HB1PMS > TECH 21.01.20 15:02l 220 Lines 12799 Bytes #999 (0) @ WW
BID : 5643HB1PMS
Read: GAST
Subj: BitDam Study Exposes High Miss Rates of Leading Em
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200121/1221Z 5378@HB1BBS.ZL.NLD.EU BPQ6.0.19
Message from: HB1PMS@HB1BBS
BitDam Study Exposes High Miss Rates of Leading Email Security Systems
Imagine receiving an email from US VP Mike Pence's official email account
asking for help because he has been stranded in the Philippines.
You don't have to imagine it. This actually happened.
Pence's email was hacked when he was still the governor of Indiana, and his
account was used to attempt to defraud several people. How did this happen?
Is it similar to how the DNC server was hacked?
Email hacking is one of the most widespread cyber threats at present. It is
estimated that around 8 out of 10 people who use the internet have received
some form of phishing attack through their emails. Additionally, according
to Avanan's 2019 Global Phish Report, 1 in 99 emails is a phishing attack.
BitDam is aware of how critical emails are in modern communication. BitDam
published a new study on the email threat detection weaknesses of the
leading players in email security, and the findings command attention. The
research team discovered how Microsoft's Office365 ATP and Google's G Suite
are allegedly critically weak when dealing with unknown threats. Also, their
time-to-detect (TTD) can take up to two days since their first encounter
with unknown attacks.
How Leading Security Systems Prevent Attacks
Email security systems address cyber threats by scanning links and
attachments to determine if they are safe or not.
They can then automatically block links and prevent download or execution of
file attachments. In most cases, to identify threats, security systems
compare the scanned files or links to a database of threat signatures. They
employ reputation services or a threat hunting protocol that monitors
possible attacks based on threat data from various sources.
Links or attachments that are deemed safe on the initial scan are not always
safe, though. There are many instances when security systems fail to filter
threats because they have not updated their threat databases yet. Because of
this, gaps in detection exist. There can be up to three detection gaps in a
typical security system. These gaps represent vulnerabilities or
opportunities for email attacks to penetrate.
There are security systems that take advantage of artificial intelligence to
make threat learning and detection automatic and more efficient. They use
data from previous attacks and the corresponding actions of the network
administration or computer owner to come up with better judgments for the
succeeding incidents.
High First Encounter Miss Rates and TTD: Current Email Security's Inadequacy
Despite all of the advancements in email security, flaws still exist. As
mentioned earlier, leading email security systems Office365 ATP and G Suite
lose their detection effectiveness when faced with unknown threats. Based on
BitDam's test results, Office365 has an average first encounter miss rate of
23% while G Suite has 35.5%. They also have notably long TTDs after the
first encounter. TTD for Office365 and G Suite were recorded at 48 hours and
26.4 hours, respectively.
To clarify, unknown threats are threats that security systems encounter for
the first time--those that are not yet in their signature databases. The
obscurity is relative, though. Threats that are unidentified to one system
may not be unknown to others.
That's why there's a significant difference in the miss rates of Office365
and G Suite. Regardless, these unknown threats appear to be the Achilles'
heel of current email security in general. They seem unimportant because
they are like a temporary weakness that gets corrected over time, but they
open a critical window for attack penetration.
It's also worth noting that unknown threats are not necessarily completely
new malware or forms of attacks. According to the BitDam research, they can
be mere variants of existing threats rapidly churned out with the help of
artificial intelligence. This means that they are extremely easy to produce,
presenting an exponentially growing problem to security systems that have
difficulties detecting unknown threats.
In BitDam's tests, new threats, along with their modified versions, were
used to test the detection effectiveness of leading security systems. Most
of the modified threats were perceived as unidentified/unknown even though
their "source" threats were already recorded in the threat signature
database.
For an email security system to be regarded as reliable, it can't continue
to have this flaw of having high first encounter detection miss rates.
The Challenges in Fighting Email Hacking
For an email attack to succeed, persistent attacks paired with at least one
of the following elements are needed.
Weak passwords
Cybersecurity illiterate email users who fall for social engineering attacks
The absence of a reliable email security system
One of the primary methods used to hack emails is password guessing. With
simple and educated (collecting details about the victim) guesswork, hackers
persistently enter passwords until they stumble upon the one that works.
Many may think that this tactic is too crude to make sense, but there are
many instances when email accounts are compromised easily because the
account owners use simple and predictable passwords.
Social engineering is about tricking victims into doing things that make
them unwittingly reveal supposedly secret information or give away things
they otherwise wouldn't. Phishing is arguably the most common form of social
engineering—unsuspecting victims enter their username and password or
provide information on a website that looks legit but is actually stealing
information.
The modus operandi starts with the attacker sending to the victim an email
that requires urgent action. It could be a notification for the victim to
change their online banking password after a "breach" has been discovered or
a congratulatory message that comes with a link that takes the victim to an
online form they have to fill out so they can claim their prize.
Email security may also be breached through malware-laced attachments.
Clicking on anomalous email attachments can result in the unintentional
installation of spyware or keyloggers, which can obtain passwords and other
critical data from infected computers. Some malware may also be designed to
simulate forms through a pop-up or modal windows, deceiving victims into
entering their login details.
The leading security systems at present cannot protect accounts with weak or
predictable passwords. They also can't guarantee protection against social
engineering. They are only expected to focus on blocking malware-infected
file attachments and links. Unfortunately, even when it comes to this
aspect, they have serious weaknesses. As stated earlier, they have high
first encounter miss rates and need time to learn how to block unknown
threats.
The Recommended Security Augmentation
BitDam suggests an improvement in the way leading email security systems
work: the introduction of a threat-agnostic layer of protection. BitDam's
tests show that a model-based detection approach boosted first encounter
detection rates significantly. It even brought TTD down to zero. The malware
that Office365 and G Suite failed to detect were effectively identified
using BitDam's model-driven method.
So how does this model-based approach work?
Essentially, it takes away the focus on comparing scanned files to data on
existing threats. Instead, it looks at how applications behave when
interfacing with certain files. It generates a model (hence the "model-
driven" description) of what a "clean" flow of application execution looks
like.
Applications behave differently when they are processing files laced with
unwanted codes or malware. If apps don't behave smoothly when dealing with a
file, the only logical verdict is that the file is anomalous, malicious, or
harmful. As such, it has to be blocked.
This model-driven strategy does not seek to supplant data-driven methods. It
is meant to serve as a supplement. It can also have false-positives, so it
would be better to use it in conjunction with threat data comparison to
ascertain that the blocked perceived threats are indeed harmful.
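To make the model-driven idea above concrete, here is a small added example (illustrative code written for this write-up, not BitDam's product or any vendor's engine). The "clean model" is an allow-list of the operations a document viewer is expected to perform while rendering a file, written as a state machine; an execution trace that steps outside that model is flagged without any knowledge of which threat caused it, which is the threat-agnostic property the text describes. The operation names, the model and the traces are all constructed for the example, and the last function shows the caveat from the paragraph above: a model-only hit is better treated as a quarantine-for-review than as a definitive block unless signature data agrees.

```python
"""Added example: a toy model-driven check of application behaviour.

Not BitDam's code. The model, operation names and traces are constructed.
"""

# Allow-list model of a "clean" rendering flow for a document viewer:
# current operation -> set of operations that may legitimately follow it.
CLEAN_MODEL = {
    "open_file": {"parse_document", "close_file"},
    "parse_document": {"render_page", "close_file"},
    "render_page": {"render_page", "close_file"},
    "close_file": set(),  # terminal state: nothing may follow
}
ENTRY_OPERATION = "open_file"


def check_trace(trace, model=CLEAN_MODEL, entry=ENTRY_OPERATION):
    """Walk an execution trace through the model.

    Returns (is_clean, deviation) where deviation is None for a clean trace
    or (index, operation) for the first step the model does not allow.
    """
    if not trace or trace[0] != entry:
        return False, (0, trace[0] if trace else None)
    state = trace[0]
    for index, operation in enumerate(trace[1:], start=1):
        if operation not in model.get(state, set()):
            return False, (index, operation)
        state = operation
    return True, None


def combined_verdict(trace, signature_hit):
    """Combine the behavioural model with a data-driven signature result.

    The model alone can produce false positives (a benign but unmodelled
    operation), so a model-only hit is escalated for review rather than
    treated as a confirmed threat; agreement of both layers blocks outright.
    """
    is_clean, _ = check_trace(trace)
    if not is_clean and signature_hit:
        return "block"
    if not is_clean:
        return "quarantine-for-review"
    if signature_hit:
        return "block"
    return "allow"


# Constructed traces: a normal render, a render that spawns a process
# (outside the model, so flagged regardless of which file caused it), and a
# benign flow that writes a temp file the model never learned (false positive).
CLEAN_TRACE = ["open_file", "parse_document", "render_page", "render_page", "close_file"]
SUSPICIOUS_TRACE = ["open_file", "parse_document", "spawn_process", "close_file"]
BENIGN_UNMODELLED_TRACE = ["open_file", "parse_document", "write_temp_file",
                           "render_page", "close_file"]

if __name__ == "__main__":
    for name, trace in [("clean", CLEAN_TRACE),
                        ("suspicious", SUSPICIOUS_TRACE),
                        ("benign-unmodelled", BENIGN_UNMODELLED_TRACE)]:
        print(name, check_trace(trace), combined_verdict(trace, signature_hit=False))
```

The false-positive trace is the point of the last function: without the signature layer the benign temp-file write looks exactly like the process spawn to the model, so the two layers are combined rather than the model replacing the signature database.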
BitDam's Study Methodology
BitDam started the study in October 2019, collecting thousands of "fresh"
malicious file samples from various sources. It focused on Office365 ATP and
G Suite, but ProofPoint TAP is set to be added as the continuing study
proceeds.
The process can be summarized as follows:
Collection — The researchers obtain numerous malicious file samples, most of
them Office and PDF files.
Qualification — After collecting the samples, the researchers ascertain that
they are indeed malicious/harmful. Only actually harmful files are used for
the tests.
Modification — The verified malicious files are then modified so they can be
viewed as new threats by the security systems. BitDam's researchers employed
two methods for this modification. One method was by changing the hash of
the file with the addition of benign data to it. The other method entailed
the modification of the static signature of a macro.
Sending — The recently collected malicious files and their variants
(modified copies) are then sent to mailboxes considered to have decent
protection. For G Suite Enterprise mailboxes, the advanced options are
activated, including sandbox in pre-delivery mode.
Monitoring and Measuring — The mailboxes are then tracked, and the threat
detection efficiency measured. Files that get past threat detection are re-
sent to the mailboxes every 30 minutes during the first four hours (after
the file was sent). For the next 20 hours, the re-sending frequency is
reduced to once every six hours. Re-sending frequency is further reduced to
once per six hours for the next seven days.
Data Collection and Analysis — All details produced by the tests are then
compiled and examined.
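The following added example (illustrative code, not BitDam's tooling or any vendor's scanner) ties together the description of signature-based scanning in "How Leading Security Systems Prevent Attacks" and the Modification step above. It contrasts an exact file-hash signature, which no longer matches once benign data has been appended to a known-bad file, with a content signature over the file's payload, which still matches, and then shows the "time to detect" gap closing only when the signature database is updated with the variant. The sample bytes and the signature entries are constructed for the example.

```python
"""Added example: signature-based attachment screening and the first-encounter gap.

Not BitDam's code. The known-bad sample, its payload marker and the padding
appended to produce a variant are all constructed for this illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class SignatureDB:
    """A minimal threat signature database with two signature styles."""
    file_hashes: set = field(default_factory=set)   # exact SHA-256 of known-bad files
    content_patterns: set = field(default_factory=set)  # byte substrings known to be bad


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(sample: bytes, db: SignatureDB) -> dict:
    """Return which signature types fired and the resulting verdict."""
    hash_match = sha256_hex(sample) in db.file_hashes
    content_match = any(pattern in sample for pattern in db.content_patterns)
    return {
        "hash_match": hash_match,
        "content_match": content_match,
        "verdict": "block" if (hash_match or content_match) else "allow",
    }


def append_benign_data(sample: bytes, padding: bytes) -> bytes:
    """The study's first modification: add benign bytes so the file hash changes."""
    return sample + padding


def first_encounter_gap(variant: bytes, db: SignatureDB) -> dict:
    """Simulate the detection gap: scan the variant before and after a
    signature update adds its exact hash (the equivalent of the vendor's TTD)."""
    before = scan(variant, db)
    db.file_hashes.add(sha256_hex(variant))   # signature update after first encounter
    after = scan(variant, db)
    return {"before_update": before["verdict"], "after_update": after["verdict"]}


# Constructed sample: a fake "document" carrying a known-bad payload marker.
KNOWN_BAD_MARKER = b"CONSTRUCTED-MALICIOUS-MACRO-BODY-v1"
KNOWN_BAD_FILE = b"%FAKEDOC%\n" + KNOWN_BAD_MARKER + b"\n%%EOF"
BENIGN_PADDING = b"\x00" * 16  # constructed: appended bytes that change nothing functional


def build_hash_only_db() -> SignatureDB:
    """Database holding only the exact hash of the known-bad file."""
    return SignatureDB(file_hashes={sha256_hex(KNOWN_BAD_FILE)})


def build_content_db() -> SignatureDB:
    """Database that also carries a content signature for the payload."""
    return SignatureDB(file_hashes={sha256_hex(KNOWN_BAD_FILE)},
                       content_patterns={KNOWN_BAD_MARKER})


if __name__ == "__main__":
    variant = append_benign_data(KNOWN_BAD_FILE, BENIGN_PADDING)
    print("original, hash-only DB:", scan(KNOWN_BAD_FILE, build_hash_only_db()))
    print("variant,  hash-only DB:", scan(variant, build_hash_only_db()))
    print("variant,  content DB:  ", scan(variant, build_content_db()))
    print("gap closes on update:  ", first_encounter_gap(variant, build_hash_only_db()))
```

The variant is a different file only to an exact-hash signature; a content signature still recognises the payload, which is why the text's "minimal modifications are enough" observation is specifically a statement about hash- and static-signature matching, and why the detection gap lasts exactly as long as the signature update takes.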
Modifying the collected malicious files is an essential part of the process
since BitDam does not have access to the latest malware that has not been
entered into Microsoft and Google's threat registries yet. Take note that
the files were to be sent via email (Outlook and Gmail). Microsoft and
Google's security systems would have immediately blocked the attachment of
malicious files during the composition of the test emails.
The researchers successfully devised ways to modify the threats for Google
and Microsoft to regard them as entirely new and unknown. Hence, the ability
of security systems to block the attachment was reduced considerably.
There was the option to use email services like SendGrid, which don't
perform malware scanning. However, the researchers found out that the
accounts they used ended up freezing in less than 24 hours.
In Conclusion
Again, BitDam does not claim to have collected malware that was not yet in
the threat signature databases of Microsoft and Google. Some challenges had
to be cleared for BitDam to complete the tests and come up with the bold
conclusion that a paradigm shift is in order.
The fact that the researchers managed to add malware attachments to the
emails they sent for the test proves that minimal modifications are enough
for security systems to see derivative threats as unknowns. Their detection
effectiveness is then disrupted, thus suffering from high first encounter
miss rates.
Unknown attacks pose serious risks, mainly because of the data-driven nature
of most email security solutions. There's a need to augment security systems
with a model-based strategy, so detection does not rely solely on threat
signature updates.
Additionally, it's important to continue educating people about
cybersecurity. Email security systems don't provide blanket protection. They
are notably incapable of stopping attack penetration made possible by the
use of predictable passwords and gullibility (easily falling prey to
phishing or social engineering).
73 Henk. HB1PMS
=====================================================================
_ _ ____ __ ____ ____ _____
| | | | _ \/_ | _ \| _ \ / ____| SYS: Henk (hb1nos@hb1bbs.com)
| |__| | |_) || | |_) | |_) | (___ QTH: Ouwerkerk - JO11XO
| __ | _ < | | _ <| _ < \___ \ BBS: HB1BBS.ZL.NLD.EU
| | | | |_) || | |_) | |_) |____) | QRV: 27.235 MHz (FM 1200bps)
|_| |_|____/ |_|____/|____/|_____/ WEB: www.hb1bbs.com
=====================================================================
(Message sent with Sally 7.2.035)
---------------------------------------------------------------------
Timed Tuesday 11 January 2005 16:26 gmt
BBS HB1PMS@HB1BBS
---------------------------------------------------------------------