Keeping your cyber defense strategies ahead of the game is no easy task, especially when organizations face a daily proliferation of increasingly evasive cyberattacks. Advanced persistent threats (APTs) are a particular concern because once the attackers have a foothold in the organization, their malware operates 'low and slow', carrying out its tasks over a long period in order to avoid detection, often with serious consequences.
Information is King
The motivations for APT attacks are many and varied. Nation-state sponsored attacks, industrial espionage and other targeted attacks are primarily designed not to cause disruption but to steal information. Operating in a digitally collaborative world, organizations and the applications they use hold vast quantities of data, some of which can be easily monetized (intellectual property or financial data) or used to help perpetrate a further cyberattack (detailed corporate information).
No organization is immune to the risks that APTs bring, although those with highly valuable data, such as large organizations in the defense, government, healthcare and financial services sectors, are frequently targeted. Smaller organizations in the supply chain of these industries are often targets too: seen as less well defended, they are used by attackers as a stepping stone to the ultimate target.
Email-Based Advanced Persistent Threats
Email is a common delivery method for advanced malware, and attackers use spear phishing and social engineering techniques to penetrate cyber defenses. Spear-phishing emails are carefully targeted and crafted to look as if they come from someone the recipient knows: a fellow employee, a customer or a supplier. They carry weaponized attachments (a document or image with a payload embedded in it) or malicious URLs that, when opened or clicked, release the malware into the network.
An example is Dridex, a banking trojan designed to attack financial services organizations, banks and their customers. It arrives as an attachment to a phishing email. The attachment is a file type users trust, typically an Office document, with an embedded macro or script that runs once the document is opened and macros are enabled. Dridex has been responsible for the theft of hundreds of millions of dollars in fraudulent transactions.
Mitigating APTs
The malware used in APTs is hard to detect because it is designed to evade traditional email security defenses, such as signature-based anti-virus. Unfortunately, there is no single 'silver bullet' that organizations can use to protect themselves; however, a combination of layered measures can be put in place to minimize the threat.
People can play an active role in lowering the risk of an APT succeeding. However, simply educating users on how to recognize a suspicious email, and what to do if they suspect one is fraudulent, is not enough on its own. It only takes one person to open a document or click on a URL for malware to gain entry. For the next defense layer, organizations need to augment their email security technology so that dangerous attachments are neutralized and malicious URLs are disarmed before they reach people's inboxes.
The Clearswift Solution
Using Deep Content Inspection technology, Clearswift's Secure Email Gateway appliance thoroughly analyzes all incoming and outgoing mail, inspecting the content right down to its constituent parts. It verifies that file structures conform to their declared format, checking whether extra data has been appended to or hidden inside a file. Message Sanitization automatically detects and redacts malicious URLs, attachments and HTML, and Structural Sanitization detects and removes any active content within files, such as embedded macros and scripts, that would otherwise execute when a document is opened. A safe, clean version of the content is then rebuilt and sent on its way. This process occurs in real time, so the communication is not held up.
The technology can be configured to work alongside sandbox solutions, sending for further analysis only those files that contained active content. This reduces the load on the sandbox, which would otherwise have to detonate every file.
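As an added illustration of the three steps described above (structure verification, structural sanitization, and routing only active content to a sandbox), here is a minimal OOXML sanitizer. This is example code written for this page, not Clearswift's own implementation, which is proprietary; the part names, content types and relationship type it looks for are standard OOXML/VBA conventions, the macro-enabled sample document is constructed inline for the demo, and the "sandbox" is represented only by a routing decision.

```python
"""Minimal structural sanitizer for OOXML (.docx/.docm) attachments.
Added example for this page, not Clearswift code. Assumptions: the
sample document built below is constructed for the demo; the sandbox
is a routing flag, not a real detonation service."""
from __future__ import annotations
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"           # local file header: every OOXML file starts here
ZIP_EOCD = b"PK\x05\x06"            # end-of-central-directory record (22 bytes + comment)
OOXML_EXTS = ("docx", "docm", "xlsx", "xlsm", "pptx", "pptm")
MACRO_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")   # where VBA lives in OOXML
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_CONTENT_TYPES = ("application/vnd.ms-office.vbaProject", MACRO_MAIN_CT)

def verify_structure(data: bytes, declared_ext: str) -> list[str]:
    """Step 1: does the file match its declared type and parse cleanly?
    Returns a list of findings; an empty list means the structure conforms."""
    findings: list[str] = []
    if declared_ext.lower() in OOXML_EXTS and not data.startswith(ZIP_MAGIC):
        return [f"magic mismatch: declared .{declared_ext} but not a ZIP container"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()
            if bad:
                findings.append(f"corrupt member: {bad}")
            if "[Content_Types].xml" not in zf.namelist():
                findings.append("missing [Content_Types].xml")
    except zipfile.BadZipFile:
        return ["unparseable ZIP container"]
    # Bytes after the EOCD record (plus its comment) are not part of the archive:
    # a classic place to piggyback a payload onto an otherwise valid document.
    eocd = data.rfind(ZIP_EOCD)
    if eocd != -1:
        comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
        if len(data) > eocd + 22 + comment_len:
            findings.append("trailing data after end of archive")
    return findings

def find_active_content(data: bytes) -> list[str]:
    """Step 2: name the members that carry VBA, by part name and by the
    content types the package declares."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = [n for n in zf.namelist() if n.lower().endswith(MACRO_PART_SUFFIXES)]
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if any(ct in ctypes for ct in MACRO_CONTENT_TYPES):
            hits.append("[Content_Types].xml")     # declares macro-enabled parts
    return hits

def sanitize(data: bytes) -> tuple[bytes, list[str]]:
    """Step 3: rebuild the package without the macro parts, and fix the
    manifest and relationships so the result is a well-formed plain document."""
    removed: list[str] = []
    src = zipfile.ZipFile(io.BytesIO(data))
    out_buf = io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            if name.lower().endswith(MACRO_PART_SUFFIXES):
                removed.append(name)
                continue
            body = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                text = body.decode("utf-8")
                text = re.sub(r"<Override[^>]*vbaProject[^>]*/>", "", text)
                text = re.sub(r"<Relationship[^>]*vbaProject[^>]*/>", "", text)
                text = text.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)
                body = text.encode("utf-8")
            out.writestr(name, body)
    return out_buf.getvalue(), removed

def triage(data: bytes, declared_ext: str) -> dict:
    """Gateway decision: quarantine structural anomalies, deliver a rebuilt
    copy otherwise, and send only files that carried active content to the sandbox."""
    findings = verify_structure(data, declared_ext)
    if findings:
        return {"action": "quarantine", "findings": findings, "active": [], "send_to_sandbox": True}
    clean, removed = sanitize(data)
    return {"action": "deliver_sanitized" if removed else "deliver", "findings": [],
            "active": removed, "send_to_sandbox": bool(removed), "clean": clean}

def build_sample_docm() -> bytes:
    """Constructed sample: the parts of a macro-enabled Word document that the
    sanitizer touches (real documents contain many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>')
        zf.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '</Relationships>')
        zf.writestr("word/document.xml", "<w:document>Invoice attached, please review.</w:document>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"Sub AutoOpen() ... End Sub")  # stand-in VBA
    return buf.getvalue()

if __name__ == "__main__":
    result = triage(build_sample_docm(), "docm")
    print(result["action"], result["active"], "sandbox:", result["send_to_sandbox"])
```

Run as a script, it reports that the sample is delivered sanitized, names the stripped macro part and flags the original for sandbox analysis; a file whose bytes do not match its declared extension, or that has data appended after the ZIP end-of-archive record, is quarantined instead. A production gateway does the same for every container format it understands (OLE2, PDF, archives, images with trailing data), which is what makes the inspection "deep".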
Apply Defense in Depth
To reduce the risk of ransomware, spyware and other advanced malware being delivered by phishing emails, organizations can add a layer of Deep Content Inspection and Sanitization to augment their existing email security solutions, so that attachments reach users only after their structure has been verified and any active content removed.