
We recently released a new Targeted Threat Protection service to help protect employees from weaponized email attachments – Attachment Protect.

Malicious email attachments are a critical threat to businesses as they can easily bypass existing defences as part of sophisticated spear-phishing attacks. For example, a macro in a Word document could run when the file is opened and deploy malware onto targeted systems or attempt to download content from a malicious website. Attackers are using this weakness to infiltrate organizations in order to achieve their goals, which may include stealing data, staging ransomware demands or even launching a springboard attack on another company.

Mimecast Targeted Threat Protection - Attachment Protect is a fresh approach to attachment sandboxing – driving safety without added latency.

To counter this threat, sandboxing has become a vital technical defense. Attachment Protect offers this critical protection - incoming mail is held by the Mimecast gateway while we establish if there is any hidden code in the attachment by security checking the file in our sandbox. The sandbox spins up a virtual environment, opens the file and performs a deep security analysis on the contents. If the file is deemed safe, we deliver the mail to the recipient.

But sandboxing does have its limitations. It delays external emails and this can frustrate employees and impact their productivity. It can also be expensive. So organizations often limit who they protect to keep costs under control. That is clearly not ideal as it gives attackers a potential back door into an organization.

Mimecast Targeted Threat Protection - Attachment Protect makes it cost effective and easier to protect the whole organization.

It does this by replacing inbound email attachments that could contain malicious code (e.g. PDF or Microsoft Office files) with safe, transcribed versions – neutralizing any malicious code. Mails passing inbound through our gateway that contain potentially vulnerable attachments are processed by our Message Transfer Agent where they are transcribed to a different file format. For instance, a Word document is converted to a PDF file. The PDF file format visually renders the content in the same way to the reader. The difference is that the execution environment has changed and so any malicious macros or code are rendered inactive as part of this process.
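The effect of transcription described above can be seen on a macro-enabled Word package. This is an added example, not Mimecast's code: the function names are hypothetical, the sample file is constructed in memory, and plain-text extraction stands in for the Word-to-PDF rendering.

```python
import io
import re
import zipfile

# Package parts that hold executable or embedded content in OOXML files.
ACTIVE_MARKERS = ("vbaproject.bin", "/activex/", "/embeddings/")


def active_parts(package: bytes) -> list[str]:
    """List parts of an OOXML attachment that can carry active content."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(n for n in z.namelist()
                      if any(m in n.lower() for m in ACTIVE_MARKERS))


def transcribe(package: bytes) -> str:
    """Keep only the visible text of word/document.xml.

    Stand-in for the rendering step: the output is rebuilt from displayed
    content, so no other package part (macros included) is copied across.
    """
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    paragraphs = re.findall(r"<w:p[ >].*?</w:p>", xml, flags=re.S)
    text_run = re.compile(r"<w:t(?: [^>]*)?>(.*?)</w:t>", flags=re.S)
    return "\n".join("".join(text_run.findall(p)) for p in paragraphs)


def build_sample_docm() -> bytes:
    """Constructed sample: minimal macro-enabled package, placeholder VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body>"
                   "<w:p><w:r><w:t>Invoice 1042</w:t></w:r></w:p>"
                   "<w:p><w:r><w:t>Amount due: 300 EUR</w:t></w:r></w:p>"
                   "</w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print("active parts in original:", active_parts(sample))
    print("transcribed copy:")
    print(transcribe(sample))
```

The reader still sees the same text, while the part that held the macro project has no counterpart in the transcribed copy.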

Most employees only need to view attachments, so no further action is needed. In fact, our research shows that approximately 51% of attachments are read-only PDF files, followed by 17% Word, 9% Excel and 3% PowerPoint.* However, if employees need to edit a file, a link in the email can be used to request the original file on-demand via our sandboxing service.

It’s a fresh approach to attachment sandboxing. Administrators can choose the best mix of safety, performance and functionality for their organization. In addition, granular reporting allows for end-to-end, real-time threat analysis.

For comprehensive zero-hour threat protection, customers can combine Mimecast Targeted Threat Protection – Attachment Protect, with our URL Protect service. Now, in addition to link rewriting, URL Protect includes innovative user awareness capabilities so IT teams can raise the security awareness of employees.

If you’d like more information, please read more on our site here – thanks!

*Source: Analysis of 1 terabyte of Mimecast platform data, 2015


When it comes to enterprises finding innovative ways to neutralize widespread email-based attacks, I’ve made the case before that it's employees – the same “weak links” who unknowingly click on malicious email URLs and attachments – who could actually be the strongest allies of IT managers in fighting back against these threats.  

There’s one caveat, though. The “human firewall” will not be as successful if employees are merely aware that email-based threats exist. Attackers know employees either don't care about cybersecurity or don't know enough to ward off threats, which is why spear-phishing and social engineering attacks continue to be so effective.


To explore the problem further, last week I hosted a webinar, "The Human Firewall: Strengthening Email Security," where I was joined by Mimecast Product Manager Steve Malone and Forrester Research Analyst Nick Hayes.

Here are three takeaways from the webinar:

1. Shore Up Your First Line of Defense

Picture your cybersecurity infrastructure. At the core is all the sensitive data you're trying to protect. The first line of defense should be your cybersecurity technology. This is critical. Technology is not a security guarantee, but if you have the right controls in place, like Targeted Threat Protection, then fewer threats will actually break through.

This is important because your next line of defense comprises your employees – the “human firewall.” If your technology is working correctly, employees won’t be overwhelmed by a wave of continuous threats; they'll be less likely to fall victim to the few that may enter your infrastructure.

2. Appeal to Employees' Ability and Motivation

So, what happens when a threat actually does reach your “human firewall”? Are your employees properly trained to recognize and react to it? The answer depends on how well they were trained.

To illustrate how to educate employees, Nick gave the hypothetical example of a mobile phone ringing and explained there were two reasons why someone wouldn't answer it – either they didn't have the ability to do so (too busy) or didn't have the motivation (just didn't feel like talking). 

Applying the example to cybersecurity training, "ability" refers to whether employees have learned how to recognize and respond to threats, while "motivation" refers to whether they understand the consequences of whatever action they take, right or wrong. 

The best training stresses both, and does so in compelling language that employees will remember.

3. Link Desired Behaviors to Necessary Knowledge

Once employees understand the threats at hand, the next step is to teach them new behaviors. To get to that point, employees need context. You first have to identify the current behaviors that are putting your organization at risk. This could be, for example, clicking on malicious links or attachments.

Once those behaviors are clear, determine the desired alternatives. So, instead of clicking on a malicious link, you'd want your employees to recognize a link or attachment as being malicious and then flag it to the IT department. By working backwards from that point, you would know exactly the knowledge you would need to impart upon your employees about email-based threats.

The Writing is on the Firewall

While it may seem farfetched that IT departments can build a savvy, well-trained army of cyber defenders from the same employees who previously snuck shadow IT into the workplace and jeopardized enterprise security, the process works. We've seen the technology and the “human firewall” go hand-in-hand to protect organizations that were previously vulnerable. And it can work for your company too.

Read More:

The Human Firewall: Why the Humans Might Be the Answer

To learn more, please play our on-demand webinar, "The Human Firewall: Strengthening Email Security." 


The Rise of Cybercrime-as-a-Service

by Orlando Scott-Cowley - Cyber Security Specialist


It’s long been said that when botnets first appeared, they were the first usable forms of cloud computing. Now with hindsight they fit the NIST definition of cloud computing very well and have become rapidly scalable and on-demand.

More recently criminal malware has taken a turn towards being more akin to enterprise-grade software through its entire lifecycle. It’s not unusual to find your rental of a botnet now comes with 24x7 support and channel reseller margins. Buying exploit kits, renting botnets, and using enterprise-grade cloud technology, Crime-as-a-Service (CaaS) has become part of the latest breed of XaaS, offering the same benefits of cost and complexity reduction as well as lower barriers to entry. Using CaaS gives anyone an instant criminal business model in the cloud.

What we know today, is that CaaS is starting to have its own marketplace, run by well organized criminal mega-gangs; support contracts for purchasers are not uncommon.

CaaS has been given much publicity since the 2014 Internet Organized Crime Threat Assessment (iOCTA) report from Europol described the commercialization and availability of the technology and how it’s impacting legitimate enterprises in real time.

The rise of CaaS is another step on the roadmap of the crimeware that has been instrumental in many of the most recent attacks, where Zeus and its variants like Citadel and Gameover have led to significant loss of data. What we know today is that CaaS is starting to have its own marketplace, run by well-organized criminal mega-gangs; support contracts for purchasers are not uncommon, nor are healthcare and pension plans for employees.

This threat takes how we think about our own protection to a new level. The high-profile breaches of the last twelve months all managed to evade well known or best of breed corporate defenses, so it’s no surprise that enterprise IT managers and CIOs are starting to lose sleep about their next big breach. In many cases, this fear is born out of a realization that platforms like CaaS have become rapidly more advanced than the protections they have within their own environments.

Targeted Threat Protection is once again at the top of the agenda, for C-level managers, as well as those who deploy and run the technology. The sophistication of the attacks means we can no longer sit back and wait for our protection to do its job. We all need to become much more actively defensive – not offensive, but active in our defenses.


As many began to return home from its Worldwide Partner Conference this week, Microsoft confirmed an outage of Office 365 email.

According to Microsoft Support, it appears that affected users were unable to connect to the Exchange Online service, including Outlook, Outlook Web App (OWA), Exchange ActiveSync (EAS), and Exchange Web Services (EWS). Many users also experienced delays when sending and receiving messages.

Certainly Office 365 is not the only service to suffer like this – outages happen, but Office 365 outages grab widespread attention because of its increasing popularity and the business-critical nature of the services it provides.

Suffering from an Office 365 Outage? We'll Keep Your Business Running.

For many businesses, email is their most critical IT workload. Email is also highly valued by employees. Tolerance for email downtime is almost zero as it costs money, damages reputations and cripples business operations. In short, we all need it to work and to work all the time.

For years IT teams have built disaster recovery plans and systems predicated on the belief that IT fails and you always need a plan B. Nothing changes in a cloud first world. Cloud services clearly fail and if you don’t have an independent continuity service, your email will be down until Office 365 gets it back up again. And you can’t control when that will happen. One hour. Five hours. Days.

So take a leaf out of the on-premises risk management handbook. Make Office 365 safer with the addition of an independent third-party continuity service.

Office 365 will continue to have service outages. Sometimes these will be very disruptive because they affect an entire region. Other occasions may only see some customers or group of employees affected. But outages do and will happen. It’s irrational to expect them not to happen.

Many of us now live in a cloud-first world. So the question to ask ourselves is – what will happen to me when Office 365 goes offline? Do I have a plan B?

For all its strengths, if you rely 100% on Office 365 for your email you are asking for trouble. It’s just a matter of time.

Find out more about how we can help keep your business running during an Office 365 outage here.
