Post on 13-Sep-2020

©2017 Mimecast.com All rights reserved.

The Human Firewall is on fire – Anatomy of an email-based attack.

Cyber Security Today

•  Defense Arms Race: Threats are constantly evolving!
•  Skills Deficiencies: It’s difficult to attract and retain talent!
•  Business Disruptions: How do we maintain availability during a disruption!
•  Data Recovery: Can we recover to the last safe state!

Email Attacks

•  ~30% of phishing attacks were opened (1)
•  100s median time to first click (1)
•  91% of attacks start with a phish (2)
•  66% of malware was installed via malicious email attachments (3)
•  $5B: BEC is a $5B global scam (4)

Sources: 1 Verizon Data Breach Report 2016 | 2 Wired 2015 | 3 Verizon Data Breach Report 2017 | 4 FBI, Public Service Announcement, May 4, 2017

Why do attackers rely on email? Cheap, ubiquitous, global, flexible, anonymous, trusted by users, integral to so many business processes

•  225B emails sent every day
•  Office 365: #1 cloud service by user count
•  6.3B email mailboxes in 2017, growing to 7.7B by 2021

Original Phishing Scams - What do you notice about them?

•  Have a profile

•  Think your life is deemed interesting enough to be on

Your company is at risk if you…

•  Have certain letters in your domain name
•  Accept resumes on your website
•  Highlight your Management or Leadership Team on your website

It Only Takes One.

Introducing: Your Users

Would You Click?

What Should Your User Do? WSYUD?

URL Protect

Real or fake?

That “Apple.com” URL is really this….

xn--80ak6aa92e.com

Is this really Apple.com?

©2018 Mimecast.com All rights reserved.

Watch Out Mobile Browsers! Phishing with Elongated URLs – What site are you really on?

http://m.facebook.com----------------------------------securelogin.liraon.com/sign_in.htm

Would You Open This Attachment?

No One Way to Catch Malware

Imagine being able to stop EVERY malicious file

We all know the risks

Trust your users not to click?

Static File Analysis

•  ~1-2 seconds attachment scan
•  Expedites scanning and scan time for users

Analyze inbound attachments with multiple AV engines + static file analysis + behavioral sandboxing + safe file conversion

Enhanced Threat Remediation

•  Leverage global threat intelligence
•  Incident/Response Dashboard
•  Constantly monitor and re-check status of all file attachment fingerprints globally
•  If security score of a delivered file changes:
   –  Quickly alert and update administrators
   –  Automatically or manually remediate attachment based malware
   –  Log incident actions

Who Says Attacks Need to Involve Malware?

•  Business Email Compromise
•  Whaling
•  Wire transfer or W-2 Fraud

Who would send the money?

Impersonation Protect

Supply Chain Impersonation

One of these things is not like the others!!!

“Similar” Domains Being Registered Every Day – Why?

•  Serer - faƈebook.com - xn--faebook-ozb.com [facebook.com]
•  Old English - ɑƿƿle.com - xn--le-m1aa24e.com [apple.com]
•  Math Symbol - hotmail¬.com - xn--hotmail-jka.com [hotmail.com]
•  German - microsöftonline.com - xn--microsftonline-0pb.com [microsoftonline.com]
•  Chinese - amazon. - amazon.xn--g2xx48c [amazon.com]
•  Cyrillic - applḙ.com - xn--appl-t64a.com [apple.com]
•  Polish - ażure.com - xn--aure-bbb.com [azure.com]
•  Fula/African - dropɓox.com - xn--dropox-sxc.com [dropbox.com]
•  Fula/African - eɓay.com - xn--eay-osb.com [ebay.com]
•  Polish - ebąy.com - xn--eby-jpa.com [ebay.com]
•  Danish - facebøøk.com - xn--facebk-fyaa.com [facebook.com]

Similarity matching capabilities

Real Domain | Similarity Match
mimecast.com | mimecast.co.za
apple.com | xn--80ak6aa92e.com
amazon.co.uk | www.amazonn.co.uk
facebook.com | http://m.facebook.com----------------------------------securelogin.liraon.com/sign_in.htm
paypal.com | http://paypal.com-us-cgi-bin-webscr-cmd--login-submit-dispatch-5885d80a13c0.mytruebox.com/
CustomDomain.com | CustomDornain.com

•  Detect similarity both simple and complex
   –  Character switching, Homoglyph/Homograph, long domain strings and more
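The three similarity cases named above (character switching, homoglyph/homograph, long domain strings) can be checked mechanically. The Python sketch below is an added example, not Mimecast's implementation; the protected-domain list, the small confusables map and the function names are assumptions for illustration, and the sample inputs are the hosts shown on the slides.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: domains the organisation wants to protect (taken from the slides).
PROTECTED = ["apple.com", "facebook.com", "paypal.com", "customdomain.com"]
# Assumption: a deliberately tiny confusables map; production systems use the
# full Unicode confusables data. "rn" -> "m" covers simple character switching.
CONFUSABLES = {"\u0430": "a", "\u0440": "p", "\u04cf": "l", "\u0435": "e", "rn": "m"}

def host_of(value):
    """Return the lower-cased host of a URL or bare host name."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()

def to_unicode(host):
    """Decode xn-- labels to the characters a browser may display."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw ASCII form
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Fold look-alike characters onto ASCII so visual twins compare equal."""
    folded = unicodedata.normalize("NFKC", host)
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    return folded

def classify(value):
    """Return (verdict, protected_domain) for one URL or host."""
    host = host_of(value)
    shown = to_unicode(host)
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand)
        if brand in host:  # brand is only a prefix of a longer, unrelated host
            return ("long-domain-string", brand)
        if skeleton(shown) == skeleton(brand):
            return ("homograph" if shown != host else "character-switch", brand)
    return ("no-match", None)

if __name__ == "__main__":
    for sample in ["xn--80ak6aa92e.com", "CustomDornain.com",
                   "http://m.facebook.com----------------------------------securelogin.liraon.com/sign_in.htm"]:
        print(classify(sample), sample)
```

The substring test for long domain strings is coarse; a deployment would compare registrable domains using the Public Suffix List and add an edit-distance check for cases such as the doubled letter in www.amazonn.co.uk.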

Internal Email Protect

•  Compromised Accounts
   –  Attacker uses stolen user credentials to spread attack internally and/or externally
•  Careless Users
   –  “Oops, I sent it to the wrong person…again.”
•  Malicious Insiders
   –  Purposely distributing malware or malicious URLs

Are Users part of the solution or part of the problem?

Cyber Resilience for email

•  Threat Protection
•  Durability
•  Adaptability
•  Recoverability
