing email threats is a slow, manual, and resource-intensive process. That costs valuable time during which an attack can often spread further.

On average: phishing attacks on 10 employees

To better understand threat patterns and response practices, Barracuda security analysts studied around 3,500 companies, with a clear result: a company with 1,100 users experiences around 15 email security incidents per month. An “incident” refers to malicious emails that have made it past IT security solutions and into users' inboxes. Once these incidents are identified, they must be prioritized and investigated to determine their scope and threat level. If an incident turns out to be a threat, remedial action must also be taken. On average, 10 employees are affected by every phishing attack that makes it to the inbox. As mentioned above, malicious links still work: 73% of employees are fooled by a phishing link into clicking it, leaving the entire organization at the mercy of attackers. Hackers only need that one click or an email response to successfully launch an attack. The good news is that companies that train their users can see a XNUMX percent improvement in the accuracy of user-reported emails after just two training sessions.

Below, the article takes a closer look at identified threat patterns and response practices, and introduces measures that IT security teams can take to noticeably improve their organization's response to e-mail threats after delivery.

Post-delivery email threats

The activities that are performed to deal with the aftermath of a security breach and the threats that emerge after delivery are commonly referred to as incident response. An effective incident response is aimed at quickly resolving the security threat in order to stop the attack from spreading and to minimize the potential damage.
As hackers use increasingly sophisticated social engineering techniques, email threats are becoming harder for both IT controls and email users to detect. There is no IT security solution that can prevent all attacks. Likewise, users do not always report suspicious emails, either due to lack of training or negligence. If they do, and if the accuracy of the reported messages is poor, it leads to a waste of IT resources. Without an efficient incident response strategy, threats can often go undetected until it is too late.

Detect threats effectively with threat hunting

There are several ways in which email threats can be identified and then addressed. Users can report them, IT teams can go on the hunt for threats internally, which is to say initiate so-called threat hunting, or they can commission external providers to eliminate the attacks. Data on previously resolved threats that companies share with one another is usually more reliable than user-reported information.

Barracuda's analysts found that the majority of incidents (67.6 percent) were discovered through internal threat-hunting investigations initiated by the IT team. These investigations can be carried out in different ways. Usually, message logs are searched, or keyword or sender searches are run against delivered emails. Another 24 percent of the incidents were due to user-reported emails. Around eight percent were discovered with the help of threat data from the community, the remaining half a percent through other sources such as automated or already resolved incidents.
Companies should always encourage their workforce to report suspicious emails. However, a stream of user-reported emails also puts a heavy burden on resource-constrained IT teams. A good way to increase the accuracy of the case studies is to conduct rigorous security awareness training.

Three percent of email users click links in malicious emails

Once IT security teams have identified and confirmed malicious emails, they need to assess the potential scope and impact of the attack. Identifying everyone within an organization who received malicious messages can be incredibly time-consuming without the right tools.

Three percent of a company's employees click a link in a malicious email, exposing the entire company to attackers. In other words, for an average organization with 1,100 email users, about five of them click on a malicious link every month. But that's not all: employees forward or answer malicious messages and thus spread the attacks not only within their company, but also externally. The value may seem small at first glance, but its impact is no less significant. Hackers only need one click or one answer for an attack to be successful. And it only takes 16 minutes for a user to click a malicious link. Rapid investigation and remedial action are therefore key to keeping the company safe.
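One way to scope a confirmed incident from a delivered-mail log, combining the sender and keyword searches with tracking of clicks, forwards and replies. This is an added example, not Barracuda's tooling or code from the article; the log schema, the addresses, `INTERNAL_DOMAIN` and `scope_incident` are hypothetical, and the log rows are constructed sample data.

```python
"""Scope a confirmed malicious email from a post-delivery message log."""

INTERNAL_DOMAIN = "corp.example"  # assumption: one internal mail domain

# Constructed sample rows: (minute, event, sender, recipient, subject)
LOG = [
    (0, "delivered", "billing@pay-roll.example", "ana@corp.example", "Invoice overdue"),
    (0, "delivered", "billing@pay-roll.example", "ben@corp.example", "Invoice overdue"),
    (1, "delivered", "hr@corp.example", "ana@corp.example", "Holiday plan"),
    (2, "delivered", "billing@pay-roll.example", "cho@corp.example", "INVOICE overdue - reminder"),
    (16, "click", "billing@pay-roll.example", "ben@corp.example", "Invoice overdue"),
    (20, "forward", "ben@corp.example", "dev@corp.example", "FW: Invoice overdue"),
    (25, "forward", "cho@corp.example", "pat@partner.example", "FW: INVOICE overdue - reminder"),
    (30, "reply", "ana@corp.example", "billing@pay-roll.example", "RE: Invoice overdue"),
]


def scope_incident(log, sender, keyword):
    """Return who received, clicked, answered and spread the matching messages."""
    kw = keyword.lower()
    scope = {"recipients": set(), "clicked": set(), "replied": set(),
             "spread_internal": set(), "spread_external": set(),
             "minutes_to_first_click": None}
    first_delivery = None
    for minute, event, frm, to, subject in sorted(log):
        # Sender search OR keyword search, as done in manual threat hunting.
        matches = frm == sender or kw in subject.lower()
        if event == "delivered" and matches:
            scope["recipients"].add(to)
            first_delivery = minute if first_delivery is None else first_delivery
        elif event == "click" and matches and to in scope["recipients"]:
            scope["clicked"].add(to)
            if scope["minutes_to_first_click"] is None:
                scope["minutes_to_first_click"] = minute - first_delivery
        elif event == "forward" and matches and frm in scope["recipients"]:
            # A forward lands the message in a new inbox: widen the scope.
            internal = to.endswith("@" + INTERNAL_DOMAIN)
            scope["spread_internal" if internal else "spread_external"].add(to)
            if internal:
                scope["recipients"].add(to)  # this inbox also needs cleanup
        elif event == "reply" and to == sender and frm in scope["recipients"]:
            scope["replied"].add(frm)
    return scope
```

The `recipients` set is the removal list for remediation; `clicked`, `replied` and `spread_external` are the users and third parties that need follow-up beyond deleting the message.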

Malicious email spends 83 hours in inboxes

Eliminating malicious email can be a lengthy and time-consuming process. On average, it takes three and a half days from the moment an attack lands in users' inboxes until they either report it or the security team discovers it and the attack is finally eliminated. Targeted security training can shorten this time considerably by improving the accuracy of the attacks reported by users. Automated defense tools can additionally detect and remediate attacks. In fact, only five percent of organizations are upgrading their web security to block malicious websites for their entire organization. The reason for this is mostly the lack of integration between incident response and web security.

Five tips to protect against post-delivery threats

  • Employee training to improve the accuracy and scope of reported attacks
    Regular training ensures that security practices are remembered, and more accurate threat reports free IT from spending too much time investigating junk mail that is annoying but not malicious.
  • Community as a source of potential threats
    Shared threat intelligence is a powerful tool against evolving threats that put data and email users at risk. Similar, and sometimes identical, e-mail threats affect more than one organization because hackers often use the same attack techniques on multiple targets. Gathering intelligence from other organizations is an effective approach to warding off large-scale attacks. An incident response solution that can access and use common threat intelligence helps conduct an effective threat search and report potential incidents.
  • Threat hunting tools for faster investigation of attacks
    Detecting potential threats and identifying the scope of the attack and all users affected can take days. Companies should use threat hunting tools that give them insight into emails after they have been delivered. These tools can be used to identify anomalies in emails that have already been delivered, quickly scan for affected users, and see if they have interacted with malicious messages.
  • Automate defense measures
    Using automated incident response systems can dramatically reduce the time it takes to identify suspicious emails, remove them from the inboxes of all affected users, and automate processes that strengthen defense against future threats.
  • Use integration points
    In addition to automating their workflows, companies should integrate their incident response with email and web security to prevent attacks. The information gathered from responding to incidents can also be used to automatically troubleshoot problems and identify related threats.

Rapid and automated incident response is more important than ever as sophisticated spear phishing attacks designed to bypass email security are becoming more common. In the race against cyber criminals, automating incident response significantly improves the response time to incidents, helps to strengthen company security, limits damage and saves IT teams valuable time and resources.

More at Barracuda.com
