Email has become a tool of choice for cybercriminals to deploy various cyber threats. Fundamental email security methods can recognize certain threats, but advanced email security further thwarts the remaining ones. Given the diversity of attack types, advanced email security needs to address a multitude of vectors, not just a singular one. Below is a comprehensive checklist to aid evaluation activities when looking for advanced email security.
1. Threat Coverage
Email is facing a barrage of threats, encompassing next-generation exploits and various types of attacks. An advanced email security solution needs to conduct a comprehensive examination of each message, including attachments and links, to assess the potential for cyberthreats that may involve a combination of attack types.
2. Level of Analysis
Advanced email security solutions should disregard the initial packaging of an email and its attachments. Cybercriminals often conceal threats within seemingly harmless packaging, such as a Word document or zipped file. The only effective method for identifying malicious threats concealed through covert delivery is to dismantle the original packaging of each email and its attachments. A thorough examination of each element is essential, involving deep analysis at multiple nesting levels to uncover potential threats.
3. Multi-layered Approach
A comprehensive approach to email security involves integrating multiple advanced tools, working collaboratively to scrutinize the fundamental elements of email messages and attachments, and targeting various cyber threats. By developing an overarching perspective through a thorough analysis of each message and attachment element, a robust assurance can be established regarding whether a message is benign or malicious.
4. Speed
Effective advanced email security solutions must pass the "phone test." When a user mentions, "I have just sent you an email," during a conversation with a colleague or customer, the corresponding email should be delivered within a few seconds. If the delivery feels sluggish and users repeatedly click the Send/Receive button, it disrupts the natural flow of email. Prolonged delays in email message delivery for several minutes or more can lead users to perceive a system malfunction, creating a sense that something is broken.
5. Threat Detection Accuracy
The effectiveness of advanced email security solutions is two-fold: speed of operation on one side and accuracy of judgment on the other. It is imperative to avoid declaring email messages and attachments laden with threats as safe and delivering them to end users. A reliable advanced email security solution should boast high detection rates and low false positives, establishing trust with users by ensuring a robust defense against potential threats.
6. File Functionality Post-Scan
Files must undergo recursive checks for embedded and hidden threats for an advanced email security solution to fulfill its intended purpose. However, once a file is examined and deemed benign, the delivered file to the end user should remain as fully functional as possible. It should not be altered, broken, or rendered inoperable. If users encounter broken files, they may resort to unsanctioned tools that bypass security checks, thereby exposing the organization to more substantial security threats.
7. URL Scanning
URLs embedded in email messages and attachments pose a risk of directing users to malicious sites that distribute malware, ransomware, APTs, and various threats. An advanced email security solution should conduct a thorough examination of the URL by cross-referencing it with known malicious sites. Additionally, the solution should visit the destination site, perform recursive scans for potential threats, assess the recency and provenance of domain registration, and check for lookalike and soundalike domain names that may indicate a spoofing attempt, among other measures.
8. Threat Intelligence
New cyberthreats arise continuously, and businesses cannot afford to remain unprotected. Threat intelligence services seamlessly integrating with an advanced email security solution provide comprehensive protection against evolving email-borne dangers, promptly addressing new threats.
9. Anti-BEC
Detecting emails that may not contain malicious files or URLs but pose a threat through impersonation is critical for businesses. Many spoofing attempts can be uncovered by evaluating the alignment between key email security declarations found in the customer's DNS record, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting, and Conformance), along with DNSSEC (Domain Name System Security Extensions). When combined with IP reputation checks, any lack of alignment among these elements can cast doubt on the authenticity of a particular message.
10. ATP Capabilities
Threat Protection (ATP) encompasses a suite of capabilities that extend beyond the scanning of known threats exclusively. ATP includes defenses against impersonations, zero-day attacks, weaponized links and attachments, as well as credential phishing campaigns targeting sensitive data, among other threats. A robust set of ATP capabilities indicates an advanced email security solution that prioritizes addressing not only known attacks with familiar signatures but also a broader spectrum of potential risks.
11. Zero-Day Detection
A zero-day attack exploits a software vulnerability, often referred to as a "bug," that is either unknown or unaddressed by the software vendor. Traditional advanced threat protection modules, like sandboxes and content disarm and reconstruction (CDR), typically scan at the application level, relying on known data or behaviors. In contrast, a zero-day attack initiates at the CPU level, attempting to execute malicious code. Therefore, a more deterministic approach to detect zero-days is to leverage CPU-level data to intercept the attack at the exploit level.
12. Anti-Evasion
The design of advanced email security solutions must take into account the incorporation of innovative evasion techniques employed by cybercriminals; overlooking the likelihood of evasion techniques is short-sighted. One common evasion method involves checking if a document is being opened in a virtual sandbox; if detected, the included malicious payload is withheld. Another technique involves scrutinizing the details of the IP infrastructure requesting a URL link. If the request originates from an IP address space associated with a security service, a benign page is delivered instead of the malicious one. To ensure the authenticity of each message, attachment, and link, advanced email security solutions must incorporate their own covert methods to counter evasion techniques effectively.
13. Protection before the Inbox
Businesses must strategically implement their advanced security solutions in a "prevention mode" to ensure user protection before emails reach the inbox. In prevention mode, every email and URL undergo thorough scanning before delivery to the end user, mitigating potential risks. In contrast, operating the system in detection mode involves delivering the email to the user first and then conducting a background scan. If the email is later identified as malicious, it is pulled from the user's inbox, potentially exposing the organization to risks if the user has already opened the email before the scan completion.
14. 100% Dynamic Scanning of Content
Modern advanced security solutions cannot depend solely on signature-based detection and static checks. They must actively scan content, employing techniques such as detonating a file or a URL on a virtual machine to assess it in real-time. Relying on partial scans due to scale or performance considerations in an email security solution exposes the organization to potential risks. Comprehensive and dynamic content scanning is essential for robust protection against evolving cyber threats.
15. Incident Response
Having an Incident Response Team/Plan is just as important as detecting breaches. Incident response responsibilities (or services from an MSP partner) should encompass the following:
- Continuous technical and product support.
- Escalation routes for addressing challenging issues.
- Technical troubleshooting.
- System optimization, including refining rules and policy settings tailored to the specific organization, based on insights gained from newly encountered threats.
16. Reporting
Reporting capabilities play a vital role by providing a regular stream of updates. Seeing the types of threats businesses are being exposed to (and protected from) facilitates their efforts to strengthen defenses, such as incorporating new security awareness training modules or additional layers of advanced protection. Reporting also reinforces the importance and effectiveness of existing security capabilities.
For more information about how to implement advanced email security, Contact Us!
