How to combat malicious emails that bypass security and impact your users

Some 3% of employees in organizations researched by Barracuda will click on malicious email links, but it only takes one such incident to open the door to a cyberattack.

email.jpg

Image: GettyImages/photoschmidt

Many organizations spend a lot of time, money and resources setting up email and web security to block suspicious messages from reaching their destinations. Even with the best defenses, some malicious emails are invariably going to bypass your security and reach the inboxes of your users. In a report published Tuesday, security firm Barracuda Networks looks at how malicious messages evade security detection and what you can do to stop them.

SEE: Identity theft protection policy (TechRepublic Premium)

More about cybersecurity

For its latest research, Barracuda analyzed around 3,500 different organizations to learn about their email threat patterns and practices. Based on the findings, the average organization with 1,100 users will be hit with around 15 email security incidents per month in which a malicious message gets past security and winds up in the inboxes of employees.

On average, 10 employees will be affected by each phishing attack that evades traditional security detection.

Further, around 3% of all employees who receive a malicious email will click on a link in the message, potentially exposing not only themselves, but the entire organization to a cyberattack. Though 3% sounds like a low percentage, all it takes is one single incident to kick off a chain of events that leads to a major attack.

Some 68% of the incidents that hit the organizations analyzed by Barracuda were uncovered through internal threat hunting from the internal security teams. In these cases, security staffers typically scan message logs or run searches of keywords and senders against email that’s already been delivered. Another 24% of incidents were found through user reports, while 8% were discovered through shared threat intelligence.

Responding to an email threat in a user’s inbox can take time. Barracuda found that, on average, a malicious email will spend 83 hours, or three and a half days, in a user’s inbox before it’s discovered by a security staffer or reported directly by the user.

Security teams often use information garnered from resolved incidents to update their security policies to stop future attacks. As one example, 29% of the organizations updated their block lists to stop messages from specific senders or regions, but only 5% of them update their web security to prevent access to malicious sites.

Combatting email threats that reach your users can be a resource-intensive process. The key is to not only use, but integrate the right tools and techniques. To better protect your organization against such malicious messages, Barracuda serves up the following advice:

  • Train your users to help them identify email threats. Educate your users on how to detect potential email threats. The goal is to show them how to report such messages to your security team rather than engage with these emails themselves. Run your training sessions on a regular basis so your users are always aware of possible threats during a typical workday. Also emphasize the differences between malicious messages and standard spam so your security staff doesn’t spend too much time checking out innocuous junk mail.
  • Turn to shared intelligence data to stay abreast of potential threats. Related and even identical email threats will hit more than one organization as attackers often use the same tactics against multiple targets. Relying on intelligence data shared by other organizations is one way to combat major attacks. Just ensure that your security process takes advantage of the shared data to mitigate possible incidents.
  • Use threat hunting tools to investigate email threats. Threat hunting tools can provide details on emails that have already been delivered to your users. Take advantage of these tools to look for anomalies in delivered messages, search for affected users, and determine if anyone has interacted with a malicious email.
  • Automate email threat remediation where possible. An automated incident response tool can cut the time required to look for suspicious emails, remove them from users’ inboxes and beef up your protection against future threats. Such a tool can also decrease the amount of time that a threat can spread throughout your organization and free up your security team to focus on other priorities.
  • Integrate your incident responses where possible. Beyond automating your security protection, integrate your incident response tools with email and web security as a way to stop future attacks. Any information you collect from your incident response process can help track down related threats and automatically deal with them.

Also see