Preventing Data Loss from Blended Threats

Blended threats aren’t new news to any cybersecurity professional. But what may surprise you is a recent dramatic rise in the depth and breadth of “the blends” — a big increase in the sophistication of blended attacks. Concurrent surges over the past year in the number of blended threats and their sophistication present a particularly nasty challenge for enterprise efforts to prevent the loss of sensitive data.

Stealing sensitive data such as passwords, personal identification information, healthcare information, customer credit card numbers and intellectual property/trade secrets is only one possible cyber risk from blended threats. Blended threats can also lead to ransomware attacks, denial of service attacks, account takeovers and covert surveillance of your corporate network.

But data loss is a particularly thorny blended threat to prevent, for two reasons. First, because of its complexity, preventing data loss from blended threats requires seamless integration among traditionally disparate security controls. Second, there’s a kind of sliding scale between security and business efficiency: Too much of the former can infringe upon the latter — and this is particularly true when it comes to data loss prevention.

What Are Blended Threats?

Blended threats are simply multipronged attacks using two or more different digital communications channels to achieve the attacker’s goal. Blended threats have been on the rise because they can be much harder to detect than a more conventional attack, and because heightened awareness of cyber threats in general is forcing cyber criminals to up their game. At the same time, the growing “digital transformation” of all aspects of modern businesses has given bad actors more “prongs” — aka, attack vectors — to work with, and the rise of social media has given them access to more information with which to formulate a realistic subterfuge to fuel an attack.

Blended attacks may use a mix of viruses, worms, trojans and other types of malicious code. But the most dangerous blended threats typically start by mining social media to “socially engineer” a realistic phishing email, which, once clicked on, deploys malware or brings the user to a web site in the hope of gathering credentials or other valuable information.

In October 2020, the Mimecast Threat Intelligence Center detected a large spike in blended attacks of up to 10 million a day, which included a 35.6% increase in email-delivered malware, a 55.8% leap in malicious URLs embedded in emails and a 30.3% jump in impersonation attempts via email. Given the trend seen in 2020, those numbers are likely still rising.

How to Prevent Data Loss from Blended Threats

Cybersecurity professionals can prevent data loss from blended threats, but it takes detail-oriented hard work and constant vigilance.

“Ideally, you want to stop the inbound emails that are the would-be launchpads for virtually all blended attacks,” notes security expert Matthew Gardiner. If you identify and block such malicious emails, you stop blended threats cold. But experts agree that because threat actors are constantly evolving, trying out new attack strategies and tactics, and improving the sophistication of their attacks, some percentage of bad emails will make it through no matter how good your inbound email security is.

Consequently, businesses that take data loss prevention seriously also must monitor outbound communication channels. At a high level, there are two channels through which cyber criminals can exfiltrate data from a business: email and the web — but “the web” constitutes a multitude of possible channels. They include phishing sites masquerading as legitimate businesses, uploads to external file-sharing sites (bad actors will try to use the same site that a company legitimately uses), social media uploads and posts, FTP sites and more. Monitoring all these outbound channels is a big challenge, but doable.

Email security systems, for example, can inspect outgoing content for sensitive data and block emails that appear suspicious. Outgoing web traffic can be similarly inspected, in one or both of two ways: the contents of the outgoing data itself, or the nature of the destination. It’s easier to analyze whether the external destination for outbound communications is suspicious/malicious, but it’s less certain that you’ll catch all attempted exfiltrations. Analyzing the actual contents of network traffic is much more resource-intensive but catches more threats.

To achieve the gold standard in data loss prevention, businesses have to do all of the above: Install strong email security gateways, inspect outgoing email contents, analyze the target destinations for all outbound web traffic, and inspect the contents of outbound traffic in all channels. Experts call this approach “layered defense” or “defense-in-depth.”   

Blended Threat Defense Demands Integrated Security Controls

Adding to cybersecurity professionals’ blended threats challenge is the history of security technology. “To defend all those blended threat vectors traditionally required specialized technology for each,” explains Gardiner. “And then you need to have them all integrated in such a way that you’re notified correctly more often than not when something funny happens.”

But integrating multiple best-of-breed security controls continues to be among the biggest challenges faced by cybersecurity teams. Only in recent years have open APIs emerged for integrating disparate SIEMs, SOARs and individual security controls. And only the largest enterprises typically use those open APIs themselves; the rest require vendor-provided off-the-shelf integrations, which are only now becoming widely available. Mimecast, for example, recently announced integration with endpoint-security firm CrowdStrike. Producing enough off-the-shelf integrations to cover the cybersecurity landscape is a large and never-ending job, since security control providers aim to evolve as rapidly as their threat-actor foes.

“Without really good integration among all your security services, you can miss these hybrid or blended attacks. When blended threat actors pursue your data in many channels, you may stop them in one or more, but if your security controls aren’t well integrated, you may miss them in another,” says Gardiner. “All they have to do is get through one.”

Cloud Security Can Boost Blended Threat Defenses

The trend toward cloud-based security brings good news for preventing data loss from blended threats, especially in terms of security integration. The evolution of security controls into the cloud, the increasing number of controls within a single cloud service, the integration of those security controls within a particular cloud service and the integration of disparate cloud services among themselves is making sophisticated detection and prevention systems more available to more organizations.

“With more security controls being offered as a service, mini cloud security platforms are emerging. If you can’t yet, you soon should be able to buy a kind of defense-in-depth from a single cloud security service,” says Gardiner.

This cloud security trend is powered by two big advantages cloud providers have over businesses doing it themselves: economies of scale and economies of scope. The first is the well-known cloud trope that any cloud service should be more cost-effective than DIY because the cloud provider designs and builds its solution once and then can amortize its investment across many customers. The economies of scope come because security is the core business of cloud security providers. That means they can justify investment in fundamental research and development that leads to better security solutions, whereas an enterprise with a different core business doing its own security cannot.

Striking the Balance Between Security and Doing Business

Of course, in order to actually prevent data exfiltration from blended attacks, cybersecurity teams have to take action when security controls identify a suspicious data transfer. That means getting in the way and stopping it. Which brings you right up against a perennial thorn in cybersecurity teams’ sides: false positives. 

Set security requirements too strict, and you are likely to end up getting in the way of your company’s business. Set them too loose and you open your organization up to dangerous data loss. Striking the right balance requires a deep understanding of your particular organization’s threat landscape and risk tolerance, all of which varies tremendously depending on what business you’re in and how it is regulated. Healthcare companies and banks must meet a different standard than restaurant chains and liquor stores.

The Bottom Line

Blended threats are on the rise, as is their level of sophistication. These attacks are particularly challenging to defend against because they may use many different threat vectors to get into your corporate network. And when it comes to data loss prevention, they may use many different channels to get data out — sometimes simultaneously. Effective blended threat defenses require many different security controls, all of which must be well-integrated. The rise of cloud security providers helps more companies defend themselves against blended threats by democratizing access to the more-sophisticated — and better integrated — defenses that are needed.